Hi Timo, according to my sniff tests it will fail later on in 4.6.2 as well. It seems the new nss makes the crypto/passwords no more behave the way as expected.
Of course the autopkgtest for 4.6.2 won't fail (as there is no old cert8.db, so the call is skipped), but if there would be one (e.g. on an upgrade) then it would fail (at least according to my tests in some containers). So as soon as I bad-test 4.4.4 things will go on as the autopkgtest won't test the upgrade path. but it will still be "broken under the hood". I didn't expect a fix in 4.4.x but instead wondered if you might be able to help to understand why it fails at all. And then depending on that insight we can work on a fix for either nss or freeipa as needed. -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1746947 Title: failing autopkgtest due to password issue by nss Status in freeipa package in Ubuntu: New Bug description: Hi, I was failed by autopkgtests of freeipa, but not the old "ip route output changed" case. Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz It essentially does this and fails: $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests Containers: Bionic-as-is: installs ok Bionic-Proposed: installs ok In LP Infra: dpkg: error processing package freeipa-client (--configure): installed freeipa-client package post-installation script subprocess returned error exit status 1 Use Pinning to get the autopkgtest style: # cat /etc/apt/preferences.d/nssonlyproposed Package: * Pin: release a=bionic Pin-Priority: 1001 Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg Pin: release a=bionic-proposed Pin-Priority: 1002 Bionic-nss-only-from-Proposed: TRIGGERS the issue freeipa-client is in the postinst calling this: python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' Traceback (most recent call last): File "<string>", line 1, in <module> File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb create_ipa_nssdb() File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb db.create_db(pwdfile) File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db self.run_certutil(["-N", "-f", password_filename]) File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil return ipautil.run(new_args, stdin, **kwargs) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run raise CalledProcessError(p.returncode, arg_string, str(output)) subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255 That is - if called alone complaining about the passwd: # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt Invalid password. certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect. Note that there is a related freeipa fix in later versions: freeipa (4.6.2-4) unstable; urgency=medium * client.postinst: Migrate from old nssdb only if it exists. And since that change freeipa has: if [ -f /etc/ipa/nssdb/cert8.db ]; then around the call. It also changed the import slightly - now the python being: python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' That in the "all-proposed" case with the cert8.db file copied over is still failing but differently: /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. The merge of nss was a minor bump 3.34->3.35 Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there. I don't fully understand it yet - so filing this bug for a discussion. I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on. Do we have to: - rebuild freeipa against newer nss? - just mark something as bad test - something completely else? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
