according to my sniff tests it will fail later on in 4.6.2 as well.
It seems the new nss makes the crypto/passwords no more behave the way as
Of course the autopkgtest for 4.6.2 won't fail (as there is no old
cert8.db, so the call is skipped), but if there would be one (e.g. on an
upgrade) then it would fail (at least according to my tests in some
So as soon as I bad-test 4.4.4 things will go on as the autopkgtest
won't test the upgrade path. But it will still be "broken under the
I didn't expect a fix in 4.4.x but instead wondered if you might be able
to help to understand why it fails at all. And then depending on that
insight we can work on a fix for either nss or freeipa as needed.
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
failing autopkgtest due to password issue by nss
Status in freeipa package in Ubuntu:
I was failed by autopkgtests of freeipa, but not the old "ip route output
It essentially does this and fails:
$ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad \
    freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient \
    python-ipalib python-ipaserver python-ipatests
Bionic-as-is: installs ok
Bionic-Proposed: installs ok
In LP Infra:
dpkg: error processing package freeipa-client (--configure):
installed freeipa-client package post-installation script subprocess
returned error exit status 1
Use Pinning to get the autopkgtest style:
# cat /etc/apt/preferences.d/nssonlyproposed
Pin: release a=bionic
Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
Pin: release a=bionic-proposed
Bionic-nss-only-from-Proposed: TRIGGERS the issue
freeipa-client calls this in its postinst:
python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
Traceback (most recent call last):
File "<string>", line 1, in <module>
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in
self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in
return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in
raise CalledProcessError(p.returncode, arg_string, str(output))
subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255
That is, if called alone, it complains about the passwd:
# /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The
security password entered is incorrect.
Note that there is a related freeipa fix in later versions:
freeipa (4.6.2-4) unstable; urgency=medium
* client.postinst: Migrate from old nssdb only if it exists.
And since that change freeipa has:
if [ -f /etc/ipa/nssdb/cert8.db ]; then
around the call.
It also changed the import slightly - now the python being:
python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
That in the "all-proposed" case with the cert8.db file copied over is still
failing but differently:
/usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad
The merge of nss was a minor bump 3.34->3.35
Also this is the nss version from Debian with the freeipa version from
Debian. They seem to work together there.
I don't fully understand it yet - so filing this bug for a discussion.
I need the help of tjaalton who did the freeipa changes - maybe he knows what
is going on.
Do we have to:
- rebuild freeipa against newer nss?
- just mark something as bad test?
- something completely else?
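
The messages above note that the 4.6.2-4 guard skips the migration call when cert8.db is absent, so a fresh-install autopkgtest never reaches the failing certutil run. As an added example (not part of the bug report or of FreeIPA's packaging), this script reports which branch that guard takes for a directory and the state of the password file certutil -f would read; the function names and the fixture contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA packaging code: reports what the guarded
# postinst would do for one NSS database directory.

# Format by file name: cert8.db is the legacy DBM database,
# cert9.db the SQLite one.
nssdb_format() {
    if [ -f "$1/cert8.db" ] && [ -f "$1/cert9.db" ]; then echo both
    elif [ -f "$1/cert8.db" ]; then echo legacy
    elif [ -f "$1/cert9.db" ]; then echo sql
    else echo none
    fi
}

# Same test as the 4.6.2-4 guard: migrate only if cert8.db exists.
postinst_branch() {
    if [ -f "$1/cert8.db" ]; then echo migrate; else echo skip; fi
}

# State of the password file passed to certutil with -f.
pwdfile_state() {
    pw="$1/pwdfile.txt"
    if [ ! -f "$pw" ]; then echo missing
    elif [ ! -s "$pw" ]; then echo empty
    elif [ -n "$(find "$pw" -prune -perm -004 -print)" ]; then echo world-readable
    else echo ok
    fi
}

# One-line summary for a directory such as /etc/ipa/nssdb.
nssdb_report() {
    echo "format=$(nssdb_format "$1") postinst=$(postinst_branch "$1") pwdfile=$(pwdfile_state "$1")"
}

# Constructed fixtures: empty placeholder files, not real databases.
make_fixtures() {
    root=$(mktemp -d) || return 1
    mkdir "$root/fresh" "$root/upgrade"
    : > "$root/upgrade/cert8.db"
    : > "$root/upgrade/key3.db"
    printf 'constructed-password\n' > "$root/upgrade/pwdfile.txt"
    chmod 600 "$root/upgrade/pwdfile.txt"
    echo "$root"
}

# Report on a real directory when one is given as the first argument.
if [ -n "${1:-}" ]; then nssdb_report "$1"; fi
```

A test that wants to cover the upgrade path needs a directory for which this reports postinst=migrate, built from a real legacy database rather than the placeholders used here.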