I was discussing this with Timo and he correctly pointed out that reverting [1] might be enough. This would allow to get all fixes of 3.35, but at the same time not run into this bug here all over the place.
Building with that for some test runs. [1]: https://github.com/nss- dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3 -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/1746947 Title: failing autopkgtest due to password issue by nss Status in freeipa package in Ubuntu: New Status in nss package in Ubuntu: Triaged Bug description: Hi, I was failed by autopkgtests of freeipa, but not the old "ip route output changed" case. Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz It essentially does this and fails: $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests Containers: Bionic-as-is: installs ok Bionic-Proposed: installs ok In LP Infra: dpkg: error processing package freeipa-client (--configure): installed freeipa-client package post-installation script subprocess returned error exit status 1 Use Pinning to get the autopkgtest style: # cat /etc/apt/preferences.d/nssonlyproposed Package: * Pin: release a=bionic Pin-Priority: 1001 Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg Pin: release a=bionic-proposed Pin-Priority: 1002 Bionic-nss-only-from-Proposed: TRIGGERS the issue freeipa-client is in the postinst calling this: python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' Traceback (most recent call last): File "<string>", line 1, in <module> File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb create_ipa_nssdb() File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb db.create_db(pwdfile) File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db self.run_certutil(["-N", "-f", password_filename]) File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil return ipautil.run(new_args, stdin, **kwargs) File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run raise CalledProcessError(p.returncode, arg_string, str(output)) subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255 That is - if called alone complaining about the passwd: # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt Invalid password. certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect. Note that there is a related freeipa fix in later versions: freeipa (4.6.2-4) unstable; urgency=medium * client.postinst: Migrate from old nssdb only if it exists. And since that change freeipa has: if [ -f /etc/ipa/nssdb/cert8.db ]; then around the call. It also changed the import slightly - now the python being: python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' That in the "all-proposed" case with the cert8.db file copied over is still failing but differently: /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database. The merge of nss was a minor bump 3.34->3.35 Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there. I don't fully understand it yet - so filing this bug for a discussion. I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on. Do we have to: - rebuild freeipa against newer nss? - just mark something as bad test - something completely else? To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~freeipa Post to : [email protected] Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
