[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-06 Thread ChristianEhrhardt 
** Changed in: freeipa (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
 freeipa (4.6.2-4) unstable; urgency=medium 
  

  
   * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread Launchpad Bug Tracker 
This bug was fixed in the package nss - 2:3.35-2ubuntu2

---
nss (2:3.35-2ubuntu2) bionic; urgency=medium

  * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
default is still causing too much issues in consumers of nss.
So until resolved revert the switched default (LP: #1746947)

nss (2:3.35-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
- When building with -O3, build with -Wno-error=maybe-uninitialized.
  * Added Changes:
- d/libnss3.links: make freebl3 available as library (LP: #1744328)
  + d/control: add dh-exec to Build-Depends
  + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.35-2) unstable; urgency=medium

  * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.

nss (2:3.35-1) unstable; urgency=medium

  * New upstream release.

nss (2:3.34.1-1) unstable; urgency=medium

  * New upstream release.

 -- Christian Ehrhardt   Mon, 05 Feb
2018 11:36:07 +0100

** Changed in: nss (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
 freeipa (4.6.2-4) unstable; urgency=medium 
  

  
   * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do

[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt 
Built with said change - and now testing against the nss in the ppa (should all 
work):
- install 4.4 (ppa) -> OK
- install 4.6 (proposed + ppa) -> OK
- old python call against 4.4 (ppa) -> OK
- new python call against 4.6 (proposed + ppa) -> OK

I dupped Corosync on here, so lets verify it fixes that as well
- install corosync-qnetd as in proposed (should fail) -> FAIL
- install corosync-qnetd with ppa (should work) -> OK


This was a bit of a panic exercise for me :-)
After breaking things with nss which isn't my home turf I wanted to get rid of 
it asap.
Thanks to Timo to keep me in line with our discussions so it ended up as a much 
more reasonable fix.
Uploading the fixed 3.35 version now ...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
 freeipa (4.6.2-4) unstable; urgency=medium 
  

  
   * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More

[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt 
I was discussing this with Timo and he correctly pointed out that reverting [1] 
might be enough.
This would allow to get all fixes of 3.35, but at the same time not run into 
this bug here all over the place.

Building with that for some test runs.

[1]: https://github.com/nss-
dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
 freeipa (4.6.2-4) unstable; urgency=medium 
  

  
   * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt 
For a better overview and to make a decision (as a +really version always sucks 
to some extend) I did some tests:
- built nss 3.34 with the freebl3 change in ppa [1] as 
2:3.35-2ubuntu1+really3.34-1ubuntu2
- set up some containers to test
- ran the sequence of installs/commands that freeipa tests would do

I did so in different combinations:
1. freeipa 4.4.4 + nss 3.34-1ubuntu1 (as bionic is)
2. freeipa 4.6.3 + nss 3.35-1ubuntu1 (full bionic proposed)
3. freeipa 4.4.4 + nss 3.35-1ubuntu1 (as tested by autopkgtest by pinning)
4. freeipa 4.4.4 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (ppa)
5. freeipa 4.6.3 + nss 3.35-2ubuntu1+really3.34-1ubuntu2 (proposed + ppa)

I tested:
- the install that fails in the autopkgtest
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common
freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib
python-ipaserver python-ipatests
- the python call that fails (old & new form of it as it needs an additional 
import in 4.6.2)
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  python2 -c 'from ipaclient.install.client import update_ipa_nssdb; 
update_ipa_nssdb()'

 #1 install#2 old python #3 new python
1.   okokfail (4.4 has only old 
import)
2.   ok (skip) fail (4.6 need new import)ok
3.   fail  fail (nss format) fail (4.4 has only old 
import)
4.   okokfail (4.4 has only old 
import)
5.   ok (skip) fail (4.6 need new import)ok

So an nss upload should work as planned with both verserions:
- freeipa 4.4 (case 4. #2)
- freeipa 4.6 (case 5. #3)
- and both cases would install (4./5. #1).

Due to the hint by Timo (thanks) I found [1] which explains a bit what is going 
on.
That is a nice change to be made in nss, but not unplanned and unprepared.
Some consuming packages need to be adapted first, and that was not what I 
intended by picking a new minor version. So that as well points to an upload 
reverting the move to 3.35.

Get me right - the move to 3.35 and the new file format should be done
at some point, but not now unplanned (it accidentally slipped in by the
merge) - so I'm uploading 2:3.35-2ubuntu1+really3.34-1ubuntu2 to un-
break it for now.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f

[Touch-packages] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt 
** Also affects: nss (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: nss (Ubuntu)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output 
changed" case.
  Like: 
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad 
freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient 
python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess 
returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001
  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002
  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
File "", line 1, in 
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in 
update_ipa_nssdb
  create_ipa_nssdb()
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in 
create_ipa_nssdb
  db.create_db(pwdfile)
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in 
create_db
  self.run_certutil(["-N", "-f", password_filename])
File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in 
run_certutil
  return ipautil.run(new_args, stdin, **kwargs)
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in 
run
  raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb 
-N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  
  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The 
security password entered is incorrect.

  
  Note that there is a related freeipa fix in later versions:
 freeipa (4.6.2-4) unstable; urgency=medium 
  

  
   * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb;
  update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still 
failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad 
database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from 
Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what 
is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp