[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-08 Thread ChristianEhrhardt
** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/nss/+git/nss/+merge/345213

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to dogtag-pki in Ubuntu.
https://bugs.launchpad.net/bugs/1747411

Title:
  Change of default database file format to SQL

Status in certmonger package in Ubuntu:
  Fix Released
Status in corosync package in Ubuntu:
  New
Status in dogtag-pki package in Ubuntu:
  Fix Released
Status in freeipa package in Ubuntu:
  Fix Released
Status in libapache2-mod-nss package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  New

Bug description:
  nss in version 3.35 in upstream changed [2] the default file format [1] (if no explicit one is specified).
  For now we reverted that change in bug 1746947 until all packages depending on it are ready to work with that correctly.

  This bug here is to track when the revert can be dropped.
  Therefore we list all known-to-be-affected packages and once all are resolved this can be dropped.

  [1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql
  [2]: https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/1747411/+subscriptions

___
Mailing list: https://launchpad.net/~freeipa
Post to : freeipa@lists.launchpad.net
Unsubscribe : https://launchpad.net/~freeipa
More help   : https://help.launchpad.net/ListHelp


[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
Corosync is actually a sync for Cosmic, with all Delta dropped:

  * Merge with Debian unstable (LP: #1747411). Remaining changes:

  * Dropped Changes:
    - Properly restart corosync and pacemaker together (LP: #1740892)
      d/rules: pass --restart-after-upgrade to dh_installinit.
      (this is default in compat >=10, and the package is 11)
    - d/control: indicate this version breaks all older pacemaker, to
      force an upgrade of pacemaker. (Upgrades have gone through Bionic,
      so we can drop this now)
    - d/corosync.postinst: if flagged to do so by pacemaker, start
      pacemaker on upgrade. (Can be dropped after Bionic)
    - New upstream release 2.4.3 (now in Debian)
    - Drop upstreamed patches and refresh others. (now in Debian)

To get a second opinion on that I opened:
https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184

** Merge proposal linked:
   https://code.launchpad.net/~paelzer/ubuntu/+source/corosync/+git/corosync/+merge/345184



[Freeipa] [Bug 1747411] Re: Change of default database file format to SQL

2018-05-07 Thread ChristianEhrhardt
For corosync the affected components are corosync-qnetd.

I checked and without adaption on install they would be fine as they
initialize a new DB and nowhere does anyone specify the type. But as
with some other tools on an upgrade we have to assume that the old DBM
format will be tried to be read as SQL and then fail.

Worth noticing is that Fedora, who started all of this in [1], still uses
DBM as default in their NSS build :-)

corosync 2.4.4-1 of 20th of April made corosync compatible with the nss change.
They prefix all calls with dbm to stay compat until the upgrade is handled by upstream.
So a merge of this or a later version will address this for corosync.
Afterwards nss can be merged dropping the change of the default.

[1]: https://fedoraproject.org/wiki/Changes/NSSDefaultFileFormatSql

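The upgrade failure described in the message above (an existing DBM database opened as SQL once the default changes) can be avoided by never relying on the default. The following is an added example, not code from this thread, corosync or NSS: it classifies a database directory by NSS's standard file names (cert8.db/key3.db for DBM, cert9.db/key4.db for SQL) and emits an explicit `dbm:` or `sql:` spec for `certutil -d`. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify an NSS database directory and build an explicit
# "dbm:DIR" / "sql:DIR" spec so tools do not depend on the NSS default.
# Function names (is_sqlite, nss_db_format, nss_db_spec) are hypothetical.

# Succeeds only if the file starts with the SQLite 3 header string.
is_sqlite() {
    [ -f "$1" ] || return 1
    magic=$(dd if="$1" bs=15 count=1 2>/dev/null | tr -d '\000')
    [ "$magic" = "SQLite format 3" ]
}

# Prints one of: dbm, sql, both, invalid, none
#   dbm     - only legacy files (cert8.db / key3.db)
#   sql     - only SQLite files (cert9.db / key4.db) with a valid header
#   both    - legacy and SQL files side by side (e.g. after a migration)
#   invalid - a cert9.db / key4.db exists but is not an SQLite file
#   none    - no database files at all (a fresh directory)
nss_db_format() {
    dir=$1
    legacy=no
    sql=no
    if [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then
        legacy=yes
    fi
    for f in cert9.db key4.db; do
        if [ -e "$dir/$f" ]; then
            if is_sqlite "$dir/$f"; then
                sql=yes
            else
                echo invalid
                return 0
            fi
        fi
    done
    case "$legacy:$sql" in
        yes:no)  echo dbm ;;
        no:yes)  echo sql ;;
        yes:yes) echo both ;;
        *)       echo none ;;
    esac
}

# Prints "dbm:DIR" or "sql:DIR"; refuses to guess in every other case so
# that the caller has to decide (create, migrate or clean up) explicitly.
nss_db_spec() {
    dir=$1
    fmt=$(nss_db_format "$dir")
    case "$fmt" in
        dbm|sql)
            echo "$fmt:$dir"
            ;;
        *)
            echo "nss_db_spec: $dir is '$fmt', refusing to guess" >&2
            return 1
            ;;
    esac
}

# Stand-alone use: ./nssdbspec.sh /etc/ipa/nssdb
# Typical caller:  certutil -L -d "$(nss_db_spec /etc/ipa/nssdb)"
if [ "$#" -gt 0 ]; then
    nss_db_spec "$1"
fi
```

The `both` case is reported rather than resolved because either copy may be the stale one, depending on which prefix the applications on the system have been using.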


[Freeipa] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-06 Thread ChristianEhrhardt
** Changed in: freeipa (Ubuntu)
   Status: New => Won't Fix

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  Won't Fix
Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route output changed" case.
  Like: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001

  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002

  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb
      create_ipa_nssdb()
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb
      db.create_db(pwdfile)
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db
      self.run_certutil(["-N", "-f", password_filename])
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil
      return ipautil.run(new_args, stdin, **kwargs)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

  Note that there is a related freeipa fix in later versions:
   freeipa (4.6.2-4) unstable; urgency=medium
     * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
  if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:

  python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from Debian. They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/1746947/+subscriptions



[Freeipa] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt
Built with said change - and now testing against the nss in the ppa (should all work):
- install 4.4 (ppa) -> OK
- install 4.6 (proposed + ppa) -> OK
- old python call against 4.4 (ppa) -> OK
- new python call against 4.6 (proposed + ppa) -> OK

I duped Corosync on here, so let's verify it fixes that as well
- install corosync-qnetd as in proposed (should fail) -> FAIL
- install corosync-qnetd with ppa (should work) -> OK


This was a bit of a panic exercise for me :-)
After breaking things with nss which isn't my home turf I wanted to get rid of it asap.
Thanks to Timo for keeping me in line with our discussions so it ended up as a much more reasonable fix.
Uploading the fixed 3.35 version now ...

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged


[Freeipa] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt
I was discussing this with Timo and he correctly pointed out that reverting [1] might be enough.
This would allow to get all fixes of 3.35, but at the same time not run into this bug here all over the place.

Building with that for some test runs.

[1]: https://github.com/nss-dev/nss/commit/33b114e38278c4ffbb6b244a0ebc9910e5245cd3

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged



[Freeipa] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-05 Thread ChristianEhrhardt
** Also affects: nss (Ubuntu)
   Importance: Undecided
   Status: New

** Changed in: nss (Ubuntu)
   Status: New => Triaged

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Triaged



[Freeipa] [Bug 1746947] Re: failing autopkgtest due to password issue by nss

2018-02-02 Thread ChristianEhrhardt
Subscribing tjaalton to get his opinion on this.

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
