This bug was fixed in the package nss - 2:3.35-2ubuntu2

---------------
nss (2:3.35-2ubuntu2) bionic; urgency=medium

  * d/p/lp1746947-revert-switch-default-to-sql.patch: the switch of the
    default is still causing too much issues in consumers of nss.
    So until resolved revert the switched default (LP: #1746947)

nss (2:3.35-2ubuntu1) bionic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - When building with -O3, build with -Wno-error=maybe-uninitialized.
  * Added Changes:
    - d/libnss3.links: make freebl3 available as library (LP: #1744328)
      + d/control: add dh-exec to Build-Depends
      + d/rules: make mkdir tolerate debian/tmp existing (due to dh-exec)

nss (2:3.35-2) unstable; urgency=medium

  * nss/lib/freebl/Makefile: Build Hacl_Poly1305_64.o on arm64.

nss (2:3.35-1) unstable; urgency=medium

  * New upstream release.

nss (2:3.34.1-1) unstable; urgency=medium

  * New upstream release.

 -- Christian Ehrhardt <christian.ehrha...@canonical.com>  Mon, 05 Feb 2018 11:36:07 +0100

** Changed in: nss (Ubuntu)
       Status: Triaged => Fix Released

https://bugs.launchpad.net/bugs/1746947

Title:
  failing autopkgtest due to password issue by nss

Status in freeipa package in Ubuntu:
  New
Status in nss package in Ubuntu:
  Fix Released

Bug description:
  Hi,
  I was failed by autopkgtests of freeipa, but not the old "ip route
  output changed" case.

  Like:
  https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/f/freeipa/20180201_161632_c9091@/log.gz

  It essentially does this and fails:
  $ apt install freeipa-server freeipa-server-dns freeipa-server-trust-ad freeipa-common freeipa-client freeipa-admintools freeipa-tests python-ipaclient python-ipalib python-ipaserver python-ipatests

  Containers:
  Bionic-as-is: installs ok
  Bionic-Proposed: installs ok

  In LP Infra:
  dpkg: error processing package freeipa-client (--configure):
   installed freeipa-client package post-installation script subprocess returned error exit status 1

  Use Pinning to get the autopkgtest style:
  # cat /etc/apt/preferences.d/nssonlyproposed
  Package: *
  Pin: release a=bionic
  Pin-Priority: 1001

  Package: libnss3 libnss3-tools libnss3-dev libnss3-dbg
  Pin: release a=bionic-proposed
  Pin-Priority: 1002

  Bionic-nss-only-from-Proposed: TRIGGERS the issue

  freeipa-client is in the postinst calling this:
  python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()'
  Traceback (most recent call last):
    File "<string>", line 1, in <module>
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 64, in update_ipa_nssdb
      create_ipa_nssdb()
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 53, in create_ipa_nssdb
      db.create_db(pwdfile)
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 149, in create_db
      self.run_certutil(["-N", "-f", password_filename])
    File "/usr/lib/python2.7/dist-packages/ipapython/certdb.py", line 142, in run_certutil
      return ipautil.run(new_args, stdin, **kwargs)
    File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 515, in run
      raise CalledProcessError(p.returncode, arg_string, str(output))
  subprocess.CalledProcessError: Command '/usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt' returned non-zero exit status 255

  That is - if called alone complaining about the passwd:
  # /usr/bin/certutil -d /etc/ipa/nssdb -N -f /etc/ipa/nssdb/pwdfile.txt
  Invalid password.
  certutil: Could not set password for the slot: SEC_ERROR_BAD_PASSWORD: The security password entered is incorrect.

  Note that there is a related freeipa fix in later versions:
  freeipa (4.6.2-4) unstable; urgency=medium
    * client.postinst: Migrate from old nssdb only if it exists.

  And since that change freeipa has:
    if [ -f /etc/ipa/nssdb/cert8.db ]; then
  around the call.

  It also changed the import slightly - now the python being:
  python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()'

  That in the "all-proposed" case with the cert8.db file copied over is still failing but differently:
  /usr/bin/certutil -d /etc/ipa/nssdb -L -f /etc/ipa/nssdb/pwdfile.txt
  certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

  The merge of nss was a minor bump 3.34->3.35
  Also this is the nss version from Debian with the freeipa version from Debian.
  They seem to work together there.

  I don't fully understand it yet - so filing this bug for a discussion.
  I need the help of tjaalton who did the freeipa changes - maybe he knows what is going on.

  Do we have to:
  - rebuild freeipa against newer nss?
  - just mark something as bad test
  - something completely else?
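
Added example, not part of the original bug report or of the nss or freeipa packages: since the changelog above reverts a switch of the default database type to sql, a caller can avoid depending on that default by detecting the on-disk format and passing certutil an explicit `dbm:` or `sql:` prefix. The function names and the fallback argument are assumptions of this sketch; cert8.db/key3.db and cert9.db/key4.db are the legacy and SQLite NSS file names.

```shell
#!/bin/sh
# Added example (hypothetical helper names): pick an explicit NSS database
# prefix for "certutil -d" instead of relying on the library default.

# nssdb_format DIR -> prints one of: dbm, sql, both, none
nssdb_format() {
    dir=$1
    has_dbm=no
    has_sql=no
    # Legacy Berkeley DB format: cert8.db together with key3.db
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_dbm=yes
    # SQLite format: cert9.db together with key4.db
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && has_sql=yes
    case "$has_dbm/$has_sql" in
        yes/yes) echo both ;;
        yes/no)  echo dbm ;;
        no/yes)  echo sql ;;
        *)       echo none ;;
    esac
}

# nssdb_dir_arg DIR [FALLBACK] -> prints the value to hand to "certutil -d".
# FALLBACK (an assumption of this example) is the format used when the
# directory holds no complete database yet, or holds both; it defaults to
# dbm, the default that the revert on this page restores.
nssdb_dir_arg() {
    dir=$1
    fallback=${2:-dbm}
    fmt=$(nssdb_format "$dir")
    case "$fmt" in
        dbm|sql) echo "$fmt:$dir" ;;
        *)       echo "$fallback:$dir" ;;
    esac
}

# Typical call, using the path and options shown in the report:
#   certutil -d "$(nssdb_dir_arg /etc/ipa/nssdb)" -L -f /etc/ipa/nssdb/pwdfile.txt
```
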