#50392 dscreate fails because it generates a temporary password that has first character an '-' and pwdhash fails
Closed: fixed 4 months ago by mreynolds. Opened 4 months ago by abbra.

Issue Description

Running FreeIPA git master ipa-server-install occasionally fails because a temporary password generated while creating a directory server contains a dash character as a first one and then calls /usr/bin/pwdhash which complaints that this option does not exist:

Configuring directory server (dirsrv). Estimated time: 30 seconds
  [1/43]: creating directory server instance

Starting installation...
/usr/bin/pwdhash: invalid option -- 'N'
usage: /usr/bin/pwdhash -D config-dir [-H] [-s scheme | -c comparepwd ] password...
  [error] CalledProcessError: Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.
Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

Package Version and Platform

Fedora 30.x86_64

Steps to reproduce

  1. run ipa-server-install
  2. sometimes a hash password is generated that starts with -<some letter> where a letter is not a known /usr/bin/pwdhash option
  3. /usr/bin/pwdhash fails, installation stops.

Actual results

installation fails

Expected results

installation continues successfully

I've got the behaviour twice over this weekend while running IPA tests in Azure Pipelines CI. I'm attaching full logs but here is a traceback from ipaserver-install.log:

2019-05-19T10:25:20Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 554, in __create_instance
    sds.create_from_args(general, slapd, backends, None)
  File "/usr/lib/python3.7/site-packages/lib389/instance/setup.py", line 643, in create_from_args
    self._prepare_ds(general, slapd, backends)
  File "/usr/lib/python3.7/site-packages/lib389/instance/setup.py", line 601, in _prepare_ds
    self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir'])
  File "/usr/lib/python3.7/site-packages/lib389/passwd.py", line 38, in password_hash
    h = subprocess.check_output([pwdhashbin, pw]).strip()
  File "/usr/lib64/python3.7/subprocess.py", line 395, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.7/subprocess.py", line 487, in run
    output=stdout, stderr=stderr)
subprocess.CalledProcessError: Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.

2019-05-19T10:25:20Z DEBUG   [error] CalledProcessError: Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.
2019-05-19T10:25:20Z DEBUG   File "/usr/lib/python3.7/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/cli.py", line 347, in run
    return cfgr.run()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3.7/site-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3.7/site-packages/six.py", line 693, in reraise
    raise value
  File "/usr/lib/python3.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python3.7/site-packages/ipapython/install/common.py", line 65, in _install
    for unused in self._installer(self.parent):
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/__init__.py", line 557, in main
    master_install(self)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 254, in decorated
    func(installer)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/server/install.py", line 813, in install
    setup_pkinit=not options.no_pkinit)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 316, in create_instance
    self.start_creation(runtime=30)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 603, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python3.7/site-packages/ipaserver/install/service.py", line 589, in run_step
    method()
  File "/usr/lib/python3.7/site-packages/ipaserver/install/dsinstance.py", line 554, in __create_instance
    sds.create_from_args(general, slapd, backends, None)
  File "/usr/lib/python3.7/site-packages/lib389/instance/setup.py", line 643, in create_from_args
    self._prepare_ds(general, slapd, backends)
  File "/usr/lib/python3.7/site-packages/lib389/instance/setup.py", line 601, in _prepare_ds
    self._secure_password = password_hash(self._raw_secure_password, bin_dir=slapd['bin_dir'])
  File "/usr/lib/python3.7/site-packages/lib389/passwd.py", line 38, in password_hash
    h = subprocess.check_output([pwdhashbin, pw]).strip()
  File "/usr/lib64/python3.7/subprocess.py", line 395, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.7/subprocess.py", line 487, in run
    output=stdout, stderr=stderr)

2019-05-19T10:25:20Z DEBUG The ipa-server-install command failed, exception: CalledProcessError: Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.
2019-05-19T10:25:20Z ERROR Command '['/usr/bin/pwdhash', '-Nn3hQCxVDMqhorEE22.482Z5tfIDHbElUJR-x5XCxjioK8.WimpAMix8UoJ8.pN1']' returned non-zero exit status 1.
2019-05-19T10:25:20Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

There is a comment in password_generate() about the very same issue but it doesn't address the problem, thus this bug. It would be good, for example, to call random.shuffle(pw) until the first element is not a dash.

While this is easy to prevent I don't see how a dash character could even be in the password since all the candidate characters come from:

string.ascii_letters + string.digits + '.''

abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.

What is the exact version of python-lib389 that is on your system? I suspect this is already fixed but not in the current F30 release of 389.

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

4 months ago
  Installing       : 389-ds-base-1.4.1.2-2.fc30.x86_64                  339/365 

It is the last one available for F30: https://koji.fedoraproject.org/koji/buildinfo?buildID=1240368

It looks like it is fixed already with commit 223846d in master and 389-ds-base-1.4.0 branch. Let's close it when a new build will be available in F30.

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 months ago

Login to comment on this ticket.

Metadata
Attachments 2
Attached 4 months ago View Comment
Attached 4 months ago View Comment