#3742 Change of: User may not run sudo --> a password is required
Closed: Fixed 5 months ago by pcech. Opened 5 months ago by pcech.


Error message changed from:
Sorry, user testuser1 may not run sudo on vm-171-135.
sudo: a password is required

_________ TestSudo.test_sudo_rule_restricted_to_one_hostmask_negative __________

self = <ipatests.test_integration.test_sudo.TestSudo object at 0x7fb1069e5080>

def test_sudo_rule_restricted_to_one_hostmask_negative(self):
result1 = self.list_sudo_commands("testuser1")
assert result1.returncode != 0
> assert "Sorry, user testuser1 may not run sudo on {}.".format(
self.clientname) in result1.stderr_text
E AssertionError: assert 'Sorry, user testuser1 may not run sudo on vm-171-135.' in 'sudo: a password is required\n'
E + where 'Sorry, user testuser1 may not run sudo on vm-171-135.' = <built-in method format of str object at 0x7fb106906bd0>('vm-171-135')
E + where <built-in method format of str object at 0x7fb106906bd0> = 'Sorry, user testuser1 may not run sudo on {}.'.format
E + and 'vm-171-135' = <ipatests.test_integration.test_sudo.TestSudo object at 0x7fb1069e5080>.clientname
E + and 'sudo: a password is required\n' = <pytest_multihost.ssh_command.SSHCommand object at 0x7fb1068d20b8>.stderr_text

test_integration/test_sudo.py:361: AssertionError

It is originaly connected to

And it could be caused by:

Are there any logs the test left behind?

I've talked to @fbarreto and he gave me the following instructions on how to reproduce the issue.
Firstly, we'll need the following patch (f27.patch):

[fidencio@machado ~]$ cat ~/Downloads/f27.patch 
diff --git a/ipavagrant/constants.py b/ipavagrant/constants.py
index ff064b2..3f0361c 100644
--- a/ipavagrant/constants.py
+++ b/ipavagrant/constants.py
@@ -24,7 +24,7 @@ AUTO_DOMAIN_LEVEL = -1

 # please keep ABC order of keys
-    box="f26",
+    box="f27",
@@ -132,13 +132,11 @@ box_mapping = {
             "domain.template": "ipa-Fedora-24-x86_64-developer-brq",
-    "f26": {
+    "f27": {
         "libvirt": {
-            "override.vm.box": "f26",
+            "override.vm.box": "f27",
-                "https://download.fedoraproject.org/pub/fedora/linux/releases/"
-                "26/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-26-1.5"
-                ".x86_64.vagrant-libvirt.box",
+                "http://fedora.c3sl.ufpr.br/linux/releases/27/CloudImages/x86_64/images/Fedora-Cloud-Base-Vagrant-27-1.6.x86_64.vagrant-libvirt.box",
         "virtualbox": {
             "override.vm.box": "box-cutter/fedora26",

And then, just follow:

git clone https://github.com/freeipa/ipa-vagrant-tools/
cd ipa-vagrant-tools
git am f27.patch
./ipa-vagrant-ci-topology-create sudo-test --clients 1 --add-package={freeipa-server,freeipa-server-dns,freeipa-tests} --box f27
cd sudo-test;
ls rpms/
# put here the rpms you want to install
vagrant up
vagrant ssh controller
$IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo::test_sudo_rule_restricted_to_one_hostmask_negative --verbose --logging-level=DEBUG --pdb

He also mentioned that he's not completely sure we can just run the method. In case it fails, we should run the whole tests' class:

$IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo --verbose --logging-level=DEBUG --pdb

@fbarreto, thanks a lot, you saved us some nice amount of time! :-)

The test is failing if you run whole test suite in the vagrant machinery. If you choose just proper test, it pass.

sudo IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py::TestSudo --verbose --logging-level=DEBUG --pdb

Okay, I've bisected SSSD and the faulty patch is 47ad077.

Basically, I will leave up to @pbrezina whether he'd prefer to close this one as a dup of #3733 or not (as, although the regression was not introduced by the same patch, it was introduced by the same series).

@pcech, please, I'd like you to confirm that reverting the patch solves the issue.
The easiest way to test is, after cloning the ipa-vagrant-tools and applying the f27 patch, do:

./ipa-vagrant-ci-topology-create sudo-test --clients 1 --add-package={freeipa-server,freeipa-server-dns,freeipa-tests} --box f27
cd sudo-test;
cd rpms/ && koji download-task 27162149 && rm sssd-1.16.1-8.fc27.20180524083617.pcech.src.rpm && cd -
vagrant up
vagrant ssh controller
# download freeipa, build it ... and the run
IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_sudo.py --verbose --logging-level=DEBUG --pdb

I've just tested here following the steps provided and the test passed.

Metadata Update from @fidencio:
- Issue tagged with: regression

5 months ago

Can you point me to the exact test that failed? Or do we have a manual reproducer?


test_sudo_rule_restricted_to_one_hostmask_negative is the test failing. However, in order to get a failure there you have to run the whole test suit as per https://pagure.io/SSSD/sssd/issue/3742#comment-513462

@fidencio , good news to everyone! The tests are green with rpms provided by Fabiano.

I'll revert the change on Fedora and keep this ticket opened in order to investigate it properly.

As discussed with @pbrezina Today, there may be some issue even on the tests themselves.

Metadata Update from @fidencio:
- Issue assigned to fidencio

5 months ago

Metadata Update from @fidencio:
- Issue tagged with: PR

5 months ago

Metadata Update from @fidencio:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

5 months ago

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

4 months ago

Login to comment on this ticket.