tasks.create_active_user() failed to set the password for the nonadmin user:
test_integration/test_adtrust_install.py:62: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ pytest_ipa/integration/tasks.py:2000: in create_active_user stdin_text='{0}\n{1}\n{1}\n'.format(temp_password, password)) _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ self = <ipatests.pytest_ipa.integration.host.Host master.ipa.test (master)> argv = ['kinit', 'nonadmin'], set_env = True stdin_text = 'Secret456789\nSecret123\nSecret123\n', log_stdout = True raiseonerr = True, cwd = None, bg = False, encoding = 'utf-8', ok_returncode = 0 def run_command(self, argv, set_env=True, stdin_text=None, log_stdout=True, raiseonerr=True, cwd=None, bg=False, encoding='utf-8', ok_returncode=0): """Wrapper around run_command to log stderr on raiseonerr=True :param ok_returncode: return code considered to be correct, you can pass an integer or sequence of integers """ result = super().run_command( argv, set_env=set_env, stdin_text=stdin_text, log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg, encoding=encoding ) # in FIPS mode SSH may print noise to stderr, remove the string # "FIPS mode initialized" + optional newline. result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes) try: result_ok = result.returncode in ok_returncode except TypeError: result_ok = result.returncode == ok_returncode if not result_ok and raiseonerr: result.log.error('stderr: %s', result.stderr_text) raise subprocess.CalledProcessError( result.returncode, argv, > result.stdout_text, result.stderr_text ) E subprocess.CalledProcessError: Command '['kinit', 'nonadmin']' returned non-zero exit status 1.
[ipatests.pytest_ipa.integration.host.Host.master.cmd62] RUN ['ipa', 'user-add', 'nonadmin', '--first', 'nonadmin', '--last', 'nonadmin', '--password'] [ipatests.pytest_ipa.integration.host.Host.master.cmd62] --------------------- [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Added user "nonadmin" [ipatests.pytest_ipa.integration.host.Host.master.cmd62] --------------------- [ipatests.pytest_ipa.integration.host.Host.master.cmd62] User login: nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] First name: nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Last name: nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Full name: nonadmin nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Display name: nonadmin nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Initials: nn [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Home directory: /home/nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] GECOS: nonadmin nonadmin [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Login shell: /bin/sh [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Principal name: nonadmin@IPA.TEST [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Principal alias: nonadmin@IPA.TEST [ipatests.pytest_ipa.integration.host.Host.master.cmd62] User password expiration: 20200414141937Z [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Email address: nonadmin@ipa.test [ipatests.pytest_ipa.integration.host.Host.master.cmd62] UID: 763800003 [ipatests.pytest_ipa.integration.host.Host.master.cmd62] GID: 763800003 [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Password: True [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Member of groups: ipausers [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Kerberos keys available: True [ipatests.pytest_ipa.integration.host.Host.master.cmd62] Exit code: 0 [ipatests.pytest_ipa.integration.host.Host.master.IPAOpenSSHTransport] RUN ['kinit', 'nonadmin'] [ipatests.pytest_ipa.integration.host.Host.master.cmd63] RUN ['kinit', 'nonadmin'] [ipatests.pytest_ipa.integration.host.Host.master.cmd63] Password for nonadmin@IPA.TEST: [ipatests.pytest_ipa.integration.host.Host.master.cmd63] Password expired. You must change it now. [ipatests.pytest_ipa.integration.host.Host.master.cmd63] Enter new password: [ipatests.pytest_ipa.integration.host.Host.master.cmd63] Enter it again: [ipatests.pytest_ipa.integration.host.Host.master.cmd63] kinit: Password has expired while getting initial credentials [ipatests.pytest_ipa.integration.host.Host.master.cmd63] Exit code: 1 ipa: ERROR: stderr: kinit: Password has expired while getting initial credentials
krb5 logs show:
Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.122.38: CLIENT KEY EXPIRED: nonadmin@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Password has expired Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): closing down fd 4 Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.122.38: NEEDED_PREAUTH: nonadmin@IPA.TEST for kadmin/changepw@IPA.TEST, Additional pre-authentication required Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): closing down fd 4 Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.122.38: ISSUE: authtime 1586873979, etypes {rep=aes256-cts-hmac-sha1-96(18), tkt=aes256-cts-hmac-sha1-96(18), ses=aes256-cts-hmac-sha1-96(18)}, nonadmin@IPA.TEST for kadmin/changepw@IPA.TEST Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): closing down fd 4 Apr 14 14:19:39 master.ipa.test krb5kdc[22870](info): AS_REQ (7 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 192.168.122.38: CLIENT KEY EXPIRED: nonadmin@IPA.TEST for krbtgt/IPA.TEST@IPA.TEST, Password has expired
The behavior is similar to https://pagure.io/freeipa/issue/1793 and is sporadic, re-running the test did not reproduce the issue
For reference: - failed run - green run
Information from @rharwood : - debug information, using KRB5_TRACE from the client on failure, would help - "for whatever reason the client either didn't receive or didn't correctly handle the changepw - perhaps it didn't get the TGT" - maybe "routing issue or perhaps port 749 not being open" - not enough info to have a fix or a good diagnosis
Closing. We don't have enough information for a fix. It if reappears, enable KRB5_TRACE on each client invocation.
Metadata Update from @fcami: - Issue close_status updated to: insufficientinfo - Issue status updated to: Closed (was: Open)
master:
ipa-4-8:
Login to comment on this ticket.