#8622 [Tracker] Nightly test failure (rawhide) with otp tests
Closed: fixed 3 years ago by frenaud. Opened 3 years ago by frenaud.

The nightly tests related to OTP are failing in rawhide, see PR #586:
- test_krbtpolicy.py::TestPWPolicy::test_krbtpolicy_otp (report)
- multiple tests in test_otp.py::TestOTPToken (report).

They all fail when trying OTP authentication:

```
# kinit -n -c /path/to/armor_cache
# kinit -T /path/to/armor_cache otpuser
Enter OTP Token Value: 
kinit: Preauthentication failed while getting initial credentials
```

and the following error is logged in krb5kdc.log:

```
master.ipa.test krb5kdc[31025](info): preauth (otp) verify failure: No such file or directory
```

By using strace on the krb5kdc daemon, we can see that the daemon wants to communicate with ipa-otpd using the unix socket /var/kerberos/run/krb5kdc/DEFAULT.socket, but ipa-otpd is listening on /var/run/krb5kdc/DEFAULT.socket as set in its unit file:

```
# cat /usr/lib/systemd/system/ipa-otpd.socket
[Unit]
Description=ipa-otpd socket

[Socket]
ListenStream=/var/run/krb5kdc/DEFAULT.socket
RemoveOnStop=true
SocketMode=0600
Accept=true

[Install]
WantedBy=krb5kdc.service
```

@rharwood do you know if something changed recently that could explain this new failure?
The issue happens with krb5-server-1.18.3-4.fc34.x86_64 but not with krb5-server-1.18.2-29.fc32.x86_64.
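
The comparison described in the report above (the socket path krb5kdc tries to reach versus the path ipa-otpd listens on), as an added example that is not part of the original ticket or of either project. The function names are hypothetical, and the strace excerpt is constructed in the format strace writes for a failed AF_UNIX connect.

```shell
#!/bin/sh
# Added example (not from the ticket). Sample data below is constructed.

# Print every filesystem path a systemd .socket unit listens on.
listen_paths() {
    sed -n 's/^[[:space:]]*ListenStream[[:space:]]*=[[:space:]]*\(\/.*\)$/\1/p' "$1"
}

# Print the sun_path of every AF_UNIX connect() that failed with ENOENT.
# A path that reaches the listener through a symlink connects successfully,
# so it never shows up here.
failed_unix_connects() {
    sed -n '/connect(.*AF_UNIX.*ENOENT/s/.*sun_path="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Report client paths whose socket file name matches a listener but whose
# full path differs.
socket_mismatches() {
    unit=$1
    trace=$2
    failed_unix_connects "$trace" | while IFS= read -r want; do
        listen_paths "$unit" | while IFS= read -r have; do
            if [ "${want##*/}" = "${have##*/}" ] && [ "$want" != "$have" ]; then
                echo "MISMATCH client=$want listener=$have"
            fi
        done
    done
}

# Constructed inputs: the [Socket] section quoted in the ticket and a strace
# excerpt in the format of `strace -f -o FILE -e trace=connect -p PID`.
write_samples() {
    cat > "$1/ipa-otpd.socket" <<'EOF'
[Socket]
ListenStream=/var/run/krb5kdc/DEFAULT.socket
SocketMode=0600
Accept=true
EOF
    cat > "$1/krb5kdc.strace" <<'EOF'
31025 connect(7, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
31025 connect(9, {sa_family=AF_UNIX, sun_path="/var/kerberos/run/krb5kdc/DEFAULT.socket"}, 42) = -1 ENOENT (No such file or directory)
EOF
}

sample_dir=$(mktemp -d)
write_samples "$sample_dir"
socket_mismatches "$sample_dir/ipa-otpd.socket" "$sample_dir/krb5kdc.strace"
```
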


systemd folks mandated I migrate from hardcoding /var/run to hardcoding /run despite one being a symlink to the other. Unfortunately configuration of this is tricky and I got it slightly wrong. Fix forthcoming.

Do we need to modify the path on ipa-otpd side too?

No change from freeipa should be needed.

Issue can be closed, the latest rawhide run was green: PR #649 with the following report, using krb5-server-1.19-0.beta2.1.fc34.x86_64.
Fedora 32 and Fedora 33 are still shipping krb5-1.18.2-29 which doesn't have the regression.

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
