ipa-client-install fails with TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc' #6804

Open
martinpitt opened this issue Aug 28, 2024 · 2 comments

@martinpitt
Member

Downstream report: https://launchpad.net/bugs/2078034

@cockpituous
Contributor

ubuntu-stable
Ooops, it happened again


# ----------------------------------------------------------------------
# testUnqualifiedUsers (__main__.TestIPA.testUnqualifiedUsers)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 127.0.6533.99 (f31af5097d90ef5ae5bd7b8700199bc6189ba34d-refs/branch-heads/6533@{#1910}) on port 42395
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully.
time="2024-08-28T08:50:12Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
userdel: admin mail spool (/var/mail/admin) not found
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
Option --force-ntpd has been deprecated and will be removed in a future release.
Discovery was successful!
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
unable to convert the attribute 'cacertificate;binary' value b'[DER-encoded CA certificate bytes omitted]' to type <class 'cryptography.x509.base.Certificate'>
Cannot obtain CA certificate
'ldap://f0.cockpit.lan' doesn't have a certificate.
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
Some installation state has not been restored.
This may cause re-installation to fail.
It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
 mean your system hasn't been restored to its pre-installation state.
Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
This program will set up IPA client.
Version 4.11.1

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd


Using default chrony configuration.
 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 625, in testUnqualifiedUsers
    super().testUnqualifiedUsers()
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 289, in testUnqualifiedUsers
    m.execute(f"echo {self.admin_password} | realm join -vU {self.admin_user} cockpit.lan", timeout=300)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2401', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%h-%p-%r-18066', '127.0.0.2', 'set -e;', 'echo foobarfoo | realm join -vU admin cockpit.lan')' returned non-zero exit status 1.

Wrote screenshot to TestIPA-testUnqualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testUnqualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.html
Journal extracted to TestIPA-testUnqualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testUnqualifiedUsers-services-127.0.0.2-2402-FAIL.log.gz

# Result testUnqualifiedUsers (__main__.TestIPA.testUnqualifiedUsers) failed
# 1 TEST FAILED [152s on e67fb6cb7f03]
not ok 60 test/verify/check-system-realms TestIPA.testUnqualifiedUsers $2

First occurrence: 2024-08-28T08:51:45.869776+00:00 | revision c27098d
Times recorded: 1
Latest occurrences:

  • 2024-08-28T08:51:45.869776+00:00 | revision c27098d

@cockpituous
Contributor

cockpituous commented Aug 28, 2024

ubuntu-stable
Ooops, it happened again


# ----------------------------------------------------------------------
# testClientCertAuthentication (__main__.TestIPA.testClientCertAuthentication)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 129.0.6668.89 (951c0b97221f8d4ba37cf97d324505c832251cf9-refs/branch-heads/6668@{#1503}) on port 36575
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 36575.
time="2024-12-01T05:12:57Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
+ ipa user-add --first=Alice --last=Developer --shell=/bin/bash alice
+ yes WonderLand123
+ ipa user-mod --password alice
+ ipa user-mod --password-expiration=2030-01-01T00:00:00Z alice
+ openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout /tmp/alice.key -out /tmp/alice.csr -subj /CN=alice
Ignoring -days without -x509; not generating a certificate
...............+.+.....+.......+..+++++++++++++++++++++++++++++++++++++++*........+......+...+++++++++++++++++++++++++++++++++++++++*............+......+.+.....++++++
.+++++++++++++++++++++++++++++++++++++++*...........+...+...+++++++++++++++++++++++++++++++++++++++*..........+....++++++
-----
+ ipa cert-request /tmp/alice.csr --principal=alice --certificate-out=/tmp/alice.pem
+ ipa group-add-member admins --users=alice
+ ipa-advise enable-admins-sudo
+ sh -ex
+ klist
+ '[' 0 -ne 0 ']'
+ ipa hbacrule-show admins_sudo
+ echo HBAC rule admins_sudo already exists
+ ipa sudorule-show admins_all
+ echo SUDO rule admins_all already exists
> warn: Failed to get current crypto policy: not-found ; falling back to /etc/crypto-policies/config
> warn: cockpit.format_{bytes,bits}[_per_sec](..., MiB, [object Object]) is deprecated.
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 729, in testClientCertAuthentication
    self.checkClientCertAuthentication()
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 366, in checkClientCertAuthentication
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.html
Wrote JS log to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.js.log
Journal extracted to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testClientCertAuthentication-services-127.0.0.2-2402-FAIL.log.gz

# Result testClientCertAuthentication (__main__.TestIPA.testClientCertAuthentication) failed
# 1 TEST FAILED [402s on fb0b17bc5aa5]
not ok 57 test/verify/check-system-realms TestIPA.testClientCertAuthentication $2

First occurrence: 2024-12-01T05:19:12.522582+00:00 | revision 8a0031376e7dccc59348c7dad252eef29dc1a08a
Times recorded: 1
Latest occurrences:

  • 2024-12-01T05:19:12.522582+00:00 | revision 8a0031376e7dccc59348c7dad252eef29dc1a08a

# ----------------------------------------------------------------------
# testNegotiate (__main__.TestKerberos.testNegotiate)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 129.0.6668.89 (951c0b97221f8d4ba37cf97d324505c832251cf9-refs/branch-heads/6668@{#1503}) on port 47299
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 47299.
userdel: admin mail spool (/var/mail/admin) not found
time="2024-12-01T05:34:02Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
++ seq 1 20
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 1
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 2
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 3
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 4
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 5
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ break
+ echo foobarfoo
+ realm join -vU admin cockpit.lan
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
Option --force-ntpd has been deprecated and will be removed in a future release.
Discovery was successful!
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
unable to convert the attribute 'cacertificate;binary' value b'[DER-encoded CA certificate bytes omitted]' to type <class 'cryptography.x509.base.Certificate'>
Cannot obtain CA certificate
'ldap://f0.cockpit.lan' doesn't have a certificate.
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
Some installation state has not been restored.
This may cause re-installation to fail.
It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
 mean your system hasn't been restored to its pre-installation state.
Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
This program will set up IPA client.
Version 4.11.1

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd


Using default chrony configuration.
 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed
+ systemctl --quiet is-failed sssd.service
+ journalctl -u realmd.service
+ exit 1
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1046, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1016, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18310', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

Wrote screenshot to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.png
Wrote HTML dump to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.html
Journal extracted to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.log.gz
Journal extracted to TestKerberos-testNegotiate-services-127.0.0.2-2202-FAIL.log.gz

# Result testNegotiate (__main__.TestKerberos.testNegotiate) failed
# 1 TEST FAILED [76s on cd69a0ddc86d]
not ok 61 test/verify/check-system-realms TestKerberos.testNegotiate $2

First occurrence: 2024-12-01T05:34:51.236336+00:00 | revision 2e226058efd13fa742d83c58e58aab62c6f7f44f
Times recorded: 1
Latest occurrences:

  • 2024-12-01T05:34:51.236336+00:00 | revision 2e226058efd13fa742d83c58e58aab62c6f7f44f

# ----------------------------------------------------------------------
# testQualifiedUsers (__main__.TestIPA.testQualifiedUsers)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 129.0.6668.89 (951c0b97221f8d4ba37cf97d324505c832251cf9-refs/branch-heads/6668@{#1503}) on port 32875
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 32875.
time="2024-12-01T05:32:43Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
> warn: Failed to get current crypto policy: not-found ; falling back to /etc/crypto-policies/config
> warn: cockpit.format_{bytes,bits}[_per_sec](..., MiB, [object Object]) is deprecated.
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 130, in testQualifiedUsers
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.html
Wrote JS log to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.js.log
Journal extracted to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testQualifiedUsers-services-127.0.0.2-2402-FAIL.log.gz

# Result testQualifiedUsers (__main__.TestIPA.testQualifiedUsers) failed
# 1 TEST FAILED [376s on cd69a0ddc86d]
not ok 59 test/verify/check-system-realms TestIPA.testQualifiedUsers $2

First occurrence: 2024-12-01T05:38:34.319085+00:00 | revision 2e226058efd13fa742d83c58e58aab62c6f7f44f
Times recorded: 1
Latest occurrences:

  • 2024-12-01T05:38:34.319085+00:00 | revision 2e226058efd13fa742d83c58e58aab62c6f7f44f

# ----------------------------------------------------------------------
# testNegotiate (__main__.TestKerberos.testNegotiate)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 129.0.6668.89 (951c0b97221f8d4ba37cf97d324505c832251cf9-refs/branch-heads/6668@{#1503}) on port 49925
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 49925.
userdel: admin mail spool (/var/mail/admin) not found
time="2024-12-02T08:30:56Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
++ seq 1 20
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 1
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 2
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 3
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 4
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 5
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ sleep 6
+ for x in $(seq 1 20)
+ nslookup -type=SRV _ldap._tcp.cockpit.lan
+ break
+ echo foobarfoo
+ realm join -vU admin cockpit.lan
 * Resolving: _ldap._tcp.cockpit.lan
 * Performing LDAP DSE lookup on: 10.111.112.100
 * Successfully discovered: cockpit.lan
 * Unconditionally checking packages
 * Resolving required packages
 * LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
Option --force-ntpd has been deprecated and will be removed in a future release.
Discovery was successful!
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan
Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
unable to convert the attribute 'cacertificate;binary' value b'...' to type <class 'cryptography.x509.base.Certificate'>
Cannot obtain CA certificate
'ldap://f0.cockpit.lan' doesn't have a certificate.
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
nscd daemon is not installed, skip configuration
nslcd daemon is not installed, skip configuration
Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
Some installation state has not been restored.
This may cause re-installation to fail.
It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
 mean your system hasn't been restored to its pre-installation state.
Client uninstall complete.

The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
This program will set up IPA client.
Version 4.11.1

WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd


Using default chrony configuration.
 ! Running ipa-client-install failed
realm: Couldn't join realm: Running ipa-client-install failed
+ systemctl --quiet is-failed sssd.service
+ journalctl -u realmd.service
+ exit 1
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1046, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1016, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18259', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

Wrote screenshot to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.png
Wrote HTML dump to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.html
Journal extracted to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.log.gz
Journal extracted to TestKerberos-testNegotiate-services-127.0.0.2-2202-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1046, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1016, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18259', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

# Result testNegotiate (__main__.TestKerberos.testNegotiate) failed
# 1 TEST FAILED [83s on 8555673efafb]
not ok 61 test/verify/check-system-realms TestKerberos.testNegotiate $2

First occurrence: 2024-12-02T08:31:52.163391+00:00 | revision 12ebe11436d440ba0323bff7b8a2c4814c86d171
Times recorded: 1
Latest occurrences:

  • 2024-12-02T08:31:52.163391+00:00 | revision 12ebe11436d440ba0323bff7b8a2c4814c86d171

# ----------------------------------------------------------------------
# testQualifiedUsers (__main__.TestIPA.testQualifiedUsers)
Error: unknown connection 'ens15'.
Error: cannot delete unknown connection(s): 'ens15'.
Starting ChromeDriver 129.0.6668.89 (951c0b97221f8d4ba37cf97d324505c832251cf9-refs/branch-heads/6668@{#1503}) on port 44439
Only local connections are allowed.
Please see https://chromedriver.chromium.org/security-considerations for suggestions on keeping ChromeDriver safe.
ChromeDriver was started successfully on port 44439.
time="2024-12-02T08:29:43Z" level=warning msg="The input device is not a TTY. The --tty and --interactive flags might not work properly"
> warn: Failed to get current crypto policy: not-found ; falling back to /etc/crypto-policies/config
> warn: cockpit.format_{bytes,bits}[_per_sec](..., MiB, [object Object]) is deprecated.
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
> info: Object(4)
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 130, in testQualifiedUsers
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.html
Wrote JS log to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.js.log
Journal extracted to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testQualifiedUsers-services-127.0.0.2-2402-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 130, in testQualifiedUsers
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

# Result testQualifiedUsers (__main__.TestIPA.testQualifiedUsers) failed
# 1 TEST FAILED [376s on 8555673efafb]
not ok 59 test/verify/check-system-realms TestIPA.testQualifiedUsers $2

First occurrence: 2024-12-02T08:35:33.316897+00:00 | revision 12ebe11436d440ba0323bff7b8a2c4814c86d171
Times recorded: 1
Latest occurrences:

  • 2024-12-02T08:35:33.316897+00:00 | revision 12ebe11436d440ba0323bff7b8a2c4814c86d171

File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1045, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1015, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18247', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

Wrote screenshot to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.png
Wrote HTML dump to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.html
Journal extracted to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.log.gz
Journal extracted to TestKerberos-testNegotiate-services-127.0.0.2-2202-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1045, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1015, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18247', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

# Result testNegotiate (__main__.TestKerberos.testNegotiate) failed
# 1 TEST FAILED [109s on e9b1a1777937]
not ok 61 test/verify/check-system-realms TestKerberos.testNegotiate $2

First occurrence: 2024-12-02T15:02:13.114076+00:00 | revision f6d055a190486d4aa2a02b0c5406504d1d468591
Times recorded: 1
Latest occurrences:

  • 2024-12-02T15:02:13.114076+00:00 | revision f6d055a190486d4aa2a02b0c5406504d1d468591

b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2301-FAIL.png
Wrote HTML dump to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2301-FAIL.html
Wrote JS log to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2301-FAIL.js.log
Journal extracted to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2301-FAIL.log.gz
Journal extracted to TestIPA-testQualifiedUsers-services-127.0.0.2-2302-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 130, in testQualifiedUsers
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

# Result testQualifiedUsers (__main__.TestIPA.testQualifiedUsers) failed
# 1 TEST FAILED [387s on e9b1a1777937]
not ok 59 test/verify/check-system-realms TestIPA.testQualifiedUsers $2

First occurrence: 2024-12-02T15:05:50.795753+00:00 | revision f6d055a190486d4aa2a02b0c5406504d1d468591
Times recorded: 1
Latest occurrences:

  • 2024-12-02T15:05:50.795753+00:00 | revision f6d055a190486d4aa2a02b0c5406504d1d468591

File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1045, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1015, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18357', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

Wrote screenshot to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.png
Wrote HTML dump to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.html
Journal extracted to TestKerberos-testNegotiate-ubuntu-stable-127.0.0.2-2201-FAIL.log.gz
Journal extracted to TestKerberos-testNegotiate-services-127.0.0.2-2202-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1045, in testNegotiate
    self.configure_kerberos("/etc/cockpit/krb5.keytab")
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 1015, in configure_kerberos
    self.machine.execute(JOIN_SCRIPT % args, timeout=1800)
  File "/work/make-checkout-workdir/bots/machine/machine_core/ssh_connection.py", line 327, in execute
    res = subprocess.run(command_line,
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/subprocess.py", line 571, in run
    raise CalledProcessError(retcode, process.args,
subprocess.CalledProcessError: Command '('env', '-u', 'LANGUAGE', 'LC_ALL=C', 'ssh', '-p', '2201', '-o', 'BatchMode=yes', '-o', 'IdentitiesOnly=yes', '-o', 'PKCS11Provider=none', '-o', 'StrictHostKeyChecking=no', '-o', 'UserKnownHostsFile=/dev/null', '-o', 'LogLevel=ERROR', '-l', 'root', '-o', 'ControlPath=/tmp/.cockpit-test-resources/ssh-%C-18357', '127.0.0.2', 'set -e;', '\nset -ex\n# Wait until zones from LDAP get loaded\nfor x in $(seq 1 20); do\n    if nslookup -type=SRV _ldap._tcp.cockpit.lan; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\nif ! echo \'foobarfoo\' | realm join -vU admin cockpit.lan; then\n    if systemctl --quiet is-failed sssd.service; then\n        systemctl status --lines=100 sssd.service >&2\n    fi\n    journalctl -u realmd.service\n    exit 1\nfi\n\n# On certain OS\'s it takes time for sssd to come up properly\n#   [8347] 1528294262.886088: Sending initial UDP request to dgram 172.27.0.15:88\n#   kinit: Cannot contact any KDC for realm \'COCKPIT.LAN\' while getting initial credentials\nfor x in $(seq 1 20); do\n    if echo \'foobarfoo\' | KRB5_TRACE=/dev/stderr kinit -f [email protected]; then\n        break\n    else\n        sleep $x\n    fi\ndone\n\n# create SPN and keytab for ws\nif type ipa >/dev/null 2>&1; then\n    LC_ALL=C.UTF-8 ipa service-add --ok-as-delegate=true --force HTTP/[email protected]\nelse\n    curl --insecure -s --negotiate -u : \\\n         --header \'Referer: https://services.cockpit.lan/ipa\' \\\n         --header "Content-Type: application/json" \\\n         --header "Accept: application/json" \\\n         --data \'{"params":\n                  [\n                    ["HTTP/[email protected]"],\n                    {"raw": false, "all": false, "version": "2.101",\n                     "force": true, "no_members": false, "ipakrbokasdelegate": true}\n                  ], "method": "service_add", "id": 0}\' \\\n         https://services.cockpit.lan/ipa/json\nfi\nipa-getkeytab -p 
HTTP/x0.cockpit.lan -k /etc/cockpit/krb5.keytab\n\n# HACK: due to sudo\'s "last rule wins", our /etc/sudoers rule becomes trumped by sssd\'s, so swap the order\nsed -i \'/^sudoers:/ s/files sss/sss files/\' /etc/nsswitch.conf\n')' returned non-zero exit status 1.

# Result testNegotiate (__main__.TestKerberos.testNegotiate) failed
# 1 TEST FAILED [84s on 6f2c6524d1dd]
not ok 61 test/verify/check-system-realms TestKerberos.testNegotiate $2

First occurrence: 2024-12-02T15:46:35.286530+00:00 | revision 784c0f3940aadae401db73d2eefc085f718727b4
Times recorded: 1
Latest occurrences:

  • 2024-12-02T15:46:35.286530+00:00 | revision 784c0f3940aadae401db73d2eefc085f718727b4

b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.html
Wrote JS log to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.js.log
Journal extracted to TestIPA-testQualifiedUsers-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testQualifiedUsers-services-127.0.0.2-2402-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 130, in testQualifiedUsers
    b.wait_not_present("#realms-join-dialog")
  File "/work/make-checkout-workdir/test/common/testlib.py", line 831, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
  File "/work/make-checkout-workdir/test/common/testlib.py", line 822, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
  File "/work/make-checkout-workdir/test/common/testlib.py", line 819, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

# Result testQualifiedUsers (__main__.TestIPA.testQualifiedUsers) failed
# 1 TEST FAILED [383s on 6f2c6524d1dd]
not ok 59 test/verify/check-system-realms TestIPA.testQualifiedUsers $2

First occurrence: 2024-12-02T15:50:53.731781+00:00 | revision 784c0f3940aadae401db73d2eefc085f718727b4
Times recorded: 1
Latest occurrences:

  • 2024-12-02T15:50:53.731781+00:00 | revision 784c0f3940aadae401db73d2eefc085f718727b4

raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

Wrote screenshot to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.png
Wrote HTML dump to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.html
Wrote JS log to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.js.log
Journal extracted to TestIPA-testClientCertAuthentication-ubuntu-stable-127.0.0.2-2401-FAIL.log.gz
Journal extracted to TestIPA-testClientCertAuthentication-services-127.0.0.2-2402-FAIL.log.gz
Traceback (most recent call last):
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 728, in testClientCertAuthentication
    self.checkClientCertAuthentication()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/work/make-checkout-workdir/test/verify/check-system-realms", line 365, in checkClientCertAuthentication
    b.wait_not_present("#realms-join-dialog")
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^
  File "/work/make-checkout-workdir/test/common/testlib.py", line 826, in wait_not_present
    self.wait_js_func('!ph_is_present', selector)
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/work/make-checkout-workdir/test/common/testlib.py", line 817, in wait_js_func
    self.wait_js_cond("%s(%s)" % (func, ','.join(map(jsquote, args))))
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/work/make-checkout-workdir/test/common/testlib.py", line 814, in wait_js_cond
    raise Error(f"timeout\nwait_js_cond({cond}): {last_error.msg}") from None
testlib.Error: timeout
wait_js_cond(!ph_is_present("#realms-join-dialog")): Error: condition did not become true

# Result testClientCertAuthentication (__main__.TestIPA.testClientCertAuthentication) failed
# 1 TEST FAILED [399s on baba324713c8]
not ok 57 test/verify/check-system-realms TestIPA.testClientCertAuthentication $2

First occurrence: 2025-01-15T13:40:00.197161+00:00 | revision bea1a450867ad5a8871b72d05db32bad5389de56
Times recorded: 1
Latest occurrences:

  • 2025-01-15T13:40:00.197161+00:00 | revision bea1a450867ad5a8871b72d05db32bad5389de56

martinpitt added a commit to martinpitt/bots that referenced this issue Dec 16, 2024
jelly pushed a commit that referenced this issue Dec 16, 2024