coordination #61780
open[functional][y][epic] test update for yast-samba re 389-ds
Description
The 389-ds ui in yast-auth-server was recently updated to change from openldap -> 389-ds, but then to update the 389-ds module to work with the 389 project's new instance helper tools. This has resulted in a change in the ui which has broken openqa tests in bz https://bugzilla.suse.com/show_bug.cgi?id=1146736
The test previously used the items:
my %ldap_directives = (
fqdn => 'openqa.ldaptest.org',
dir_instance => 'openqatest',
dir_suffix => 'dc=ldaptest,dc=org',
dn_container => 'dc=ldaptest,dc=org',
dir_manager_dn => 'cn=root',
dir_manager_passwd => 'openqatest',
ca_cert_pem => '/root/samba_ca_cert.pem',
srv_cert_key_pkcs12 => '/root/samba_server_cert.p12'
);
However, the ui options have changed slightly. I believe now the items should be:
my %ldap_directives = (
fqdn => "openqa.ldaptest.org"
instance_name => "openqatest"
suffix => "dc=ldaptest,dc=org"
dm_pass => "openqatest"
dm_pass_repeat => "openqatest"
tls_ca => "/root/samba_ca_cert.pem"
tls_p12 => "/root/samba_server_cert.p12"
);
Thanks,
Example of failing job: https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=yast2_ncurses&version=Tumbleweed
In case some other issue after the changes are applied, follow up ticket is created, so it's out of scope of this task.
Acceptance criteria¶
- Test passes with proposed changes or moved to development job group (both for SLES 15 and TW) until https://bugzilla.suse.com/show_bug.cgi?id=1146736 is fixed
- In case of exclusion, there is follow up ticket to re-enable the test, so we don't forget
Files
Updated by mgriessmeier almost 5 years ago
- Subject changed from [openqa] test update for yast-samba re 389-ds to [functional][u][y][openqa] test update for yast-samba re 389-ds
- Category set to Bugs in existing tests
- Target version set to Milestone 30
to be discussed in grooming
Updated by mgriessmeier almost 5 years ago
Updated by okurz almost 5 years ago
- Assignee set to mgriessmeier
@mgriessmeier your PR, needs your action, at least close PR and ask others ;)
Updated by SLindoMansilla over 4 years ago
- Subject changed from [functional][u][y][openqa] test update for yast-samba re 389-ds to [functional][y][openqa] test update for yast-samba re 389-ds
- Assignee deleted (
mgriessmeier)
Updated by riafarov over 4 years ago
- Due date set to 2020-06-16
- Target version changed from Milestone 30 to Milestone 35+
Updated by riafarov over 4 years ago
- Due date changed from 2020-06-16 to 2020-06-02
Updated by riafarov over 4 years ago
- Description updated (diff)
- Status changed from New to Workable
- Estimated time set to 3.00 h
Updated by JRivrain over 4 years ago
- Status changed from Workable to In Progress
The proposed changes only change the variable names used by the test itself, not the values. the PR looks like an aborted re-design of the test, really not sure what was the idea behind. using those variable names obviously does not change anything.
Updated by riafarov over 4 years ago
- Target version changed from Milestone 35+ to SLE 15 SP2
Updated by JRivrain over 4 years ago
I tried to find if we could easily adapt the module, it seems not. It will require more investigation, especially that the bug is not clear and looks like we have a different issue in SLE and TW.
In SLE we have could not find certificate
While in TW we have invalid credentials
PR to disable the module https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/10270
Updated by JRivrain over 4 years ago
- Due date changed from 2020-06-02 to 2020-05-14
- Start date changed from 2020-01-06 to 2020-05-14
en raison d'un changement dans une tâche liée: #66871
Updated by JRivrain over 4 years ago
I renewed the key, but that was not the issue - though at least it allowed me to go ahead. It looks like now we have to use "cn=Directory Manager" instead of "cn=root" : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/62. We see this cn here : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/15.
Also now, we have two new bugs. I'll report them on monday.
Updated by firstyear over 4 years ago
You probably should be checking that connection with Anonymous, not Directory Manager, or another test account, but yes, we removed the ability to change the admin dn :)
Updated by JRivrain over 4 years ago
I reported this https://bugzilla.opensuse.org/show_bug.cgi?id=1172084. As for the bug in SLE, I try to understand why we are using a workaround that does not point to a bug report here https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/536d1fb618b99b81b9b63d8816b4f1e242f1f294/tests/console/yast2_samba.pm#L94.
Collection of bugs for reference:
https://bugzilla.suse.com/show_bug.cgi?id=1117643
https://bugzilla.suse.com/show_bug.cgi?id=1083328
https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5
In those bug reports, it appears that yast2-ldap is pretty much abandoned, and yast2-samba is not maintained by yast team. I wonder if it should be supported at all in these conditions.
Updated by firstyear over 4 years ago
Reading those issues you linked, I think they somewhat fall into my jurisdiction to enable the schema to make this work.
I think that https://bugzilla.opensuse.org/show_bug.cgi?id=1172084, https://bugzilla.suse.com/show_bug.cgi?id=1083328, and https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5 are all the same issue. I believe when I saw and commented on these in the past, I was still very new to SUSE and did not fully understand the context of the bug report, so for that I'm sorry.
1117643 is not related to this, so I think that needs to be looked at seperately.
So I have taken 1083328, and I'll treat that as the BZ that I need to resolve.
I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115
So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.
Updated by JRivrain over 4 years ago
- Status changed from In Progress to Feedback
firstyear wrote:
I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115
So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.
Thanks for the feedback ! I guess we can close https://bugzilla.suse.com/show_bug.cgi?id=1146736 now. We will have to modify our test module as well, as we are doing some workarounds for that issue.
Updated by JRivrain over 4 years ago
- Due date set to 2020-05-27
en raison d'un changement dans une tâche liée: #67363
Updated by firstyear over 4 years ago
Sounds like a plan. And of course, please stay in contact so we can resolve these tests and get it all working. Thanks so much for your patience in this!
Updated by riafarov over 4 years ago
- Due date set to 2020-06-16
due to changes in a related task: #67363
Updated by riafarov over 4 years ago
- Due date changed from 2020-06-16 to 2020-06-30
due to changes in a related task: #66871
Updated by riafarov over 4 years ago
- Subject changed from [functional][y][openqa] test update for yast-samba re 389-ds to [functional][y][epic] test update for yast-samba re 389-ds
Updated by firstyear over 4 years ago
https://pagure.io/389-ds-base/pull-request/51126
Upstream PR made,
Updated by riafarov over 4 years ago
- Due date changed from 2020-06-30 to 2020-07-14
due to changes in a related task: #67363
Updated by JRivrain over 4 years ago
I was asked to explain how the new certificates were generated, so here it is. I adapted the way that it had been done last time, see https://bugzilla.suse.com/show_bug.cgi?id=1088152#c8 though as-is it did not work and needed to be adapted.
I adapted this file https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html
root@~/ca # diff root-config.txt openssl-ca.cnf
13c13
< new_certs_dir = $dir/newcerts
---
> new_certs_dir = $dir/certs
19,20c19,20
< private_key = $dir/private/ca.key.pem
< certificate = $dir/certs/ca.cert.pem
---
> private_key = $dir/private/ca_key.pem
> certificate = $dir/certs/ca_cert.pem
81,86c81,86
< countryName_default = GB
< stateOrProvinceName_default = England
< localityName_default =
< 0.organizationName_default = Alice Ltd
< organizationalUnitName_default =
< emailAddress_default =
---
> countryName_default = DE
> stateOrProvinceName_default = Bayern
> localityName_default = Nuremberg
> 0.organizationName_default = Suse
> organizationalUnitName_default = QA
> emailAddress_default = ca_qa@suse.de
then from my commands history, steps seem to be:
mkdir csr private certs
1. Create a CA
# ca key
openssl genrsa -out private/ca_key.pem
# ca cert
openssl req -config openssl-ca.cnf -key private/ca_key.pem -new -x509 -days 7300 -extensions v3_ca -out certs/ca_cert.pem -nodes
2. Create server key & cert
# server key
openssl genrsa -out private/server_key.pem 2048
#server cert
openssl req -new -config openssl-ca.cnf -key private/server_key.pem -out csr/server_csr.pem -nodes -days 7300
3. Sign server cert by ca
openssl ca -config openssl-ca.cnf -extensions server_cert -days 7300 -notext -md sha256 -in csr/server_csr.pem -out certs/server_cert.pem
4. Export signed server cert & key to pkcs12 format
openssl pkcs12 -export -nodes -CAfile certs/ca_cert.pem -inkey private/server_key.pem -in certs/server_cert.pem -out server_cert.pfx
... rename server key and p12 files and copied to server.
specified empty passwords when possible.
Updated by riafarov over 4 years ago
- Target version changed from SLE 15 SP2 to SLE 15 SP3
Updated by riafarov over 4 years ago
- Due date changed from 2020-07-14 to 2020-10-20
due to changes in a related task: #67363
Updated by JRivrain over 4 years ago
firstyear wrote:
https://pagure.io/389-ds-base/pull-request/51126
Upstream PR made,
Hello @firstyear, I see that the bsc#1172084 is still happening on Tumbleweed - see here https://openqa.opensuse.org/tests/1345057#step/yast2_samba/70 - I guess the upstream PR never reached the required package in OBS ?
Updated by firstyear over 4 years ago
No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(
Updated by JRivrain over 4 years ago
- File dirsrvlog.tar.xz dirsrvlog.tar.xz added
firstyear wrote:
No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(
Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)
Updated by JRivrain over 4 years ago
Following this issue here https://bugzilla.opensuse.org/show_bug.cgi?id=1172084, As the source of issue seem to be still [ 441.942193] ns-slapd[2888]: [26/May/2020:03:26:52.650749532 -0400] - ERR - slapi_entry_schema_check_ext - Entry "sambaDomainName=QA-SAMBA,dc=ldaptest,dc=org" has unknown object class "sambaDomain"
. I can add more logs/info to that report if needed.
Updated by firstyear over 4 years ago
JRivrain wrote:
firstyear wrote:
No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(
Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)
Sorry I missed this update, I have been quite busy lately. I'll investigate shortly. Next time you make a tar though, can you add a top level directory please :)
I started to review this then I immediately realised the issue:
# rpm -qa | grep -i 389-ds
389-ds-1.4.4.3~git0.7b79b89c1-1.3.x86_64
The 1.4.4.4 update is in the feeder project for tumbleweed:
https://build.opensuse.org/package/show/network:ldap/389-ds
So I guess you need to wait for this update to flow through the magic pipeline to arrive to you. I have no idea where it is or how that works because I really don't understand OBS beyond a superficial level, so maybe someone else can help push it along ....
Updated by JRivrain over 4 years ago
Hi, thanks for the update, and sorry for the archive !
Updated by riafarov over 4 years ago
- Has duplicate action #70639: [functional][y] test fails in yast2_samba - Unable to find the Domain Master Browser name QA-WORKGROUP<1b> for the workgroup QA-WORKGROUP. added
Updated by riafarov over 4 years ago
- Due date changed from 2020-10-20 to 2020-11-03
due to changes in a related task: #67363
Updated by szarate about 4 years ago
- Tracker changed from action to coordination
Updated by szarate about 4 years ago
See for the reason of tracker change: http://mailman.suse.de/mailman/private/qa-sle/2020-October/002722.html
Updated by firstyear about 4 years ago
I don't have access to this mailing list I think, so I'm unable to see the reason sorry.
Updated by riafarov about 4 years ago
- Project changed from openQA Tests (public) to qe-yam
- Category deleted (
Bugs in existing tests)
Updated by firstyear about 4 years ago
@szarate can you please forward me the information from the mailing list in question? wbrown at suse.de please.
Updated by JRivrain almost 4 years ago
firstyear wrote:
JRivrain wrote:
firstyear wrote:
No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(
Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)
Sorry I missed this update, I have been quite busy lately. I'll investigate shortly. Next time you make a tar though, can you add a top level directory please :)
I started to review this then I immediately realised the issue:
# rpm -qa | grep -i 389-ds 389-ds-1.4.4.3~git0.7b79b89c1-1.3.x86_64
The 1.4.4.4 update is in the feeder project for tumbleweed:
https://build.opensuse.org/package/show/network:ldap/389-ds
So I guess you need to wait for this update to flow through the magic pipeline to arrive to you. I have no idea where it is or how that works because I really don't understand OBS beyond a superficial level, so maybe someone else can help push it along ....
I see that 389-ds is now in version 1.4.4.9 in Sle 15 sp3 beta 3 (2.0.1 in Tumbleweed) and yet we still see the same bug happening: https://openqa.opensuse.org/tests/1587572#step/yast2_samba/68. Bugs 1177302 and 1172084 have not been updated yet. The errors in the serial output still look identical as in may, I wonder if the certificate I generated back then were actually proper. To be honest I do not understand those error messages.
Updated by JRivrain almost 4 years ago
- File serial0.txt serial0.txt added
Attaching latest serial0.txt
Updated by oorlov over 3 years ago
- Target version changed from SLE 15 SP3 to Current
Updated by JRivrain over 2 years ago
- Status changed from Blocked to In Progress
I fixed the test module https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14620, some test module takes more time than it used to.
Bug reported https://bugzilla.opensuse.org/show_bug.cgi?id=1197896
Updated by JRivrain over 2 years ago
Added the test suite in OSD sle15 development jobgroup and re-created needles, the same bug occurs there. Then once it's fixed, we can put the test suite back in production both on OOO and OSD.
Updated by JRivrain over 2 years ago
- Status changed from In Progress to Blocked
Updated by jgwang about 2 years ago
- Related to action #119662: openldap_to_389ds module failed because of dependency issue added