Project

General

Profile

Actions

coordination #61780

open

[functional][y][epic] test update for yast-samba re 389-ds

Added by firstyear almost 5 years ago. Updated 10 months ago.

Status:
Blocked
Priority:
Normal
Assignee:
Target version:
Start date:
2020-05-14
Due date:
% Done:

100%

Estimated time:
3.00 h

Description

The 389-ds ui in yast-auth-server was recently updated to change from openldap -> 389-ds, but then to update the 389-ds module to work with the 389 project's new instance helper tools. This has resulted in a change in the ui which has broken openqa tests in bz https://bugzilla.suse.com/show_bug.cgi?id=1146736

The test previously used the items:

my %ldap_directives = (
    fqdn                => 'openqa.ldaptest.org',
    dir_instance        => 'openqatest',
    dir_suffix          => 'dc=ldaptest,dc=org',
    dn_container        => 'dc=ldaptest,dc=org',
    dir_manager_dn      => 'cn=root',
    dir_manager_passwd  => 'openqatest',
    ca_cert_pem         => '/root/samba_ca_cert.pem',
    srv_cert_key_pkcs12 => '/root/samba_server_cert.p12'
);

However, the ui options have changed slightly. I believe now the items should be:

my %ldap_directives = (
 fqdn => "openqa.ldaptest.org"
 instance_name => "openqatest"
 suffix => "dc=ldaptest,dc=org"
 dm_pass => "openqatest"
 dm_pass_repeat => "openqatest"
 tls_ca => "/root/samba_ca_cert.pem"
 tls_p12 => "/root/samba_server_cert.p12"
);

Thanks,

Example of failing job: https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=yast2_ncurses&version=Tumbleweed

In case some other issue after the changes are applied, follow up ticket is created, so it's out of scope of this task.

Acceptance criteria

  1. Test passes with proposed changes or moved to development job group (both for SLES 15 and TW) until https://bugzilla.suse.com/show_bug.cgi?id=1146736 is fixed
  2. In case of exclusion, there is follow up ticket to re-enable the test, so we don't forget

Files

dirsrvlog.tar.xz (6.18 KB) dirsrvlog.tar.xz JRivrain, 2020-08-05 16:33
serial0.txt (888 KB) serial0.txt JRivrain, 2021-01-15 15:58

Subtasks 2 (0 open2 closed)

action #66871: [funcional][y] Re-enable samba test module in yast2-ncurses suiteRejected2020-05-14

Actions
action #67363: [functional][y] Remove or adapt workaround for yast2-samba ncurses testRejected2020-05-27

Actions

Related issues 2 (0 open2 closed)

Related to qe-yam - action #119662: openldap_to_389ds module failed because of dependency issueResolvedsyrianidou_sofia2022-11-01

Actions
Has duplicate openQA Tests - action #70639: [functional][y] test fails in yast2_samba - Unable to find the Domain Master Browser name QA-WORKGROUP<1b> for the workgroup QA-WORKGROUP.Rejected2020-08-28

Actions
Actions #1

Updated by mgriessmeier almost 5 years ago

  • Subject changed from [openqa] test update for yast-samba re 389-ds to [functional][u][y][openqa] test update for yast-samba re 389-ds
  • Category set to Bugs in existing tests
  • Target version set to Milestone 30

to be discussed in grooming

Actions #2

Updated by mgriessmeier almost 5 years ago

  • Description updated (diff)
Actions #4

Updated by okurz over 4 years ago

  • Assignee set to mgriessmeier

@mgriessmeier your PR, needs your action, at least close PR and ask others ;)

Actions #5

Updated by SLindoMansilla over 4 years ago

  • Subject changed from [functional][u][y][openqa] test update for yast-samba re 389-ds to [functional][y][openqa] test update for yast-samba re 389-ds
  • Assignee deleted (mgriessmeier)
Actions #6

Updated by riafarov over 4 years ago

  • Due date set to 2020-06-16
  • Target version changed from Milestone 30 to Milestone 35+
Actions #7

Updated by riafarov over 4 years ago

  • Due date changed from 2020-06-16 to 2020-06-02
Actions #8

Updated by riafarov over 4 years ago

  • Priority changed from Normal to High
Actions #9

Updated by riafarov over 4 years ago

  • Description updated (diff)
  • Status changed from New to Workable
  • Estimated time set to 3.00 h
Actions #10

Updated by JRivrain over 4 years ago

  • Assignee set to JRivrain
Actions #11

Updated by JRivrain over 4 years ago

  • Status changed from Workable to In Progress

The proposed changes only change the variable names used by the test itself, not the values. the PR looks like an aborted re-design of the test, really not sure what was the idea behind. using those variable names obviously does not change anything.

Actions #12

Updated by riafarov over 4 years ago

  • Target version changed from Milestone 35+ to SLE 15 SP2
Actions #13

Updated by JRivrain over 4 years ago

I tried to find if we could easily adapt the module, it seems not. It will require more investigation, especially that the bug is not clear and looks like we have a different issue in SLE and TW.
In SLE we have could not find certificate
While in TW we have invalid credentials

PR to disable the module https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/10270

Actions #14

Updated by JRivrain over 4 years ago

  • Due date changed from 2020-06-02 to 2020-05-14
  • Start date changed from 2020-01-06 to 2020-05-14

en raison d'un changement dans une tâche liée: #66871

Actions #15

Updated by JRivrain over 4 years ago

I renewed the key, but that was not the issue - though at least it allowed me to go ahead. It looks like now we have to use "cn=Directory Manager" instead of "cn=root" : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/62. We see this cn here : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/15.
Also now, we have two new bugs. I'll report them on monday.

Actions #16

Updated by firstyear over 4 years ago

You probably should be checking that connection with Anonymous, not Directory Manager, or another test account, but yes, we removed the ability to change the admin dn :)

Actions #17

Updated by JRivrain over 4 years ago

I reported this https://bugzilla.opensuse.org/show_bug.cgi?id=1172084. As for the bug in SLE, I try to understand why we are using a workaround that does not point to a bug report here https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/536d1fb618b99b81b9b63d8816b4f1e242f1f294/tests/console/yast2_samba.pm#L94.

Collection of bugs for reference:
https://bugzilla.suse.com/show_bug.cgi?id=1117643
https://bugzilla.suse.com/show_bug.cgi?id=1083328
https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5

In those bug reports, it appears that yast2-ldap is pretty much abandoned, and yast2-samba is not maintained by yast team. I wonder if it should be supported at all in these conditions.

Actions #18

Updated by firstyear over 4 years ago

Reading those issues you linked, I think they somewhat fall into my jurisdiction to enable the schema to make this work.

I think that https://bugzilla.opensuse.org/show_bug.cgi?id=1172084, https://bugzilla.suse.com/show_bug.cgi?id=1083328, and https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5 are all the same issue. I believe when I saw and commented on these in the past, I was still very new to SUSE and did not fully understand the context of the bug report, so for that I'm sorry.

1117643 is not related to this, so I think that needs to be looked at seperately.

So I have taken 1083328, and I'll treat that as the BZ that I need to resolve.

I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115

So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.

Actions #19

Updated by JRivrain over 4 years ago

  • Status changed from In Progress to Feedback

firstyear wrote:

I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115

So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.

Thanks for the feedback ! I guess we can close https://bugzilla.suse.com/show_bug.cgi?id=1146736 now. We will have to modify our test module as well, as we are doing some workarounds for that issue.

Actions #20

Updated by JRivrain over 4 years ago

  • Due date set to 2020-05-27

en raison d'un changement dans une tâche liée: #67363

Actions #21

Updated by firstyear over 4 years ago

Sounds like a plan. And of course, please stay in contact so we can resolve these tests and get it all working. Thanks so much for your patience in this!

Actions #22

Updated by riafarov over 4 years ago

  • Due date set to 2020-06-16

due to changes in a related task: #67363

Actions #23

Updated by riafarov over 4 years ago

  • Due date changed from 2020-06-16 to 2020-06-30

due to changes in a related task: #66871

Actions #24

Updated by riafarov over 4 years ago

  • Subject changed from [functional][y][openqa] test update for yast-samba re 389-ds to [functional][y][epic] test update for yast-samba re 389-ds
Actions #26

Updated by riafarov over 4 years ago

  • Due date changed from 2020-06-30 to 2020-07-14

due to changes in a related task: #67363

Actions #27

Updated by JRivrain over 4 years ago

I was asked to explain how the new certificates were generated, so here it is. I adapted the way that it had been done last time, see https://bugzilla.suse.com/show_bug.cgi?id=1088152#c8 though as-is it did not work and needed to be adapted.

I adapted this file https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html

root@~/ca # diff root-config.txt openssl-ca.cnf

13c13
< new_certs_dir     = $dir/newcerts
---
> new_certs_dir     = $dir/certs
19,20c19,20
< private_key       = $dir/private/ca.key.pem
< certificate       = $dir/certs/ca.cert.pem
---
> private_key       = $dir/private/ca_key.pem
> certificate       = $dir/certs/ca_cert.pem
81,86c81,86
< countryName_default             = GB
< stateOrProvinceName_default     = England
< localityName_default            =
< 0.organizationName_default      = Alice Ltd
< organizationalUnitName_default  =
< emailAddress_default            =
---
> countryName_default             = DE
> stateOrProvinceName_default     = Bayern
> localityName_default            = Nuremberg
> 0.organizationName_default      = Suse
> organizationalUnitName_default  = QA
> emailAddress_default            = ca_qa@suse.de

then from my commands history, steps seem to be:

mkdir csr private certs

1. Create a CA
# ca key
openssl genrsa -out private/ca_key.pem
# ca cert
openssl req -config openssl-ca.cnf -key private/ca_key.pem -new -x509 -days 7300 -extensions v3_ca -out certs/ca_cert.pem -nodes

2. Create server key & cert
# server key
 openssl genrsa -out private/server_key.pem 2048
#server cert
openssl req -new -config openssl-ca.cnf -key private/server_key.pem -out csr/server_csr.pem -nodes -days 7300

3. Sign server cert by ca
openssl ca -config openssl-ca.cnf -extensions server_cert -days 7300 -notext -md sha256 -in csr/server_csr.pem -out certs/server_cert.pem

4. Export signed server cert & key to pkcs12 format
openssl pkcs12 -export -nodes -CAfile certs/ca_cert.pem -inkey private/server_key.pem -in certs/server_cert.pem -out server_cert.pfx

... rename server key and p12 files and copied to server.
specified empty passwords when possible.

Actions #28

Updated by riafarov over 4 years ago

  • Target version changed from SLE 15 SP2 to SLE 15 SP3
Actions #29

Updated by riafarov over 4 years ago

  • Due date changed from 2020-07-14 to 2020-10-20

due to changes in a related task: #67363

Actions #30

Updated by JRivrain over 4 years ago

firstyear wrote:

https://pagure.io/389-ds-base/pull-request/51126

Upstream PR made,

Hello @firstyear, I see that the bsc#1172084 is still happening on Tumbleweed - see here https://openqa.opensuse.org/tests/1345057#step/yast2_samba/70 - I guess the upstream PR never reached the required package in OBS ?

Actions #31

Updated by firstyear over 4 years ago

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

Actions #32

Updated by JRivrain over 4 years ago

firstyear wrote:

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)

Actions #33

Updated by JRivrain over 4 years ago

Following this issue here https://bugzilla.opensuse.org/show_bug.cgi?id=1172084, As the source of issue seem to be still [ 441.942193] ns-slapd[2888]: [26/May/2020:03:26:52.650749532 -0400] - ERR - slapi_entry_schema_check_ext - Entry "sambaDomainName=QA-SAMBA,dc=ldaptest,dc=org" has unknown object class "sambaDomain". I can add more logs/info to that report if needed.

Actions #34

Updated by firstyear over 4 years ago

JRivrain wrote:

firstyear wrote:

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)

Sorry I missed this update, I have been quite busy lately. I'll investigate shortly. Next time you make a tar though, can you add a top level directory please :)

I started to review this then I immediately realised the issue:

# rpm -qa | grep -i 389-ds
389-ds-1.4.4.3~git0.7b79b89c1-1.3.x86_64

The 1.4.4.4 update is in the feeder project for tumbleweed:

https://build.opensuse.org/package/show/network:ldap/389-ds

So I guess you need to wait for this update to flow through the magic pipeline to arrive to you. I have no idea where it is or how that works because I really don't understand OBS beyond a superficial level, so maybe someone else can help push it along ....

Actions #35

Updated by JRivrain over 4 years ago

Hi, thanks for the update, and sorry for the archive !

Actions #36

Updated by riafarov over 4 years ago

  • Has duplicate action #70639: [functional][y] test fails in yast2_samba - Unable to find the Domain Master Browser name QA-WORKGROUP<1b> for the workgroup QA-WORKGROUP. added
Actions #37

Updated by riafarov about 4 years ago

  • Due date changed from 2020-10-20 to 2020-11-03

due to changes in a related task: #67363

Actions #38

Updated by szarate about 4 years ago

  • Tracker changed from action to coordination
Actions #40

Updated by firstyear about 4 years ago

I don't have access to this mailing list I think, so I'm unable to see the reason sorry.

Actions #41

Updated by riafarov about 4 years ago

  • Project changed from openQA Tests to qe-yam
  • Category deleted (Bugs in existing tests)
Actions #42

Updated by riafarov about 4 years ago

  • Status changed from Feedback to Blocked
Actions #43

Updated by firstyear about 4 years ago

@szarate can you please forward me the information from the mailing list in question? wbrown at suse.de please.

Actions #44

Updated by JRivrain almost 4 years ago

firstyear wrote:

JRivrain wrote:

firstyear wrote:

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)

Sorry I missed this update, I have been quite busy lately. I'll investigate shortly. Next time you make a tar though, can you add a top level directory please :)

I started to review this then I immediately realised the issue:

# rpm -qa | grep -i 389-ds
389-ds-1.4.4.3~git0.7b79b89c1-1.3.x86_64

The 1.4.4.4 update is in the feeder project for tumbleweed:

https://build.opensuse.org/package/show/network:ldap/389-ds

So I guess you need to wait for this update to flow through the magic pipeline to arrive to you. I have no idea where it is or how that works because I really don't understand OBS beyond a superficial level, so maybe someone else can help push it along ....

I see that 389-ds is now in version 1.4.4.9 in Sle 15 sp3 beta 3 (2.0.1 in Tumbleweed) and yet we still see the same bug happening: https://openqa.opensuse.org/tests/1587572#step/yast2_samba/68. Bugs 1177302 and 1172084 have not been updated yet. The errors in the serial output still look identical as in may, I wonder if the certificate I generated back then were actually proper. To be honest I do not understand those error messages.

Actions #45

Updated by JRivrain almost 4 years ago

Attaching latest serial0.txt

Actions #46

Updated by oorlov over 3 years ago

  • Target version changed from SLE 15 SP3 to Current
Actions #47

Updated by JRivrain over 2 years ago

  • Status changed from Blocked to In Progress

I fixed the test module https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/14620, some test module takes more time than it used to.
Bug reported https://bugzilla.opensuse.org/show_bug.cgi?id=1197896

Actions #48

Updated by JRivrain over 2 years ago

Added the test suite in OSD sle15 development jobgroup and re-created needles, the same bug occurs there. Then once it's fixed, we can put the test suite back in production both on OOO and OSD.

Actions #49

Updated by JRivrain over 2 years ago

  • Status changed from In Progress to Blocked
Actions #50

Updated by jgwang about 2 years ago

  • Related to action #119662: openldap_to_389ds module failed because of dependency issue added
Actions

Also available in: Atom PDF