Project

General

Profile

action #61780

[functional][y][epic] test update for yast-samba re 389-ds

Added by firstyear 7 months ago. Updated 1 day ago.

Status:
Feedback
Priority:
Normal
Assignee:
Category:
Bugs in existing tests
Target version:
SUSE QA tests - SLE 15 SP3
Start date:
2020-05-14
Due date:
2020-10-20
% Done:

0%

Estimated time:
3.00 h
Difficulty:
Duration: 114

Description

The 389-ds ui in yast-auth-server was recently updated to change from openldap -> 389-ds, but then to update the 389-ds module to work with the 389 project's new instance helper tools. This has resulted in a change in the ui which has broken openqa tests in bz https://bugzilla.suse.com/show_bug.cgi?id=1146736

The test previously used the items:

my %ldap_directives = (
    fqdn                => 'openqa.ldaptest.org',
    dir_instance        => 'openqatest',
    dir_suffix          => 'dc=ldaptest,dc=org',
    dn_container        => 'dc=ldaptest,dc=org',
    dir_manager_dn      => 'cn=root',
    dir_manager_passwd  => 'openqatest',
    ca_cert_pem         => '/root/samba_ca_cert.pem',
    srv_cert_key_pkcs12 => '/root/samba_server_cert.p12'
);

However, the ui options have changed slightly. I believe now the items should be:

my %ldap_directives = (
 fqdn => "openqa.ldaptest.org"
 instance_name => "openqatest"
 suffix => "dc=ldaptest,dc=org"
 dm_pass => "openqatest"
 dm_pass_repeat => "openqatest"
 tls_ca => "/root/samba_ca_cert.pem"
 tls_p12 => "/root/samba_server_cert.p12"
);

Thanks,

Example of failing job: https://openqa.opensuse.org/tests/latest?arch=x86_64&distri=opensuse&flavor=DVD&machine=64bit&test=yast2_ncurses&version=Tumbleweed

In case some other issue after the changes are applied, follow up ticket is created, so it's out of scope of this task.

Acceptance criteria

  1. Test passes with proposed changes or moved to development job group (both for SLES 15 and TW) until https://bugzilla.suse.com/show_bug.cgi?id=1146736 is fixed
  2. In case of exclusion, there is follow up ticket to re-enable the test, so we don't forget
dirsrvlog.tar.xz (6.18 KB) dirsrvlog.tar.xz JRivrain, 2020-08-05 16:33

Subtasks

action #66871: [funcional][y] Re-enable samba test module in yast2-ncurses suiteBlocked

action #67363: [functional][y] Remove or adapt workaround for yast2-samba ncurses testBlockedriafarov

History

#1 Updated by mgriessmeier 7 months ago

  • Subject changed from [openqa] test update for yast-samba re 389-ds to [functional][u][y][openqa] test update for yast-samba re 389-ds
  • Category set to Bugs in existing tests
  • Target version set to Milestone 30

to be discussed in grooming

#2 Updated by mgriessmeier 7 months ago

  • Description updated (diff)

#4 Updated by okurz 5 months ago

  • Assignee set to mgriessmeier

mgriessmeier your PR, needs your action, at least close PR and ask others ;)

#5 Updated by SLindoMansilla 3 months ago

  • Subject changed from [functional][u][y][openqa] test update for yast-samba re 389-ds to [functional][y][openqa] test update for yast-samba re 389-ds
  • Assignee deleted (mgriessmeier)

#6 Updated by riafarov 3 months ago

  • Due date set to 2020-06-16
  • Target version changed from Milestone 30 to Milestone 35+

#7 Updated by riafarov 3 months ago

  • Due date changed from 2020-06-16 to 2020-06-02

#8 Updated by riafarov 3 months ago

  • Priority changed from Normal to High

#9 Updated by riafarov 3 months ago

  • Description updated (diff)
  • Status changed from New to Workable
  • Estimated time set to 3.00 h

#10 Updated by JRivrain 3 months ago

  • Assignee set to JRivrain

#11 Updated by JRivrain 3 months ago

  • Status changed from Workable to In Progress

The proposed changes only change the variable names used by the test itself, not the values. the PR looks like an aborted re-design of the test, really not sure what was the idea behind. using those variable names obviously does not change anything.

#12 Updated by riafarov 3 months ago

  • Target version changed from Milestone 35+ to SLE 15 SP2

#13 Updated by JRivrain 3 months ago

I tried to find if we could easily adapt the module, it seems not. It will require more investigation, especially that the bug is not clear and looks like we have a different issue in SLE and TW.
In SLE we have could not find certificate
While in TW we have invalid credentials

PR to disable the module https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/10270

#14 Updated by JRivrain 3 months ago

  • Due date changed from 2020-06-02 to 2020-05-14
  • Start date changed from 2020-01-06 to 2020-05-14

en raison d'un changement dans une tâche liée: #66871

#15 Updated by JRivrain 3 months ago

I renewed the key, but that was not the issue - though at least it allowed me to go ahead. It looks like now we have to use "cn=Directory Manager" instead of "cn=root" : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/62. We see this cn here : https://openqa.opensuse.org/tests/1275011#step/yast2_samba/15.
Also now, we have two new bugs. I'll report them on monday.

#16 Updated by firstyear 2 months ago

You probably should be checking that connection with Anonymous, not Directory Manager, or another test account, but yes, we removed the ability to change the admin dn :)

#17 Updated by JRivrain 2 months ago

I reported this https://bugzilla.opensuse.org/show_bug.cgi?id=1172084. As for the bug in SLE, I try to understand why we are using a workaround that does not point to a bug report here https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/536d1fb618b99b81b9b63d8816b4f1e242f1f294/tests/console/yast2_samba.pm#L94.

Collection of bugs for reference:
https://bugzilla.suse.com/show_bug.cgi?id=1117643
https://bugzilla.suse.com/show_bug.cgi?id=1083328
https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5

In those bug reports, it appears that yast2-ldap is pretty much abandoned, and yast2-samba is not maintained by yast team. I wonder if it should be supported at all in these conditions.

#18 Updated by firstyear 2 months ago

Reading those issues you linked, I think they somewhat fall into my jurisdiction to enable the schema to make this work.

I think that https://bugzilla.opensuse.org/show_bug.cgi?id=1172084, https://bugzilla.suse.com/show_bug.cgi?id=1083328, and https://bugzilla.suse.com/show_bug.cgi?id=1068900#c5 are all the same issue. I believe when I saw and commented on these in the past, I was still very new to SUSE and did not fully understand the context of the bug report, so for that I'm sorry.

1117643 is not related to this, so I think that needs to be looked at seperately.

So I have taken 1083328, and I'll treat that as the BZ that I need to resolve.

I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115

So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.

#19 Updated by JRivrain 2 months ago

  • Status changed from In Progress to Feedback

firstyear wrote:

I have also opened the following upstream issue: https://pagure.io/389-ds-base/issue/51115

So leave this up to me, I will resolve it hopefully in the next week, and then pending an upstream patch release we can get it into SLE proper ASAP.

Thanks for the feedback ! I guess we can close https://bugzilla.suse.com/show_bug.cgi?id=1146736 now. We will have to modify our test module as well, as we are doing some workarounds for that issue.

#20 Updated by JRivrain 2 months ago

  • Due date set to 2020-05-27

en raison d'un changement dans une tâche liée: #67363

#21 Updated by firstyear 2 months ago

Sounds like a plan. And of course, please stay in contact so we can resolve these tests and get it all working. Thanks so much for your patience in this!

#22 Updated by riafarov 2 months ago

  • Due date set to 2020-06-16

due to changes in a related task: #67363

#23 Updated by riafarov 2 months ago

  • Due date changed from 2020-06-16 to 2020-06-30

due to changes in a related task: #66871

#24 Updated by riafarov 2 months ago

  • Subject changed from [functional][y][openqa] test update for yast-samba re 389-ds to [functional][y][epic] test update for yast-samba re 389-ds

#26 Updated by riafarov about 2 months ago

  • Due date changed from 2020-06-30 to 2020-07-14

due to changes in a related task: #67363

#27 Updated by JRivrain about 1 month ago

I was asked to explain how the new certificates were generated, so here it is. I adapted the way that it had been done last time, see https://bugzilla.suse.com/show_bug.cgi?id=1088152#c8 though as-is it did not work and needed to be adapted.

I adapted this file https://jamielinux.com/docs/openssl-certificate-authority/appendix/root-configuration-file.html

root@~/ca # diff root-config.txt openssl-ca.cnf

13c13
< new_certs_dir     = $dir/newcerts
---
> new_certs_dir     = $dir/certs
19,20c19,20
< private_key       = $dir/private/ca.key.pem
< certificate       = $dir/certs/ca.cert.pem
---
> private_key       = $dir/private/ca_key.pem
> certificate       = $dir/certs/ca_cert.pem
81,86c81,86
< countryName_default             = GB
< stateOrProvinceName_default     = England
< localityName_default            =
< 0.organizationName_default      = Alice Ltd
< organizationalUnitName_default  =
< emailAddress_default            =
---
> countryName_default             = DE
> stateOrProvinceName_default     = Bayern
> localityName_default            = Nuremberg
> 0.organizationName_default      = Suse
> organizationalUnitName_default  = QA
> emailAddress_default            = ca_qa@suse.de

then from my commands history, steps seem to be:

mkdir csr private certs

1. Create a CA
# ca key
openssl genrsa -out private/ca_key.pem
# ca cert
openssl req -config openssl-ca.cnf -key private/ca_key.pem -new -x509 -days 7300 -extensions v3_ca -out certs/ca_cert.pem -nodes

2. Create server key & cert
# server key
 openssl genrsa -out private/server_key.pem 2048
#server cert
openssl req -new -config openssl-ca.cnf -key private/server_key.pem -out csr/server_csr.pem -nodes -days 7300

3. Sign server cert by ca
openssl ca -config openssl-ca.cnf -extensions server_cert -days 7300 -notext -md sha256 -in csr/server_csr.pem -out certs/server_cert.pem

4. Export signed server cert & key to pkcs12 format
openssl pkcs12 -export -nodes -CAfile certs/ca_cert.pem -inkey private/server_key.pem -in certs/server_cert.pem -out server_cert.pfx

... rename server key and p12 files and copied to server.
specified empty passwords when possible.

#28 Updated by riafarov 29 days ago

  • Target version changed from SLE 15 SP2 to SLE 15 SP3

#29 Updated by riafarov 23 days ago

  • Due date changed from 2020-07-14 to 2020-10-20

due to changes in a related task: #67363

#30 Updated by JRivrain 8 days ago

firstyear wrote:

https://pagure.io/389-ds-base/pull-request/51126

Upstream PR made,

Hello firstyear, I see that the bsc#1172084 is still happening on Tumbleweed - see here https://openqa.opensuse.org/tests/1345057#step/yast2_samba/70 - I guess the upstream PR never reached the required package in OBS ?

#31 Updated by firstyear 8 days ago

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

#32 Updated by JRivrain 1 day ago

firstyear wrote:

No, 1.4.4.4 is in tumbleweed, so this must be a different error. I'd need to see the content of /var/log/dirsrv, journalctl -b, the yast logs, and probably rpm -qa to know what's going wrong here ... :(

Attached dirsrv logs, and you will find all the rest here https://openqa.opensuse.org/tests/1352957/file/yast2_samba-y2logs.tar.bz2. It may be (again) that we are doing something wrong on our side... I'll also try to see if I see something obvious, though I think you know a lot more about the matter, so your help is greatly appreciated here :)

Also available in: Atom PDF