Bug 1364113 - ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
Summary: ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Er...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Kaleem
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-08-04 13:49 UTC by Sudhir Menon
Modified: 2016-11-04 06:00 UTC (History)

Fixed In Version: ipa-4.4.0-8.el7
Doc Type: Bug Fix
Doc Text:
`ipa` commands no longer fail when the user does not have a home directory in IdM

Previously, when Identity Management (IdM) was unable to create a cache directory at `~/.cache/ipa` in the home directory, all `ipa` commands failed. This situation occurred, for example, when the user did not have a home directory. With this update, IdM is able to continue working even when it cannot create or access the cache. Note that in such situations, `ipa` commands can take a long time to complete because all metadata must be downloaded repeatedly.
Clone Of:
Environment:
Last Closed: 2016-11-04 06:00:15 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-08-04 13:49:22 UTC
Description of problem: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible: Always

Steps to Reproduce:
ipa-password module throws permission denied error.

Actual results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: grouppolicy check length maximum value
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 02:02:28 ] :: check upper bound of length setting
        |:: [ 02:02:29 ] :: [Local_KinitAsAdmin] success
        |:: [  BEGIN   ] :: create group [test_group], desc=[test group] :: actually running 'ipa group-add test_group --desc "test group"'
        |------------------------
        |Added group "test_group"
        |------------------------
        |  Group name: test_group
        |  Description: test group
        |  GID: 1066000105
        |:: [   PASS   ] :: create group [test_group], desc=[test group] (Expected 0, got 0)
:: [ 02:02:33 ] :: [Local_KinitAsAdmin] success
ipa: ERROR: test_group: password policy not found
:: [ 02:02:36 ] :: [Local_KinitAsAdmin] success
:: [ 02:02:39 ] :: [reset_group_pwpolicy] success
:: [ 02:02:39 ] :: disable other password policy constrains
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [ 02:02:39 ] :: [Local_KinitAsAdmin] success
  Group: test_group
  Max lifetime (days): 60
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 10
  Priority: 6
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0
:: [  BEGIN   ] :: Running '/usr/bin/kdestroy -qA '
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [ 02:02:43 ] :: precondition: minlife=[0] minclasses=[0] history=[0]
:: [ 02:02:43 ] :: [Local_KinitAsAdmin] success
:: [ 02:02:48 ] :: [add_test_user] success
        |:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
        |:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
        |:: [ 02:02:49 ] :: [Local_KinitAsAdmin] success
        |:: [ 02:02:51 ] :: add user [test_user] as member of group [test_group]: ipa group-add-member test_group --users=test_user
        |:: [  BEGIN   ] :: Running 'ipa group-add-member test_group --users=test_user'
        |  Group name: test_group
        |  Description: test group
        |  GID: 1066000105
        |  Member users: test_user
        |-------------------------
        |Number of members added 1
        |-------------------------
        |:: [   PASS   ] :: Command 'ipa group-add-member test_group --users=test_user' (Expected 0, got 0)
:: [ 02:02:52 ] :: there is no real upper-bound of password length, I will try some bigger but resonable number here [30]
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [ 02:02:53 ] :: [Local_KinitAsAdmin] success
        |+------- begining of [/tmp/tmp.XdIHwlAMTh/grouppwupperbound.23518.out] -----------+
        |  Group: test_group
        |  Max lifetime (days): 60
        |  Min lifetime (hours): 0
        |  History size: 0
        |  Character classes: 0
        |  Min length: 30
        |  Priority: 6
        |  Max failures: 0
        |  Failure reset interval: 0
        |  Lockout duration: 0
        |+------------ end of [/tmp/tmp.XdIHwlAMTh/grouppwupperbound.23518.out] -----------+
:: [  BEGIN   ] :: Running '/usr/bin/kdestroy -qA '
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [ 02:02:56 ] :: len=[30] edge=[30]
:: [ 02:02:56 ] :: minlength=[30], now continue test
:: [ 02:02:56 ] :: minlength=[30], current len [29],password=[eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,]
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [  BEGIN   ] :: validating current password :: actually running 'echo Password_123 | sudo -u test_user kinit test_user 2>&1 >/dev/null'
:: [   PASS   ] :: validating current password (Expected 0, got 0)
      [change_password_through_pam_stack] change password for user: [test_user] [Password_123] --> [eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,] pam-stack: localUser[test_user]
      [change_password_through_pam_stack] found kerberos for user [test_user], test continue pam-stack: localUser[test_user]
        |+------- begining of [[change_password_through_pam_stack] ready to execute exp file [/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp]] -----------+
        |set timeout 5
        |set force_conservative 0
        |set send_slow {1 .001}
        |spawn sudo -u test_user ipa passwd test_user
        |expect "Current Password: "
        |send Password_123\r
        |expect "New Password: "
        |send eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,\r
        |expect "Enter New Password again to verify: "
        |send eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,\r
        |expect eof
        |+------------ end of [[change_password_through_pam_stack] ready to execute exp file [/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp]] -----------+
send: spawn id exp5 not open
    while executing
"send Password_123\r"
    (file "/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp" line 6)
        |+------- begining of [[change_password_through_pam_stack] output of exp file execution] -----------+
        |spawn sudo -u test_user ipa passwd test_user
        |ipa: ERROR: Could not create log_dir u'/home/test_user/.ipa/log'
        |ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
        |Traceback (most recent call last):
        |  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1347, in run
        |    api.finalize()
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 701, in finalize
        |    self.__do_if_not_done('load_plugins')
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 416, in __do_if_not_done
        |    getattr(self, name)()
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 579, in load_plugins
        |    for package in self.packages:
        |  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
        |    ipaclient.remote_plugins.get_package(self),
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 17, in get_package
        |    plugins = schema.get_package(api, client)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 494, in get_package
        |    fingerprint = str(schema['fingerprint'])
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 443, in __getitem__
        |    self._ensure_cached()
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 422, in _ensure_cached
        |    (fp, exp) = self._get_schema()
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 390, in _get_schema
        |    self._store(fp, schema)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 453, in _store
        |    _ensure_dir_created(SCHEMA_DIR)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 283, in _ensure_dir_created
        |    "".format(e))
        |RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
        |ipa: ERROR: an internal error has occurred
        |+------------ end of [[change_password_through_pam_stack] output of exp file execution] -----------+

Expected results:
Need to fix the issue.
 
Additional info: This issue was seen for many of the testcases which ran in beaker job for ipa-password module.
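
The Doc Text above describes the fixed behaviour: a cache directory that cannot be created is skipped rather than aborting the command, as `_ensure_dir_created` did in the traceback. The following Python 3 sketch of that best-effort pattern is an added example, not FreeIPA's code; `load_cached`, `store_cached`, `get_schema`, `count_downloads` and the fingerprint `abc123` are hypothetical names and constructed values.

```python
import json
import os
import tempfile


def load_cached(cache_dir, fingerprint):
    try:
        with open(os.path.join(cache_dir, fingerprint)) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None  # missing, unreadable or corrupt entry is a cache miss


def store_cached(cache_dir, fingerprint, schema):
    try:
        os.makedirs(cache_dir, mode=0o700, exist_ok=True)
        # Write to a temp file, then rename, so readers never see a partial entry.
        fd, tmp = tempfile.mkstemp(dir=cache_dir)
        with os.fdopen(fd, "w") as f:
            json.dump(schema, f)
        os.replace(tmp, os.path.join(cache_dir, fingerprint))
        return True
    except OSError:
        return False  # cache location unusable: caller keeps running uncached


def get_schema(cache_dir, fingerprint, download):
    schema = load_cached(cache_dir, fingerprint)
    if schema is None:
        schema = download()
        store_cached(cache_dir, fingerprint, schema)  # failure here is not fatal
    return schema


def count_downloads(cache_dir, runs=3):
    """Downloads needed for `runs` consecutive commands (constructed stand-in)."""
    calls = []
    for _ in range(runs):
        get_schema(cache_dir, "abc123", lambda: calls.append(1) or {"commands": ["passwd"]})
    return len(calls)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        blocker = os.path.join(base, "home")
        open(blocker, "w").close()  # constructed: a file where a directory is expected
        print("usable cache dir:", count_downloads(os.path.join(base, "cache")))
        print("unusable cache dir:", count_downloads(os.path.join(blocker, ".cache")))
```

The unusable location is simulated with a regular file in the path instead of a permission error, so the failure also reproduces when the script runs as root.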

Comment 5 Sudhir Menon 2016-08-23 12:32:54 UTC
Traceback or permission denied message is not seen for any of the tests for ipa-password.
Verified on RHEL7.3 using 

ipa-server-4.4.0-8.el7.x86_64
sssd-1.14.0-27.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: grouppolicy check length maximum value
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: check upper bound of length setting
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: create group [test_group], desc=[test group] (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: [reset_group_pwpolicy] success
:: [   LOG    ] :: disable other password policy constrains
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [   LOG    ] :: precondition: minlife=[0] minclasses=[0] history=[0]
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: [add_test_user] PASS: create user [test_user] and set password [Password_123] success 
:: [   LOG    ] :: [add_test_user] success
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: add user [test_user] as member of group [test_group]: ipa group-add-member test_group --users=test_user
:: [   PASS   ] :: Command 'ipa group-add-member test_group --users=test_user' (Expected 0, got 0)
:: [   LOG    ] :: there is no real upper-bound of password length, I will try some bigger but resonable number here [30]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [   LOG    ] :: len=[30] edge=[30]
:: [   LOG    ] :: minlength=[30], now continue test
:: [   LOG    ] :: minlength=[30], current len [29],password=[bC9~πdN0=ðxB3=špD2+№gM2+đnE5%]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change failed, this is expected 
:: [   LOG    ] :: minlength=[30], current len [30],class=[5]
:: [   LOG    ] :: minlength=[30], current len [30],password=[qI4,ðjG7+وnF8%๐uC4=čjE9#đtT1%è]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change success is expected 
:: [   LOG    ] :: minlength=[30], current len [31],password=[cJ4=ènK8+èrC7=ŵmO5%ðsK6,ðjJ2/đb]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change success is expected 
:: [   LOG    ] :: Duration: 41s
:: [   LOG    ] :: Assertions: 17 good, 0 bad
:: [   PASS   ] :: RESULT: grouppolicy check length maximum value

Comment 13 errata-xmlrpc 2016-11-04 06:00:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

