Bug 1364113 - ipa-password: ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Aneta Šteflová Petrová
URL:
Whiteboard:
Keywords: Regression
Depends On:
Blocks:
Reported: 2016-08-04 13:49 UTC by Sudhir Menon
Modified: 2016-11-04 06:00 UTC (History)

Fixed In Version: ipa-4.4.0-8.el7
Doc Type: Bug Fix
Doc Text:
`ipa` commands no longer fail when the user does not have a home directory in IdM
Previously, when Identity Management (IdM) was unable to create a cache directory at `~/.cache/ipa` in the home directory, all `ipa` commands failed. This situation occurred, for example, when the user did not have a home directory. With this update, IdM is able to continue working even when it cannot create or access the cache. Note that in such situations, `ipa` commands can take a long time to complete because all metadata must be downloaded repeatedly.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 06:00:15 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2016:2404 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-08-04 13:49:22 UTC
Description of problem: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible: Always

Steps to Reproduce:
ipa-password module throws permission denied error.

Actual results:
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: grouppolicy check length maximum value
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 02:02:28 ] :: check upper bound of length setting
        |:: [ 02:02:29 ] :: [Local_KinitAsAdmin] success
        |:: [  BEGIN   ] :: create group [test_group], desc=[test group] :: actually running 'ipa group-add test_group --desc "test group"'
        |------------------------
        |Added group "test_group"
        |------------------------
        |  Group name: test_group
        |  Description: test group
        |  GID: 1066000105
        |:: [   PASS   ] :: create group [test_group], desc=[test group] (Expected 0, got 0)
:: [ 02:02:33 ] :: [Local_KinitAsAdmin] success
ipa: ERROR: test_group: password policy not found
:: [ 02:02:36 ] :: [Local_KinitAsAdmin] success
:: [ 02:02:39 ] :: [reset_group_pwpolicy] success
:: [ 02:02:39 ] :: disable other password policy constrains
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [ 02:02:39 ] :: [Local_KinitAsAdmin] success
  Group: test_group
  Max lifetime (days): 60
  Min lifetime (hours): 0
  History size: 0
  Character classes: 0
  Min length: 10
  Priority: 6
  Max failures: 0
  Failure reset interval: 0
  Lockout duration: 0
:: [  BEGIN   ] :: Running '/usr/bin/kdestroy -qA '
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [ 02:02:43 ] :: precondition: minlife=[0] minclasses=[0] history=[0]
:: [ 02:02:43 ] :: [Local_KinitAsAdmin] success
:: [ 02:02:48 ] :: [add_test_user] success
        |:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
        |:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
        |:: [ 02:02:49 ] :: [Local_KinitAsAdmin] success
        |:: [ 02:02:51 ] :: add user [test_user] as member of group [test_group]: ipa group-add-member test_group --users=test_user
        |:: [  BEGIN   ] :: Running 'ipa group-add-member test_group --users=test_user'
        |  Group name: test_group
        |  Description: test group
        |  GID: 1066000105
        |  Member users: test_user
        |-------------------------
        |Number of members added 1
        |-------------------------
        |:: [   PASS   ] :: Command 'ipa group-add-member test_group --users=test_user' (Expected 0, got 0)
:: [ 02:02:52 ] :: there is no real upper-bound of password length, I will try some bigger but resonable number here [30]
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [ 02:02:53 ] :: [Local_KinitAsAdmin] success
        |+------- begining of [/tmp/tmp.XdIHwlAMTh/grouppwupperbound.23518.out] -----------+
        |  Group: test_group
        |  Max lifetime (days): 60
        |  Min lifetime (hours): 0
        |  History size: 0
        |  Character classes: 0
        |  Min length: 30
        |  Priority: 6
        |  Max failures: 0
        |  Failure reset interval: 0
        |  Lockout duration: 0
        |+------------ end of [/tmp/tmp.XdIHwlAMTh/grouppwupperbound.23518.out] -----------+
:: [  BEGIN   ] :: Running '/usr/bin/kdestroy -qA '
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [ 02:02:56 ] :: len=[30] edge=[30]
:: [ 02:02:56 ] :: minlength=[30], now continue test
:: [ 02:02:56 ] :: minlength=[30], current len [29],password=[eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,]
:: [  BEGIN   ] :: Running 'rlDistroDiff keyctl'
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [  BEGIN   ] :: validating current password :: actually running 'echo Password_123 | sudo -u test_user kinit test_user 2>&1 >/dev/null'
:: [   PASS   ] :: validating current password (Expected 0, got 0)
      [change_password_through_pam_stack] change password for user: [test_user] [Password_123] --> [eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,] pam-stack: localUser[test_user]
      [change_password_through_pam_stack] found kerberos for user [test_user], test continue pam-stack: localUser[test_user]
        |+------- begining of [[change_password_through_pam_stack] ready to execute exp file [/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp]] -----------+
        |set timeout 5
        |set force_conservative 0
        |set send_slow {1 .001}
        |spawn sudo -u test_user ipa passwd test_user
        |expect "Current Password: "
        |send Password_123\r
        |expect "New Password: "
        |send eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,\r
        |expect "Enter New Password again to verify: "
        |send eW8/ðtW0=čcG9#čuX7,ðlP1+№xM3,\r
        |expect eof
        |+------------ end of [[change_password_through_pam_stack] ready to execute exp file [/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp]] -----------+
send: spawn id exp5 not open
    while executing
"send Password_123\r"
    (file "/tmp/tmp.XdIHwlAMTh/changepassword.24362.exp" line 6)
        |+------- begining of [[change_password_through_pam_stack] output of exp file execution] -----------+
        |spawn sudo -u test_user ipa passwd test_user
        |ipa: ERROR: Could not create log_dir u'/home/test_user/.ipa/log'
        |ipa: ERROR: RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
        |Traceback (most recent call last):
        |  File "/usr/lib/python2.7/site-packages/ipalib/cli.py", line 1347, in run
        |    api.finalize()
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 701, in finalize
        |    self.__do_if_not_done('load_plugins')
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 416, in __do_if_not_done
        |    getattr(self, name)()
        |  File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 579, in load_plugins
        |    for package in self.packages:
        |  File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in packages
        |    ipaclient.remote_plugins.get_package(self),
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/__init__.py", line 17, in get_package
        |    plugins = schema.get_package(api, client)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 494, in get_package
        |    fingerprint = str(schema['fingerprint'])
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 443, in __getitem__
        |    self._ensure_cached()
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 422, in _ensure_cached
        |    (fp, exp) = self._get_schema()
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 390, in _get_schema
        |    self._store(fp, schema)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 453, in _store
        |    _ensure_dir_created(SCHEMA_DIR)
        |  File "/usr/lib/python2.7/site-packages/ipaclient/remote_plugins/schema.py", line 283, in _ensure_dir_created
        |    "".format(e))
        |RuntimeError: Unable to create cache directory: [Errno 13] Permission denied: '/home/test_user'
        |ipa: ERROR: an internal error has occurred
        |+------------ end of [[change_password_through_pam_stack] output of exp file execution] -----------+

Expected results:
Need to fix the issue.
 
Additional info: This issue was seen in many of the test cases that ran in the Beaker job for the ipa-password module.
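
The traceback above ends in a cache-directory helper raising RuntimeError, and the Doc Text for the fixed version says `ipa` keeps working without the cache at the cost of repeated metadata downloads. The following added example, which is not FreeIPA's code and not part of the original report, shows that best-effort pattern in Python; the function names, the JSON file layout and the sample schema are assumptions, and a regular file stands in for the unusable home directory.

```python
import json
import os
import tempfile


def load_cached(cache_dir, fingerprint):
    # A missing, unreadable or corrupt cache entry is simply a cache miss.
    try:
        with open(os.path.join(cache_dir, fingerprint + ".json")) as f:
            return json.load(f)
    except (OSError, ValueError):
        return None


def store_cached(cache_dir, fingerprint, schema):
    # Best effort: report failure instead of raising, so the command continues.
    try:
        os.makedirs(cache_dir, mode=0o700, exist_ok=True)
        fd, tmp = tempfile.mkstemp(dir=cache_dir)
        with os.fdopen(fd, "w") as f:
            json.dump(schema, f)
        os.replace(tmp, os.path.join(cache_dir, fingerprint + ".json"))
        return True
    except OSError:
        return False


def count_downloads(cache_dir, invocations):
    # Each loop pass models one separate command run; returns the download count.
    downloads = 0
    for _ in range(invocations):
        schema = load_cached(cache_dir, "constructed-fp")
        if schema is None:
            downloads += 1  # stands in for fetching the schema from the server
            schema = {"fingerprint": "constructed-fp", "commands": ["passwd"]}
            store_cached(cache_dir, "constructed-fp", schema)
    return downloads


def demo():
    with tempfile.TemporaryDirectory() as root:
        usable = os.path.join(root, "home", ".cache", "ipa")
        # Constructed stand-in for an unusable home directory: the parent is a
        # regular file, so makedirs raises OSError even when run as root.
        blocker = os.path.join(root, "nohome")
        open(blocker, "w").close()
        unusable = os.path.join(blocker, ".cache", "ipa")
        return count_downloads(usable, 3), count_downloads(unusable, 3)
```

`demo()` returns `(1, 3)`: with a usable cache directory only the first of three runs downloads the schema, while with an unusable one every run does, and none of them fails.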

Comment 5 Sudhir Menon 2016-08-23 12:32:54 UTC
Traceback or permission denied message is not seen for any of the tests for ipa-password.
Verified on RHEL7.3 using 

ipa-server-4.4.0-8.el7.x86_64
sssd-1.14.0-27.el7.x86_64


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: grouppolicy check length maximum value
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: check upper bound of length setting
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: create group [test_group], desc=[test group] (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: [reset_group_pwpolicy] success
:: [   LOG    ] :: disable other password policy constrains
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [   LOG    ] :: precondition: minlife=[0] minclasses=[0] history=[0]
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: [add_test_user] PASS: create user [test_user] and set password [Password_123] success 
:: [   LOG    ] :: [add_test_user] success
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   LOG    ] :: add user [test_user] as member of group [test_group]: ipa group-add-member test_group --users=test_user
:: [   PASS   ] :: Command 'ipa group-add-member test_group --users=test_user' (Expected 0, got 0)
:: [   LOG    ] :: there is no real upper-bound of password length, I will try some bigger but resonable number here [30]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   LOG    ] :: [Local_KinitAsAdmin] success
:: [   PASS   ] :: Command '/usr/bin/kdestroy -qA ' (Expected 0, got 0)
:: [   LOG    ] :: len=[30] edge=[30]
:: [   LOG    ] :: minlength=[30], now continue test
:: [   LOG    ] :: minlength=[30], current len [29],password=[bC9~πdN0=ðxB3=špD2+№gM2+đnE5%]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change failed, this is expected 
:: [   LOG    ] :: minlength=[30], current len [30],class=[5]
:: [   LOG    ] :: minlength=[30], current len [30],password=[qI4,ðjG7+وnF8%๐uC4=čjE9#đtT1%è]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change success is expected 
:: [   LOG    ] :: minlength=[30], current len [31],password=[cJ4=ènK8+èrC7=ŵmO5%ðsK6,ðjJ2/đb]
:: [   PASS   ] :: Command 'rlDistroDiff keyctl' (Expected 0, got 0)
:: [   PASS   ] :: validating current password (Expected 0, got 0)
:: [   PASS   ] :: password change success is expected 
:: [   LOG    ] :: Duration: 41s
:: [   LOG    ] :: Assertions: 17 good, 0 bad
:: [   PASS   ] :: RESULT: grouppolicy check length maximum value

Comment 13 errata-xmlrpc 2016-11-04 06:00:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

