Description of problem:
When trying to install RHOSP15 TLS Everywhere with IDM integration, the documentation is incorrect and there are Python 3 libraries missing.

Version-Release number of selected component (if applicable):
Red Hat OpenStack Platform 15
python3-novajoin-1.1.2-0.20190529150411.2c8c868.el8ost.noarch

How reproducible:
Easily

Steps to Reproduce:
1. Install python3-novajoin
2. Try to run the novajoin-ipa-setup command
3. Observe the error

Actual results:
[stack@director lib]$ sudo /usr/libexec/novajoin-ipa-setup --principal admin --password “MY_PASSWORD” --server idm.mydomain.net --realm MYDOMAIN.NET --domain mydomain.net --hostname director.mydomain.net --precreate
Traceback (most recent call last):
  File "/bin/novajoin-ipa-setup", line 23, in <module>
    from novajoin import configure_ipa
  File "/usr/lib/python3.6/site-packages/novajoin/configure_ipa.py", line 55, in <module>
    import nss.nss as nss
ModuleNotFoundError: No module named 'nss'

Expected results:
Should not get a module error.

Additional info:
I installed python-nss with pip3 install python-nss. Copied it from /usr/local/lib64/python3.6/site-packages/nss to /usr/lib/python3.6/site-packages

After that, I get a bit closer:
Traceback (most recent call last):
  File "/bin/novajoin-ipa-setup", line 101, in <module>
    cafile = novajoin.create_cafile(opts.server, opts.realm)
  File "/usr/lib/python3.6/site-packages/novajoin/configure_ipa.py", line 205, in create_cafile
    ca_certs = self._get_ca_certs(server, realm)
  File "/usr/lib/python3.6/site-packages/novajoin/configure_ipa.py", line 149, in _get_ca_certs
    raise ConfigurationError("get_ca_certs() error: %s" % e)
novajoin.errors.ConfigurationError: get_ca_certs() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krbccd30f01xe/ccache))

So now I can kinit admin:
[stack@director site-packages]$ sudo kinit admin
Password for admin:
[stack@director site-packages]$ sudo klist
Ticket cache: KCM:0
Default principal: admin

Valid starting       Expires              Service principal
05/10/19 23:26:22    06/10/19 23:26:20    krbtgt/MYDOMAIN.NET

Try again, this time with --no-kinit:
[stack@director site-packages]$ sudo /usr/libexec/novajoin-ipa-setup --principal admin --password “MY_PASSWORD” --server idm.mydomain.net --realm MYDOMAIN.NET --domain mydomain.net --hostname director.mydomain.net --precreate --no-kinit
1XaBKA9wFEeb9NoLYKo5rduFqaeJUvnjldyjHDAjym9g
Traceback (most recent call last):
  File "/bin/novajoin-ipa-setup", line 136, in <module>
    if krb5_conf:
NameError: name 'krb5_conf' is not defined

This time, it returns an OTP token, but I get a traceback afterwards. If I don't include --no-kinit, I just get the same error as before. This one:

    raise ConfigurationError("get_ca_certs() error: %s" % e)
  novajoin.errors.ConfigurationError: get_ca_certs() error: Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (No Kerberos credentials available (default cache: /tmp/krbccd30f01xe/ccache))
python-nss isn't included in RHEL 8. It looks like the code which uses this import is no longer used so the create_nssdb() method can just be removed altogether.
I just updated my Director node and it seems to work now. It still has the python-nss package installed from pip, so that might have helped me with the initial error. But the krb5_conf issue is gone now. My overcloud is deployed as well. So it seems to be working.
(In reply to Brendan Shephard from comment #2)
> I just updated my Director node and it seems to work now. It still has the
> python-nss package installed from pip, so that might have helped me with the
> initial error. But the krb5_conf issue is gone now.
>
> My overcloud is deployed as well. So it seems to be working.

How did you actually work around this?
(In reply to Ian Pilcher from comment #6)
> How did you actually work around this?

Never mind. I see that you still have python-nss installed via pip. So unless I'm very much mistaken, this is going to break internal TLS, as the overcloud nodes will presumably have the same issue. Marking this as a regression.
(In reply to Rob Crittenden from comment #1)
> python-nss isn't included in RHEL 8. It looks like the code which uses this
> import is no longer used so the create_nssdb() method can just be removed
> altogether.

scripts/novajoin-ipa-setup:100-112

    if precreate_opts_specified:
        # IPA v4.5.0 switched client from NSS to OpenSSL
        if version.NUM_VERSION >= 40500:
            cafile = novajoin.create_cafile(opts.server, opts.realm)
            # Workaround for https://pagure.io/freeipa/issue/7145
            try:
                args['tls_ca_cert'] = cafile.decode('UTF-8')
            except AttributeError:
                args['tls_ca_cert'] = cafile
        else:
            nss_db = novajoin.create_nssdb(opts.server, opts.realm)
            try:
                args['nss_dir'] = nss_db.secdir.decode('UTF-8')
            except AttributeError:
                args['nss_dir'] = nss_db.secdir

Novajoin is not branched; if we remove this code it will no longer work with IPA < v4.5.0. Is it safe to do this, or do we risk breaking someone's deployment that runs with an older version of IPA? Another option would be to conditionally import nss.nss, and only raise the exception if IPA version < 40500?
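The conditional-import option raised in the comment above, written out as an added example that is not novajoin's own code: the nss.nss import is guarded at module load so the script still starts on RHEL 8, and a missing python-nss only becomes an error in the legacy (IPA < 4.5.0) branch that actually needs an NSS database. The version threshold 40500 and the bytes/str decode workaround are taken from the snippet above; the names ConfigurationError, build_ipa_client_args, _as_text and the create_cafile/create_nssdb callables passed in are assumptions for this illustration, not novajoin's API.

```python
"""Guarded python-nss import for a novajoin-style IPA setup script.

Added example, not novajoin's own code. Assumed names: ConfigurationError,
build_ipa_client_args, _as_text, and the create_cafile/create_nssdb
callables injected by the caller.
"""

try:
    import nss.nss as nss  # python-nss is not packaged for RHEL 8
except ImportError:
    nss = None  # defer the failure to the code path that really needs NSS

# Threshold from the original snippet: IPA 4.5.0 moved the client from NSS to OpenSSL
IPA_OPENSSL_MIN_VERSION = 40500


class ConfigurationError(Exception):
    """Raised when the environment cannot satisfy the selected code path."""


def _as_text(value):
    """Normalise bytes/str (https://pagure.io/freeipa/issue/7145 workaround)."""
    return value.decode("UTF-8") if isinstance(value, bytes) else value


def build_ipa_client_args(ipa_num_version, server, realm,
                          create_cafile, create_nssdb, nss_module=nss):
    """Return the TLS-related kwargs for the IPA client connection.

    create_cafile(server, realm) -> CA file path (bytes or str)
    create_nssdb(server, realm)  -> object with a .secdir attribute (bytes or str)
    nss_module is injected so the fallback can be exercised without python-nss.
    """
    args = {}
    if ipa_num_version >= IPA_OPENSSL_MIN_VERSION:
        # Modern IPA: OpenSSL path, python-nss is never required here
        args["tls_ca_cert"] = _as_text(create_cafile(server, realm))
        return args

    # Legacy IPA: an NSS database is required, so the import must have succeeded
    if nss_module is None:
        raise ConfigurationError(
            "IPA version %d is older than 4.5.0 and needs an NSS database, "
            "but the python-nss module is not installed" % ipa_num_version)
    nss_db = create_nssdb(server, realm)
    args["nss_dir"] = _as_text(nss_db.secdir)
    return args


if __name__ == "__main__":
    # Constructed sample callables standing in for novajoin's factories
    sample_cafile = lambda server, realm: b"/tmp/example-ipa-ca.crt"
    sample_nssdb = lambda server, realm: type("Db", (), {"secdir": b"/tmp/nssdb"})()
    print(build_ipa_client_args(40500, "idm.example.test", "EXAMPLE.TEST",
                                sample_cafile, sample_nssdb))
    try:
        build_ipa_client_args(40400, "idm.example.test", "EXAMPLE.TEST",
                              sample_cafile, sample_nssdb, nss_module=None)
    except ConfigurationError as exc:
        print("legacy path refused:", exc)
```

With this shape the OpenSSL branch works on hosts without python-nss, and an operator on an older IPA gets a single descriptive error at the point the NSS database is needed instead of an import traceback at script start.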
Hitting the same issue with python3-novajoin-1.1.2-0.20190912190429.b971c78.el8ost.noarch

Attempted the workaround, but it failed; even after installing nss, no luck.

Traceback (most recent call last):
  File "/bin/novajoin-ipa-setup", line 23, in <module>
    from novajoin import configure_ipa
  File "/usr/lib/python3.6/site-packages/novajoin/configure_ipa.py", line 55, in <module>
    import nss.nss as nss
*** Bug 1791304 has been marked as a duplicate of this bug. ***
According to our records, this should be resolved by python-novajoin-1.2.1-0.20191217180446.265146e.el8ost. This build is available now.