pasqual milvaques wrote:
The people from Ubuntu pointed me to this bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127

Enabling SSL3 in the server with these orders served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on

exit

But the client doesn't completely join the domain because in the system
there is no system-wide NSS database:

New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t
CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad
database.

Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1292, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 1279, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1124, in install
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
"-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273,
in run
raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned
non-zero exit status 255
pasqual@ubuntuprovesfreeipa:~$

It can create it with these commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

But it asks for a password. There are some obscure references about using a
password file called pwdfile.txt that resides in the server but I'm not
sure what to do now. Perhaps the password must be blank. Any idea?

It isn't mandatory to set a password, there isn't one by default in Fedora installations. If you do set a password and place it in a file you can pass the file location with -f. Arguably a password in a file is about as secure as a password-less database: for both you are relying on FS permissions (and perhaps SELinux if configured).

rob
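
An added example, not part of the original thread or of FreeIPA's own code: both options in the reply above rest on filesystem permissions, so this shell function audits an NSS database directory for them. The function name, the password file location (pwdfile.txt inside the database directory) and the demo directory are assumptions made for the example.

```shell
# Added example (not from the thread). Audits an NSS database directory:
# nothing may be writable by group/other (a writer could swap trusted CAs),
# and a password file, if present, must not be readable by group/other.
# Returns 0 when clean, 1 on findings, 2 if the directory is missing.
audit_nssdb() {
    nss_dir=$1
    # Assumption: the password file sits inside the database directory.
    nss_pw=${2:-$nss_dir/pwdfile.txt}
    nss_bad=0
    [ -d "$nss_dir" ] || { echo "missing directory: $nss_dir"; return 2; }
    for nss_f in "$nss_dir" "$nss_dir"/*; do
        [ -e "$nss_f" ] || continue
        # -prune keeps find on this one path; -perm -020/-002 = g+w / o+w
        if [ -n "$(find -H "$nss_f" -prune \( -perm -020 -o -perm -002 \))" ]; then
            echo "writable by group/other: $nss_f"
            nss_bad=1
        fi
    done
    if [ -f "$nss_pw" ] &&
       [ -n "$(find -H "$nss_pw" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "password file readable by group/other: $nss_pw"
        nss_bad=1
    fi
    return "$nss_bad"
}

# Constructed demo: a throwaway directory with a world-readable password file.
demo=$(mktemp -d)
: > "$demo/cert8.db"; : > "$demo/key3.db"; : > "$demo/pwdfile.txt"
chmod 755 "$demo"; chmod 644 "$demo"/*
audit_nssdb "$demo" || echo "findings present (exit $?)"
rm -rf "$demo"
```

On a real client the call would be audit_nssdb /etc/pki/nssdb, run after the database has been created.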
