pasqual milvaques wrote:
the people frrm ubuntu pointed me to this bug.

enabling ssl3 in the server with this orders served as a workaround:

ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x

dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on


but the client doesn't join completly the domain because in the system
there is no system wide nss database:

New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t
CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad

Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1292, in <module>
File "/usr/sbin/ipa-client-install", line 1279, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1124, in install
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
"-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
File "/usr/lib/python2.7/dist-packages/ipapython/", line 273,
in run
raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned
non-zero exit status 255

It can create it with this commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb

but asks for a password. there are some obscure references about using a
password file called pwdfile.txt that resides in the server but I'm not
sure with what to do now. perhaps the password must be blank. any idea?

It isn't mandatory to set a password, there isn't one by default in Fedora installations. If you do set a password and place it in a file you can pass the file location with -f. Arguably a password in a file is about as secure as a password-less database: for both you are relying on FS permissions (and perhaps SELinux if configured).


Freeipa-users mailing list

Reply via email to