pasqual milvaques wrote:
The people from Ubuntu pointed me to this bug.
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=663127
Enabling SSL3 in the server with these orders served as a workaround:
ldapmodify -D "cn=directory manager" -W -p 389 -h localhost -x
dn: cn=encryption,cn=config
changetype: modify
replace: nsSSL3
nsSSL3: on
exit
But the client doesn't completely join the domain because in the system
there is no system-wide NSS database:
New SSSD config will be created.
root : INFO New SSSD config will be created
Configured /etc/sssd/sssd.conf
root : DEBUG args=/usr/bin/certutil -A -d /etc/pki/nssdb -n IPA CA -t
CT,C,C -a -i /etc/ipa/ca.crt
root : DEBUG stdout=
root : DEBUG stderr=certutil: function failed: security library: bad
database.
Traceback (most recent call last):
File "/usr/sbin/ipa-client-install", line 1292, in <module>
sys.exit(main())
File "/usr/sbin/ipa-client-install", line 1279, in main
rval = install(options, env, fstore, statestore)
File "/usr/sbin/ipa-client-install", line 1124, in install
run(["/usr/bin/certutil", "-A", "-d", "/etc/pki/nssdb", "-n", "IPA CA",
"-t", "CT,C,C", "-a", "-i", "/etc/ipa/ca.crt"])
File "/usr/lib/python2.7/dist-packages/ipapython/ipautil.py", line 273,
in run
raise CalledProcessError(p.returncode, args)
subprocess.CalledProcessError: Command '/usr/bin/certutil -A -d
/etc/pki/nssdb -n IPA CA -t CT,C,C -a -i /etc/ipa/ca.crt' returned
non-zero exit status 255
pasqual@ubuntuprovesfreeipa:~$
It can create it with these commands:
mkdir -p /etc/pki/nssdb
certutil -N -d /etc/pki/nssdb
But it asks for a password. There are some obscure references about using a
password file called pwdfile.txt that resides in the server, but I'm not
sure what to do now. Perhaps the password must be blank. Any idea?

It isn't mandatory to set a password, there isn't one by default in
Fedora installations. If you do set a password and place it in a file
you can pass the file location with -f. Arguably a password in a file is
about as secure as a password-less database: for both you are relying on
FS permissions (and perhaps SELinux if configured).
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
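
The approach from the reply above, as an added example that is not part of the original thread: create the database without a prompt by passing a password file with -f, then audit the file-system permissions that both the password-file and the password-less variant depend on. The pwdfile.txt location inside the database directory, the 0600/0644/0755 modes and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. pwdfile.txt inside the DB directory and
# the modes used below are assumptions of this sketch.

# Create the NSS database non-interactively and import the IPA CA (run as root).
create_nssdb() {
    dbdir=$1 cacert=$2
    pwfile=$dbdir/pwdfile.txt
    mkdir -p "$dbdir" || return 1
    # umask in a subshell so the password file is never briefly world-readable.
    ( umask 077; od -An -N16 -tx1 /dev/urandom | tr -d ' \n' > "$pwfile" ) || return 1
    certutil -N -d "$dbdir" -f "$pwfile" || return 1
    certutil -A -d "$dbdir" -n "IPA CA" -t CT,C,C -a -i "$cacert" -f "$pwfile" || return 1
    # Clients read the trust store; only root needs the password.
    chmod 0755 "$dbdir" && chmod 0644 "$dbdir"/*.db && chmod 0600 "$pwfile"
}

# Audit the permissions the database relies on.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
# For a password-less database pass an empty second argument.
audit_nssdb() {
    dbdir=$1 pwfile=$2
    [ -d "$dbdir" ] || { echo "MISSING $dbdir"; return 1; }
    findings=$(
        # Group/other write access lets those users add or re-trust a CA.
        find "$dbdir" ! -type l \( -perm -020 -o -perm -002 \) \
            -exec printf 'WRITABLE %s\n' {} \;
        # A password file readable by group/other defeats the DB password.
        if [ -n "$pwfile" ] && [ -e "$pwfile" ]; then
            find "$pwfile" \( -perm -040 -o -perm -004 \) \
                -exec printf 'PWFILE_READABLE %s\n' {} \;
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (as root): create_nssdb /etc/pki/nssdb /etc/ipa/ca.crt
#                  audit_nssdb /etc/pki/nssdb /etc/pki/nssdb/pwdfile.txt
```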