On 20/02/14 23:08, Rob Crittenden wrote:
Sigbjorn Lie wrote:
On 20/02/14 21:38, Rob Crittenden wrote:

I am surprised too. I dumped the PKI CA certificate from /etc/pki/nssdb
before and after I updated it into text files, and diff'ed them. No
differences were reported.

I can't think of a reason it would be using the sqlite database at
all. You don't have NSS_DEFAULT_DB_TYPE set somewhere do you? I'd find
it hard to believe that this would be set EVERYWHERE.

If we want to brute force things, trying strace against a client that
isn't working to confirm that it is trying to open cert9 might give us
a data point at least.

I have NSS_DEFAULT_DB_TYPE set to "sql".

Oh, ok, that's why then. You're telling NSS to use sqlite databases and we only configure the older database style so the client isn't finding its CA cert.

So you can either not set that or migrate all the client databases. I'm a little surprised the servers aren't blowing up on you too.

Ohh so true...unset NSS_DEFAULT_DB_TYPE and it's all working fine! I can't believe it was something this silly!

I've found the file where the NSS_DEFAULT_DB_TYPE is set to "sql" for our environment. This file has not been changed since Sep 2012. It's only set for a select amount of our accounts (mine being one of them) - that's why the servers aren't blowing up. And is why the webui is still working...

We installed IPA in early 2012 and I've not had issues using the "ipa" command on any machines until a few weeks ago - and yes, NSS_DEFAULT_DB_TYPE=sql has been in the environment for my account the whole time.

We recently installed a set of patches upgrading our servers to RHEL 6.5+(some updates) from 6.4. It would seem like something changed with this set of patches. And it also explains why this did not happen in the test environment as the same accounts are not being utilised there.

Thank you for your assistance resolving these issues we've had recently. :)
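
The mismatch diagnosed in this thread can be checked per account and per database directory. The script below is an added example, not part of the original messages and not IPA or NSS code: it reports which database format NSS would select and whether that format exists on disk. The function names are hypothetical, an unset NSS_DEFAULT_DB_TYPE is assumed to mean the older dbm format (as on the RHEL 6 hosts discussed here), and the handling of an explicit "sql:"/"dbm:" directory prefix goes slightly beyond what the thread covers.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical, not NSS or IPA tools.

# Print the database format NSS would select for a directory spec.
# An explicit "sql:" or "dbm:" prefix wins; otherwise NSS_DEFAULT_DB_TYPE
# decides. Assumption: unset means "dbm", as on the hosts in this thread.
nss_effective_type() {
    case "$1" in
        sql:*) echo sql ;;
        dbm:*) echo dbm ;;
        *)     echo "${NSS_DEFAULT_DB_TYPE:-dbm}" ;;
    esac
}

# Print which formats exist on disk: dbm (cert8.db), sql (cert9.db), both, none.
nss_present_formats() {
    dir=${1#sql:}
    dir=${dir#dbm:}
    have_dbm=no
    have_sql=no
    if [ -f "$dir/cert8.db" ]; then have_dbm=yes; fi
    if [ -f "$dir/cert9.db" ]; then have_sql=yes; fi
    case "$have_dbm/$have_sql" in
        yes/yes) echo both ;;
        yes/no)  echo dbm ;;
        no/yes)  echo sql ;;
        *)       echo none ;;
    esac
}

# Return 0 when the selected format exists on disk, 1 on a mismatch
# (the situation in this thread: "sql" selected, only cert8.db present).
nss_check_db() {
    want=$(nss_effective_type "$1")
    have=$(nss_present_formats "$1")
    if [ "$have" = both ] || [ "$have" = "$want" ]; then
        echo "OK: $1 selected=$want present=$have"
        return 0
    fi
    echo "MISMATCH: $1 selected=$want present=$have" \
         "(NSS_DEFAULT_DB_TYPE=${NSS_DEFAULT_DB_TYPE:-unset})"
    return 1
}

# Usage, run as the affected account: nss_check_db /etc/pki/nssdb
```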


Freeipa-users mailing list
