On 15/04/16 15:16, Harald Dunkel wrote:
Hi David,
Hello Harri,
the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the
permissions are set to:
$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root 40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
Please check the permissions on your system. If they're different and you (or
your system admin) haven't changed them, please file a ticket
(https://fedorahosted.org/freeipa/newticket).
Sorry, I should have mentioned that the client runs Debian
with freeipa 4.0.5.
# ls -al /etc/ipa/
total 24
drwxr-xr-x 2 root root 4096 Dec 29 08:32 .
drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
-rw-r--r-- 1 root root 1792 Dec 29 08:32 ca.crt
-rw-r--r-- 1 root root 194 Dec 29 08:32 default.conf
No nssdb. AFAICS only the ipa servers in my lan have a
directory /etc/ipa/nssdb (CentOS 7).
On the clients I can see a cert8.db in /etc/pki/nssdb.
Looking at the time stamp it seems to be related to freeipa.
# ls -al /etc/pki/nssdb/
total 76
drwxr-xr-x 2 root root 4096 Dec 29 08:32 .
drwxr-xr-x 3 root root 4096 Dec 28 16:09 ..
-rw------- 1 root root 65536 Dec 29 08:32 cert8.db
-rw------- 1 root root 16384 Dec 29 08:32 key3.db
-rw------- 1 root root 16384 Dec 29 08:32 secmod.db
No pwdfile.txt. I would guess the key database has been created
with --empty-password.
Does this look familiar, or is this misconfigured and weird?
Sorry for asking stupid questions, but the setup in my lan is
all I have. I have never had a chance to see another freeipa
installation. Hope you don't mind?
Regards
Harri
Hello Harri,
actually the version and OS information make a difference :-)
Older versions of the FreeIPA client used the NSSDB in /etc/pki/nssdb; I
don't recall at what version we switched to /etc/ipa/nssdb, but it was
some time ago.
I have reproduced the issue on Debian, and after changing the access
rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command
needs to access the IPA CA certificate stored there to verify the identity
of the FreeIPA server.
I haven't seen this issue on Fedora, so I'm adding Timo, who is porting
FreeIPA to Debian. Timo, have you met this issue?
--
David Kupka
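A small check for the situation discussed above, added here as an example and not code from the thread or from the FreeIPA project. It assumes GNU stat(1) and the two NSSDB locations named in the thread (/etc/ipa/nssdb for newer clients, /etc/pki/nssdb for older ones); the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): find NSS database files that an
# unprivileged `ipa` invocation cannot read, and apply the fix from the thread
# while keeping pwdfile.txt root-only as in the default /etc/ipa/nssdb layout.

# Print the NSSDB directory this client uses (newer layout first).
ipa_nssdb_dir() {
  for d in /etc/ipa/nssdb /etc/pki/nssdb; do
    [ -f "$d/cert8.db" ] && { echo "$d"; return 0; }
  done
  return 1
}

# List the database files in $1 that lack group or other read permission.
# pwdfile.txt is deliberately not checked: it should stay mode 600.
unreadable_nssdb_files() {
  nssdir=$1
  for f in "$nssdir"/cert8.db "$nssdir"/key3.db "$nssdir"/secmod.db; do
    [ -f "$f" ] || continue
    mode=$(stat -c '%a' "$f")              # e.g. 600 or 644 (GNU stat)
    g=$(( (mode / 10) % 10 ))              # group permission digit
    o=$(( mode % 10 ))                     # other permission digit
    if [ $(( g & 4 )) -eq 0 ] || [ $(( o & 4 )) -eq 0 ]; then
      echo "$f"
    fi
  done
}

# Apply the thread's fix (group/other read on the three databases only).
fix_nssdb_perms() {
  nssdir=$1
  for f in "$nssdir"/cert8.db "$nssdir"/key3.db "$nssdir"/secmod.db; do
    [ -f "$f" ] || continue
    chmod go+r "$f"
  done
}

# Stand-alone use: report files that would break a non-root `ipa` run.
if nssdb=$(ipa_nssdb_dir); then
  unreadable_nssdb_files "$nssdb"
else
  echo "no IPA NSS database found in /etc/ipa/nssdb or /etc/pki/nssdb" >&2
fi
```

Run it as root to see which files need `fix_nssdb_perms`; the check leaves pwdfile.txt untouched because its default mode in the listing above is already root-only.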
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project