On 15/04/16 15:16, Harald Dunkel wrote:
Hi David,

Hello Harri,

the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the 
permissions are set to:

$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permission on your system. If it's different and you (or 
system admin) haven't changed it please file a ticket 

Sorry, I should have mentioned that the client runs Debian
with freeipa 4.0.5.

# ls -al /etc/ipa/
total 24
drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
-rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
-rw-r--r--   1 root root   194 Dec 29 08:32 default.conf

No nssdb. AFAICS only the ipa servers in my lan have a
directory /etc/ipa/nssdb (CentOS 7).

On the clients I can see a cert8.db in /etc/pki/nssdb.
Looking at the time stamp it seems to be related to freeipa.

# ls -al /etc/pki/nssdb/
total 76
drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
-rw------- 1 root root 65536 Dec 29 08:32 cert8.db
-rw------- 1 root root 16384 Dec 29 08:32 key3.db
-rw------- 1 root root 16384 Dec 29 08:32 secmod.db

No pwdfile.txt . I would guess the key database has been created
with --empty-password.

Does this look familiar, or is this misconfigured and weird?

Sorry for asking stupid questions, but the setup in my lan is
all I have. I have never had a chance to see another freeipa
installation. Hope you don't mind?


Hello Harri,
actually the version and OS information makes a difference :-)

Older version of FreeIPA client was using NSSDB in /etc/pki/nssdb, I don't recall at what version we switched to /etc/ipa/nssdb but it was some time ago.

I have reproduced the issue on Debian and after changing the access rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. ipa command needs to access the IPA CA certificate stored there to verify identity of FreeIPA server.

I haven't seen this issue on Fedora so I'm adding Timo who is porting FreeIPA on debian. Timo have you met this issue?

David Kupka

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to