Re: [Freeipa-users] ipa -v ping lies about the cert database
On 05/13/16 14:48, Lukas Slebodnik wrote:
> You might see in ticket that planned milestone is "Future Releases"
> that isn't any particular release (4.4.x ...)
>
> It basically means that patches are welcome.
> That's how it works in the open source world.
>
> LS
>

Sorry, I got confused about the comment on
https://bugzilla.redhat.com/show_bug.cgi?id=1296665. I thought the
"Changing version to '24'." means it is supposed to be fixed for F24.
This bug was reported >4 months ago.

Regards
Harri

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] ipa -v ping lies about the cert database
On (12/05/16 16:16), Harald Dunkel wrote:
>On 04/26/16 17:29, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
>
>Since 24beta is out without fixing
>
> https://fedorahosted.org/freeipa/ticket/5639
>
You might see in ticket that planned milestone is "Future Releases"
that isn't any particular release (4.4.x ...)

It basically means that patches are welcome.
That's how it works in the open source world.

LS
Re: [Freeipa-users] ipa -v ping lies about the cert database
On 04/26/16 17:29, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>

Since 24beta is out without fixing

https://fedorahosted.org/freeipa/ticket/5639

I wonder if the Fedora folks really care about this bug. Did they
kick out the freeipa RPMs for breaking the guidelines?

Do you think it would be possible to put freeipa packages suitable
for Debian/sid & Ubuntu on freeipa.org, in parallel to the RPMs for
Fedora?

Regards
Harri
Re: [Freeipa-users] ipa -v ping lies about the cert database
On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>
> I guess 4.3.1 would need to be in sid first, and it just got rejected
> because of the minified javascript (bug #787593). Don't know when
> that'll get fixed.
>

Is this 3rd party code?

Anyway, I was talking about a *private* backport of freeipa 4.3.1
and its dependencies to Jessie. Of course I would be glad to make
these backports available in the official jessie-backports as well,
but I would need a sponsor for uploading.

Regards
Harri
Re: [Freeipa-users] ipa -v ping lies about the cert database
27.04.2016, 09:24, Harald Dunkel kirjoitti:
> On 04/26/2016 05:29 PM, Timo Aaltonen wrote:
>>
>> I guess 4.3.1 would need to be in sid first, and it just got rejected
>> because of the minified javascript (bug #787593). Don't know when
>> that'll get fixed.
>>
>
> Is this 3rd party code?

yes: https://fedorahosted.org/freeipa/ticket/5639

> Anyway, I was talking about a *private* backport of freeipa 4.3.1
> and its dependencies to Jessie. Of course I would be glad to make
> these backports available in the official jessie-backports as well,
> but I would need a sponsor for uploading.

Go for it, at least if the dependencies are manageable.

--
t
Re: [Freeipa-users] ipa -v ping lies about the cert database
26.04.2016, 16:52, Harald Dunkel kirjoitti:
> Hi Timo,
>
> On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>>
>> The old package used to create /etc/pki/nssdb on postinst, but with 644
>> permissions so I'm not sure why they have 600 here. 4.1.4 in
>> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
>> to unstable this week, which should fix this for good.
>>
>
> AFAICS there are just a few pending dependencies for 4.3.1
> on Jessie. Would you recommend to backport? I already did
> it for sssd.

I guess 4.3.1 would need to be in sid first, and it just got rejected
because of the minified javascript (bug #787593). Don't know when
that'll get fixed.

--
t
Re: [Freeipa-users] ipa -v ping lies about the cert database
Hi Timo,

On 04/18/2016 02:08 PM, Timo Aaltonen wrote:
>
> The old package used to create /etc/pki/nssdb on postinst, but with 644
> permissions so I'm not sure why they have 600 here. 4.1.4 in
> experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
> to unstable this week, which should fix this for good.
>

AFAICS there are just a few pending dependencies for 4.3.1
on Jessie. Would you recommend to backport? I already did
it for sssd.

Regards
Harri
Re: [Freeipa-users] ipa -v ping lies about the cert database
18.04.2016, 10:14, David Kupka kirjoitti:
> On 15/04/16 15:16, Harald Dunkel wrote:
>> Hi David,
>>
>>> Hello Harri,
>>>
>>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by
>>> default the permissions are set to:
>>>
>>> $ ls -dl /etc/ipa/nssdb/
>>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>>
>>> $ ls -l /etc/ipa/nssdb/
>>> total 80
>>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>>
>>> Please check the permission on your system. If it's different and you
>>> (or system admin) haven't changed it please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket).
>>>
>>
>> Sorry, I should have mentioned that the client runs Debian
>> with freeipa 4.0.5.
>>
>> # ls -al /etc/ipa/
>> total 24
>> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
>> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
>> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>>
>>
>> No nssdb. AFAICS only the ipa servers in my lan have a
>> directory /etc/ipa/nssdb (CentOS 7).
>>
>> On the clients I can see a cert8.db in /etc/pki/nssdb.
>> Looking at the time stamp it seems to be related to freeipa.
>>
>> # ls -al /etc/pki/nssdb/
>> total 76
>> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
>> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
>> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
>> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>>
>> No pwdfile.txt . I would guess the key database has been created
>> with --empty-password.
>>
>> Does this look familiar, or is this misconfigured and weird?
>>
>>
>> Sorry for asking stupid questions, but the setup in my lan is
>> all I have. I have never had a chance to see another freeipa
>> installation. Hope you don't mind?
>>
>>
>> Regards
>> Harri
>>
>
> Hello Harri,
> actually the version and OS information makes a difference :-)
>
> Older version of FreeIPA client was using NSSDB in /etc/pki/nssdb, I
> don't recall at what version we switched to /etc/ipa/nssdb but it was
> some time ago.
>
> I have reproduced the issue on Debian and after changing the access
> rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. ipa command
> needs to access the IPA CA certificate stored there to verify identity
> of FreeIPA server.
>
> I haven't seen this issue on Fedora so I'm adding Timo who is porting
> FreeIPA on debian. Timo have you met this issue?

The old package used to create /etc/pki/nssdb on postinst, but with 644
permissions so I'm not sure why they have 600 here. 4.1.4 in
experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
to unstable this week, which should fix this for good.

--
t
Re: [Freeipa-users] ipa -v ping lies about the cert database
Hi David,

> Hello Harri,
>
> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the
> permissions are set to:
>
> $ ls -dl /etc/ipa/nssdb/
> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>
> $ ls -l /etc/ipa/nssdb/
> total 80
> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>
> Please check the permission on your system. If it's different and you (or
> system admin) haven't changed it please file a ticket
> (https://fedorahosted.org/freeipa/newticket).
>

Sorry, I should have mentioned that the client runs Debian
with freeipa 4.0.5.

# ls -al /etc/ipa/
total 24
drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
-rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
-rw-r--r--   1 root root   194 Dec 29 08:32 default.conf


No nssdb. AFAICS only the ipa servers in my lan have a
directory /etc/ipa/nssdb (CentOS 7).

On the clients I can see a cert8.db in /etc/pki/nssdb.
Looking at the time stamp it seems to be related to freeipa.

# ls -al /etc/pki/nssdb/
total 76
drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
-rw------- 1 root root 65536 Dec 29 08:32 cert8.db
-rw------- 1 root root 16384 Dec 29 08:32 key3.db
-rw------- 1 root root 16384 Dec 29 08:32 secmod.db

No pwdfile.txt . I would guess the key database has been created
with --empty-password.

Does this look familiar, or is this misconfigured and weird?


Sorry for asking stupid questions, but the setup in my lan is
all I have. I have never had a chance to see another freeipa
installation. Hope you don't mind?


Regards
Harri
Re: [Freeipa-users] ipa -v ping lies about the cert database
On 15/04/16 11:42, Harald Dunkel wrote:
> Hi folks,
>
> If I run "kinit admin; ipa -v ping" as a regular user, then I get
>
> ipa: INFO: trying https://ipa2.example.com/ipa/json
> ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: INFO: trying https://ipa1.example.com/ipa/json
> ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json
>
> Using root there is no problem. Obviously this is a Unix access
> problem, not an old database.
>
> I would like to avoid running maintenance scripts as root, if
> possible. The error message doesn't include any path information,
> so I wonder how I can fix the access problem without opening the
> system too wide?
>
> Every helpful hint is highly appreciated
> Harri

Hello Harri,
the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the
permissions are set to:

$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permission on your system. If it's different and you (or
system admin) haven't changed it please file a ticket
(https://fedorahosted.org/freeipa/newticket).

--
David Kupka
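The two answers above (David's default listing for /etc/ipa/nssdb and, further up the thread, his "chmod ga+r /etc/pki/nssdb/*" fix with Timo's note that the Debian package created the files 0600 instead of 0644) describe the same diagnosis: NSS reports SEC_ERROR_LEGACY_DATABASE, which looks like a format problem, when an unprivileged user simply cannot read cert8.db, key3.db or secmod.db. The script below is an added example, not code from the thread or from the FreeIPA project. It checks the mode bits of those three files in whichever of the two directories named in the thread exists, reports the offenders, and runs a constructed demo on a throwaway directory when neither directory is present. The helper names (file_mode, nssdb_readable, find_nssdb, demo) are my own; pwdfile.txt is deliberately left out of the check because David's listing shows it 0600 by default and it must stay that way.

```shell
#!/bin/sh
# Added example (not from the thread): is the FreeIPA client NSS database
# readable by non-root users? The thread shows that 0600 root-owned
# cert8.db/key3.db/secmod.db make "ipa -v ping" fail for a regular user
# with the misleading SEC_ERROR_LEGACY_DATABASE message.

# Octal mode of a file; GNU stat first, BSD stat syntax as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Returns 0 when every database file in $1 has the "other read" bit set,
# 1 otherwise; prints one line per file that is missing or unreadable.
# pwdfile.txt is intentionally not checked: it is 0600 by design.
nssdb_readable() {
    dir=$1
    rc=0
    for f in cert8.db key3.db secmod.db; do
        p="$dir/$f"
        if [ ! -e "$p" ]; then
            echo "missing: $p"; rc=1; continue
        fi
        mode=$(file_mode "$p")
        # Last octal digit is the "other" class; read is the 4 bit.
        other=${mode#"${mode%?}"}
        case "$other" in
            4|5|6|7) ;;
            *) echo "not world-readable: $p (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# Directory the client uses: /etc/ipa/nssdb on newer clients,
# /etc/pki/nssdb on the old Debian 4.0.5 package from the thread.
find_nssdb() {
    for d in /etc/ipa/nssdb /etc/pki/nssdb; do
        if [ -f "$d/cert8.db" ]; then echo "$d"; return 0; fi
    done
    return 1
}

# Constructed demo: rebuild the 0600 layout from Harri's Debian client
# in a temporary directory, then apply the chmod from David's reply.
demo() {
    tmp=$(mktemp -d)
    for f in cert8.db key3.db secmod.db; do
        : > "$tmp/$f"; chmod 600 "$tmp/$f"
    done
    if nssdb_readable "$tmp"; then
        echo "unexpected: 0600 files reported readable"
    fi
    chmod go+r "$tmp"/*      # same effect as "chmod ga+r" in the thread
    if nssdb_readable "$tmp"; then
        echo "fixed: database in $tmp readable by non-root users"
    fi
    rm -rf "$tmp"
}

if real=$(find_nssdb); then
    echo "checking $real"
    nssdb_readable "$real" && echo "ok: $real readable by non-root users"
else
    echo "no client NSS database found; running constructed demo"
    demo
fi
```

Run it as any user; it only reads mode bits, so it gives the same verdict whether or not you are root, which is exactly what the raw "ipa -v ping" error does not. If it names a file under /etc/pki/nssdb, the fix from the thread is to restore the 0644 mode the package was meant to create on those three files, and nothing more.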
[Freeipa-users] ipa -v ping lies about the cert database
Hi folks,

If I run "kinit admin; ipa -v ping" as a regular user, then I get

ipa: INFO: trying https://ipa2.example.com/ipa/json
ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
ipa: INFO: trying https://ipa1.example.com/ipa/json
ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json

Using root there is no problem. Obviously this is a Unix access
problem, not an old database.

I would like to avoid running maintenance scripts as root, if
possible. The error message doesn't include any path information,
so I wonder how I can fix the access problem without opening the
system too wide?

Every helpful hint is highly appreciated
Harri