18.04.2016, 10:14, David Kupka wrote:
> On 15/04/16 15:16, Harald Dunkel wrote:
>> Hi David,
>>
>>> Hello Harri,
>>>
>>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by
>>> default the permissions are set to:
>>>
>>> $ ls -dl /etc/ipa/nssdb/
>>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>>
>>> $ ls -l /etc/ipa/nssdb/
>>> total 80
>>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>>
>>> Please check the permissions on your system. If they're different and you
>>> (or the system admin) haven't changed them, please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket).
>>>
>>
>> Sorry, I should have mentioned that the client runs Debian
>> with freeipa 4.0.5.
>>
>> # ls -al /etc/ipa/
>> total 24
>> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
>> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
>> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>>
>> No nssdb. AFAICS only the ipa servers in my lan have a
>> directory /etc/ipa/nssdb (CentOS 7).
>>
>> On the clients I can see a cert8.db in /etc/pki/nssdb.
>> Looking at the time stamp it seems to be related to freeipa.
>>
>> # ls -al /etc/pki/nssdb/
>> total 76
>> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
>> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
>> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
>> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>>
>> No pwdfile.txt. I would guess the key database has been created
>> with --empty-password.
>>
>> Does this look familiar, or is this misconfigured and weird?
>>
>> Sorry for asking stupid questions, but the setup in my lan is
>> all I have. I have never had a chance to see another freeipa
>> installation. Hope you don't mind?
>>
>> Regards
>> Harri
>>
>
> Hello Harri,
> actually the version and OS information makes a difference :-)
>
> Older versions of the FreeIPA client used the NSSDB in /etc/pki/nssdb. I
> don't recall at what version we switched to /etc/ipa/nssdb, but it was
> some time ago.
>
> I have reproduced the issue on Debian and after changing the access
> rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command
> needs to access the IPA CA certificate stored there to verify the identity
> of the FreeIPA server.
>
> I haven't seen this issue on Fedora, so I'm adding Timo who is porting
> FreeIPA to Debian. Timo, have you met this issue?
The old package used to create /etc/pki/nssdb on postinst, but with 644
permissions, so I'm not sure why they have 600 here. 4.1.4 in experimental
migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1 to unstable this
week, which should fix this for good.

-- 
t

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
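A small audit script for the permission problem discussed in this thread, added here as an example; it is not part of the list discussion or of the FreeIPA project. The two candidate directories (/etc/ipa/nssdb for current clients, /etc/pki/nssdb for older ones) and the three database file names come from the listings quoted above; the script itself, its function names and its use of GNU coreutils `stat -c` (Linux) are my own assumptions. It reports any of cert8.db, key3.db or secmod.db that an unprivileged user cannot read, which is the condition that breaks the ipa command's verification of the server's CA certificate. pwdfile.txt is deliberately not checked: it is expected to stay mode 600.

```shell
#!/bin/sh
# Added example: audit the FreeIPA client NSS database for the
# read-permission problem described in the thread. Assumes GNU coreutils
# stat (Linux). Directory and file names are taken from the thread.

# The three NSS database files the ipa client must be able to read.
NSSDB_FILES="cert8.db key3.db secmod.db"

# Candidate locations: current client layout first, then the old one.
NSSDB_CANDIDATES="/etc/ipa/nssdb /etc/pki/nssdb"

# other_readable FILE: succeed if the "other" read bit (o+r) is set.
other_readable() {
    mode=$(stat -c '%a' "$1") || return 1
    other=$(( mode % 10 ))          # last octal digit = permissions for "other"
    [ $(( other & 4 )) -ne 0 ]      # 4 is the read bit
}

# check_nssdb_perms DIR: print each database file that is missing or not
# world-readable. Returns 0 when all three files are world-readable, 1 otherwise.
check_nssdb_perms() {
    dir=$1
    rc=0
    for f in $NSSDB_FILES; do
        path="$dir/$f"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"
            rc=1
        elif ! other_readable "$path"; then
            echo "NOT WORLD-READABLE $path (mode $(stat -c '%a' "$path"))"
            rc=1
        fi
    done
    return $rc
}

# find_nssdb: print the first candidate directory that exists on this host.
find_nssdb() {
    for d in $NSSDB_CANDIDATES; do
        if [ -d "$d" ]; then
            echo "$d"
            return 0
        fi
    done
    return 1
}

# Stand-alone run: locate the NSS db and audit it. A failing audit prints the
# offending files; fixing them is the chmod from the thread (chmod ga+r on the
# three db files), which this script intentionally does not do by itself.
if nssdb=$(find_nssdb); then
    check_nssdb_perms "$nssdb" && echo "OK $nssdb"
else
    echo "no NSS database found in: $NSSDB_CANDIDATES"
fi
```

Run it as any unprivileged user on the client; a clean result prints `OK` followed by the directory. Because it only reads, it is safe to put in a configuration check or monitoring job, and a `MISSING` line for all three files usually means the client is on the other of the two layouts than expected.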
