[Freeipa-users] Solaris 10 client configuration using profile

Rob Crittenden rcritten at redhat.com
Tue Oct 28 22:29:35 UTC 2014


Rob Crittenden wrote:
> sipazzo wrote:
>> Yes I did generate the database on the IPA server and copied it over. I thought that was what the instructions indicated to do:
> 
> So NSS is not known for the greatest error messages. The error you're
> seeing, SEC_ERROR_LEGACY_DATABASE, can happen for any number of reasons,
> including there being no database at all or there is a database but the
> wrong version. So using native tools was a shot in the dark.
> 
> truss might be of some help here to figure out what it is trying to open.

Replying to myself.

Check /etc/nsswitch.conf. I'll bet you've got ldap defined for every
service. If so, this is the reason.

What you need to do is edit /etc/nsswitch.ldap and replace at least
hosts and ipnodes with:

hosts:		files dns
ipnodes:	files dns

Now, to back out what you've done, I'd do this:

- edit /etc/nsswitch.conf and do the above hosts & ipnodes replacement
- ldapclient -v uninit
- edit /etc/nsswitch.ldap and fix it up
- re-run ldapclient -v init <options>

That should do the trick. It did for me anyway.

Note that the BZ instructions have that openssl PEM conversion thing.
That isn't necessary as the CA is already in PEM format.

rob
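
An added example, not part of the original post: a small check to run before `ldapclient -v init` that reports whether hosts or ipnodes in an nsswitch file still list ldap as a source. The function names, the `AWK` variable and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Flags hosts/ipnodes entries in an
# nsswitch file that list ldap as a source.
# Assumption: an awk with sub()/gsub() is available; on Solaris 10 that means
# AWK=nawk or AWK=/usr/xpg4/bin/awk rather than the old /usr/bin/awk.
AWK=${AWK:-awk}

# check_nsswitch FILE -> 0 clean, 1 ldap found for hosts/ipnodes, 2 unreadable
check_nsswitch() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    "$AWK" '
        { sub(/#.*/, "") }                      # strip trailing comments
        {
            n = index($0, ":")
            if (n == 0) next                    # not a "database: sources" line
            db = substr($0, 1, n - 1); gsub(/[ \t]/, "", db)
            if (db != "hosts" && db != "ipnodes") next
            cnt = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= cnt; i++)          # criteria such as [NOTFOUND=return] never match
                if (src[i] == "ldap") { print db ": ldap listed as a source"; bad = 1; break }
        }
        END { exit (bad ? 1 : 0) }
    ' "$file"
}

# demo: run the check on two constructed sample files
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'passwd:  files ldap' \
        'hosts:   ldap [NOTFOUND=return] files' \
        'ipnodes: ldap [NOTFOUND=return] files' > "$dir/nsswitch.bad"
    printf '%s\n' 'passwd:  files ldap' \
        'hosts:   files dns' \
        'ipnodes: files dns' > "$dir/nsswitch.good"
    for f in "$dir/nsswitch.bad" "$dir/nsswitch.good"; do
        rc=0; check_nsswitch "$f" || rc=$?
        echo "$f -> exit $rc"
    done
    rm -rf "$dir"
}

case ${1:-} in
    "")     ;;                                  # sourced or run without arguments
    --demo) demo ;;
    *)      check_nsswitch "$1" ;;              # e.g. /etc/nsswitch.ldap
esac
```

Run it against both /etc/nsswitch.conf and /etc/nsswitch.ldap, since `ldapclient init` copies the latter over the former.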



