[Freeipa-users] ipa -v ping lies about the cert database

David Kupka dkupka at redhat.com
Fri Apr 15 12:15:28 UTC 2016


On 15/04/16 11:42, Harald Dunkel wrote:
> Hi folks,
>
> If I run "kinit admin; ipa -v ping" as a regular user, then I get
>
> ipa: INFO: trying https://ipa2.example.com/ipa/json
> ipa: INFO: Connection to https://ipa2.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: INFO: trying https://ipa1.example.com/ipa/json
> ipa: INFO: Connection to https://ipa1.example.com/ipa/json failed with (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.
> ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa2.example.com/ipa/json, https://ipa1.example.com/ipa/json
>
> Using root there is no problem. Obviously this is a Unix
> access problem, not an old database.
>
> I would like to avoid running maintenance scripts as root,
> if possible. The error message doesn't include any path
> information, so I wonder how I can fix the access problem
> without opening the system too wide?
>
>
> Every helpful hint is highly appreciated
> Harri
>
Hello Harri,

the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default 
the permissions are set to:

$ ls -dl /etc/ipa/nssdb/
drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/

$ ls -l /etc/ipa/nssdb/
total 80
-rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
-rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
-rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
-rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db

Please check the permissions on your system. If they are different and you 
(or your system admin) haven't changed them, please file a ticket 
(https://fedorahosted.org/freeipa/newticket).

-- 
David Kupka
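A repeatable version of the check David asks for, as an added example that is not code from this thread or from FreeIPA: it compares a directory against the default modes listed in the reply and, looking only at the "other" permission bits so the result does not depend on who runs it, reports whether a non-root user could open the database, which is the condition that surfaced as SEC_ERROR_LEGACY_DATABASE above. The helper build_sample_nssdb and its nssdb-sample temp directory are constructed stand-ins for offline testing and carry no real NSS data; the script file name is assumed.

```python
import os
import stat
import tempfile

# Default layout of /etc/ipa/nssdb as listed in the reply above.
NSSDB_DIR = "/etc/ipa/nssdb"
EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODES = {
    "cert8.db": 0o644,     # certificates: readable by everyone
    "key3.db": 0o644,      # key database: readable by everyone in the default layout
    "secmod.db": 0o644,    # PKCS#11 module database
    "pwdfile.txt": 0o600,  # NSS DB password: root only; regular users work without it
}
# Files an unprivileged "ipa" invocation must be able to read.
CLIENT_READ_FILES = ("cert8.db", "key3.db", "secmod.db")


def check_nssdb(path=NSSDB_DIR):
    """Compare the directory and file modes against the defaults.

    Returns a list of human-readable deviations; an empty list means the
    defaults hold exactly. SELinux labels (the trailing "." in ls output)
    are not examined.
    """
    problems = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if mode != EXPECTED_DIR_MODE:
        problems.append(f"{path}: mode {mode:04o}, expected {EXPECTED_DIR_MODE:04o}")
    for name, want in EXPECTED_FILE_MODES.items():
        full = os.path.join(path, name)
        try:
            fst = os.stat(full)
        except FileNotFoundError:
            problems.append(f"{full}: missing")
            continue
        got = stat.S_IMODE(fst.st_mode)
        if got != want:
            problems.append(f"{full}: mode {got:04o}, expected {want:04o}")
    return problems


def unprivileged_client_can_open(path=NSSDB_DIR):
    """True if a user who is neither root nor the owner can traverse the
    directory and read the three database files. Only the "other" bits are
    considered, so running this as root gives the same answer as running it
    as a regular user."""
    try:
        if not stat.S_IMODE(os.stat(path).st_mode) & stat.S_IXOTH:
            return False
        for name in CLIENT_READ_FILES:
            m = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
            if not m & stat.S_IROTH:
                return False
    except FileNotFoundError:
        return False
    return True


def build_sample_nssdb(overrides=None):
    """Constructed stand-in for /etc/ipa/nssdb: empty files in a temp dir
    carrying only the default modes. `overrides` maps a file name, or "."
    for the directory, to a mode that replaces the default, so a broken
    setup can be reproduced for testing. Returns the directory path."""
    overrides = overrides or {}
    d = tempfile.mkdtemp(prefix="nssdb-sample-")
    for name, mode in EXPECTED_FILE_MODES.items():
        full = os.path.join(d, name)
        with open(full, "wb"):
            pass
        os.chmod(full, overrides.get(name, mode))
    os.chmod(d, overrides.get(".", EXPECTED_DIR_MODE))
    return d


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else NSSDB_DIR
    for line in check_nssdb(target):
        print(line)
    print("unprivileged client can open:", unprivileged_client_can_open(target))
```

Run it as `python3 check_nssdb.py` on the client, or pass another directory as the first argument. An empty deviation list with "can open: True" means the layout matches the reply; a listed file with mode 0600 or a directory without o+x is the access problem to fix, which needs only restoring the default mode of that one entry rather than widening anything else.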



