[Freeipa-users] ipa -v ping lies about the cert database

David Kupka dkupka at redhat.com
Mon Apr 18 07:14:27 UTC 2016


On 15/04/16 15:16, Harald Dunkel wrote:
> Hi David,
>
>> Hello Harri,
>>
>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by default the permissions are set to:
>>
>> $ ls -dl /etc/ipa/nssdb/
>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>
>> $ ls -l /etc/ipa/nssdb/
>> total 80
>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>
>> Please check the permissions on your system. If they are different and you (or the system admin) haven't changed them, please file a ticket (https://fedorahosted.org/freeipa/newticket).
>>
>
> Sorry, I should have mentioned that the client runs Debian
> with freeipa 4.0.5.
>
> # ls -al /etc/ipa/
> total 24
> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>
>
> No nssdb. AFAICS only the ipa servers in my lan have a
> directory /etc/ipa/nssdb (CentOS 7).
>
> On the clients I can see a cert8.db in /etc/pki/nssdb.
> Looking at the time stamp it seems to be related to freeipa.
>
> # ls -al /etc/pki/nssdb/
> total 76
> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>
> No pwdfile.txt . I would guess the key database has been created
> with --empty-password.
>
> Does this look familiar, or is this misconfigured and weird?
>
>
> Sorry for asking stupid questions, but the setup in my lan is
> all I have. I have never had a chance to see another freeipa
> installation. Hope you don't mind?
>
>
> Regards
> Harri
>

Hello Harri,
Actually, the version and OS information makes a difference :-)

Older versions of the FreeIPA client used the NSSDB in /etc/pki/nssdb; I 
don't recall at which version we switched to /etc/ipa/nssdb, but it was 
some time ago.

I have reproduced the issue on Debian, and after changing the access 
rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. The ipa command 
needs to access the IPA CA certificate stored there to verify the identity 
of the FreeIPA server.

I haven't seen this issue on Fedora, so I'm adding Timo, who is porting 
FreeIPA to Debian. Timo, have you met this issue?

-- 
David Kupka
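An added check, not from the thread or the FreeIPA project, that reports NSS database files the unprivileged ipa command cannot read, following the modes shown in the thread: cert8.db, key3.db and secmod.db should be world-readable, while pwdfile.txt stays root-only. It assumes GNU stat and the two directory names mentioned above.

```shell
#!/bin/sh
# Added example (not from the thread): report NSS database files that a
# non-root "ipa" invocation cannot read. Expected modes follow David's
# listing: cert8.db, key3.db, secmod.db 0644; pwdfile.txt 0600.
# Assumes GNU stat (-c '%a'), as on Debian and CentOS.

# Print one line per problem found in DIR; return 0 if none, 1 otherwise.
check_nssdb_perms() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: no such directory"
        return 1
    fi
    for f in cert8.db key3.db secmod.db; do
        path=$dir/$f
        if [ ! -e "$path" ]; then
            echo "$path: missing"
            rc=1
            continue
        fi
        mode=$(stat -c '%a' "$path")
        # The last octal digit is "other"; the read bit (4) must be set
        case $mode in
            *[4567]) ;;
            *) echo "$path: mode $mode is not world-readable (expected 644)"; rc=1 ;;
        esac
    done
    # pwdfile.txt, when present, holds the DB password and must stay private
    if [ -e "$dir/pwdfile.txt" ]; then
        mode=$(stat -c '%a' "$dir/pwdfile.txt")
        case $mode in
            600) ;;
            *) echo "$dir/pwdfile.txt: mode $mode, expected 600"; rc=1 ;;
        esac
    fi
    return $rc
}

# Check whichever of the two locations from the thread exists on this host.
for d in /etc/ipa/nssdb /etc/pki/nssdb; do
    if [ -d "$d" ]; then
        check_nssdb_perms "$d" && echo "$d: permissions look fine"
    fi
done
```

Run it as root to see the same view the ipa client gets on a Debian 4.0.5 client; each reported file is one `chmod` away from the modes in the thread.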
