[Freeipa-users] ipa -v ping lies about the cert database

Timo Aaltonen tjaalton at ubuntu.com
Mon Apr 18 12:08:25 UTC 2016


18.04.2016, 10:14, David Kupka wrote:
> On 15/04/16 15:16, Harald Dunkel wrote:
>> Hi David,
>>
>>> Hello Harri,
>>>
>>> the FreeIPA certificate database is stored in /etc/ipa/nssdb, by
>>> default the permissions are set to:
>>>
>>> $ ls -dl /etc/ipa/nssdb/
>>> drwxr-xr-x. 2 root root 73 Apr 15 14:00 /etc/ipa/nssdb/
>>>
>>> $ ls -l /etc/ipa/nssdb/
>>> total 80
>>> -rw-r--r--. 1 root root 65536 Apr 15 14:00 cert8.db
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 key3.db
>>> -rw-------. 1 root root    40 Apr 15 14:00 pwdfile.txt
>>> -rw-r--r--. 1 root root 16384 Apr 15 14:00 secmod.db
>>>
>>> Please check the permission on your system. If it's different and you
>>> (or system admin) haven't changed it please file a ticket
>>> (https://fedorahosted.org/freeipa/newticket).
>>>
>>
>> Sorry, I should have mentioned that the client runs Debian
>> with freeipa 4.0.5.
>>
>> # ls -al /etc/ipa/
>> total 24
>> drwxr-xr-x   2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 190 root root 12288 Apr 15 12:44 ..
>> -rw-r--r--   1 root root  1792 Dec 29 08:32 ca.crt
>> -rw-r--r--   1 root root   194 Dec 29 08:32 default.conf
>>
>>
>> No nssdb. AFAICS only the ipa servers in my lan have a
>> directory /etc/ipa/nssdb (CentOS 7).
>>
>> On the clients I can see a cert8.db in /etc/pki/nssdb.
>> Looking at the time stamp it seems to be related to freeipa.
>>
>> # ls -al /etc/pki/nssdb/
>> total 76
>> drwxr-xr-x 2 root root  4096 Dec 29 08:32 .
>> drwxr-xr-x 3 root root  4096 Dec 28 16:09 ..
>> -rw------- 1 root root 65536 Dec 29 08:32 cert8.db
>> -rw------- 1 root root 16384 Dec 29 08:32 key3.db
>> -rw------- 1 root root 16384 Dec 29 08:32 secmod.db
>>
>> No pwdfile.txt. I would guess the key database has been created
>> with --empty-password.
>>
>> Does this look familiar, or is this misconfigured and weird?
>>
>>
>> Sorry for asking stupid questions, but the setup in my lan is
>> all I have. I have never had a chance to see another freeipa
>> installation. Hope you don't mind?
>>
>>
>> Regards
>> Harri
>>
> 
> Hello Harri,
> actually the version and OS information make a difference :-)
> 
> Older versions of the FreeIPA client used an NSSDB in /etc/pki/nssdb. I
> don't recall at what version we switched to /etc/ipa/nssdb, but it was
> some time ago.
> 
> I have reproduced the issue on Debian and after changing the access
> rights (# chmod ga+r /etc/pki/nssdb/*) it works for me. ipa command
> needs to access the IPA CA certificate stored there to verify identity
> of FreeIPA server.
> 
> I haven't seen this issue on Fedora so I'm adding Timo, who is porting
> FreeIPA to Debian. Timo, have you met this issue?

The old package used to create /etc/pki/nssdb on postinst, but with 644
permissions so I'm not sure why they have 600 here. 4.1.4 in
experimental migrated to /etc/ipa/nssdb, and I'm about to upload 4.3.1
to unstable this week, which should fix this for good.



-- 
t
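An added check script illustrating the permission problem discussed above (not code from the thread or from FreeIPA itself): it verifies that the NSS database files in a FreeIPA client's NSSDB are readable by the unprivileged user running the ipa CLI, while pwdfile.txt, if present, stays root-only. The directory paths and the file names are the ones quoted in the thread; the function name check_nssdb_perms is an assumption.

```shell
#!/bin/sh
# Added example: audit NSSDB permissions on a FreeIPA client.
# Old clients keep the NSSDB in /etc/pki/nssdb, newer ones in /etc/ipa/nssdb.
# The ipa command, running as a normal user, must be able to read the IPA CA
# certificate in cert8.db, so the *.db files need the "other" read bit; the
# password file pwdfile.txt must remain 0600 root-only.

# Print the rwxrwxrwx mode string of a path (works without GNU stat).
mode_of() {
    ls -ld "$1" | awk '{print substr($1, 2, 9)}'
}

# check_nssdb_perms DIR
# Prints one line per finding; returns 0 when the directory looks sane, 1 otherwise.
check_nssdb_perms() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "$dir: directory missing"; return 1; }
    for f in cert8.db key3.db secmod.db; do
        [ -f "$dir/$f" ] || { echo "$dir/$f: missing"; rc=1; continue; }
        m=$(mode_of "$dir/$f")
        case "$m" in
            ??????r??) ;;   # world-readable, as in the reference listing (0644)
            *) echo "$dir/$f: mode $m is not world-readable; ipa as non-root cannot read the CA cert"
               rc=1 ;;
        esac
    done
    if [ -f "$dir/pwdfile.txt" ]; then
        m=$(mode_of "$dir/pwdfile.txt")
        case "$m" in
            rw-------) ;;   # expected 0600
            *) echo "$dir/pwdfile.txt: mode $m should be rw------- (0600)"; rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: ./nssdb_check.sh /etc/pki/nssdb /etc/ipa/nssdb
status=0
for d in "$@"; do
    check_nssdb_perms "$d" || status=1
done
```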