-
Bug
-
Resolution: Done-Errata
-
Normal
-
rhel-9.5
-
ipa-4.12.0-7.el9
-
No
-
None
-
3
-
rhel-sst-idm-ipa
-
ssg_idm
-
24
-
26
-
1
-
QE ack, Dev ack
-
False
-
-
No
-
2024-Q3-Alpha-S3, 2024-Q3-Alpha-S4, 2024-Q3-Alpha-S5
-
Pass
-
Automated
-
Unspecified Release Note Type - Unknown
-
None
Cloned from: https://pagure.io/freeipa/issue/9626

### Issue

ipa-replica-install with softhsm should check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.

#### Steps to Reproduce

1. Install IPA server
2. Copy the token from IPA server to Replica
3. Install replica using the token.

#### Actual behavior

Currently we are adding pkiuser to group ods; if that is missing on replica/server, the installation would fail. strace shows the below error

```
/var/lib/softhsm/tokens", 0x7fff117d7a00, 0) = -1 EACCES (Permission denied)
```

which is caused by pkiuser not being a member of the ods group.

```
org.mozilla.jss.NoSuchTokenException: No such token: ipa_token
    at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:198)
    at com.netscape.cmsutil.crypto.CryptoUtil.getKeyStorageToken(CryptoUtil.java:404)
    at com.netscape.cmstools.cli.MainCLI.init(MainCLI.java:549)
    at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:69)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends
```

#### Expected behavior

Try to check permission to avoid this issue.

#### Version/Release/Distribution

- freeipa-server-4.12.1-1.fc41.x86_64
- 389-ds-base-3.1.0-10.fc41.x86_64
- dogtag-pki-ca-11.5.0-3.fc41.1.noarch
- krb5-server-1.21.2-5.fc40.x86_64
- softhsm-2.6.1-9.fc40.x86_64
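A pre-install check of the kind the report asks for, as an added example that is not FreeIPA's code or the fix shipped for this issue. The path and the `pkiuser` account come from the report; the function names and the mode-bits-only evaluation (no ACLs, no SELinux, no parent directories) are assumptions of this sketch.

```python
import grp
import os
import pwd
import stat
import sys

TOKEN_DIR = "/var/lib/softhsm/tokens"   # path from the strace output in the report
PKI_USER = "pkiuser"                    # account named in the report


def dir_access_problems(path, uid, gids):
    """Return reasons why a process with uid/gids cannot list and enter path.

    Only classic mode bits are evaluated; POSIX ACLs, SELinux and
    parent-directory permissions are out of scope for this sketch.
    """
    try:
        st = os.stat(path)
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{path}: not a directory"]
    if uid == 0:
        return []  # root bypasses discretionary checks
    # The kernel applies exactly one triplet: owner, else group, else other.
    if uid == st.st_uid:
        who, bits = "owner", (st.st_mode >> 6) & 0o7
    elif st.st_gid in gids:
        who, bits = "group", (st.st_mode >> 3) & 0o7
    else:
        who, bits = "other", st.st_mode & 0o7
    if (bits & 0o5) != 0o5:  # r-x needed to read and traverse the directory
        return [f"{path}: uid {uid} falls under '{who}' bits {bits:o} of mode "
                f"{stat.S_IMODE(st.st_mode):o} (owner uid {st.st_uid}, gid {st.st_gid})"]
    return []


def preflight(path=TOKEN_DIR, username=PKI_USER):
    """Resolve username to uid and group set, then check access to path."""
    try:
        pw = pwd.getpwnam(username)
    except KeyError:
        return [f"user {username!r} does not exist"]
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    return dir_access_problems(path, pw.pw_uid, gids)


if __name__ == "__main__":
    found = preflight()
    print("\n".join(found) or "token directory is accessible")
    sys.exit(1 if found else 0)
```

Run as root on the replica before `ipa-replica-install`; a non-zero exit with an "other" triplet in the message corresponds to the missing group membership described above.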
- links to
-
RHSA-2024:131668 ipa bug fix and enhancement update