On 7/22/19 12:22 AM, Ben Schofield via FreeIPA-users wrote:

Hi,

I would check the permissions of the file /etc/ipa/ca.crt on the client (the host where you run ipa user-find). 0644 is expected. If SELinux is enabled, it should have unconfined_u:object_r:etc_t:s0. Does this file contain the self-signed CA?

You can also have a look at the permissions of the files in /var/lib/ipa-client/pki:

# ls -l /var/lib/ipa-client/pki
total 8
-rw-r--r--. 1 root root 3034 Jul 22 10:04 ca-bundle.pem
-rw-r--r--. 1 root root 3034 Jul 22 10:04 kdc-ca-bundle.pem

These files should also contain the self-signed CA.

flo
Hi flo,
I ran the command "ipa user-find" on the server itself, and was able to successfully list all users. Permissions of the ca.crt are also the expected 0644:

-rw-r--r-- 1 root root 1302 Jun 26 15:38 ca.crt

Yes, this file contains the self-signed CA.

SELinux is disabled on the server and clients.

Permissions of the files in /var/lib/ipa-client/pki are also the expected 0644:

-rw-r--r-- 1 root root 1302 Jun 26 15:41 ca-bundle.pem
-rw-r--r-- 1 root root 1302 Jun 26 15:41 kdc-ca-bundle.pem

They also contain the same self-signed CA.

Yusuf
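
The checks discussed in this thread (mode 0644 on /etc/ipa/ca.crt and on the two bundles in /var/lib/ipa-client/pki, and the same CA present in each) written as one script. This is an added example, not part of the original messages or of FreeIPA's own tooling; the function names and the optional ROOT prefix are assumptions, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example. Paths are the ones named in the thread; function names and
# the optional ROOT prefix (for testing against a copy) are hypothetical.

# Octal mode of a file (GNU stat, as shipped on typical IPA client distros).
file_mode() { stat -c '%a' "$1"; }

# Base64 body of the first certificate in a PEM file, whitespace removed.
first_cert_body() {
    awk '/-----BEGIN CERTIFICATE-----/ {on = 1; next}
         /-----END CERTIFICATE-----/   {if (on) exit}
         on {gsub(/[ \t\r]/, ""); printf "%s", $0}' "$1"
}

# Succeeds if any certificate in bundle $2 equals the first certificate in $1.
# This is a textual PEM comparison, not certificate validation.
bundle_contains_ca() {
    want=$(first_cert_body "$1")
    [ -n "$want" ] || return 2
    awk -v want="$want" '
        /-----BEGIN CERTIFICATE-----/ {on = 1; body = ""; next}
        /-----END CERTIFICATE-----/   {if (on && body == want) found = 1; on = 0; next}
        on {gsub(/[ \t\r]/, ""); body = body $0}
        END {exit found ? 0 : 1}' "$2"
}

# check_ca_file REF FILE: passes only if FILE is readable, mode 644, and holds REF's CA.
check_ca_file() {
    ref=$1; f=$2
    [ -r "$f" ] || { echo "FAIL $f: missing or unreadable"; return 1; }
    mode=$(file_mode "$f")
    [ "$mode" = "644" ] || { echo "FAIL $f: mode $mode, expected 644"; return 1; }
    bundle_contains_ca "$ref" "$f" || { echo "FAIL $f: CA from $ref not found"; return 1; }
    echo "OK   $f"
}

# check_ipa_client [ROOT]: check the three files discussed in the thread.
check_ipa_client() {
    root=${1:-}; rc=0
    ca="$root/etc/ipa/ca.crt"
    for p in "$ca" "$root/var/lib/ipa-client/pki/ca-bundle.pem" \
             "$root/var/lib/ipa-client/pki/kdc-ca-bundle.pem"; do
        check_ca_file "$ca" "$p" || rc=1
    done
    return $rc
}

if [ "${1:-}" = "--run" ]; then check_ipa_client; fi
```

Run it with --run on the client where the ipa command fails; one line is printed per file, and the exit status is non-zero if any check fails.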