On 7/22/19 12:22 AM, Ben Schofield via FreeIPA-users wrote:
Hi,
I would check the permissions of the file /etc/ipa/ca.crt on the client
(the host where you run ipa user-find). 0644 is expected. If SELinux is
enabled, it should have unconfined_u:object_r:etc_t:s0.
Does this file contain the self-signed CA?
You can also have a look at the permissions of the files in
/var/lib/ipa-client/pki:
# ls -l /var/lib/ipa-client/pki
total 8
-rw-r--r--. 1 root root 3034 Jul 22 10:04 ca-bundle.pem
-rw-r--r--. 1 root root 3034 Jul 22 10:04 kdc-ca-bundle.pem
These files should also contain the self-signed CA.
flo
Hi flo,
I ran the command "ipa user-find" on the server itself, and was able to
successfully list all users.
Permissions of the ca.crt are also as expected, 0644
-rw-r--r-- 1 root root 1302 Jun 26 15:38 ca.crt
Yes, this file contains the self-signed CA.
SELinux is disabled on the server and clients.
Permissions of the files in /var/lib/ipa-client/pki are also as expected, 0644
-rw-r--r-- 1 root root 1302 Jun 26 15:41 ca-bundle.pem
-rw-r--r-- 1 root root 1302 Jun 26 15:41 kdc-ca-bundle.pem
They also contain the same self-signed CA.
Yusuf
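
The checks discussed in this thread (mode 0644 on /etc/ipa/ca.crt and on the two bundles, and the same CA present in all three) can be scripted. The following is an added example, not part of the original messages or of FreeIPA; the function names and the optional root-prefix argument are assumptions of the example, and it compares the base64 bodies of the PEM blocks rather than parsing the certificates.

```shell
#!/bin/sh
# Added example, not from the thread. Checks the client trust files it names.

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print each PEM certificate in file $1 as a single base64 line, so line
# wrapping and text outside the PEM armor do not affect the comparison.
pem_bodies() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; body = ""; next }
        /-----END CERTIFICATE-----/   { if (inside) print body; inside = 0; next }
        inside { gsub(/[ \t\r]/, ""); body = body $0 }
    ' "$1"
}

# Return 0 if every certificate in $1 is also in $2, 1 if one is missing,
# 2 if $1 holds no certificate at all.
bundle_contains_ca() {
    ref=$(pem_bodies "$1")
    [ -n "$ref" ] || return 2
    bundle=$(pem_bodies "$2")
    for cert in $ref; do
        printf '%s\n' "$bundle" | grep -Fxq -- "$cert" || return 1
    done
}

# Check one file: readable, mode 644, and containing the CA from $1.
check_trust_file() {
    ca=$1; target=$2
    [ -r "$target" ] || { echo "MISSING $target"; return 1; }
    mode=$(file_mode "$target")
    [ "$mode" = 644 ] || { echo "MODE    $target is $mode, expected 644"; return 1; }
    bundle_contains_ca "$ca" "$target" || { echo "NO-CA   $target"; return 1; }
    echo "OK      $target"
}

# Check the three files from the thread. $1 is an optional root prefix
# (an assumption of this example, for running against a copied tree).
check_ipa_client_trust() {
    root=${1:-}; rc=0
    for f in /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem \
             /var/lib/ipa-client/pki/kdc-ca-bundle.pem; do
        check_trust_file "$root/etc/ipa/ca.crt" "$root$f" || rc=1
    done
    return "$rc"
}
```

Source the file and call check_ipa_client_trust on the client; a non-zero return means at least one file is missing, has a mode other than 644, or lacks the CA found in /etc/ipa/ca.crt.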