ipa-replica-install with softhsm should check permission/ownership of /var/lib/softhsm/tokens to avoid install failure.
Currently we are adding pkiuser to group ods; if that is missing on the replica/server, the installation would fail. strace shows the error below: /var/lib/softhsm/tokens", 0x7fff117d7a00, 0) = -1 EACCES (Permission denied), which is caused by pkiuser not being a member of the ods group.
org.mozilla.jss.NoSuchTokenException: No such token: ipa_token
    at org.mozilla.jss.CryptoManager.getTokenByName(CryptoManager.java:198)
    at com.netscape.cmsutil.crypto.CryptoUtil.getKeyStorageToken(CryptoUtil.java:404)
    at com.netscape.cmstools.cli.MainCLI.init(MainCLI.java:549)
    at com.netscape.cmstools.nss.NSSCertImportCLI.execute(NSSCertImportCLI.java:69)
    at org.dogtagpki.cli.CommandCLI.execute(CommandCLI.java:58)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at org.dogtagpki.cli.CLI.execute(CLI.java:353)
    at com.netscape.cmstools.cli.MainCLI.execute(MainCLI.java:659)
    at com.netscape.cmstools.cli.MainCLI.main(MainCLI.java:698)
DEBUG: NSSDatabase.import_cert_chain(caSigningCert External CA) ends
Try to check permission to avoid this issue.
freeipa-server-4.12.1-1.fc41.x86_64
389-ds-base-3.1.0-10.fc41.x86_64
dogtag-pki-ca-11.5.0-3.fc41.1.noarch
krb5-server-1.21.2-5.fc40.x86_64
softhsm-2.6.1-9.fc40.x86_64
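A pre-flight check of the kind this ticket asks for, as an added example (it is not the code from the FreeIPA PR). The function names are hypothetical, the defaults `pkiuser`, `ods` and `/var/lib/softhsm/tokens` come from the ticket, and only classic mode bits are evaluated, not ACLs or SELinux.

```python
import grp
import os
import pwd
import stat


def has_dir_access(mode, owner_uid, owner_gid, uid, gids):
    """True if (uid, gids) may list and enter a directory, by mode bits only.

    Uses the kernel's class order: owner, then group, then other.
    ACLs, capabilities and SELinux are not evaluated.
    """
    if uid == 0:
        return True
    if uid == owner_uid:
        shift = 6
    elif owner_gid in gids:
        shift = 3
    else:
        shift = 0
    return ((mode >> shift) & 0o5) == 0o5  # needs both r and x


def check_token_dir(path="/var/lib/softhsm/tokens", user="pkiuser", group="ods"):
    """Return a list of problems; an empty list means the check passed."""
    try:
        pw = pwd.getpwnam(user)
    except KeyError:
        return [f"user {user} does not exist"]
    gids = set(os.getgrouplist(user, pw.pw_gid))
    problems = []
    try:
        if grp.getgrnam(group).gr_gid not in gids:
            problems.append(f"{user} is not a member of group {group}")
    except KeyError:
        problems.append(f"group {group} does not exist")
    try:
        st = os.stat(path)
    except OSError as exc:
        return problems + [f"cannot stat {path}: {exc.strerror}"]
    if not stat.S_ISDIR(st.st_mode):
        problems.append(f"{path} is not a directory")
    elif not has_dir_access(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids):
        problems.append(f"{user} lacks r-x on {path} (mode {stat.filemode(st.st_mode)})")
    return problems


if __name__ == "__main__":
    for problem in check_token_dir():
        print("FAIL:", problem)
```

Run as root before the CA configuration step; any reported problem predicts the EACCES and the resulting `No such token` failure described above.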
Metadata Update from @rcritten: - Issue assigned to rcritten
PR https://github.com/freeipa/freeipa/pull/7435
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-52222, https://issues.redhat.com/browse/RHEL-52223
ipa-4-12:
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)