Bug 618897

Summary: rhds82 - manage cert with several instance and uid - cannot open nss db if instance created from console
Product: Red Hat Directory Server Reporter: Marc Sauton <msauton>
Component: UI - ConfigurationAssignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.2CC: amsharma, dlackey, jgalipea, nkinder, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-06 14:37:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 434915    
Attachments:
Description Flags
Patch nkinder: review?, rmeggins: review+

Description Marc Sauton 2010-07-28 01:43:24 UTC
Description of problem:

cannot manage certificates with the console when having several instance running with different uid, even when using the same primary group
cannot open nss db
the file and directory permissions are not correct in /etc/dirsrv/

related to
bugzilla number 455629 with summary
rhds80 - multiple instance uid's - cannot manage cert and keys
which had been fixed in 8.1 and was working


Version-Release number of selected component (if applicable):

redhat-ds-8.2.0-2.el5dsrv
redhat-ds-base-8.2.0-12.el5dsrv
redhat-ds-console-8.2.0-4.el5dsrv
redhat-ds-admin-8.2.0-3.el5dsrv


How reproducible:
always


Steps to Reproduce:

1. groupadd -r ldap1
useradd -r -g ldap1 ldap1
grep ldap /etc/passwd /etc/group
/etc/passwd:ldap1:x:101:102::/home/ldap1:/bin/bash
/etc/group:ldap1:x:102:

2. /usr/sbin/setup-ds-admin.pl --silent --file=/root/HowTo-ds82.ms2-test2.lab.sjc.redhat.com.1instance.389.8888.inf

3. verify I can manage cert in console works ok

4. useradd -r -g ldap1 ldap2

5. create a second instance in console, as a test, can be silent install

6. verify I can manage cert in console for second instance, broken with "Unexpected Failure - Unable to open certificate database."

  
Actual results:

console debug output

CommManager> New CommRecord (http://ms2-test2.lab.sjc.redhat.com:8888/admin-serv/tasks/configuration/SecurityOp)
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] open> Ready
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] accept> http://ms2-test2.lab.sjc.redhat.com:8888/admin-serv/tasks/configuration/SecurityOp
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> POST  \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> /admin-serv/tasks/configuration/SecurityOp \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send>  HTTP/1.0
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Host: ms2-test2.lab.sjc.redhat.com:8888
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Connection: Keep-Alive
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> User-Agent: Red-Hat-Management-Console/1.1.5
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Accept-Language: en
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Authorization: Basic  \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> dWlkPWFkbWluLG91PUFkbWluaXN0cmF0b3JzLG91PVRvcG9sb2d5TWFuYWdlbWVudCxvPU5ldHNjYXBlUm9vdDpwYXNzd29yZA== \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Length:78
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Type: application/x-www-form-urlencoded
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Transfer-Encoding: 7bit
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Writing 78 bytes...
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> 78 bytes written
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> HTTP/1.1 200 OK
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Date: Wed, 28 Jul 2010 00:06:05 GMT
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Server: Apache/2.2
HttpChannel.invoke: admin version = 2.2
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Admin-Server: Red Hat-Administrator/8.2.0
HttpChannel.invoke: admin version = 8.2.0
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Connection: close
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Content-Type: text/html
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Reading unknown length bytes...
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> 151 bytes read
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] close> Closed
Content-type: text/html

NMC_Status: 1
NMC_ErrType: Unexpected Failure
NMC_ErrInfo: Internal error
NMC_ErrDetail: Unable to open certificate database.


Focus gained javax.swing.JButton[,0,0,38x37,alignmentX=0.0,alignmentY=0.5,border=javax.swing.plaf.BorderUIResource$CompoundBorderUIResource@1029f93b,flags=296,maximumSize=,minimumSize=,preferredSize=,defaultIcon=com/netscape/management/client/images/task.gif,disabledIcon=,disabledSelectedIcon=,margin=java.awt.Insets[top=0,left=0,bottom=0,right=0],paintBorder=true,paintFocus=true,pressedIcon=,rolloverEnabled=false,rolloverIcon=,rolloverSelectedIcon=,selectedIcon=,text=,defaultCapable=true]



Expected results:


Additional info:

workaround, fix permissions:

ls -la /etc/dirsrv/slapd-ms2-test22
total 320
drwx------ 3 ldap2 root   4096 Jul 27 17:03 .
drwxrwxr-x 7 root  ldap1  4096 Jul 27 17:03 ..
-rw-rw---- 1 ldap2 ldap1 65536 Jul 27 17:03 cert8.db
-r-------- 1 ldap2 root   3595 Jul 27 17:03 certmap.conf
-rw------- 1 ldap2 ldap1 56875 Jul 27 17:03 dse.ldif
-rw------- 1 ldap2 ldap1 56294 Jul 27 17:03 dse.ldif.bak
-rw------- 1 ldap2 root  44994 Jul 27 17:03 dse.ldif.startOK
-r-------- 1 ldap2 root  31164 Jul 27 17:03 dse_original.ldif
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 key3.db
drwx------ 2 ldap2 root   4096 Jul 27 17:03 schema
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 secmod.db
-r-------- 1 ldap2 root   5366 Jul 27 17:03 slapd-collations.conf

chgrp ldap1 /etc/dirsrv/slapd-ms2-test22
chmod g+rwx /etc/dirsrv/slapd-ms2-test22

ls -l /etc/dirsrv/
total 20
drwx------ 2 ldap1 root  4096 Jul 27  2010 admin-serv
drwxr-xr-x 2 root  root  4096 Jul 27  2010 config
drwxr-xr-x 2 root  root  4096 Jul 27  2010 schema
drwxrwx--- 3 ldap1 ldap1 4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx--- 3 ldap2 ldap1 4096 Jul 27 17:19 slapd-ms2-test22

also, probably needed
chmod g+r /etc/dirsrv/slapd-ms2-test22/certmap.conf

ls -la /etc/dirsrv/slapd-ms2-test22
total 348
drwxrwx--- 3 ldap2 ldap1  4096 Jul 27 17:19 .
drwxrwxr-x 7 root  ldap1  4096 Jul 27 17:03 ..
-rw-rw---- 1 ldap2 ldap1 65536 Jul 27 17:19 cert8.db
-r--r----- 1 ldap2 root   3595 Jul 27 17:03 certmap.conf
-rw------- 1 ldap2 ldap1 58375 Jul 27 17:19 dse.ldif
-rw------- 2 ldap2 ldap1 58376 Jul 27 17:19 dse.ldif.bak
-rw------- 2 ldap2 ldap1 58376 Jul 27 17:19 dse.ldif.startOK
-r-------- 1 ldap2 root  31164 Jul 27 17:03 dse_original.ldif
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:19 key3.db
drwx------ 2 ldap2 root   4096 Jul 27 17:19 schema
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 secmod.db
-r-------- 1 ldap2 root   5366 Jul 27 17:03 slapd-collations.conf


when I created a 3rd instance using setup-ds-admin.pl, with a third uid in the same primary group, like:
id ldap3
uid=103(ldap3) gid=102(ldap1) groups=102(ldap1)

I was able to manage certificates just fine, only creating from the console seem to create the problem


correct permissions I got for the 3rd instance created with setup-ds-admin.pl :

[root@ms2-test2 ~]# ls -la /etc/dirsrv/
total 44
drwxrwxr-x   8 root  ldap1  4096 Jul 27 17:42 .
drwxr-xr-x 100 root  root  12288 Jul 27 17:41 ..
drwx------   2 ldap1 root   4096 Jul 27  2010 admin-serv
drwxr-xr-x   2 root  root   4096 Jul 27  2010 config
drwxr-xr-x   2 root  root   4096 Jul 27  2010 schema
drwxrwx---   3 ldap1 ldap1  4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx---   3 ldap2 ldap1  4096 Jul 27 17:19 slapd-ms2-test22
drwxrwx---   3 ldap3 ldap1  4096 Jul 27 17:42 slapd-ms2-test2-391
[root@ms2-test2 ~]# ls -la /etc/dirsrv/slapd-ms2-test2-391/
total 320
drwxrwx--- 3 ldap3 ldap1  4096 Jul 27 17:42 .
drwxrwxr-x 8 root  ldap1  4096 Jul 27 17:42 ..
-rw-rw---- 1 ldap3 ldap1 65536 Jul 27 17:42 cert8.db
-r--r----- 1 ldap3 ldap1  3595 Jul 27 17:42 certmap.conf
-rw------- 1 ldap3 ldap1 56923 Jul 27 17:42 dse.ldif
-rw------- 1 ldap3 ldap1 56342 Jul 27 17:42 dse.ldif.bak
-rw------- 1 ldap3 root  45036 Jul 27 17:42 dse.ldif.startOK
-r--r----- 1 ldap3 ldap1 31203 Jul 27 17:42 dse_original.ldif
-rw-rw---- 1 ldap3 ldap1 16384 Jul 27 17:42 key3.db
drwxrwx--- 2 ldap3 ldap1  4096 Jul 27 17:42 schema
-rw-rw---- 1 ldap3 ldap1 16384 Jul 27 17:42 secmod.db
-r--r----- 1 ldap3 ldap1  5366 Jul 27 17:42 slapd-collations.conf
[root@ms2-test2 ~]# 


incorrect permissions for a 4th instance created in the console:

[root@ms2-test2 ~]# ls -la /etc/dirsrv/
total 48
drwxrwxr-x   9 root  ldap1  4096 Jul 27 18:37 .
drwxr-xr-x 100 root  root  12288 Jul 27 18:36 ..
drwx------   2 ldap1 root   4096 Jul 27  2010 admin-serv
drwxr-xr-x   2 root  root   4096 Jul 27  2010 config
drwxr-xr-x   2 root  root   4096 Jul 27  2010 schema
drwxrwx---   3 ldap1 ldap1  4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx---   3 ldap2 ldap1  4096 Jul 27 17:19 slapd-ms2-test22
drwxrwx---   3 ldap3 ldap1  4096 Jul 27 17:42 slapd-ms2-test2-391
drwx------   3 ldap4 root   4096 Jul 27 18:37 slapd-ms2-test24
[root@ms2-test2 ~]# ls -la /etc/dirsrv/slapd-ms2-test24
total 320
drwx------ 3 ldap4 root   4096 Jul 27 18:37 .
drwxrwxr-x 9 root  ldap1  4096 Jul 27 18:37 ..
-rw-rw---- 1 ldap4 ldap1 65536 Jul 27 18:37 cert8.db
-r-------- 1 ldap4 root   3595 Jul 27 18:37 certmap.conf
-rw------- 1 ldap4 ldap1 56875 Jul 27 18:37 dse.ldif
-rw------- 1 ldap4 ldap1 56294 Jul 27 18:37 dse.ldif.bak
-rw------- 1 ldap4 root  44994 Jul 27 18:37 dse.ldif.startOK
-r-------- 1 ldap4 root  31164 Jul 27 18:37 dse_original.ldif
-rw-rw---- 1 ldap4 ldap1 16384 Jul 27 18:37 key3.db
drwx------ 2 ldap4 root   4096 Jul 27 18:37 schema
-rw-rw---- 1 ldap4 ldap1 16384 Jul 27 18:37 secmod.db
-r-------- 1 ldap4 root   5366 Jul 27 18:37 slapd-collations.conf
[root@ms2-test2 ~]#

Comment 1 Marc Sauton 2010-07-28 01:45:52 UTC
note:

> 5. create a second instance in console, as a test, can be silent install

this step must be done in the console, not setup-ds-admin.pl

Comment 2 Nathan Kinder 2010-07-28 16:07:50 UTC
I have reproduced this issue, but I have also confirmed that this is not a regression.  The same behavior is observed with RHDS 8.1.

I think that we should doc this for 8.2 along with a workaround of changing the permissions, but we should target this for 9.0.

Comment 5 Nathan Kinder 2011-02-22 21:43:06 UTC
Created attachment 480261 [details]
Patch

Comment 6 Nathan Kinder 2011-02-22 21:45:32 UTC
Prior to my patch, the ownership/permissions on the config directories of my two test instances looked like this (slapd-localhost was created by setup-ds-admin.pl and slapd-localhost2 was created by Console):

[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost
total 344
drwxrwx---. 3 slapd1 slapd  4096 Feb 22 11:32 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 11:39 ..
-rw-rw----. 1 slapd1 slapd 65536 Feb 22 11:32 cert8.db
-r--r-----. 1 slapd1 slapd  3595 Feb 22 11:32 certmap.conf
-rw-------. 1 slapd1 slapd 70704 Feb 22 11:32 dse.ldif
-rw-------. 1 slapd1 slapd 70067 Feb 22 11:32 dse.ldif.bak
-rw-------. 1 slapd1 root  46034 Feb 22 11:32 dse.ldif.startOK
-r--r-----. 1 slapd1 slapd 31500 Feb 22 11:32 dse_original.ldif
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 11:32 key3.db
drwxrwx---. 2 slapd1 slapd  4096 Feb 22 11:32 schema
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 11:32 secmod.db
-r--r-----. 1 slapd1 slapd  5366 Feb 22 11:32 slapd-collations.conf
[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost2
total 320
drwx------. 3 slapd2 root   4096 Feb 22 11:39 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 11:39 ..
-rw-rw----. 1 slapd2 slapd 65536 Feb 22 11:39 cert8.db
-r--------. 1 slapd2 root   3595 Feb 22 11:39 certmap.conf
-rw-------. 1 slapd2 slapd 58618 Feb 22 11:39 dse.ldif
-rw-------. 1 slapd2 slapd 58037 Feb 22 11:39 dse.ldif.bak
-rw-------. 1 slapd2 root  46697 Feb 22 11:39 dse.ldif.startOK
-r--------. 1 slapd2 root  31515 Feb 22 11:39 dse_original.ldif
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 11:39 key3.db
drwx------. 2 slapd2 root   4096 Feb 22 11:39 schema
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 11:39 secmod.db
-r--------. 1 slapd2 root   5366 Feb 22 11:39 slapd-collations.conf

After my patch, the ownership/permissions are consistent between the two instances:

[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost
total 344
drwxrwx---. 3 slapd1 slapd  4096 Feb 22 13:32 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 13:34 ..
-rw-rw----. 1 slapd1 slapd 65536 Feb 22 13:32 cert8.db
-r--r-----. 1 slapd1 slapd  3595 Feb 22 13:32 certmap.conf
-rw-------. 1 slapd1 slapd 70704 Feb 22 13:32 dse.ldif
-rw-------. 1 slapd1 slapd 70067 Feb 22 13:32 dse.ldif.bak
-rw-------. 1 slapd1 root  46034 Feb 22 13:32 dse.ldif.startOK
-r--r-----. 1 slapd1 slapd 31500 Feb 22 13:32 dse_original.ldif
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 13:32 key3.db
drwxrwx---. 2 slapd1 slapd  4096 Feb 22 13:32 schema
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 13:32 secmod.db
-r--r-----. 1 slapd1 slapd  5366 Feb 22 13:32 slapd-collations.conf
[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost2
total 320
drwxrwx---. 3 slapd2 slapd  4096 Feb 22 13:34 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 13:34 ..
-rw-rw----. 1 slapd2 slapd 65536 Feb 22 13:34 cert8.db
-r--r-----. 1 slapd2 slapd  3595 Feb 22 13:34 certmap.conf
-rw-------. 1 slapd2 slapd 58618 Feb 22 13:34 dse.ldif
-rw-------. 1 slapd2 slapd 58037 Feb 22 13:34 dse.ldif.bak
-rw-------. 1 slapd2 root  46697 Feb 22 13:34 dse.ldif.startOK
-r--r-----. 1 slapd2 slapd 31515 Feb 22 13:34 dse_original.ldif
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 13:34 key3.db
drwxrwx---. 2 slapd2 slapd  4096 Feb 22 13:34 schema
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 13:34 secmod.db
-r--r-----. 1 slapd2 slapd  5366 Feb 22 13:34 slapd-collations.conf

Comment 7 Nathan Kinder 2011-02-22 22:08:17 UTC
Pushed to master.  Thanks to Rich for his review!

Counting objects: 9, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 822 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   82b2fd2..f5a1e66  master -> master

Comment 8 Amita Sharma 2011-07-05 12:50:04 UTC
[root@rheltest ~]# ls -al /etc/dirsrv/slapd-rheltest
total 340
drwxrwx---. 3 nobody nobody  4096 Jul  5 16:49 .
drwxrwxr-x. 7 root   nobody  4096 Jul  5 18:18 ..
-rw-rw----. 1 nobody nobody 65536 Jul  5 16:49 cert8.db
-r--r-----. 1 nobody nobody  3595 Jul  5 16:49 certmap.conf
-rw-------. 1 nobody nobody 70198 Jul  5 16:49 dse.ldif
-rw-------. 1 nobody nobody 69553 Jul  5 16:49 dse.ldif.bak
-rw-------. 1 nobody root   45523 Jul  5 16:49 dse.ldif.startOK
-r--r-----. 1 nobody nobody 31741 Jul  5 16:49 dse_original.ldif
-rw-rw----. 1 nobody nobody 16384 Jul  5 16:49 key3.db
drwxrwx---. 2 nobody nobody  4096 Jul  5 16:49 schema
-rw-rw----. 1 nobody nobody 16384 Jul  5 16:49 secmod.db
-r--r-----. 1 nobody nobody  5366 Jul  5 16:49 slapd-collations.conf
[root@rheltest ~]# ls -al /etc/dirsrv/slapd-rheltest1
total 316
drwxrwx---. 3 nobody nobody  4096 Jul  5 18:18 .
drwxrwxr-x. 7 root   nobody  4096 Jul  5 18:18 ..
-rw-rw----. 1 nobody nobody 65536 Jul  5 18:18 cert8.db
-r--r-----. 1 nobody nobody  3595 Jul  5 18:18 certmap.conf
-rw-------. 1 nobody nobody 57513 Jul  5 18:18 dse.ldif
-rw-------. 1 nobody nobody 56932 Jul  5 18:18 dse.ldif.bak
-rw-------. 1 nobody root   45594 Jul  5 18:18 dse.ldif.startOK
-r--r-----. 1 nobody nobody 31808 Jul  5 18:18 dse_original.ldif
-rw-rw----. 1 nobody nobody 16384 Jul  5 18:18 key3.db
drwxrwx---. 2 nobody nobody  4096 Jul  5 18:18 schema
-rw-rw----. 1 nobody nobody 16384 Jul  5 18:18 secmod.db
-r--r-----. 1 nobody nobody  5366 Jul  5 18:18 slapd-collations.conf


Hence VERIFIED