Description of problem:
Cannot manage certificates with the console when having several instances running with different uids, even when using the same primary group: cannot open NSS db. The file and directory permissions are not correct in /etc/dirsrv/.
Related to bugzilla number 455629 with summary "rhds80 - multiple instance uid's - cannot manage cert and keys", which had been fixed in 8.1 and was working.

Version-Release number of selected component (if applicable):
redhat-ds-8.2.0-2.el5dsrv
redhat-ds-base-8.2.0-12.el5dsrv
redhat-ds-console-8.2.0-4.el5dsrv
redhat-ds-admin-8.2.0-3.el5dsrv

How reproducible:
always

Steps to Reproduce:
1. groupadd -r ldap1
   useradd -r -g ldap1 ldap1
   grep ldap /etc/passwd /etc/group
   /etc/passwd:ldap1:x:101:102::/home/ldap1:/bin/bash
   /etc/group:ldap1:x:102:
2. /usr/sbin/setup-ds-admin.pl --silent --file=/root/HowTo-ds82.ms2-test2.lab.sjc.redhat.com.1instance.389.8888.inf
3. verify I can manage cert in console: works ok
4. useradd -r -g ldap1 ldap2
5. create a second instance in console, as a test, can be silent install
6. verify I can manage cert in console for second instance: broken with "Unexpected Failure - Unable to open certificate database."

Actual results:
console debug output

CommManager> New CommRecord (http://ms2-test2.lab.sjc.redhat.com:8888/admin-serv/tasks/configuration/SecurityOp)
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] open> Ready
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] accept> http://ms2-test2.lab.sjc.redhat.com:8888/admin-serv/tasks/configuration/SecurityOp
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> POST \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> /admin-serv/tasks/configuration/SecurityOp \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> HTTP/1.0
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Host: ms2-test2.lab.sjc.redhat.com:8888
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Connection: Keep-Alive
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> User-Agent: Red-Hat-Management-Console/1.1.5
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Accept-Language: en
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Authorization: Basic \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> dWlkPWFkbWluLG91PUFkbWluaXN0cmF0b3JzLG91PVRvcG9sb2d5TWFuYWdlbWVudCxvPU5ldHNjYXBlUm9vdDpwYXNzd29yZA== \
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Length:78
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Type: application/x-www-form-urlencoded
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Content-Transfer-Encoding: 7bit
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> Writing 78 bytes...
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] send> 78 bytes written
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> HTTP/1.1 200 OK
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Date: Wed, 28 Jul 2010 00:06:05 GMT
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Server: Apache/2.2
HttpChannel.invoke: admin version = 2.2
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Admin-Server: Red Hat-Administrator/8.2.0
HttpChannel.invoke: admin version = 8.2.0
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Connection: close
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Content-Type: text/html
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv>
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> Reading unknown length bytes...
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] recv> 151 bytes read
http://ms2-test2.lab.sjc.redhat.com:8888/[7:0] close> Closed
Content-type: text/html
NMC_Status: 1
NMC_ErrType: Unexpected Failure
NMC_ErrInfo: Internal error
NMC_ErrDetail: Unable to open certificate database.
Focus gained javax.swing.JButton[,0,0,38x37,alignmentX=0.0,alignmentY=0.5,border=javax.swing.plaf.BorderUIResource$CompoundBorderUIResource@1029f93b,flags=296,maximumSize=,minimumSize=,preferredSize=,defaultIcon=com/netscape/management/client/images/task.gif,disabledIcon=,disabledSelectedIcon=,margin=java.awt.Insets[top=0,left=0,bottom=0,right=0],paintBorder=true,paintFocus=true,pressedIcon=,rolloverEnabled=false,rolloverIcon=,rolloverSelectedIcon=,selectedIcon=,text=,defaultCapable=true]

Expected results:

Additional info:
workaround, fix permissions:

ls -la /etc/dirsrv/slapd-ms2-test22
total 320
drwx------ 3 ldap2 root   4096 Jul 27 17:03 .
drwxrwxr-x 7 root  ldap1  4096 Jul 27 17:03 ..
-rw-rw---- 1 ldap2 ldap1 65536 Jul 27 17:03 cert8.db
-r-------- 1 ldap2 root   3595 Jul 27 17:03 certmap.conf
-rw------- 1 ldap2 ldap1 56875 Jul 27 17:03 dse.ldif
-rw------- 1 ldap2 ldap1 56294 Jul 27 17:03 dse.ldif.bak
-rw------- 1 ldap2 root  44994 Jul 27 17:03 dse.ldif.startOK
-r-------- 1 ldap2 root  31164 Jul 27 17:03 dse_original.ldif
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 key3.db
drwx------ 2 ldap2 root   4096 Jul 27 17:03 schema
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 secmod.db
-r-------- 1 ldap2 root   5366 Jul 27 17:03 slapd-collations.conf

chgrp ldap1 /etc/dirsrv/slapd-ms2-test22
chmod g+rwx /etc/dirsrv/slapd-ms2-test22

ls -l /etc/dirsrv/
total 20
drwx------ 2 ldap1 root  4096 Jul 27  2010 admin-serv
drwxr-xr-x 2 root  root  4096 Jul 27  2010 config
drwxr-xr-x 2 root  root  4096 Jul 27  2010 schema
drwxrwx--- 3 ldap1 ldap1 4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx--- 3 ldap2 ldap1 4096 Jul 27 17:19 slapd-ms2-test22

also, probably needed:
chmod g+r /etc/dirsrv/slapd-ms2-test22/certmap.conf

ls -la /etc/dirsrv/slapd-ms2-test22
total 348
drwxrwx--- 3 ldap2 ldap1  4096 Jul 27 17:19 .
drwxrwxr-x 7 root  ldap1  4096 Jul 27 17:03 ..
-rw-rw---- 1 ldap2 ldap1 65536 Jul 27 17:19 cert8.db
-r--r----- 1 ldap2 root   3595 Jul 27 17:03 certmap.conf
-rw------- 1 ldap2 ldap1 58375 Jul 27 17:19 dse.ldif
-rw------- 2 ldap2 ldap1 58376 Jul 27 17:19 dse.ldif.bak
-rw------- 2 ldap2 ldap1 58376 Jul 27 17:19 dse.ldif.startOK
-r-------- 1 ldap2 root  31164 Jul 27 17:03 dse_original.ldif
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:19 key3.db
drwx------ 2 ldap2 root   4096 Jul 27 17:19 schema
-rw-rw---- 1 ldap2 ldap1 16384 Jul 27 17:03 secmod.db
-r-------- 1 ldap2 root   5366 Jul 27 17:03 slapd-collations.conf

When I created a 3rd instance using setup-ds-admin.pl, with a third uid in the same primary group, like:
id ldap3
uid=103(ldap3) gid=102(ldap1) groups=102(ldap1)
I was able to manage certificates just fine; only creating from the console seems to create the problem.

Correct permissions I got for the 3rd instance created with setup-ds-admin.pl:
[root@ms2-test2 ~]# ls -la /etc/dirsrv/
total 44
drwxrwxr-x   8 root  ldap1  4096 Jul 27 17:42 .
drwxr-xr-x 100 root  root  12288 Jul 27 17:41 ..
drwx------   2 ldap1 root   4096 Jul 27  2010 admin-serv
drwxr-xr-x   2 root  root   4096 Jul 27  2010 config
drwxr-xr-x   2 root  root   4096 Jul 27  2010 schema
drwxrwx---   3 ldap1 ldap1  4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx---   3 ldap2 ldap1  4096 Jul 27 17:19 slapd-ms2-test22
drwxrwx---   3 ldap3 ldap1  4096 Jul 27 17:42 slapd-ms2-test2-391
[root@ms2-test2 ~]# ls -la /etc/dirsrv/slapd-ms2-test2-391/
total 320
drwxrwx--- 3 ldap3 ldap1  4096 Jul 27 17:42 .
drwxrwxr-x 8 root  ldap1  4096 Jul 27 17:42 ..
-rw-rw---- 1 ldap3 ldap1 65536 Jul 27 17:42 cert8.db
-r--r----- 1 ldap3 ldap1  3595 Jul 27 17:42 certmap.conf
-rw------- 1 ldap3 ldap1 56923 Jul 27 17:42 dse.ldif
-rw------- 1 ldap3 ldap1 56342 Jul 27 17:42 dse.ldif.bak
-rw------- 1 ldap3 root  45036 Jul 27 17:42 dse.ldif.startOK
-r--r----- 1 ldap3 ldap1 31203 Jul 27 17:42 dse_original.ldif
-rw-rw---- 1 ldap3 ldap1 16384 Jul 27 17:42 key3.db
drwxrwx--- 2 ldap3 ldap1  4096 Jul 27 17:42 schema
-rw-rw---- 1 ldap3 ldap1 16384 Jul 27 17:42 secmod.db
-r--r----- 1 ldap3 ldap1  5366 Jul 27 17:42 slapd-collations.conf
[root@ms2-test2 ~]#

Incorrect permissions for a 4th instance created in the console:
[root@ms2-test2 ~]# ls -la /etc/dirsrv/
total 48
drwxrwxr-x   9 root  ldap1  4096 Jul 27 18:37 .
drwxr-xr-x 100 root  root  12288 Jul 27 18:36 ..
drwx------   2 ldap1 root   4096 Jul 27  2010 admin-serv
drwxr-xr-x   2 root  root   4096 Jul 27  2010 config
drwxr-xr-x   2 root  root   4096 Jul 27  2010 schema
drwxrwx---   3 ldap1 ldap1  4096 Jul 27 17:19 slapd-ms2-test2
drwxrwx---   3 ldap2 ldap1  4096 Jul 27 17:19 slapd-ms2-test22
drwxrwx---   3 ldap3 ldap1  4096 Jul 27 17:42 slapd-ms2-test2-391
drwx------   3 ldap4 root   4096 Jul 27 18:37 slapd-ms2-test24
[root@ms2-test2 ~]# ls -la /etc/dirsrv/slapd-ms2-test24
total 320
drwx------ 3 ldap4 root   4096 Jul 27 18:37 .
drwxrwxr-x 9 root  ldap1  4096 Jul 27 18:37 ..
-rw-rw---- 1 ldap4 ldap1 65536 Jul 27 18:37 cert8.db
-r-------- 1 ldap4 root   3595 Jul 27 18:37 certmap.conf
-rw------- 1 ldap4 ldap1 56875 Jul 27 18:37 dse.ldif
-rw------- 1 ldap4 ldap1 56294 Jul 27 18:37 dse.ldif.bak
-rw------- 1 ldap4 root  44994 Jul 27 18:37 dse.ldif.startOK
-r-------- 1 ldap4 root  31164 Jul 27 18:37 dse_original.ldif
-rw-rw---- 1 ldap4 ldap1 16384 Jul 27 18:37 key3.db
drwx------ 2 ldap4 root   4096 Jul 27 18:37 schema
-rw-rw---- 1 ldap4 ldap1 16384 Jul 27 18:37 secmod.db
-r-------- 1 ldap4 root   5366 Jul 27 18:37 slapd-collations.conf
[root@ms2-test2 ~]#
note:
> 5. create a second instance in console, as a test, can be silent install
this step must be done in the console, not setup-ds-admin.pl
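The permission pattern in the report (instance directory and the NSS db files cert8.db/key3.db/secmod.db group-accessible, certmap.conf group-readable, all with the primary group of the instance uid) can be checked mechanically rather than by eyeballing ls output. The script below is an added example, not part of the bug report and not code from the RHDS/389 admin server; it assumes GNU coreutils stat, and the function names check_entry, audit_instance and fix_instance are mine. fix_instance applies the reporter's workaround (chgrp and chmod g+rwx on the directory, chmod g+r on certmap.conf) and additionally chgrps certmap.conf so the result matches what setup-ds-admin.pl produced for the third instance.

```shell
#!/bin/sh
# Added example (not from the bug report or the RHDS/389 admin code): audit
# every slapd-* config directory under /etc/dirsrv for the ownership/mode
# layout that setup-ds-admin.pl creates, so an instance made from the Console
# can be found before the Console fails with "Unable to open certificate
# database". Assumes GNU coreutils stat; the expected group is the primary
# group of the uid that owns the instance directory.

# check_entry PATH MODE GROUP: return 0 if PATH has octal mode MODE and group
# GROUP, otherwise print what differs and return 1.
check_entry() {
    path=$1; want_mode=$2; want_grp=$3
    if [ ! -e "$path" ]; then
        printf 'MISSING %s\n' "$path"
        return 1
    fi
    mode=$(stat -c '%a' "$path")
    grp=$(stat -c '%G' "$path")
    rc=0
    if [ "$mode" != "$want_mode" ]; then
        printf 'MODE    %s is %s, expected %s\n' "$path" "$mode" "$want_mode"
        rc=1
    fi
    if [ "$grp" != "$want_grp" ]; then
        printf 'GROUP   %s is %s, expected %s\n' "$path" "$grp" "$want_grp"
        rc=1
    fi
    return $rc
}

# audit_instance DIR GROUP: 0 when the entries the Console needs in order to
# open the NSS database match the setup-ds-admin.pl layout, 1 otherwise.
audit_instance() {
    dir=$1; group=$2; bad=0
    check_entry "$dir" 770 "$group" || bad=1                 # drwxrwx---
    for db in cert8.db key3.db secmod.db; do
        check_entry "$dir/$db" 660 "$group" || bad=1         # -rw-rw----
    done
    check_entry "$dir/certmap.conf" 440 "$group" || bad=1    # -r--r-----
    return $bad
}

# fix_instance DIR GROUP: the workaround from the report (chgrp + chmod g+rwx
# on the directory, chmod g+r on certmap.conf) plus chgrp on certmap.conf so
# the result matches an instance created by setup-ds-admin.pl. Needs root on
# a real instance (or ownership of DIR when tried on a scratch copy).
fix_instance() {
    dir=$1; group=$2
    chgrp "$group" "$dir" "$dir/certmap.conf" &&
    chmod g+rwx "$dir" &&
    chmod g+r "$dir/certmap.conf"
}

# Usage: audit every instance on this host; does nothing if /etc/dirsrv is
# absent. The expected group is the primary group of the directory owner.
for dir in /etc/dirsrv/slapd-*; do
    [ -d "$dir" ] || continue
    owner=$(stat -c '%U' "$dir")
    group=$(id -gn "$owner" 2>/dev/null) || continue
    if audit_instance "$dir" "$group"; then
        echo "OK   $dir"
    else
        echo "FIX  $dir  (as root: fix_instance $dir $group)"
    fi
done
```

Only the directory, the three NSS database files and certmap.conf are checked, because those are the entries whose group bits differed between the Console-created and setup-ds-admin.pl-created instances in the listings above; dse.ldif and friends are owner-only in both cases and are left alone.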
I have reproduced this issue, but I have also confirmed that this is not a regression. The same behavior is observed with RHDS 8.1. I think that we should doc this for 8.2 along with a workaround of changing the permissions, but we should target this for 9.0.
Created attachment 480261 [details] Patch
Prior to my patch, the ownership/permissions on the config directories of my two test instances looked like this (slapd-localhost was created by setup-ds-admin.pl and slapd-localhost2 was created by Console):

[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost
total 344
drwxrwx---. 3 slapd1 slapd  4096 Feb 22 11:32 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 11:39 ..
-rw-rw----. 1 slapd1 slapd 65536 Feb 22 11:32 cert8.db
-r--r-----. 1 slapd1 slapd  3595 Feb 22 11:32 certmap.conf
-rw-------. 1 slapd1 slapd 70704 Feb 22 11:32 dse.ldif
-rw-------. 1 slapd1 slapd 70067 Feb 22 11:32 dse.ldif.bak
-rw-------. 1 slapd1 root  46034 Feb 22 11:32 dse.ldif.startOK
-r--r-----. 1 slapd1 slapd 31500 Feb 22 11:32 dse_original.ldif
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 11:32 key3.db
drwxrwx---. 2 slapd1 slapd  4096 Feb 22 11:32 schema
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 11:32 secmod.db
-r--r-----. 1 slapd1 slapd  5366 Feb 22 11:32 slapd-collations.conf
[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost2
total 320
drwx------. 3 slapd2 root   4096 Feb 22 11:39 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 11:39 ..
-rw-rw----. 1 slapd2 slapd 65536 Feb 22 11:39 cert8.db
-r--------. 1 slapd2 root   3595 Feb 22 11:39 certmap.conf
-rw-------. 1 slapd2 slapd 58618 Feb 22 11:39 dse.ldif
-rw-------. 1 slapd2 slapd 58037 Feb 22 11:39 dse.ldif.bak
-rw-------. 1 slapd2 root  46697 Feb 22 11:39 dse.ldif.startOK
-r--------. 1 slapd2 root  31515 Feb 22 11:39 dse_original.ldif
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 11:39 key3.db
drwx------. 2 slapd2 root   4096 Feb 22 11:39 schema
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 11:39 secmod.db
-r--------. 1 slapd2 root   5366 Feb 22 11:39 slapd-collations.conf

After my patch, the ownership/permissions are consistent between the two instances:

[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost
total 344
drwxrwx---. 3 slapd1 slapd  4096 Feb 22 13:32 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 13:34 ..
-rw-rw----. 1 slapd1 slapd 65536 Feb 22 13:32 cert8.db
-r--r-----. 1 slapd1 slapd  3595 Feb 22 13:32 certmap.conf
-rw-------. 1 slapd1 slapd 70704 Feb 22 13:32 dse.ldif
-rw-------. 1 slapd1 slapd 70067 Feb 22 13:32 dse.ldif.bak
-rw-------. 1 slapd1 root  46034 Feb 22 13:32 dse.ldif.startOK
-r--r-----. 1 slapd1 slapd 31500 Feb 22 13:32 dse_original.ldif
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 13:32 key3.db
drwxrwx---. 2 slapd1 slapd  4096 Feb 22 13:32 schema
-rw-rw----. 1 slapd1 slapd 16384 Feb 22 13:32 secmod.db
-r--r-----. 1 slapd1 slapd  5366 Feb 22 13:32 slapd-collations.conf
[root@localhost ~]# ls -al /etc/dirsrv/slapd-localhost2
total 320
drwxrwx---. 3 slapd2 slapd  4096 Feb 22 13:34 .
drwxrwxr-x. 7 root   slapd  4096 Feb 22 13:34 ..
-rw-rw----. 1 slapd2 slapd 65536 Feb 22 13:34 cert8.db
-r--r-----. 1 slapd2 slapd  3595 Feb 22 13:34 certmap.conf
-rw-------. 1 slapd2 slapd 58618 Feb 22 13:34 dse.ldif
-rw-------. 1 slapd2 slapd 58037 Feb 22 13:34 dse.ldif.bak
-rw-------. 1 slapd2 root  46697 Feb 22 13:34 dse.ldif.startOK
-r--r-----. 1 slapd2 slapd 31515 Feb 22 13:34 dse_original.ldif
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 13:34 key3.db
drwxrwx---. 2 slapd2 slapd  4096 Feb 22 13:34 schema
-rw-rw----. 1 slapd2 slapd 16384 Feb 22 13:34 secmod.db
-r--r-----. 1 slapd2 slapd  5366 Feb 22 13:34 slapd-collations.conf
Pushed to master. Thanks to Rich for his review!

Counting objects: 9, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 822 bytes, done.
Total 5 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/admin.git
   82b2fd2..f5a1e66  master -> master
[root@rheltest ~]# ls -al /etc/dirsrv/slapd-rheltest
total 340
drwxrwx---. 3 nobody nobody  4096 Jul  5 16:49 .
drwxrwxr-x. 7 root   nobody  4096 Jul  5 18:18 ..
-rw-rw----. 1 nobody nobody 65536 Jul  5 16:49 cert8.db
-r--r-----. 1 nobody nobody  3595 Jul  5 16:49 certmap.conf
-rw-------. 1 nobody nobody 70198 Jul  5 16:49 dse.ldif
-rw-------. 1 nobody nobody 69553 Jul  5 16:49 dse.ldif.bak
-rw-------. 1 nobody root   45523 Jul  5 16:49 dse.ldif.startOK
-r--r-----. 1 nobody nobody 31741 Jul  5 16:49 dse_original.ldif
-rw-rw----. 1 nobody nobody 16384 Jul  5 16:49 key3.db
drwxrwx---. 2 nobody nobody  4096 Jul  5 16:49 schema
-rw-rw----. 1 nobody nobody 16384 Jul  5 16:49 secmod.db
-r--r-----. 1 nobody nobody  5366 Jul  5 16:49 slapd-collations.conf
[root@rheltest ~]# ls -al /etc/dirsrv/slapd-rheltest1
total 316
drwxrwx---. 3 nobody nobody  4096 Jul  5 18:18 .
drwxrwxr-x. 7 root   nobody  4096 Jul  5 18:18 ..
-rw-rw----. 1 nobody nobody 65536 Jul  5 18:18 cert8.db
-r--r-----. 1 nobody nobody  3595 Jul  5 18:18 certmap.conf
-rw-------. 1 nobody nobody 57513 Jul  5 18:18 dse.ldif
-rw-------. 1 nobody nobody 56932 Jul  5 18:18 dse.ldif.bak
-rw-------. 1 nobody root   45594 Jul  5 18:18 dse.ldif.startOK
-r--r-----. 1 nobody nobody 31808 Jul  5 18:18 dse_original.ldif
-rw-rw----. 1 nobody nobody 16384 Jul  5 18:18 key3.db
drwxrwx---. 2 nobody nobody  4096 Jul  5 18:18 schema
-rw-rw----. 1 nobody nobody 16384 Jul  5 18:18 secmod.db
-r--r-----. 1 nobody nobody  5366 Jul  5 18:18 slapd-collations.conf

Hence VERIFIED