Bug 1204504
| Summary: | [RFE] Add access control so hosts can create their own services | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Martin Kosek <mkosek> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | medium | ||
| Version: | 7.0 | CC: | jpazdziora, pvoborni, rcritten, spoore, tbabej |
| Target Milestone: | rc | Keywords: | FutureFeature |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.2.0-1.el7 | Doc Type: | Enhancement |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2015-11-19 12:02:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | |||
| Bug Blocks: | 1181710 | ||
|
Description
Martin Kosek
2015-03-22 17:29:48 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ce50630d5ece036e35d8e11db8383e4e7e9159ae How can we verify this? Should we be able to use "ipa service-add" while using the host principal for a client? [root@client ~]# kdestroy -A [root@client ~]# kinit -kt /etc/krb5.keytab [root@client ~]# ipa service-add TEST/$(hostname)@TESTRELM.TEST ipa: ERROR: Host does not have corresponding DNS A/AAAA record [root@client ~]# dig +short client.testrelm.test 192.168.122.73 [root@client ~]# dig +short master.testrelm.test 192.168.122.71 [root@master httpd]# tail -1 error_log [Fri Sep 18 09:12:00.177142 2015] [:error] [pid 2265] ipa: INFO: [jsonserver_session] host/client.testrelm.test: service_add(u'TEST/client.testrelm.test', force=False, all=False, raw=False, version=u'2.156', no_members=False): DNSNotARecordError [root@client ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: host/client.testrelm.test Valid starting Expires Service principal 09/18/2015 09:11:55 09/19/2015 09:11:55 krbtgt/TESTRELM.TEST Scott, does it work with --force option? It should force it even if there is not a record in DNS. Probably issue here is that DNS tree is not readable by everyone so the DNS check fails. Yes, I forgot to mention that force works. [root@client ~]# ipa service-add DNS/$(hostname)@TESTRELM.TEST --force ------------------------------------------------------ Added service "DNS/client.testrelm.test" ------------------------------------------------------ Principal: DNS/client.testrelm.test Managed by: client.testrelm.test Should the DNS tree have permissions changes to in order to complete this bug or should that be opened as a separate bug? Doesn't seem like it should fail like that for what should be a read-only type operation? Thanks, Scott Hmm, now I noticed that the check is done by dns.resolver and not by checking DNS records directly in LDAP. answers = resolver.query(fqdn, rdatatype.A) So my previous statement is not really correct. Does it work for admin on the test machine? Wait, nevermind. I found the problem. My IPA master had reverted resolv.conf back to before IPA was installed when I booted the VM this morning. This works: [root@client ~]# ipa service-add TEST/client.testrelm.test ------------------------------------------------------- Added service "TEST/client.testrelm.test" ------------------------------------------------------- Principal: TEST/client.testrelm.test Managed by: client.testrelm.test [root@client ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: host/client.testrelm.test Valid starting Expires Service principal 09/18/2015 10:08:48 09/19/2015 10:08:43 HTTP/master.testrelm.test 09/18/2015 10:08:43 09/19/2015 10:08:43 krbtgt/TESTRELM.TEST So, is that enough to verify the bug, or do we need something else as well? It's enough. Verified. Version :: ipa-server-4.2.0-11.el7.x86_64 Results :: [root@client ~]# kdestroy -A [root@client ~]# kinit -kt /etc/krb5.keytab [root@client ~]# klist Ticket cache: KEYRING:persistent:0:0 Default principal: host/client.testrelm.test Valid starting Expires Service principal 09/18/2015 10:33:03 09/19/2015 10:33:03 krbtgt/TESTRELM.TEST [root@client ~]# ipa service-add EXAMPLE/$(hostname) ---------------------------------------------------------- Added service "EXAMPLE/client.testrelm.test" ---------------------------------------------------------- Principal: EXAMPLE/client.testrelm.test Managed by: client.testrelm.test Adding negative test to verify that cannot add for other host: [root@client ~]# ipa service-add TEST/master.testrelm.test ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=TEST/master.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test'. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html |