Bug 1251225

Summary: IPA default CAACL does not allow cert-request for services after upgrade
Product: Red Hat Enterprise Linux 7
Reporter: Scott Poore <spoore>
Component: ipa
Assignee: Fraser Tweedale <ftweedal>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Priority: unspecified
Version: 7.2
CC: dpal, drieden, ftweedal, mbasti, rcritten, xdong
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 12:05:03 UTC
Type: Bug

Description Scott Poore 2015-08-06 17:52:46 UTC
Description of problem:

On an IPA Master running on RHEL7.1, I upgraded to 7.2 and now, by default, I cannot request certs for service principals:

[root@rhel7-9 ~]# ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr
ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance.

For the new default CAACL created during upgrade I see this:

[root@rhel7-9 ~]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  User category: all
  Host category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------


Version-Release number of selected component (if applicable):
ipa-server-4.2.0-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Install IPA Master on RHEL7.1
2.  Upgrade to IPA version 4.2 (update to RHEL7.2)
3.  Attempt to request a service cert:

cat > /tmp/cert-req.conf <<EOF
[ req ]
default_bits = 2048
default_keyfile = /tmp/cert-req.key
distinguished_name = test_key_file
prompt = no
output_password = ..

[ test_key_file ]
C = US
ST = CA
L = SFO
O = RedHat Technology
OU = RedHat IT
CN = rhel7-9.example.com
EOF

openssl req -new -config /tmp/cert-req.conf -out /tmp/cert-req.csr

ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr

Actual results:

ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance.

Expected results:

I expected this to work as it did in RHEL7.1, but now I'm not sure.  I need confirmation here.

Additional info:

Comment 2 Fraser Tweedale 2015-08-07 07:01:30 UTC
It's a bug; quite likely due to enforcing the caacl before the
new service is added.

Comment 3 Jan Cholasta 2015-08-07 08:02:28 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5185

Comment 7 Scott Poore 2015-08-20 18:25:47 UTC
Verified.

Version ::

ipa-server-4.2.0-5.el7.x86_64


Results ::

After yum update:

[root@rhel7-8 yum.repos.d]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------
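An added check, not part of this bug report or of FreeIPA: a small parser over the `ipa caacl-find` output quoted in the description and in comment 7 that flags enabled ACLs granting caIPAserviceCert without any service rule, which is the post-upgrade state behind the "Insufficient access" error. The "Services:" field name for an explicit service list is an assumption.

```python
# Output copied from the bug report (ipa-server-4.2.0-3.el7): the ACL the
# upgrade created has "User category: all" and no service rule.
BROKEN_OUTPUT = """\
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  User category: all
  Host category: all
  Profiles: caIPAserviceCert
----------------------------
"""

# Output copied from the verification run (ipa-server-4.2.0-5.el7).
FIXED_OUTPUT = """\
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
"""

def parse_caacl_find(text):
    """Turn `ipa caacl-find` output into a list of {field: value} dicts; an ACL
    starts at its 'ACL name:' line, separator and summary lines are skipped."""
    acls = []
    for line in text.splitlines():
        if not line.startswith("  ") or ": " not in line:
            continue
        key, _, value = line.strip().partition(": ")
        if key == "ACL name":
            acls.append({})
        if acls:
            acls[-1][key] = value
    return acls

def covers_services(acl):
    """True if an enabled ACL can admit a service principal: 'Service category: all'
    or an explicit 'Services:' list (field name assumed). 'User category: all' alone
    admits only user principals, which is the state seen in this bug."""
    if acl.get("Enabled", "").upper() != "TRUE":
        return False
    return acl.get("Service category", "").lower() == "all" or bool(acl.get("Services"))

def acls_not_covering_services(text, profile="caIPAserviceCert"):
    """Names of ACLs that grant PROFILE yet cannot authorise a service principal."""
    return [acl["ACL name"] for acl in parse_caacl_find(text)
            if profile in [p.strip() for p in acl.get("Profiles", "").split(",")]
            and not covers_services(acl)]
```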

Comment 8 errata-xmlrpc 2015-11-19 12:05:03 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html