Bug 1252556
| Field | Value |
|---|---|
| Summary | Missing CLI param and ACL for vault service operations |
| Product | Red Hat Enterprise Linux 7 |
| Component | ipa |
| Version | 7.2 |
| Status | CLOSED ERRATA |
| Priority | medium |
| Severity | unspecified |
| Reporter | Jan Cholasta <jcholast> |
| Assignee | IPA Maintainers <ipa-maint> |
| QA Contact | Namita Soman <nsoman> |
| CC | jcholast, lmiksik, mkosek, pvoborni, rcritten, spoore |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Fixed In Version | ipa-4.2.0-15.el7 |
| Doc Type | Bug Fix |
| Last Closed | 2015-11-19 12:05:24 UTC |
Description
Jan Cholasta
2015-08-11 16:46:17 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/0dd95a19ee87a04836f12ad4c1194ad31ac22b93
ipa-4-2: https://fedorahosted.org/freeipa/changeset/f2117475b8a49b37845529089ea2d5b48f27bfda

Moving back to assigned as it looks like I cannot create a new vault (and container) as a service.

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv1test.privkey -out sv1test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
......................................+++
.................+++
writing new private key to 'sv1test.privkey'
-----
[root@rhel7-1 ~]# ipa service-add sv1test/$(hostname)
-------------------------------------------------------
Added service "sv1test/rhel7-1.example.com"
-------------------------------------------------------
  Principal: sv1test/rhel7-1.example.com
  Managed by: rhel7-1.example.com
[root@rhel7-1 ~]# ipa cert-request sv1test.csr --principal="sv1test/$(hostname)" --profile-id=caIPAserviceCert
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
  Serial number: 21
  Serial number (hex): 0x15
[root@rhel7-1 ~]# ipa service-show sv1test/$(hostname) --out sv1test.crt
-------------------------------------------
Certificate(s) stored in file 'sv1test.crt'
-------------------------------------------
  Principal: sv1test/rhel7-1.example.com
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 21
  Serial Number (hex): 0x15
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
[root@rhel7-1 ~]# openssl x509 -pubkey -in sv1test.crt -noout > sv1test.pubkey
[root@rhel7-1 ~]# ls -ltr sv1test.*
-rw-r--r--. 1 root root 1704 Oct 12 13:26 sv1test.privkey
-rw-r--r--. 1 root root  903 Oct 12 13:26 sv1test.csr
-rw-r--r--. 1 root root 1472 Oct 12 13:30 sv1test.crt
-rw-r--r--. 1 root root  451 Oct 12 13:31 sv1test.pubkey
[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv1test/$(hostname) -k /tmp/sv1test.keytab
Keytab successfully retrieved and stored in: /tmp/sv1test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: admin

Valid starting       Expires              Service principal
10/12/2015 13:32:38  10/13/2015 13:22:34  ldap/rhel7-1.example.com
10/12/2015 13:22:34  10/13/2015 13:22:34  HTTP/rhel7-1.example.com
10/12/2015 13:22:34  10/13/2015 13:22:34  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: sv1test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/12/2015 13:33:03  10/13/2015 13:33:03  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# echo 1234556 > secret.in
[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=sv1test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.

Note that if I create a role with the "Vault Administrators" privilege with that service as a member, I can add a new vault as that service.

[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa role-add sv1admins
----------------------
Added role "sv1admins"
----------------------
  Role name: sv1admins
[root@rhel7-1 ~]# ipa role-add-privilege sv1admins --privileges="Vault Administrators"
  Role name: sv1admins
  Privileges: Vault Administrators
----------------------------
Number of privileges added 1
----------------------------
[root@rhel7-1 ~]# ipa role-add-member sv1admins --service=sv1test/$(hostname)
  Role name: sv1admins
  Privileges: Vault Administrators
  Member services: sv1test/rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dncB1a7
Default principal: sv1test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/12/2015 13:49:31  10/13/2015 13:49:31  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey
---------------------------
Added vault "sv1test_vault"
---------------------------
  Vault name: sv1test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv1test/rhel7-1.example.com
  Vault service: sv1test/rhel7-1.example.com

But it's my understanding here that I should be able to create the service vault as the service without doing this.

Also note that a quick check shows that adding a user vault still works as expected:

[root@rhel7-1 ~]# ipa user-add uv1test --first=f --last=l --password
Password:
Enter Password again to verify:
--------------------
Added user "uv1test"
--------------------
  User login: uv1test
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/uv1test
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: uv1test
  Email address: uv1test
  UID: 349400001
  GID: 349400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True
[root@rhel7-1 ~]# kinit uv1test
Password for uv1test:
Password expired.  You must change it now.
Enter new password:
Enter it again:
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_fPMErjf
Default principal: uv1test

Valid starting       Expires              Service principal
10/12/2015 14:09:14  10/13/2015 14:09:14  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# ipa vault-add uv1test_vault --password Pa55w0rd1
---------------------------
Added vault "uv1test_vault"
---------------------------
  Vault name: uv1test_vault
  Type: symmetric
  Salt: UN7uaGwOIVgkTJ2mntsuXA==
  Owner users: uv1test
  Vault user: uv1test

Upstream ticket: https://fedorahosted.org/freeipa/ticket/5361

Fixed upstream master: https://fedorahosted.org/freeipa/changeset/2f3450249ded2c14d2ca55f15bdcace7007a6ebb
ipa-4-2: https://fedorahosted.org/freeipa/changeset/285043e3880cf11ed7edd39f2918c1fcdc623cc9

Verified Version ::
ipa-server-4.2.0-15.el7.x86_64

Results ::

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv2test.privkey -out sv2test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
............................................................................+++
..............................+++
writing new private key to 'sv2test.privkey'
-----
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa service-add sv2test/$(hostname)
-------------------------------------------------------
Added service "sv2test/rhel7-1.example.com"
-------------------------------------------------------
  Principal: sv2test/rhel7-1.example.com
  Managed by: rhel7-1.example.com
[root@rhel7-1 ~]# ipa cert-request sv2test.csr --principal="sv2test/$(hostname)" --profile-id=caIPAserviceCert
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a
  Serial number: 22
  Serial number (hex): 0x16
[root@rhel7-1 ~]# ipa service-show sv2test/$(hostname) --out sv2test.crt
-------------------------------------------
Certificate(s) stored in file 'sv2test.crt'
-------------------------------------------
  Principal: sv2test/rhel7-1.example.com
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 22
  Serial Number (hex): 0x16
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a
[root@rhel7-1 ~]# openssl x509 -pubkey -in sv2test.crt -noout > sv2test.pubkey
[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv2test/$(hostname) -k /tmp/sv2test.keytab
Keytab successfully retrieved and stored in: /tmp/sv2test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: admin

Valid starting       Expires              Service principal
10/13/2015 13:50:01  10/14/2015 13:46:26  ldap/rhel7-1.example.com
10/13/2015 13:46:32  10/14/2015 13:46:26  HTTP/rhel7-1.example.com
10/13/2015 13:46:27  10/14/2015 13:46:26  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: sv2test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/13/2015 13:51:06  10/14/2015 13:51:06  krbtgt/EXAMPLE.COM
[root@rhel7-1 ~]# echo 1234556 > secret.in
[root@rhel7-1 ~]# ipa vault-add sv2test_vault --service sv2test/$(hostname) --type asymmetric --public-key-file sv2test.pubkey
---------------------------
Added vault "sv2test_vault"
---------------------------
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
[root@rhel7-1 ~]# ipa vault-archive sv2test_vault --service sv2test/$(hostname) --in secret.in
----------------------------------------
Archived data into vault "sv2test_vault"
----------------------------------------
[root@rhel7-1 ~]# ipa vault-retrieve sv2test_vault --service sv2test/$(hostname) --private-key-file=sv2test.privkey --out secret.out
-----------------------------------------
Retrieved data from vault "sv2test_vault"
-----------------------------------------
[root@rhel7-1 ~]# cat secret.out
1234556

####### Expected failure adding new service owner as non-admin service #######
per https://bugzilla.redhat.com/show_bug.cgi?id=1258965#c4

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners:
    owner user:
    owner group:
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

####### Add new service owner for container
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------

######## Fail to add service owner with service non-admin
[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab
[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners:
    owner user:
    owner group:
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

######## Add new service vault owner
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------

######## Add new service vault member
[root@rhel7-1 ~]# ipa vault-add-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Member services: svc1/rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------

############# show vault
[root@rhel7-1 ~]# ipa vault-show --service=sv2test/$(hostname)
Vault name: sv2test_vault
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Member services: svc1/rhel7-1.example.com

############ remove members as second owner
[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab
[root@rhel7-1 ~]# ipa vault-remove-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
---------------------------
Number of members removed 1
---------------------------

########### Fail to remove second owner as original owner
[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab
[root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners:
    owner user:
    owner group:
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
--------------------------
Number of owners removed 0
--------------------------

####### Remove owner as admin
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
--------------------------
Number of owners removed 1
--------------------------

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
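The transcripts above pass a certificate-derived public key to `ipa vault-add --type asymmetric` and the matching private key to `ipa vault-retrieve`, which is the whole point of an asymmetric vault: whoever holds the private key, and nobody else, can recover what was archived. Two details of that key handling are worth checking on any host that does this. First, `openssl req -keyout` honours the umask, and the `ls -ltr` output in the first transcript shows `sv1test.privkey` created world-readable (`-rw-r--r--`), so a 0644 private key sits next to the keytab. Second, a decrypt attempt with any other key must fail outright rather than return garbage. The script below is an added example, not code from the bug report or from FreeIPA; it models the key relationship locally so it runs offline. It assumes `openssl` is on `PATH`, uses a self-signed certificate in place of the one `ipa cert-request` issues in the report, invents the file names `svc.privkey`, `svc.crt`, `svc.pubkey` and `other.privkey`, and encrypts the payload directly with RSA-OAEP via `openssl pkeyutl`. That last choice is the example's own and is not FreeIPA's vault transport; it only demonstrates what "encrypt to the vault public key" means.

```shell
#!/bin/sh
# Added example (not from the bug report or FreeIPA): local stand-in for the
# asymmetric-vault key handling seen in the transcripts.
# Assumptions: openssl on PATH; self-signed cert instead of an IPA-issued one;
# file names below are invented for this example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
# The report's `ls -ltr` shows sv1test.privkey created 0644 (world-readable).
# `openssl req -keyout` honours the umask, so restrict it before generating.
umask 077

# Key pair + certificate for the service. The report gets the certificate
# from the IPA CA via `ipa cert-request`; here it is self-signed so the
# example runs offline.
gen_keypair() {
    openssl req -new -newkey rsa:2048 -nodes -x509 -days 1 \
        -keyout "$WORK/svc.privkey" -out "$WORK/svc.crt" \
        -subj "/CN=svc.example.com" 2>/dev/null
    # Same step as the report: public key in PEM, extracted from the cert.
    openssl x509 -pubkey -in "$WORK/svc.crt" -noout > "$WORK/svc.pubkey"
}

# Encrypt a secret so that only the holder of svc.privkey can read it.
# RSA-OAEP straight over the payload: fine for a short secret (well under
# the key size, roughly 200 bytes for RSA-2048), and a local model of the
# "encrypt to the vault public key" relationship, not FreeIPA's wire format.
archive_secret() {
    printf '%s' "$1" > "$WORK/secret.in"
    openssl pkeyutl -encrypt -pubin -inkey "$WORK/svc.pubkey" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/secret.in" -out "$WORK/secret.enc"
}

# Decrypt with the private key: the counterpart of
# `ipa vault-retrieve --private-key-file` in the report.
retrieve_secret() {
    openssl pkeyutl -decrypt -inkey "$WORK/svc.privkey" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.enc"
}

# Permission string of the private key, e.g. "-rw-------".
privkey_mode() {
    ls -l "$WORK/svc.privkey" | cut -c1-10
}

# Full round trip: prints the recovered secret on stdout.
vault_roundtrip() {
    gen_keypair
    archive_secret "$1"
    retrieve_secret
}

# Negative check: an unrelated private key must be rejected (OAEP padding
# check fails), not yield garbage. Prints "denied" on the expected failure.
retrieve_with_wrong_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/other.privkey" 2>/dev/null
    if openssl pkeyutl -decrypt -inkey "$WORK/other.privkey" \
        -pkeyopt rsa_padding_mode:oaep -in "$WORK/secret.enc" >/dev/null 2>&1
    then
        echo "unexpected success"
    else
        echo "denied"
    fi
}

# Usage: sh vault_keys.sh <secret>
if [ "$#" -gt 0 ]; then
    vault_roundtrip "$1"
    echo
    echo "private key mode: $(privkey_mode)"
    echo "wrong key: $(retrieve_with_wrong_key)"
fi
```

Run as `sh vault_keys.sh 1234556` to see the secret come back, the private key created as `-rw-------`, and the wrong-key decrypt refused. On a real deployment the equivalent checks are the mode of the `.privkey` file the report leaves in the working directory and of the keytab under `/tmp`, since either one read by another local user is enough to impersonate the service or to decrypt everything archived to that vault.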