Bug 1362333

Summary:	ipa vault container owner cannot add vault
Product:	Red Hat Enterprise Linux 7	Reporter:	Scott Poore <spoore>
Component:	ipa	Assignee:	IPA Maintainers <ipa-maint>
Status:	CLOSED ERRATA	QA Contact:	Kaleem <ksiddiqu>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	7.3	CC:	lkrispen, mbasti, nkinder, pvoborni, rcritten, rmeggins
Target Milestone:	rc	Keywords:	Regression
Target Release:	---
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:	ipa-4.4.0-9.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2016-11-04 05:59:56 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Scott Poore 2016-08-02 02:04:52 UTC

Description of problem:

I am seeing ACI errors when I try to add a vault as a container owner.

[Mon Aug 01 20:49:36.009521 2016] [:error] [pid 6419] ipa: INFO: [jsonserver_kerb] testuser2: vault_add_internal/1(u'test_vault', ipavaulttype=u'standard', username=u'testuser', version=u'2.211'): ACIError


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
always


Steps to Reproduce:

1. Create and setup users

ipa user-add testuser --first=f --last=l --password
kinit testuser
kdestroy -A
kinit admin
ipa user-add testuser2 --first=f --last=l --password
kinit testuser2
kdestroy -A
kinit admin

2. Add vault to setup base container

ipa vault-add testuservault --user=testuser --type=standard

3.  To see what is happening, show vault to check container

ipa vault-show testuservault --user=testuser --all

4.  Add second user as owner of container for first user

ipa vaultcontainer-add-owner --user=testuser --users=testuser2

5.  Add a vault as the second user

kdestroy -A
kinit testuser2
ipa vault-add --type=standard --user=testuser test_vault


Actual results:

# ipa vault-add --type=standard --user=testuser test_vault
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com'.



Expected results:

# ipa vault-add --type=standard --user=testuser test_vault
------------------------
Added vault "test_vault"
------------------------
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser


Additional info:

Comment 3 Martin Bašti 2016-08-02 15:00:31 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6159

Comment 4 Martin Bašti 2016-08-17 15:58:04 UTC

This looks like DS issues for me:

I see that ACI is there, and it looks correct to me.

dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)


I downgraded DS and it works.
* Does not work with 389-ds-base-1.3.5.13-1.fc24.x86_64
* Works with: 389-ds-base-1.3.5.6-1.fc24.x86_64

Comment 7 Martin Bašti 2016-08-18 05:52:06 UTC

Hello, I'm providing more info as was requested.

# kinited as user testuser2
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser2.IDM.LAB.ENG.BRQ.REDHAT.COM


# related connection in access log

[18/Aug/2016:07:44:16.055671837 +0200] conn=40 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.096290593 +0200] conn=40 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[18/Aug/2016:07:44:16.097988040 +0200] conn=40 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.100159937 +0200] conn=40 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[18/Aug/2016:07:44:16.100440466 +0200] conn=40 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.102011530 +0200] conn=40 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testuser2,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.351386603 +0200] conn=40 op=3 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[18/Aug/2016:07:44:16.535467902 +0200] conn=40 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.807864049 +0200] conn=40 op=4 SRCH base="cn=ipaconfig,cn=etc,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[18/Aug/2016:07:44:16.809484884 +0200] conn=40 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.811682693 +0200] conn=40 op=5 SRCH base="cn=masters,cn=ipa,cn=etc,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=KRA)
)" attrs=ALL
[18/Aug/2016:07:44:16.815205245 +0200] conn=40 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.817619633 +0200] conn=40 op=6 ADD dn="cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.819135581 +0200] conn=40 op=6 RESULT err=50 tag=105 nentries=0 etime=0
[18/Aug/2016:07:44:16.826946705 +0200] conn=40 op=7 UNBIND
[18/Aug/2016:07:44:16.826995981 +0200] conn=40 op=7 fd=119 closed - U1


container entry:
# testuser, users, vaults, kra, dom-058-107.abc.idm.lab.eng.brq.redhat.com
dn: cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
objectClass: ipaVaultContainer
objectClass: top
owner: uid=admin,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=e
 ng,dc=brq,dc=redhat,dc=com
owner: uid=testuser2,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
cn: testuser

Comment 8 Ludwig 2016-08-18 07:24:17 UTC

does testuser2 have the rights to add the testuser entry ?
can we see the aci and what is attempted to be added ?

does the entry already exist when the ADD is attempted ? If the entry already exists and testuser2 does not have access right the CVE fix did change the return code, before it would be "already exists" and now it is "insufficient access"

is there a simple reproducer ?

Comment 9 Martin Bašti 2016-08-18 07:38:40 UTC

Reproducer is in bug description.

dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)

I hope that this ACI allows user to add vaults into container, testuser2 is owner of container. (see comment 7)

Comment 10 Ludwig 2016-08-18 07:59:56 UTC

but the failing add is this:

[18/Aug/2016:07:44:16.817619633 +0200] conn=40 op=6 ADD dn="cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.819135581 +0200] conn=40 op=6 RESULT err=50 tag=105 nentries=0 etime=0

and this seems to be the container entry itself

Comment 11 Martin Bašti 2016-08-18 08:04:59 UTC

Ahh, I didn't noticed that, thank you.

So this is IPA bug then, same as other revealed by changing behavior of DS, instead of duplicated error we are receiving ACI error now (as expected after fixed CVE).

Comment 12 Martin Bašti 2016-08-18 11:06:22 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6b7d6417d403c983691c790c1e60cfe32bf1c420

Comment 14 Scott Poore 2016-09-14 13:14:04 UTC

Verified.

Version ::

ipa-server-4.4.0-11.el7.x86_64

Results ::

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# echo redhat|ipa user-add testuser --first=f --last=l --password
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 492600001
  GID: 492600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm1 ~]# echo -e "redhat\nSecret123\nSecret123" | kinit testuser
Password for testuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# echo redhat|ipa user-add testuser2 --first=f --last=l --password
----------------------
Added user "testuser2"
----------------------
  User login: testuser2
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser2
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser2
  Principal alias: testuser2
  Email address: testuser2
  UID: 492600003
  GID: 492600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm1 ~]# echo -e "redhat\nSecret123\nSecret123" | kinit testuser2
Password for testuser2: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# ipa vault-add testuservault --user=testuser --type=standard
ipa: ERROR: KRA service is not enabled

[root@vm1 ~]# 

[root@vm1 ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

[root@vm1 ~]# ipa vault-add testuservault --user=testuser --type=standard
---------------------------
Added vault "testuservault"
---------------------------
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser

[root@vm1 ~]# ipa vault-show testuservault --user=testuser --all
  dn: cn=testuservault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser
  objectclass: top, ipaVault

[root@vm1 ~]# ipa vaultcontainer-add-owner --user=testuser --users=testuser2
  Owner users: admin, testuser2
  Vault user: testuser
------------------------
Number of owners added 1
------------------------

[root@vm1 ~]# ipa vault-show testuservault --user=testuser --all
  dn: cn=testuservault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser
  objectclass: top, ipaVault

[root@vm1 ~]# ipa vaultcontainer-show --user=testuser --all
  dn: cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Owner users: admin, testuser2
  Vault user: testuser
  cn: testuser
  objectclass: ipaVaultContainer, top

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit testuser2
Password for testuser2: 

[root@vm1 ~]# ipa vault-add --type=standard --user=testuser test_vault
------------------------
Added vault "test_vault"
------------------------
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser

Comment 16 errata-xmlrpc 2016-11-04 05:59:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html