Bug 1364197
| Summary: | caacl: error when instantiating rules with service principals | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Petr Vobornik <pvoborni> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | mbasti, pvoborni, rcritten, spoore |
| Target Milestone: | rc | Keywords: | Regression |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.4.0-6.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-11-04 06:00:19 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Petr Vobornik
2016-08-04 16:46:46 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9dac0a13f101277948b4ce73b21b1d7ec75848b6

Verified using reproducer from upstream ticket.

Version ::
ipa-server-4.4.0-10.el7.x86_64

Results ::

```
[root@vm1 ~]# kdestroy -A
[root@vm1 ~]# kinit admin
Password for admin:
[root@vm1 ~]# ipa dnszone-add 73.168.192.in-addr.arpa. --skip-overlap-check
  Zone name: 73.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: vm1.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1473780797
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 73.168.192.in-addr.arpa. PTR;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;
[root@vm1 ~]# ipa host-add master1.example.com --ip-address=192.168.73.201
--------------------------------
Added host "master1.example.com"
--------------------------------
  Host name: master1.example.com
  Principal name: host/master1.example.com
  Principal alias: host/master1.example.com
  Password: False
  Keytab: False
  Managed by: master1.example.com
[root@vm1 ~]# ipa host-add master2.example.com --ip-address=192.168.73.202
--------------------------------
Added host "master2.example.com"
--------------------------------
  Host name: master2.example.com
  Principal name: host/master2.example.com
  Principal alias: host/master2.example.com
  Password: False
  Keytab: False
  Managed by: master2.example.com
[root@vm1 ~]# ipa service-add svc/master1.example.com
---------------------------------------------------
Added service "svc/master1.example.com"
---------------------------------------------------
  Principal name: svc/master1.example.com
  Principal alias: svc/master1.example.com
  Managed by: master1.example.com
[root@vm1 ~]# ipa service-add svc/master2.example.com
---------------------------------------------------
Added service "svc/master2.example.com"
---------------------------------------------------
  Principal name: svc/master2.example.com
  Principal alias: svc/master2.example.com
  Managed by: master2.example.com
[root@vm1 ~]# ipa service-add-host svc/master1.example.com --hosts master2.example.com
  Principal name: svc/master1.example.com
  Principal alias: svc/master1.example.com
  Managed by: master1.example.com, master2.example.com
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa certprofile-show --out=caIPAtest.txt caIPAserviceCert
----------------------------------------------------
Profile configuration stored in file 'caIPAtest.txt'
----------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE
[root@vm1 ~]# sed -i '/^profileId/d' caIPAtest.txt
[root@vm1 ~]# ipa certprofile-import caIPAtest --file=caIPAtest.txt --desc="Test profile" --store=true
----------------------------
Imported profile "caIPAtest"
----------------------------
  Profile ID: caIPAtest
  Profile description: Test profile
  Store issued certificates: TRUE
[root@vm1 ~]# ipa caacl-add test_caacl --desc "test caacl"
-------------------------
Added CA ACL "test_caacl"
-------------------------
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
[root@vm1 ~]# ipa caacl-add-ca test_caacl --cas ipa
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa caacl-add-profile test_caacl --certprofiles caIPAtest
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa caacl-add-host test_caacl --hosts master2.example.com
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
  Hosts: master2.example.com
-------------------------
Number of members added 1
-------------------------
[root@vm1 ~]# ipa caacl-add-service test_caacl --services svc/master2.example.com \
> --services svc/master1.example.com
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
  Hosts: master2.example.com
  Services: svc/master2.example.com, svc/master1.example.com
-------------------------
Number of members added 2
-------------------------
[root@vm1 ~]# cat > /tmp/master2-san.cnf <<EOF
> [req]
> req_extensions = v3_req
> distinguished_name =req_distinguished_name
> prompt = no
> encrypt_key = no
> default_bits = 2048
>
> [req_distinguished_name]
> commonName = master2.example.com
>
> [ v3_req ]
>
> # Extensions to add to a certificate request
>
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName = @alt_names
>
> [alt_names]
> DNS.1 = master2.example.com
> DNS.2 = master1.example.com
> EOF
[root@vm1 ~]# openssl req -config /tmp/master2-san.cnf -new -nodes -out master2_example.com.csr
Generating a 2048 bit RSA private key
...................................+++
..................+++
writing new private key to stdout
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC91PwkeDJW/F6u
...key truncated...
-----END PRIVATE KEY-----
-----
[root@vm1 ~]# ipa-getkeytab -p host/master2.example.com -k /root/master2.keytab
Keytab successfully retrieved and stored in: /root/master2.keytab
[root@vm1 ~]# kinit -kt /root/master2.keytab host/master2.example.com
[root@vm1 ~]# ipa cert-request master2_example.com.csr \
> --principal 'svc/master2.example.com' \
> --profile-id caIPAtest
  Issuing CA: ipa
  Certificate: MIIERjCCAy6gAwIBAgIBDjANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwG...certificate truncated...
  Subject: CN=master2.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Sep 13 15:35:46 2016 UTC
  Not After: Fri Sep 14 15:35:46 2018 UTC
  Fingerprint (MD5): ae:81:39:a2:8b:fa:8d:1d:13:eb:67:ff:0f:02:e0:35
  Fingerprint (SHA1): c6:bc:36:fd:1b:ce:54:9f:32:73:a9:29:c8:93:52:54:58:32:92:28
  Serial number: 14
  Serial number (hex): 0xE
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
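The reproducer above exercises three things at once: the requesting host must manage the principal the certificate is for, a CA ACL must cover that principal for the chosen CA and profile, and every dNSName in the CSR's subjectAltName must map to a service that is likewise managed by the requester and covered by an ACL. The following Python model is an added example, not FreeIPA's code and not from this bug report; its rule structure, the `managed_by` lookup and the `svc/<fqdn>` naming of SAN principals are simplifying assumptions that mirror the data created in the transcript, so that a reader can see why adding both `svc/master2.example.com` and `svc/master1.example.com` to `test_caacl` (and making `master2` a manager of `svc/master1`) is what lets the request succeed.

```python
"""Simplified model of a CA ACL check for a certificate request.

Constructed example mirroring the checks exercised by the reproducer
(CA ACL membership plus subject-alternative-name coverage). This is not
FreeIPA's implementation; the rule shape and lookups are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class CAACL:
    """One CA ACL rule: which principals may use which profiles on which CAs."""
    name: str
    enabled: bool = True
    cas: set = field(default_factory=set)
    profiles: set = field(default_factory=set)
    hosts: set = field(default_factory=set)      # e.g. "host/master2.example.com"
    services: set = field(default_factory=set)   # e.g. "svc/master2.example.com"

    def permits(self, ca: str, profile: str, principal: str) -> bool:
        """True if this rule allows `principal` a `profile` certificate from `ca`."""
        if not self.enabled:
            return False
        if ca not in self.cas or profile not in self.profiles:
            return False
        return principal in self.hosts or principal in self.services


@dataclass
class Directory:
    """Constructed stand-in for IPA service entries and their managing hosts."""
    managed_by: dict  # principal -> set of host FQDNs allowed to manage it


def check_cert_request(acls, directory, requester_host, principal, ca, profile, san_dns):
    """Decide whether a certificate request is permitted.

    requester_host: FQDN whose host keytab submits the request
    principal:      principal the certificate is requested for
    san_dns:        dNSName values from the CSR's subjectAltName
    Returns (allowed, reason).
    """
    if principal not in directory.managed_by:
        return False, f"principal {principal} does not exist"
    if requester_host not in directory.managed_by[principal]:
        return False, f"{requester_host} does not manage {principal}"
    if not any(a.permits(ca, profile, principal) for a in acls):
        return False, f"no CA ACL permits {principal} to use profile {profile} on CA {ca}"
    # Each SAN dNSName must correspond to a service of the same type that the
    # requester manages and that some ACL also covers (assumed rule).
    svc_type = principal.split("/", 1)[0]
    for name in san_dns:
        san_principal = f"{svc_type}/{name}"
        if san_principal not in directory.managed_by:
            return False, f"SAN {name}: principal {san_principal} does not exist"
        if requester_host not in directory.managed_by[san_principal]:
            return False, f"SAN {name}: {requester_host} does not manage {san_principal}"
        if not any(a.permits(ca, profile, san_principal) for a in acls):
            return False, f"SAN {name}: no CA ACL permits {san_principal}"
    return True, "permitted"


# Constructed data mirroring the reproducer, plus two extra services that are
# deliberately outside the ACL or outside master2's management.
DIRECTORY = Directory(managed_by={
    "svc/master1.example.com": {"master1.example.com", "master2.example.com"},
    "svc/master2.example.com": {"master2.example.com"},
    "svc/master3.example.com": {"master2.example.com"},   # managed, not in ACL
    "svc/other.example.com": {"other.example.com"},       # not managed by master2
})
TEST_CAACL = CAACL(
    name="test_caacl",
    cas={"ipa"},
    profiles={"caIPAtest"},
    hosts={"host/master2.example.com"},
    services={"svc/master2.example.com", "svc/master1.example.com"},
)

if __name__ == "__main__":
    ok, why = check_cert_request([TEST_CAACL], DIRECTORY, "master2.example.com",
                                 "svc/master2.example.com", "ipa", "caIPAtest",
                                 ["master2.example.com", "master1.example.com"])
    print(ok, why)
```

The model makes the failure modes explicit: a SAN name whose service the requester does not manage, a SAN service that no ACL covers, a profile the ACL does not list, or a disabled ACL each yield a denial with a reason that names the offending check, which is the kind of message worth surfacing in audit logs when a CA front-end rejects a request.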