Bug 1391799

Summary: cert-request rejects request with correct krb5PrincipalName SAN
Product: Red Hat Enterprise Linux 7 Reporter: Abhijeet Kasurde <akasurde>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED NOTABUG QA Contact: Kaleem <ksiddiqu>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: akasurde, drieden, ipa-maint, ksiddiqu, mbabinsk, mbasti, nsoman, pvoborni, rcritten, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1252517 Environment:
Last Closed: 2016-11-15 04:04:38 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1252517    
Bug Blocks:    

Comment 1 Abhijeet Kasurde 2016-11-04 05:20:10 UTC 
Fix is not available in RHEL 7.3 ::

# grep " principal_string:" . -ir
./ipaserver/plugins/cert.py:                if name != principal_string:
# rpm -q ipa-server
ipa-server-4.4.0-12.el7.x86_64
Comment 3 Martin Babinsky 2016-11-14 09:39:23 UTC 
I have repeated the steps to reproduce on my VM and was able to succesfully request a certificate containing valid KRBPrincipalName SAN.

1.)
 cat tuser-krb5p.cnf 
[ req ]
prompt = no
encrypt_key = no

distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "tuser"

[ exts ]
subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:krb5principal

[ krb5principal ]
realm = EXPLICIT:0,GeneralString:IPA.TEST
principalname = EXPLICIT:1,SEQUENCE:principalname

[ principalname ]
nametype = EXPLICIT:0,INT:0
namestring = EXPLICIT:1,SEQUENCE:namestring

[ namestring ]
part1 = GeneralString:tuser

2.) ]# ipa caacl_add all_users --usercat=all --profilecat=all
------------------------
Added CA ACL "all_users"
------------------------
  ACL name: all_users
  Enabled: TRUE
  Profile category: all
  User category: all

3.) # openssl req -out tuser.csr -new -newkey rsa:2048 -nodes -keyout tuser.key -config tuser-krb5p.cnf 
Generating a 2048 bit RSA private key

4.) 
# kinit 
# ipa cert-request tuser.csr --principal tuser
 Issuing CA: ipa
  Certificate: MIIE...
  Subject: CN=tuser,O=IPA.TEST
  Subject Kerberos principal name: tuser
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Serial number: 12
  Serial number (hex): 0xC

Is there a real regression in this use-case? If yes, then please provide a recent reproducer. Otherwise I will close the BZ as INSUFFICIENT_INFO.

(Also grepping for some boolean in the code is not a indication of the presence of a fix. In this case there was an extensive refactoring because of changes in principal processing in the framework. The passing testcase determines whether the fix is in place, not the code.)
Comment 4 Abhijeet Kasurde 2016-11-15 04:04:38 UTC 
Hi Martin,

Cerprofile operations are working in my environment. The only difference was in cert profile configuration file. 

I am sorry that I searched a boolean value related in the code and not seen the code behind it. I will debug the code before putting BZ. 

Closing issues with status - NOT-A-BUG

Thanks.