Bug 1400529
Field | Value
---|---
Summary | cert-request is not aware of Kerberos principal aliases
Product | Red Hat Enterprise Linux 7
Reporter | Thorsten Scherf <tscherf>
Component | ipa
Assignee | IPA Maintainers <ipa-maint>
Status | CLOSED ERRATA
QA Contact | Abhijeet Kasurde <akasurde>
Severity | unspecified
Priority | unspecified
Version | 7.3
CC | akasurde, ftweedal, ldelouw, mbabinsk, pvoborni, pvomacka, rcritten
Target Milestone | rc
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipa-4.5.0-1.el7
Doc Type | If docs needed, set a value
Story Points | ---
Last Closed | 2017-08-01 09:44:33 UTC
Type | ---
Regression | ---
Documentation | ---
Description
Thorsten Scherf
2016-12-01 12:37:57 UTC
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7

Marking BZ as failedQA as fix is not ported in RHEL IPA build.

When pushing the patch I forgot to include the commit in the ipa-4-5 branch to this BZ, that's why it was not picked up during the build process. Pavel, can you please include it in the next build of ipa? Sorry for the inconvenience.

Fixed upstream: ipa-4-5: https://pagure.io/freeipa/c/dfbdb5323863e6c3d681c1b33b1eb9d2efefd6c7

Disregard my previous comment, the fix was pushed to master before ipa-4-5 was even forked so it should be there. In that case this seems to be either a legitimate bug or an issue in tests (given that the fix was provided upstream, tests that are green). Fraser, can you investigate this with Abhijeet?

As Martin wrote above, the fix is already in the IPA build. So the issue will be caused by something else.

Abhijeet,

The --principal option to `ipa cert-request` must be the canonical principal name. What this change does is allow information in the CSR to match the principal aliases. There is a separate ticket[1] (not yet implemented) to allow principal aliases to be used as the --principal argument.

[1] https://pagure.io/freeipa/issue/6531

So to test this, use the canonical principal name as the --principal argument, but include principal aliases in the CSR. E.g., try the following combinations, for appropriate instantiations of DOMAIN and OTHERDOMAIN.

1) Canonical principal name "test/DOMAIN", CN = "OTHERDOMAIN"
2) Canonical principal name "test/DOMAIN", CN = "DOMAIN", SAN dnsName = "OTHERDOMAIN"

Note that when comparing SERVICE principal names, because the CN and SAN dnsName are merely domain names, we prepend THE SAME SERVICE PREFIX as appears in the canonical principal. Therefore if the canonical principal name is test/DOMAIN, and the CN is OTHERDOMAIN, we look for "test/OTHERDOMAIN" among the principal aliases.

Another IMPORTANT note: your steps for creating a CSR with the subjectAltName extension are wrong -- you cannot put it in the Subject Name (-subj option) as you have done. Instead, create a config file like the below and supply the '-config FILENAME' option to `openssl req`.

---
[ req ]
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = exts

[ dn ]
commonName = "testhost1.ipa.local"

[ exts ]
subjectAltName = DNS:testhost2.ipa.local
---

Hope that helps!

Verified using IPA server version: ipa-server-4.5.0-16.el7.x86_64

Marking BZ as verified. See attachment for console.log.

Created attachment 1286095 [details]
console.log
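The matching rule spelled out in the comments above (take the service prefix of the canonical principal, prepend it to each DNS name the CSR asserts in the CN and SAN dNSName entries, and look the result up among the canonical name and the aliases) can be modelled in a few lines. The block below is an added example written for this page; it is not FreeIPA's cert-request code, and the `Principal` class, the host names and the realm `IPA.LOCAL` are constructed for illustration. It covers the two test combinations from the comment, a case-insensitive host name, an alias registered under a different service prefix (which must not match), and an alias that omits the realm:

```python
# Added example (not FreeIPA code): models the matching rule described in the
# comment above. Every DNS name found in the CSR (Subject CN and SAN dNSName
# entries) is prefixed with the *same* service name as the canonical principal
# and then looked up among the principal's canonical name and aliases.
# Host names, realm and the Principal type are constructed for illustration.

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Principal:
    """Canonical service principal plus its aliases, e.g. 'test/host@REALM'."""
    canonical: str
    aliases: List[str] = field(default_factory=list)


def split_principal(name: str, default_realm: Optional[str] = None) -> Tuple[str, str, str]:
    """Split 'service/host@REALM' into (service, host, realm).

    The host part is lower-cased because DNS names compare case-insensitively;
    the realm falls back to default_realm when an alias omits it.
    """
    princ, _, realm = name.partition("@")
    service, sep, host = princ.partition("/")
    if not sep or not service or not host:
        raise ValueError(f"not a service principal: {name!r}")
    return service, host.lower(), realm or default_realm or ""


def csr_dns_names(cn: Optional[str], san_dns: List[str]) -> List[str]:
    """Collect every DNS name a CSR asserts: the Subject CN, then SAN dNSName values."""
    names = [cn] if cn else []
    names.extend(san_dns)
    return names


def match_csr_names(principal: Principal, cn: Optional[str],
                    san_dns: List[str]) -> Dict[str, Optional[str]]:
    """Map each CSR DNS name to the principal name it matched, or None if unmatched."""
    service, _, realm = split_principal(principal.canonical)
    known = {}
    for pname in [principal.canonical, *principal.aliases]:
        known[split_principal(pname, realm)] = pname
    result: Dict[str, Optional[str]] = {}
    for dns in csr_dns_names(cn, san_dns):
        # Same service prefix as the canonical principal: 'OTHERDOMAIN' is
        # looked up as 'test/OTHERDOMAIN', never as 'HTTP/OTHERDOMAIN'.
        result[dns] = known.get((service, dns.lower(), realm))
    return result


def csr_names_allowed(principal: Principal, cn: Optional[str], san_dns: List[str]) -> bool:
    """True only when the CSR names something and every name resolves to the canonical principal or an alias."""
    matches = match_csr_names(principal, cn, san_dns)
    return bool(matches) and all(v is not None for v in matches.values())


if __name__ == "__main__":
    p = Principal(
        canonical="test/testhost1.ipa.local@IPA.LOCAL",
        aliases=["test/testhost2.ipa.local@IPA.LOCAL",
                 "HTTP/testhost3.ipa.local@IPA.LOCAL"],
    )
    # Combination 1 from the comment: CN is the alias host.
    print(match_csr_names(p, "testhost2.ipa.local", []))
    # Combination 2: CN is the canonical host, SAN dNSName is the alias host.
    print(match_csr_names(p, "testhost1.ipa.local", ["testhost2.ipa.local"]))
    # Alias exists but under a different service prefix: not matched.
    print(match_csr_names(p, "testhost3.ipa.local", []))
```

Note that, as the comment states, this only governs what the CSR may contain; the `--principal` argument to `ipa cert-request` itself still has to be the canonical principal name.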
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304