Bug 1731433

Summary: ipa service-find does not list cifs service created by ipa-client-samba
Product: [Fedora] Fedora
Component: freeipa
Version: 30
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Sergey Orlov <sorlov>
Assignee: IPA Maintainers <ipa-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, contribs, ipa-maint, jcholast, jhrozek, pvoborni, rcritten, ssorce, twoerner
Fixed In Version: freeipa-4.8.2-1.fc31
Last Closed: 2019-11-20 01:02:11 UTC
Type: Bug
Bug Blocks: 1731437

Description Sergey Orlov 2019-07-19 12:10:13 UTC
Description of problem:
The ipa-client-samba utility creates a cifs service which is not listed by "ipa service-find", though it can be viewed using "ipa service-show".


Version-Release number of selected component (if applicable):
freeipa-server-4.8.0-1.fc30.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Set up topology: install ipa server, run ipa-adtrust-install on server, set up ipa client.
2. Run ipa-client-samba on client
3. Run ipa service-find

Actual results:
cifs service for client is not listed

Expected results:
record for principal cifs/client1.testrelm.test in output


Additional info:
"ipa service-show cifs/client1.testrelm.test" shows the desired service.

Extract from /var/log/dirsrv/slapd-TESTRELM-TEST/access captured during execution of ipa service-find:
SRCH base="cn=services,cn=accounts,dc=testrelm,dc=test" scope=1 filter="(&(&(objectClass=ipaService)(!(objectClass=posixAccount))(!(|(krbPrincipalName=kadmin/*)(krbPrincipalName=K/M@*)(krbPrincipalName=krbtgt/*))))(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuser)))" attrs="userCertificate krbPrincipalName ipaKrbAuthzData ipaAllowedToPerform krbPrincipalAuthInd krbCanonicalName"

The thing to note here is "!(objectClass=posixAccount)".
As the service record contains this objectClass, the record is removed from search results:
ipa service-show cifs/client1.testrelm.test --raw --all
  dn: krbprincipalname=cifs/client1.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
  krbcanonicalname: cifs/client1.testrelm.test
...
  objectClass: posixaccount
...


The filter was introduced in commit 789fec4381 in year 2009.
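
Added example (not part of the original report and not FreeIPA code): a small LDAP filter evaluator that runs the logged filter against a constructed cifs entry to show that the posixAccount clause alone hides it. Assumptions: the entry's object classes other than posixaccount, the @TESTRELM.TEST realm suffix and the HTTP comparison entry are constructed, and removing the clause is only a comparison, not the upstream change.

```python
import re

# Filter copied from the access-log line in the report.
LOGGED_FILTER = (
    "(&(&(objectClass=ipaService)(!(objectClass=posixAccount))"
    "(!(|(krbPrincipalName=kadmin/*)(krbPrincipalName=K/M@*)(krbPrincipalName=krbtgt/*))))"
    "(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)"
    "(objectClass=krbticketpolicyaux)(objectClass=ipaobject)"
    "(objectClass=ipaservice)(objectClass=pkiuser)))"
)
POSIX_CLAUSE = "(!(objectClass=posixAccount))"

# Constructed entries (assumption): only posixaccount is confirmed by the report.
BASE_CLASSES = ["krbprincipal", "krbprincipalaux", "krbticketpolicyaux",
                "ipaobject", "ipaservice", "pkiuser"]
CIFS_ENTRY = {"krbprincipalname": ["cifs/client1.testrelm.test@TESTRELM.TEST"],
              "objectclass": BASE_CLASSES + ["posixaccount"]}
HTTP_ENTRY = {"krbprincipalname": ["HTTP/client1.testrelm.test@TESTRELM.TEST"],
              "objectclass": BASE_CLASSES}

def parse(f, i=0):
    """Parse the filter component starting at f[i]; return (tree, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if f[i + 1] in "&|!":
        op, i, kids = f[i + 1], i + 2, []
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")" or not kids:
            raise ValueError(f"malformed filter list at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, _, value = f[i + 1:end].partition("=")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(tree, entry):
    """Evaluate a parsed filter against {attr: [values]}, case-insensitively."""
    if tree[0] == "=":
        pattern = ".*".join(re.escape(part) for part in tree[2].split("*"))
        return any(re.fullmatch(pattern, v.lower()) for v in entry.get(tree[1], []))
    results = [matches(kid, entry) for kid in tree[1]]
    if tree[0] == "!":
        return not results[0]
    return all(results) if tree[0] == "&" else any(results)

def visible(filter_text, entry):
    """True if a one-level search with this filter would return the entry."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return matches(tree, entry)
```
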

Comment 1 Rob Crittenden 2019-07-19 12:54:42 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8013

Comment 2 Rob Crittenden 2019-07-19 17:15:30 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/e771fa59ff65545ff1e84f1cd30e06556fabcee3

Comment 3 Rob Crittenden 2019-07-19 19:17:27 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/2f9cbffb6e57ded2d0107f457241f33b17869a96

Comment 4 Fedora Update System 2019-11-12 20:48:18 UTC
FEDORA-2019-75a963e4cb has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 5 Fedora Update System 2019-11-13 10:53:04 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 6 Fedora Update System 2019-11-20 01:02:11 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.