Bug 673487

Summary: Disabling a service with certificate succeeds even when "keytab: false".
Product: [Retired] freeIPA
Reporter: Gowrishankar Rajaiyan <grajaiya>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: unspecified
Priority: unspecified
Version: unspecified
CC: benl, dpal, jgalipea, mkosek
Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:26:47 UTC

Description Gowrishankar Rajaiyan 2011-01-28 12:07:55 UTC
Description of problem:
Adding a service with the --certificate option marks this service as "enabled" even though "keytab: false", because of which executing the "ipa service-disable" command on this service succeeds without any error.

Version-Release number of selected component (if applicable):
freeipa-admintools-2.0-0.2011012803git7b04b22.fc14.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa service-add TEST/gsrf14ipas.testrelm@testrelm --certificate=<your certificate in bytes>
2. ipa service-show TEST/gsrf14ipas.testrelm@testrelm --all
#  dn: krbprincipalname=test/gsrf14ipas.testrelm@testrelm,cn=services,cn=accounts,dc=testrelm
#  Principal: TEST/gsrf14ipas.testrelm@TESTRELM
#  Certificate: [...]
#  has_keytab: False   <---
#  ipauniqueid: 652f6b38-2aca-11e0-85fa-525400ec600a
#  issuer: CN=TESTRELM Certificate Authority
#  managedby_host: gsrf14ipas.testrelm
#  md5_fingerprint: c5:dd:58:3d:c1:52:6b:40:53:0d:3b:84:04:24:69:96
#  objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, top
#  serial_number: 1002
#  sha1_fingerprint: 56:85:98:cf:84:c2:e2:35:31:44:c8:fb:f6:b5:b3:0d:d2:5c:cd:85
#  subject: CN=gsrf14ipas.testrelm,O=TESTRELM
#  valid_not_after: Wed Jan 27 04:41:52 2021 UTC
#  valid_not_before: Thu Jan 27 04:41:52 2011 UTC

3. Try disabling the above service
ipa service-disable TEST/gsrf14ipas.testrelm@TESTRELM
  
Actual results:
#-------------------------------------------------------------
#Removed kerberos key from "TEST/gsrf14ipas.testrelm@TESTRELM"
#------------------------------------------------------------- 

Expected results:
ipa: ERROR: This entry is already disabled

Additional info:

Comment 1 Rob Crittenden 2011-01-28 14:41:59 UTC
This may be a difference of expectations.

Disabling a service disables everything about it: keytab, certs, etc.

So if anything is set on it then it will do so and return success.

Comment 2 Dmitri Pal 2011-01-28 19:26:50 UTC
Output in fact seems misleading, though my expectation is yet different from both of yours. This means that there is in fact ambiguity we need to look into. Thus opening a ticket.

Comment 3 Dmitri Pal 2011-01-28 19:27:57 UTC
https://fedorahosted.org/freeipa/ticket/872

Comment 4 Martin Kosek 2011-02-17 09:11:59 UTC
Fixed in 2f0e8e3a3d9de78d3711c73b480d79f68f0de0d0. Both host and service disable operations should be much clearer after this patch.
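
The disable semantics discussed in this thread, as an added Python sketch that is not FreeIPA's code or the referenced patch: disable acts on whichever credential is set (Comment 1), reports only what it actually touched, and raises the reporter's expected error when nothing is left. `ServiceEntry`, `disable_service`, `summary`, the `revoke` hook and the summary wording are hypothetical.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


class AlreadyInactive(Exception):
    """Nothing is left to disable on the entry."""


@dataclass
class ServiceEntry:
    # Hypothetical in-memory stand-in for the service entry in the report.
    principal: str
    has_keytab: bool = False
    certificate: Optional[bytes] = None


def disable_service(entry: ServiceEntry,
                    revoke: Callable[[bytes], None]) -> List[str]:
    """Disable every credential on the entry; return what was actually done."""
    actions = []
    if entry.certificate is not None:
        revoke(entry.certificate)      # hypothetical CA revocation hook
        entry.certificate = None
        actions.append("disabled certificate")
    if entry.has_keytab:
        entry.has_keytab = False       # stands in for deleting the Kerberos keys
        actions.append("removed kerberos key")
    if not actions:
        raise AlreadyInactive("This entry is already disabled")
    return actions


def summary(entry: ServiceEntry, actions: List[str]) -> str:
    # Constructed message format: names only the credentials that were touched.
    return 'Disabled service "%s": %s' % (entry.principal, ", ".join(actions))


def demo() -> List[str]:
    revoked: List[bytes] = []
    # Constructed sample mirroring the report: certificate set, no keytab.
    svc = ServiceEntry("TEST/gsrf14ipas.testrelm@TESTRELM",
                       has_keytab=False, certificate=b"constructed-der-bytes")
    lines = [summary(svc, disable_service(svc, revoked.append))]
    try:
        disable_service(svc, revoked.append)
    except AlreadyInactive as exc:
        lines.append("ipa: ERROR: %s" % exc)
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```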