Bug 1252556 - Missing CLI param and ACL for vault service operations
Missing CLI param and ACL for vault service operations
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa (Show other bugs)
7.2
Unspecified Unspecified
medium Severity unspecified
: rc
: ---
Assigned To: IPA Maintainers
Namita Soman
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-08-11 12:46 EDT by Jan Cholasta
Modified: 2015-11-19 07:05 EST (History)
6 users (show)

See Also:
Fixed In Version: ipa-4.2.0-15.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 07:05:24 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jan Cholasta 2015-08-11 12:46:17 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5172

The current implementation is missing a CLI param and an ACL to support vault operations as described in this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Service_Operations

There are two issues:

1. Currently the CLI to manage the vault owners/members can only accept users and groups. It should also accept services so that the admin can create a vault then allow the services to access the vault.

2. There should be an ACL to allow a service to create its own service container (/services/<service name>/). This is similar to the current ACL that allows a user to create its own user container (/users/<username>/). This way a service can create private service vaults. Otherwise a service vault can only be created by the admin as described in #1 (which might be sufficient).

Proposed milestone: 4.2.1
Comment 3 Scott Poore 2015-10-12 15:25:26 EDT
Moving back to assigned as it looks like I cannot create a new vault (and container) as a service.

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv1test.privkey -out sv1test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
......................................+++
.................+++
writing new private key to 'sv1test.privkey'
-----

[root@rhel7-1 ~]# ipa service-add sv1test/$(hostname)
-------------------------------------------------------
Added service "sv1test/rhel7-1.example.com@EXAMPLE.COM"
-------------------------------------------------------
  Principal: sv1test/rhel7-1.example.com@EXAMPLE.COM
  Managed by: rhel7-1.example.com

[root@rhel7-1 ~]# ipa cert-request sv1test.csr --principal="sv1test/$(hostname)" --profile-id=caIPAserviceCert 
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
  Serial number: 21
  Serial number (hex): 0x15

[root@rhel7-1 ~]# ipa service-show sv1test/$(hostname) --out sv1test.crt
-------------------------------------------
Certificate(s) stored in file 'sv1test.crt'
-------------------------------------------
  Principal: sv1test/rhel7-1.example.com@EXAMPLE.COM
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 21
  Serial Number (hex): 0x15
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46

[root@rhel7-1 ~]# openssl x509 -pubkey -in sv1test.crt -noout > sv1test.pubkey

[root@rhel7-1 ~]# ls -ltr sv1test.*
-rw-r--r--. 1 root root 1704 Oct 12 13:26 sv1test.privkey
-rw-r--r--. 1 root root  903 Oct 12 13:26 sv1test.csr
-rw-r--r--. 1 root root 1472 Oct 12 13:30 sv1test.crt
-rw-r--r--. 1 root root  451 Oct 12 13:31 sv1test.pubkey

[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv1test/$(hostname) -k /tmp/sv1test.keytab
Keytab successfully retrieved and stored in: /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 13:32:38  10/13/2015 13:22:34  ldap/rhel7-1.example.com@EXAMPLE.COM
10/12/2015 13:22:34  10/13/2015 13:22:34  HTTP/rhel7-1.example.com@EXAMPLE.COM
10/12/2015 13:22:34  10/13/2015 13:22:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: sv1test/rhel7-1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 13:33:03  10/13/2015 13:33:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# echo 1234556 > secret.in

[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey 
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=sv1test/rhel7-1.example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
Comment 4 Scott Poore 2015-10-12 15:28:44 EDT
Note that if I create a role with "Vault Administrators" privilege with that service as member, I can add a new vault as that service.

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-1 ~]# ipa role-add sv1admins
----------------------
Added role "sv1admins"
----------------------
  Role name: sv1admins
[root@rhel7-1 ~]# ipa role-add-privilege sv1admins --privileges="Vault Administrators"
  Role name: sv1admins
  Privileges: Vault Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@rhel7-1 ~]# ipa role-add-member sv1admins --service=sv1test/$(hostname)
  Role name: sv1admins
  Privileges: Vault Administrators
  Member services: sv1test/rhel7-1.example.com@EXAMPLE.COM
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dncB1a7
Default principal: sv1test/rhel7-1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 13:49:31  10/13/2015 13:49:31  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey 
---------------------------
Added vault "sv1test_vault"
---------------------------
  Vault name: sv1test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv1test/rhel7-1.example.com@EXAMPLE.COM

But, it's my understanding here that I should be able to create the service vault as the service without doing this.

Also note that a quick check shows that adding user vault still works as expected:

[root@rhel7-1 ~]# ipa user-add uv1test --first=f --last=l --password
Password: 
Enter Password again to verify: 
--------------------
Added user "uv1test"
--------------------
  User login: uv1test
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/uv1test
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: uv1test@EXAMPLE.COM
  Email address: uv1test@example.com
  UID: 349400001
  GID: 349400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-1 ~]# kinit uv1test
Password for uv1test@EXAMPLE.COM: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_fPMErjf
Default principal: uv1test@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 14:09:14  10/13/2015 14:09:14  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add uv1test_vault --password Pa55w0rd1
---------------------------
Added vault "uv1test_vault"
---------------------------
  Vault name: uv1test_vault
  Type: symmetric
  Salt: UN7uaGwOIVgkTJ2mntsuXA==
  Owner users: uv1test
  Vault user: uv1test
Comment 5 Jan Cholasta 2015-10-13 03:51:19 EDT
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5361
Comment 9 Scott Poore 2015-10-13 15:37:29 EDT
Verified

Version ::

ipa-server-4.2.0-15.el7.x86_64


Results ::

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv2test.privkey -out sv2test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
............................................................................+++
..............................+++
writing new private key to 'sv2test.privkey'
-----

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@rhel7-1 ~]# ipa service-add sv2test/$(hostname)
-------------------------------------------------------
Added service "sv2test/rhel7-1.example.com@EXAMPLE.COM"
-------------------------------------------------------
  Principal: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Managed by: rhel7-1.example.com

[root@rhel7-1 ~]# ipa cert-request sv2test.csr --principal="sv2test/$(hostname)" --profile-id=caIPAserviceCert
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a
  Serial number: 22
  Serial number (hex): 0x16

[root@rhel7-1 ~]# ipa service-show sv2test/$(hostname) --out sv2test.crt
-------------------------------------------
Certificate(s) stored in file 'sv2test.crt'
-------------------------------------------
  Principal: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 22
  Serial Number (hex): 0x16
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a

[root@rhel7-1 ~]# openssl x509 -pubkey -in sv2test.crt -noout > sv2test.pubkey
 
[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv2test/$(hostname) -k /tmp/sv2test.keytab
Keytab successfully retrieved and stored in: /tmp/sv2test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/13/2015 13:50:01  10/14/2015 13:46:26  ldap/rhel7-1.example.com@EXAMPLE.COM
10/13/2015 13:46:32  10/14/2015 13:46:26  HTTP/rhel7-1.example.com@EXAMPLE.COM
10/13/2015 13:46:27  10/14/2015 13:46:26  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab 

[root@rhel7-1 ~]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: sv2test/rhel7-1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/13/2015 13:51:06  10/14/2015 13:51:06  krbtgt/EXAMPLE.COM@EXAMPLE.COM

[root@rhel7-1 ~]# echo 1234556 > secret.in

[root@rhel7-1 ~]# ipa vault-add sv2test_vault --service sv2test/$(hostname) --type asymmetric --public-key-file sv2test.pubkey 
---------------------------
Added vault "sv2test_vault"
---------------------------
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-archive sv2test_vault --service sv2test/$(hostname) --in secret.in
----------------------------------------
Archived data into vault "sv2test_vault"
----------------------------------------

[root@rhel7-1 ~]# ipa vault-retrieve sv2test_vault --service sv2test/$(hostname) --private-key-file=sv2test.privkey --out secret.out 
-----------------------------------------
Retrieved data from vault "sv2test_vault"
-----------------------------------------

[root@rhel7-1 ~]# cat secret.out
1234556

[root@rhel7-1 ~]# 


####### Expected failure adding new service owner as non-admin service
####### per https://bugzilla.redhat.com/show_bug.cgi?id=1258965#c4

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com@EXAMPLE.COM: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test/rhel7-1.example.com@example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

####### Add new service owner for container

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
------------------------
Number of owners added 1
------------------------

######## Fail to add service owner with service non-admin

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab 

[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com@EXAMPLE.COM: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com@example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

######## Add new service vault owner 

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 
[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
------------------------
Number of owners added 1
------------------------

######## Add new service vault member

[root@rhel7-1 ~]# ipa vault-add-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Member services: svc1/rhel7-1.example.com@EXAMPLE.COM
-------------------------
Number of members added 1
-------------------------


############# show vault

[root@rhel7-1 ~]# ipa vault-show --service=sv2test/$(hostname)
Vault name: sv2test_vault
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Member services: svc1/rhel7-1.example.com@EXAMPLE.COM


############ remove members as second owner

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab 

[root@rhel7-1 ~]# ipa vault-remove-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
---------------------------
Number of members removed 1
---------------------------

########### Fail to remove second owner as original owner

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab [root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM, sv1test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com@EXAMPLE.COM: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com@example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
--------------------------
Number of owners removed 0
--------------------------

####### Remove owner as admin

[root@rhel7-1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 
[root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUF1U2NDeEFPb29ieGsySWtQVDhCaQpOQWhpZDk0a3VBQTVGQnNmRzZLSzY3UWJlOWdXOGFpcklxUHpNTTFxUGNTVlkyRG9JbEk2MDc0SXk1YkV3OTRFCjVCZjVuYWdONXZvRXZaOGFtOFlQTTFQQWFRQVJRSXVGNWlkd1RUNGRzOUJQQmw2b3d5bVN3ekNHdk5TdDNPNnIKODF2VGNNa3VINTE2cFRTczFqSFkvL0pvN2ZtV2ZBeDVRVElqYkRzb2JWNTZDWWJ4RGxsb0VDOWlkckJ4UVdpbgpJemRPL2s4alV2Z0lpOStRWlVXWjQ1eVZOYUFXQ2RTcHBxRkNsVTkzT1pvTlBtNTEzT2NKMnlNM0tRWWJwTmhFCjdraExhT0czclJaYlJXS0FSM1h3SGJrZnEydTAyM3I2S1d1UGl5VW1SdkYwOVdFVnRGU015RktLdnJOSURCb3UKR1FJREFRQUIKLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tCg==
  Owner services: sv2test/rhel7-1.example.com@EXAMPLE.COM
  Vault service: sv2test/rhel7-1.example.com@EXAMPLE.COM
--------------------------
Number of owners removed 1
--------------------------
Comment 10 errata-xmlrpc 2015-11-19 07:05:24 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

Note You need to log in before you can comment on or make changes to this bug.