Bug 1252556 - Missing CLI param and ACL for vault service operations
Summary: Missing CLI param and ACL for vault service operations
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-11 16:46 UTC by Jan Cholasta
Modified: 2015-11-19 12:05 UTC (History)

Fixed In Version: ipa-4.2.0-15.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:05:24 UTC
Target Upstream Version:
Embargoed:


Links
System ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata RHBA-2015:2362 | 0 | normal | SHIPPED_LIVE | ipa bug fix and enhancement update | 2015-11-19 10:40:46 UTC

Description Jan Cholasta 2015-08-11 16:46:17 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5172

The current implementation is missing a CLI param and an ACL to support vault operations as described in this page:
http://www.freeipa.org/page/V4/Password_Vault_1.0#Service_Operations

There are two issues:

1. Currently the CLI to manage the vault owners/members can only accept users and groups. It should also accept services so that the admin can create a vault then allow the services to access the vault.

2. There should be an ACL to allow a service to create its own service container (/services/<service name>/). This is similar to the current ACL that allows a user to create its own user container (/users/<username>/). This way a service can create private service vaults. Otherwise a service vault can only be created by the admin as described in #1 (which might be sufficient).

Proposed milestone: 4.2.1

Comment 3 Scott Poore 2015-10-12 19:25:26 UTC
Moving back to assigned as it looks like I cannot create a new vault (and container) as a service.

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv1test.privkey -out sv1test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
......................................+++
.................+++
writing new private key to 'sv1test.privkey'
-----

[root@rhel7-1 ~]# ipa service-add sv1test/$(hostname)
-------------------------------------------------------
Added service "sv1test/rhel7-1.example.com"
-------------------------------------------------------
  Principal: sv1test/rhel7-1.example.com
  Managed by: rhel7-1.example.com

[root@rhel7-1 ~]# ipa cert-request sv1test.csr --principal="sv1test/$(hostname)" --profile-id=caIPAserviceCert 
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
  Serial number: 21
  Serial number (hex): 0x15

[root@rhel7-1 ~]# ipa service-show sv1test/$(hostname) --out sv1test.crt
-------------------------------------------
Certificate(s) stored in file 'sv1test.crt'
-------------------------------------------
  Principal: sv1test/rhel7-1.example.com
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 21
  Serial Number (hex): 0x15
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46

[root@rhel7-1 ~]# openssl x509 -pubkey -in sv1test.crt -noout > sv1test.pubkey

[root@rhel7-1 ~]# ls -ltr sv1test.*
-rw-r--r--. 1 root root 1704 Oct 12 13:26 sv1test.privkey
-rw-r--r--. 1 root root  903 Oct 12 13:26 sv1test.csr
-rw-r--r--. 1 root root 1472 Oct 12 13:30 sv1test.crt
-rw-r--r--. 1 root root  451 Oct 12 13:31 sv1test.pubkey

[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv1test/$(hostname) -k /tmp/sv1test.keytab
Keytab successfully retrieved and stored in: /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: admin

Valid starting       Expires              Service principal
10/12/2015 13:32:38  10/13/2015 13:22:34  ldap/rhel7-1.example.com
10/12/2015 13:22:34  10/13/2015 13:22:34  HTTP/rhel7-1.example.com
10/12/2015 13:22:34  10/13/2015 13:22:34  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: sv1test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/12/2015 13:33:03  10/13/2015 13:33:03  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# echo 1234556 > secret.in

[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey 
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=sv1test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.

Comment 4 Scott Poore 2015-10-12 19:28:44 UTC
Note that if I create a role with "Vault Administrators" privilege with that service as member, I can add a new vault as that service.

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa role-add sv1admins
----------------------
Added role "sv1admins"
----------------------
  Role name: sv1admins
[root@rhel7-1 ~]# ipa role-add-privilege sv1admins --privileges="Vault Administrators"
  Role name: sv1admins
  Privileges: Vault Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@rhel7-1 ~]# ipa role-add-member sv1admins --service=sv1test/$(hostname)
  Role name: sv1admins
  Privileges: Vault Administrators
  Member services: sv1test/rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_dncB1a7
Default principal: sv1test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/12/2015 13:49:31  10/13/2015 13:49:31  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey 
---------------------------
Added vault "sv1test_vault"
---------------------------
  Vault name: sv1test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv1test/rhel7-1.example.com
  Vault service: sv1test/rhel7-1.example.com

But, it's my understanding here that I should be able to create the service vault as the service without doing this.

Also note that a quick check shows that adding a user vault still works as expected:

[root@rhel7-1 ~]# ipa user-add uv1test --first=f --last=l --password
Password: 
Enter Password again to verify: 
--------------------
Added user "uv1test"
--------------------
  User login: uv1test
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/uv1test
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: uv1test
  Email address: uv1test
  UID: 349400001
  GID: 349400001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-1 ~]# kinit uv1test
Password for uv1test: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_fPMErjf
Default principal: uv1test

Valid starting       Expires              Service principal
10/12/2015 14:09:14  10/13/2015 14:09:14  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add uv1test_vault --password Pa55w0rd1
---------------------------
Added vault "uv1test_vault"
---------------------------
  Vault name: uv1test_vault
  Type: symmetric
  Salt: UN7uaGwOIVgkTJ2mntsuXA==
  Owner users: uv1test
  Vault user: uv1test

Comment 5 Jan Cholasta 2015-10-13 07:51:19 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5361

Comment 9 Scott Poore 2015-10-13 19:37:29 UTC
Verified

Version ::

ipa-server-4.2.0-15.el7.x86_64


Results ::

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv2test.privkey -out sv2test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
............................................................................+++
..............................+++
writing new private key to 'sv2test.privkey'
-----

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa service-add sv2test/$(hostname)
-------------------------------------------------------
Added service "sv2test/rhel7-1.example.com"
-------------------------------------------------------
  Principal: sv2test/rhel7-1.example.com
  Managed by: rhel7-1.example.com

[root@rhel7-1 ~]# ipa cert-request sv2test.csr --principal="sv2test/$(hostname)" --profile-id=caIPAserviceCert
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a
  Serial number: 22
  Serial number (hex): 0x16

[root@rhel7-1 ~]# ipa service-show sv2test/$(hostname) --out sv2test.crt
-------------------------------------------
Certificate(s) stored in file 'sv2test.crt'
-------------------------------------------
  Principal: sv2test/rhel7-1.example.com
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 22
  Serial Number (hex): 0x16
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Oct 13 18:47:06 2015 UTC
  Not After: Fri Oct 13 18:47:06 2017 UTC
  Fingerprint (MD5): 5d:63:3d:11:bb:fa:aa:f0:ae:1d:64:52:03:ba:97:97
  Fingerprint (SHA1): 2d:80:99:48:1d:7d:b4:d0:ff:35:c7:b0:cc:5a:65:72:ca:1c:65:8a

[root@rhel7-1 ~]# openssl x509 -pubkey -in sv2test.crt -noout > sv2test.pubkey
 
[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv2test/$(hostname) -k /tmp/sv2test.keytab
Keytab successfully retrieved and stored in: /tmp/sv2test.keytab

[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: admin

Valid starting       Expires              Service principal
10/13/2015 13:50:01  10/14/2015 13:46:26  ldap/rhel7-1.example.com
10/13/2015 13:46:32  10/14/2015 13:46:26  HTTP/rhel7-1.example.com
10/13/2015 13:46:27  10/14/2015 13:46:26  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab 

[root@rhel7-1 ~]# klist 
Ticket cache: KEYRING:persistent:0:krb_ccache_A4Gs4bH
Default principal: sv2test/rhel7-1.example.com

Valid starting       Expires              Service principal
10/13/2015 13:51:06  10/14/2015 13:51:06  krbtgt/EXAMPLE.COM

[root@rhel7-1 ~]# echo 1234556 > secret.in

[root@rhel7-1 ~]# ipa vault-add sv2test_vault --service sv2test/$(hostname) --type asymmetric --public-key-file sv2test.pubkey 
---------------------------
Added vault "sv2test_vault"
---------------------------
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com

[root@rhel7-1 ~]# ipa vault-archive sv2test_vault --service sv2test/$(hostname) --in secret.in
----------------------------------------
Archived data into vault "sv2test_vault"
----------------------------------------

[root@rhel7-1 ~]# ipa vault-retrieve sv2test_vault --service sv2test/$(hostname) --private-key-file=sv2test.privkey --out secret.out 
-----------------------------------------
Retrieved data from vault "sv2test_vault"
-----------------------------------------

[root@rhel7-1 ~]# cat secret.out
1234556

[root@rhel7-1 ~]# 


####### Expected failure adding new service owner as non-admin service
####### per https://bugzilla.redhat.com/show_bug.cgi?id=1258965#c4

[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

####### Add new service owner for container

[root@rhel7-1 ~]# kinit admin
Password for admin: 
[root@rhel7-1 ~]# ipa vaultcontainer-add-owner --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------

######## Fail to add service owner with service non-admin

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab 

[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
------------------------
Number of owners added 0
------------------------

######## Add new service vault owner 

[root@rhel7-1 ~]# kinit admin
Password for admin: 
[root@rhel7-1 ~]# ipa vault-add-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
------------------------
Number of owners added 1
------------------------

######## Add new service vault member

[root@rhel7-1 ~]# ipa vault-add-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Member services: svc1/rhel7-1.example.com
-------------------------
Number of members added 1
-------------------------


############# show vault

[root@rhel7-1 ~]# ipa vault-show --service=sv2test/$(hostname)
Vault name: sv2test_vault
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Member services: svc1/rhel7-1.example.com


############ remove members as second owner

[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab 

[root@rhel7-1 ~]# ipa vault-remove-member sv2test_vault --service=sv2test/$(hostname) --services=svc1/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
---------------------------
Number of members removed 1
---------------------------

########### Fail to remove second owner as original owner

[root@rhel7-1 ~]# kinit sv2test/$(hostname) -k -t /tmp/sv2test.keytab

[root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com, sv1test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
  Failed owners: 
    owner user: 
    owner group: 
    owner service: sv1test/rhel7-1.example.com: Insufficient access: Insufficient 'write' privilege to the 'owner' attribute of entry 'cn=sv2test_vault,cn=sv2test/rhel7-1.example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
--------------------------
Number of owners removed 0
--------------------------

####### Remove owner as admin

[root@rhel7-1 ~]# kinit admin
Password for admin: 
[root@rhel7-1 ~]# ipa vault-remove-owner sv2test_vault --service=sv2test/$(hostname) --services=sv1test/$(hostname)
  Vault name: sv2test_vault
  Type: asymmetric
  Public key: LS...
  Owner services: sv2test/rhel7-1.example.com
  Vault service: sv2test/rhel7-1.example.com
--------------------------
Number of owners removed 1
--------------------------
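
As an added illustration (not FreeIPA's own code), the following Python model encodes the access rules that the description asks for and that the verification in comment 9 exercises: a service may create its own container under cn=services,cn=vaults, owner changes stay admin-only, and vault owners manage members. The function names `rdns`, `service_of`, `check` and `replay_comment_9` are assumptions; the principals, DNs and error wording are taken from the output above.

```python
# Added illustration (not FreeIPA code): a simplified model of the vault
# container access rules exercised in this bug. The rules are inferred from
# the successes and 'Insufficient access' errors shown in comments 3 and 9;
# hostnames, principals and the suffix are the ones used on this page.

KRA_BASE = "cn=vaults,cn=kra,dc=example,dc=com"
SERVICES_BASE = "cn=services," + KRA_BASE


def rdns(dn):
    """Split a DN into (attr, value) pairs; values on this page contain no commas."""
    return [tuple(part.split("=", 1)) for part in dn.split(",")]


def service_of(dn):
    """Return the service principal whose container `dn` is or lies under, else None."""
    parts, tail = rdns(dn), rdns(SERVICES_BASE)
    if len(parts) <= len(tail) or parts[-len(tail):] != tail:
        return None
    return parts[-len(tail) - 1][1]


def check(principal, op, dn, attr=None, *, admins, vault_owners):
    """Return (allowed, message) for `op` ('add'/'write') by `principal` on `dn`."""
    if principal in admins:
        return True, "ok: Vault Administrators privilege"
    if op == "add":
        # The ACL this fix adds: a service may create its own container
        # cn=<principal>,cn=services,... and the vaults beneath it.
        if service_of(dn) == principal:
            return True, "ok: self-service container"
        return False, f"Insufficient 'add' privilege to add the entry '{dn}'"
    if op == "write" and attr == "owner":
        # Ownership changes remain admin-only (both failing cases in comment 9).
        return False, f"Insufficient 'write' privilege to the 'owner' attribute of entry '{dn}'"
    if op == "write" and attr == "member":
        # Any current owner of a vault may add or remove its members.
        if principal in vault_owners.get(dn, set()):
            return True, "ok: vault owner"
        return False, f"Insufficient 'write' privilege to the 'member' attribute of entry '{dn}'"
    return False, f"unsupported operation {op!r} on '{dn}'"


HOST = "rhel7-1.example.com"
SV1, SV2, SVC1 = f"sv1test/{HOST}", f"sv2test/{HOST}", f"svc1/{HOST}"
SV2_CONTAINER = f"cn={SV2},{SERVICES_BASE}"
SV2_VAULT = f"cn=sv2test_vault,{SV2_CONTAINER}"


def replay_comment_9():
    """Replay the verification steps of comment 9; returns {step: allowed}."""
    ctx = dict(admins={"admin"}, vault_owners={SV2_VAULT: {SV2, SV1}})
    return {
        "sv2test creates own container": check(SV2, "add", SV2_CONTAINER, **ctx)[0],
        "sv2test creates vault in own container": check(SV2, "add", SV2_VAULT, **ctx)[0],
        "sv2test adds container owner": check(SV2, "write", SV2_CONTAINER, "owner", **ctx)[0],
        "admin adds container owner": check("admin", "write", SV2_CONTAINER, "owner", **ctx)[0],
        "sv2test adds vault owner": check(SV2, "write", SV2_VAULT, "owner", **ctx)[0],
        "sv1test (second owner) removes member": check(SV1, "write", SV2_VAULT, "member", **ctx)[0],
        "svc1 (member only) removes member": check(SVC1, "write", SV2_VAULT, "member", **ctx)[0],
    }
```

The `vault_owners` state in `replay_comment_9` is the one after admin has added sv1test as a second owner, so the model reproduces the pass/fail pattern of the later steps rather than the exact order in which they were run.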

Comment 10 errata-xmlrpc 2015-11-19 12:05:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

