Bug 1254693 - vault --service does not normalize service principal
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Assigned To: IPA Maintainers
QA Contact: Namita Soman
Reported: 2015-08-18 12:38 EDT by Petr Vobornik
Modified: 2015-11-19 07:05 EST
CC List: 3 users
Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 07:05:47 EST
Attachments: None
Description Petr Vobornik 2015-08-18 12:38:07 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5233

Commands:
* `ipa vault-add test --service=foo/domain`
* `ipa vault-add test --service=foo/domain@REALM`

should be the same, but they are not; two distinct vault containers are created.

Service principal should be normalized.
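To make the reported behaviour concrete, here is an added example (not FreeIPA's own code) of the normalization the fix introduces: the service principal is completed with the realm before the vault container DN is derived, so `test/example.com` and `test/example.com@EXAMPLE.COM` resolve to the single container seen in the verification below. The default realm and the container base DN are assumptions taken from the transcript in this report.

```python
"""Added example (not FreeIPA code): normalize a Kerberos service principal
before deriving the vault container DN, so the short and the realm-qualified
spelling of the same principal map to one container instead of two."""

# Constructed values, taken from the verification transcript in this report.
DEFAULT_REALM = "EXAMPLE.COM"
SERVICE_VAULT_BASE = "cn=services,cn=vaults,cn=kra,dc=example,dc=com"


def normalize_principal(principal: str, realm: str = DEFAULT_REALM) -> str:
    """Return the principal in canonical service/host@REALM form.

    A bare service/host gets the default realm appended; a realm that is
    already present is kept as given (realms are case-sensitive, so nothing
    is folded). Input that is not service/host[@REALM] is rejected instead
    of silently producing a mis-named container.
    """
    if principal.count("@") > 1:
        raise ValueError("principal has more than one '@': %r" % principal)
    name, sep, given_realm = principal.partition("@")
    if sep and not given_realm:
        raise ValueError("empty realm in principal: %r" % principal)
    service, slash, host = name.partition("/")
    if not slash or not service or not host:
        raise ValueError("expected service/host[@REALM], got %r" % principal)
    return "%s/%s@%s" % (service, host, given_realm or realm)


def service_vault_container_dn(principal: str, realm: str = DEFAULT_REALM) -> str:
    """DN of the per-service vault container. Using the raw --service value
    here instead of the normalized one is what produced two containers."""
    return "cn=%s,%s" % (normalize_principal(principal, realm), SERVICE_VAULT_BASE)


def vault_dn(name: str, principal: str, realm: str = DEFAULT_REALM) -> str:
    """DN of a named vault inside the (normalized) service container."""
    return "cn=%s,%s" % (name, service_vault_container_dn(principal, realm))


if __name__ == "__main__":
    short = service_vault_container_dn("test/example.com")
    long_ = service_vault_container_dn("test/example.com@EXAMPLE.COM")
    print(short)
    print("same container:", short == long_)
```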
Comment 1 Petr Vobornik 2015-08-18 12:40:38 EDT
Fixed upstream:

master:
    76ab7d9bae1a1381af9e7ed51297b00823cce857 vault: normalize service principal in service vault operations 

ipa-4-2:
    c38e8c3ceb63673815dcf4269b67075f4b10f5cb vault: normalize service principal in service vault operations
Comment 3 Scott Poore 2015-10-12 11:09:10 EDT
Verified.

Version ::

ipa-server-4.2.0-13.el7.x86_64

Results ::

[root@rhel7-1 ~]# ipa vault-add test_short --service=test/example.com
New password: 
Verify password: 
------------------------
Added vault "test_short"
------------------------
  Vault name: test_short
  Type: symmetric
  Salt: YaQ5kn3tiaUbSUWCtXIsjg==
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add test_long --service=test/example.com@EXAMPLE.COM
New password: 
Verify password: 
-----------------------
Added vault "test_long"
-----------------------
  Vault name: test_long
  Type: symmetric
  Salt: jcZdHSvMoUHY7tDLHXod8g==
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ldapsearch -Y GSSAPI -o ldif-wrap=no -b cn=test/example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=test/example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# test/example.com@EXAMPLE.COM, services, vaults, kra, example.com
dn: cn=test/example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com
objectClass: ipaVaultContainer
objectClass: top
owner: uid=admin,cn=users,cn=accounts,dc=example,dc=com
cn: test/example.com@EXAMPLE.COM

# test_short, test/example.com@EXAMPLE.COM, services, vaults, kra, example.com
dn: cn=test_short,cn=test/example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com
ipaVaultType: symmetric
ipaVaultSalt:: YaQ5kn3tiaUbSUWCtXIsjg==
objectClass: ipaVault
objectClass: top
owner: uid=admin,cn=users,cn=accounts,dc=example,dc=com
cn: test_short

# test_long, test/example.com@EXAMPLE.COM, services, vaults, kra, example.com
dn: cn=test_long,cn=test/example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com
ipaVaultType: symmetric
ipaVaultSalt:: jcZdHSvMoUHY7tDLHXod8g==
objectClass: ipaVault
objectClass: top
owner: uid=admin,cn=users,cn=accounts,dc=example,dc=com
cn: test_long

# search result
search: 4
result: 0 Success

# numResponses: 4
# numEntries: 3

[root@rhel7-1 ~]# ldapsearch -Y GSSAPI -o ldif-wrap=no -b cn=test/example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com
SASL/GSSAPI authentication started
SASL username: admin@EXAMPLE.COM
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=test/example.com,cn=services,cn=vaults,cn=kra,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 4
result: 32 No such object
matchedDN: cn=services,cn=vaults,cn=kra,dc=example,dc=com

# numResponses: 1

[root@rhel7-1 ~]# ipa vault-del test_short --service=test/example.com@EXAMPLE.COM
--------------------------
Deleted vault "test_short"
--------------------------

[root@rhel7-1 ~]# ipa vault-del test_long --service=test/example.com
-------------------------
Deleted vault "test_long"
-------------------------

[root@rhel7-1 ~]# ipa vault-find --service=test/example.com
----------------
0 vaults matched
----------------
----------------------------
Number of entries returned 0
----------------------------

[root@rhel7-1 ~]# ipa vaultcontainer-show --service=test/example.com
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vaultcontainer-show --service=test/example.com@EXAMPLE.COM
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add test2_short --service=test/example.com
New password: 
Verify password: 
-------------------------
Added vault "test2_short"
-------------------------
  Vault name: test2_short
  Type: symmetric
  Salt: pDn2Db5DVgAiy2iHmn8j9w==
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-add test2_long --service=test/example.com@EXAMPLE.COM
New password: 
Verify password: 
------------------------
Added vault "test2_long"
------------------------
  Vault name: test2_long
  Type: symmetric
  Salt: dQvaWruBT7lReD38zb1c1A==
  Owner users: admin
  Vault service: test/example.com@EXAMPLE.COM

[root@rhel7-1 ~]# ipa vault-find --service=test/example.com
----------------
2 vaults matched
----------------
  Vault name: test2_long
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM

  Vault name: test2_short
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------

[root@rhel7-1 ~]# ipa vault-find --service=test/example.com@EXAMPLE.COM
----------------
2 vaults matched
----------------
  Vault name: test2_long
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM

  Vault name: test2_short
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------


[root@rhel7-1 ~]# ipa vault-find --services
----------------
2 vaults matched
----------------
  Vault name: test2_long
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM

  Vault name: test2_short
  Type: symmetric
  Vault service: test/example.com@EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------
Comment 4 errata-xmlrpc 2015-11-19 07:05:47 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html
