1362333 – ipa vault container owner cannot add vault

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1362333 - ipa vault container owner cannot add vault

Summary: ipa vault container owner cannot add vault

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	Kaleem
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-08-02 02:04 UTC by Scott Poore
Modified:	2016-11-04 05:59 UTC (History)
CC List:	6 users (show)
Fixed In Version:	ipa-4.4.0-9.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-11-04 05:59:56 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2016:2404	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2016-11-03 13:56:18 UTC

Description Scott Poore 2016-08-02 02:04:52 UTC

Description of problem:

I am seeing ACI errors when I try to add a vault as a container owner.

[Mon Aug 01 20:49:36.009521 2016] [:error] [pid 6419] ipa: INFO: [jsonserver_kerb] testuser2: vault_add_internal/1(u'test_vault', ipavaulttype=u'standard', username=u'testuser', version=u'2.211'): ACIError


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
always


Steps to Reproduce:

1. Create and setup users

ipa user-add testuser --first=f --last=l --password
kinit testuser
kdestroy -A
kinit admin
ipa user-add testuser2 --first=f --last=l --password
kinit testuser2
kdestroy -A
kinit admin

2. Add vault to setup base container

ipa vault-add testuservault --user=testuser --type=standard

3.  To see what is happening, show vault to check container

ipa vault-show testuservault --user=testuser --all

4.  Add second user as owner of container for first user

ipa vaultcontainer-add-owner --user=testuser --users=testuser2

5.  Add a vault as the second user

kdestroy -A
kinit testuser2
ipa vault-add --type=standard --user=testuser test_vault


Actual results:

# ipa vault-add --type=standard --user=testuser test_vault
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com'.



Expected results:

# ipa vault-add --type=standard --user=testuser test_vault
------------------------
Added vault "test_vault"
------------------------
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser


Additional info:

Comment 3 Martin Bašti 2016-08-02 15:00:31 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6159

Comment 4 Martin Bašti 2016-08-17 15:58:04 UTC

This looks like DS issues for me:

I see that ACI is there, and it looks correct to me.

dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)


I downgraded DS and it works.
* Does not work with 389-ds-base-1.3.5.13-1.fc24.x86_64
* Works with: 389-ds-base-1.3.5.6-1.fc24.x86_64

Comment 7 Martin Bašti 2016-08-18 05:52:06 UTC

Hello, I'm providing more info as was requested.

# kinited as user testuser2
$ klist
Ticket cache: KEYRING:persistent:0:0
Default principal: testuser2.IDM.LAB.ENG.BRQ.REDHAT.COM


# related connection in access log

[18/Aug/2016:07:44:16.055671837 +0200] conn=40 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.096290593 +0200] conn=40 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[18/Aug/2016:07:44:16.097988040 +0200] conn=40 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.100159937 +0200] conn=40 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[18/Aug/2016:07:44:16.100440466 +0200] conn=40 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[18/Aug/2016:07:44:16.102011530 +0200] conn=40 op=2 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=testuser2,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.351386603 +0200] conn=40 op=3 SRCH base="cn=schema" scope=0 filter="(objectClass=*)" attrs="attributeTypes objectClasses"
[18/Aug/2016:07:44:16.535467902 +0200] conn=40 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.807864049 +0200] conn=40 op=4 SRCH base="cn=ipaconfig,cn=etc,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=0 filter="(objectClass=*)" attrs=ALL
[18/Aug/2016:07:44:16.809484884 +0200] conn=40 op=4 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.811682693 +0200] conn=40 op=5 SRCH base="cn=masters,cn=ipa,cn=etc,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com" scope=2 filter="(&(objectClass=ipaConfigObject)(cn=KRA)
)" attrs=ALL
[18/Aug/2016:07:44:16.815205245 +0200] conn=40 op=5 RESULT err=0 tag=101 nentries=1 etime=0
[18/Aug/2016:07:44:16.817619633 +0200] conn=40 op=6 ADD dn="cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.819135581 +0200] conn=40 op=6 RESULT err=50 tag=105 nentries=0 etime=0
[18/Aug/2016:07:44:16.826946705 +0200] conn=40 op=7 UNBIND
[18/Aug/2016:07:44:16.826995981 +0200] conn=40 op=7 fd=119 closed - U1


container entry:
# testuser, users, vaults, kra, dom-058-107.abc.idm.lab.eng.brq.redhat.com
dn: cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
objectClass: ipaVaultContainer
objectClass: top
owner: uid=admin,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=e
 ng,dc=brq,dc=redhat,dc=com
owner: uid=testuser2,cn=users,cn=accounts,dc=dom-058-107,dc=abc,dc=idm,dc=lab,
 dc=eng,dc=brq,dc=redhat,dc=com
cn: testuser

Comment 8 Ludwig 2016-08-18 07:24:17 UTC

does testuser2 have the rights to add the testuser entry ?
can we see the aci and what is attempted to be added ?

does the entry already exist when the ADD is attempted ? If the entry already exists and testuser2 does not have access right the CVE fix did change the return code, before it would be "already exists" and now it is "insufficient access"

is there a simple reproducer ?

Comment 9 Martin Bašti 2016-08-18 07:38:40 UTC

Reproducer is in bug description.

dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)

I hope that this ACI allows user to add vaults into container, testuser2 is owner of container. (see comment 7)

Comment 10 Ludwig 2016-08-18 07:59:56 UTC

but the failing add is this:

[18/Aug/2016:07:44:16.817619633 +0200] conn=40 op=6 ADD dn="cn=testuser,cn=users,cn=vaults,cn=kra,dc=dom-058-107,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com"
[18/Aug/2016:07:44:16.819135581 +0200] conn=40 op=6 RESULT err=50 tag=105 nentries=0 etime=0

and this seems to be the container entry itself

Comment 11 Martin Bašti 2016-08-18 08:04:59 UTC

Ahh, I didn't noticed that, thank you.

So this is IPA bug then, same as other revealed by changing behavior of DS, instead of duplicated error we are receiving ACI error now (as expected after fixed CVE).

Comment 12 Martin Bašti 2016-08-18 11:06:22 UTC

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/6b7d6417d403c983691c790c1e60cfe32bf1c420

Comment 14 Scott Poore 2016-09-14 13:14:04 UTC

Verified.

Version ::

ipa-server-4.4.0-11.el7.x86_64

Results ::

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# echo redhat|ipa user-add testuser --first=f --last=l --password
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 492600001
  GID: 492600001
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm1 ~]# echo -e "redhat\nSecret123\nSecret123" | kinit testuser
Password for testuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# echo redhat|ipa user-add testuser2 --first=f --last=l --password
----------------------
Added user "testuser2"
----------------------
  User login: testuser2
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser2
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser2
  Principal alias: testuser2
  Email address: testuser2
  UID: 492600003
  GID: 492600003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@vm1 ~]# echo -e "redhat\nSecret123\nSecret123" | kinit testuser2
Password for testuser2: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit admin
Password for admin: 

[root@vm1 ~]# ipa vault-add testuservault --user=testuser --type=standard
ipa: ERROR: KRA service is not enabled

[root@vm1 ~]# 

[root@vm1 ~]# ipa-kra-install
Directory Manager password: 


===================================================================
This program will setup Dogtag KRA for the IPA Server.


Configuring KRA server (pki-tomcatd). Estimated time: 2 minutes 6 seconds
  [1/8]: configuring KRA instance
  [2/8]: create KRA agent
  [3/8]: restarting KRA
  [4/8]: configure certmonger for renewals
  [5/8]: configure certificate renewals
  [6/8]: configure HTTP to proxy connections
  [7/8]: add vault container
  [8/8]: apply LDAP updates
Done configuring KRA server (pki-tomcatd).
Restarting the directory server
The ipa-kra-install command was successful

[root@vm1 ~]# ipa vault-add testuservault --user=testuser --type=standard
---------------------------
Added vault "testuservault"
---------------------------
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser

[root@vm1 ~]# ipa vault-show testuservault --user=testuser --all
  dn: cn=testuservault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser
  objectclass: top, ipaVault

[root@vm1 ~]# ipa vaultcontainer-add-owner --user=testuser --users=testuser2
  Owner users: admin, testuser2
  Vault user: testuser
------------------------
Number of owners added 1
------------------------

[root@vm1 ~]# ipa vault-show testuservault --user=testuser --all
  dn: cn=testuservault,cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Vault name: testuservault
  Type: standard
  Owner users: admin
  Vault user: testuser
  objectclass: top, ipaVault

[root@vm1 ~]# ipa vaultcontainer-show --user=testuser --all
  dn: cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com
  Owner users: admin, testuser2
  Vault user: testuser
  cn: testuser
  objectclass: ipaVaultContainer, top

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# echo Secret123|kinit testuser2
Password for testuser2: 

[root@vm1 ~]# ipa vault-add --type=standard --user=testuser test_vault
------------------------
Added vault "test_vault"
------------------------
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser

Comment 16 errata-xmlrpc 2016-11-04 05:59:56 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

Note You need to log in before you can comment on or make changes to this bug.