Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/freeipa/ticket/6146 Due to a regression in Principal refactor, when a CA ACL includes individual service principals TypeError is thrown; a kerberos.Principal object is received where a string is expected. Traceback: http://pastebin.test.redhat.com/396397 Steps to reproduce: http://pastebin.test.redhat.com/396446
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9dac0a13f101277948b4ce73b21b1d7ec75848b6
Verified using reproducer from upstream ticket. Version :: ipa-server-4.4.0-10.el7.x86_64 Results :: [root@vm1 ~]# kdestroy -A [root@vm1 ~]# kinit admin Password for admin@EXAMPLE.COM: [root@vm1 ~]# ipa dnszone-add 73.168.192.in-addr.arpa. --skip-overlap-check Zone name: 73.168.192.in-addr.arpa. Active zone: TRUE Authoritative nameserver: vm1.example.com. Administrator e-mail address: hostmaster SOA serial: 1473780797 SOA refresh: 3600 SOA retry: 900 SOA expire: 1209600 SOA minimum: 3600 BIND update policy: grant EXAMPLE.COM krb5-subdomain 73.168.192.in-addr.arpa. PTR; Dynamic update: FALSE Allow query: any; Allow transfer: none; [root@vm1 ~]# ipa host-add master1.example.com --ip-address=192.168.73.201 -------------------------------- Added host "master1.example.com" -------------------------------- Host name: master1.example.com Principal name: host/master1.example.com@EXAMPLE.COM Principal alias: host/master1.example.com@EXAMPLE.COM Password: False Keytab: False Managed by: master1.example.com [root@vm1 ~]# ipa host-add master2.example.com --ip-address=192.168.73.202 -------------------------------- Added host "master2.example.com" -------------------------------- Host name: master2.example.com Principal name: host/master2.example.com@EXAMPLE.COM Principal alias: host/master2.example.com@EXAMPLE.COM Password: False Keytab: False Managed by: master2.example.com [root@vm1 ~]# ipa service-add svc/master1.example.com --------------------------------------------------- Added service "svc/master1.example.com@EXAMPLE.COM" --------------------------------------------------- Principal name: svc/master1.example.com@EXAMPLE.COM Principal alias: svc/master1.example.com@EXAMPLE.COM Managed by: master1.example.com [root@vm1 ~]# ipa service-add svc/master2.example.com --------------------------------------------------- Added service "svc/master2.example.com@EXAMPLE.COM" --------------------------------------------------- Principal name: svc/master2.example.com@EXAMPLE.COM Principal alias: svc/master2.example.com@EXAMPLE.COM Managed by: master2.example.com [root@vm1 ~]# ipa service-add-host svc/master1.example.com --hosts master2.example.com Principal name: svc/master1.example.com@EXAMPLE.COM Principal alias: svc/master1.example.com@EXAMPLE.COM Managed by: master1.example.com, master2.example.com ------------------------- Number of members added 1 ------------------------- [root@vm1 ~]# ipa certprofile-show --out=caIPAtest.txt caIPAserviceCert ---------------------------------------------------- Profile configuration stored in file 'caIPAtest.txt' ---------------------------------------------------- Profile ID: caIPAserviceCert Profile description: Standard profile for network services Store issued certificates: TRUE [root@vm1 ~]# sed -i '/^profileId/d' caIPAtest.txt [root@vm1 ~]# ipa certprofile-import caIPAtest --file=caIPAtest.txt --desc="Test profile" --store=true ---------------------------- Imported profile "caIPAtest" ---------------------------- Profile ID: caIPAtest Profile description: Test profile Store issued certificates: TRUE [root@vm1 ~]# ipa caacl-add test_caacl --desc "test caacl" ------------------------- Added CA ACL "test_caacl" ------------------------- ACL name: test_caacl Description: test caacl Enabled: TRUE [root@vm1 ~]# ipa caacl-add-ca test_caacl --cas ipa ACL name: test_caacl Description: test caacl Enabled: TRUE CAs: ipa ------------------------- Number of members added 1 ------------------------- [root@vm1 ~]# ipa caacl-add-profile test_caacl --certprofiles caIPAtest ACL name: test_caacl Description: test caacl Enabled: TRUE CAs: ipa Profiles: caIPAtest ------------------------- Number of members added 1 ------------------------- [root@vm1 ~]# ipa caacl-add-host test_caacl --hosts master2.example.com ACL name: test_caacl Description: test caacl Enabled: TRUE CAs: ipa Profiles: caIPAtest Hosts: master2.example.com ------------------------- Number of members added 1 ------------------------- [root@vm1 ~]# ipa caacl-add-service test_caacl --services svc/master2.example.com \ > --services svc/master1.example.com ACL name: test_caacl Description: test caacl Enabled: TRUE CAs: ipa Profiles: caIPAtest Hosts: master2.example.com Services: svc/master2.example.com@EXAMPLE.COM, svc/master1.example.com@EXAMPLE.COM ------------------------- Number of members added 2 ------------------------- [root@vm1 ~]# cat > /tmp/master2-san.cnf <<EOF > [req] > req_extensions = v3_req > distinguished_name =req_distinguished_name > prompt = no > encrypt_key = no > default_bits = 2048 > > [req_distinguished_name] > commonName = master2.example.com > > [ v3_req ] > > # Extensions to add to a certificate request > > basicConstraints = CA:FALSE > keyUsage = nonRepudiation, digitalSignature, keyEncipherment > subjectAltName = @alt_names > > [alt_names] > DNS.1 = master2.example.com > DNS.2 = master1.example.com > EOF [root@vm1 ~]# openssl req -config /tmp/master2-san.cnf -new -nodes -out master2_example.com.csr Generating a 2048 bit RSA private key ...................................+++ ..................+++ writing new private key to stdout -----BEGIN PRIVATE KEY----- MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC91PwkeDJW/F6u ...key truncated... -----END PRIVATE KEY----- ----- [root@vm1 ~]# ipa-getkeytab -p host/master2.example.com@EXAMPLE.COM -k /root/master2.keytab Keytab successfully retrieved and stored in: /root/master2.keytab [root@vm1 ~]# kinit -kt /root/master2.keytab host/master2.example.com [root@vm1 ~]# ipa cert-request master2_example.com.csr \ > --principal 'svc/master2.example.com@EXAMPLE.COM' \ > --profile-id caIPAtest Issuing CA: ipa Certificate: MIIERjCCAy6gAwIBAgIBDjANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwG...certificate truncated... Subject: CN=master2.example.com,O=EXAMPLE.COM Issuer: CN=Certificate Authority,O=EXAMPLE.COM Not Before: Tue Sep 13 15:35:46 2016 UTC Not After: Fri Sep 14 15:35:46 2018 UTC Fingerprint (MD5): ae:81:39:a2:8b:fa:8d:1d:13:eb:67:ff:0f:02:e0:35 Fingerprint (SHA1): c6:bc:36:fd:1b:ce:54:9f:32:73:a9:29:c8:93:52:54:58:32:92:28 Serial number: 14 Serial number (hex): 0xE
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html