Bug 1364197 - caacl: error when instantiating rules with service principals
Summary: caacl: error when instantiating rules with service principals
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
URL:
Whiteboard:
Keywords: Regression
Depends On:
Blocks:
Reported: 2016-08-04 16:46 UTC by Petr Vobornik
Modified: 2016-11-04 06:00 UTC (History)
Clone Of:
Last Closed: 2016-11-04 06:00:19 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Petr Vobornik 2016-08-04 16:46:46 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/6146

Due to a regression in the Principal refactor, when a CA ACL includes individual
service principals, a TypeError is thrown; a kerberos.Principal object is received
where a string is expected.

Traceback: http://pastebin.test.redhat.com/396397
Steps to reproduce: http://pastebin.test.redhat.com/396446
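The type mismatch the ticket describes, shown as an added illustration that is not FreeIPA's code: `Principal`, `TEST_CAACL` and the check functions are constructed stand-ins, and the realm-qualifying `in` test is a hypothetical stand-in for whichever str-only operation the real code performed on the principal.

```python
# Added illustration (not FreeIPA code): a CA ACL member check written for str
# fails once callers start passing a kerberos.Principal object, and one fix.

class Principal:
    """Hypothetical stand-in for kerberos.Principal: structured, not a str."""

    def __init__(self, name, realm):
        self.name = name      # e.g. "svc/master2.example.com"
        self.realm = realm    # e.g. "EXAMPLE.COM"

    def __str__(self):
        return "%s@%s" % (self.name, self.realm)

# Constructed sample of the ACL from the reproducer: member service
# principals are stored as realm-qualified strings.
TEST_CAACL = {
    "cn": "test_caacl",
    "ipaenabledflag": True,
    "memberservice": [
        "svc/master2.example.com@EXAMPLE.COM",
        "svc/master1.example.com@EXAMPLE.COM",
    ],
}
DEFAULT_REALM = "EXAMPLE.COM"

def _qualify(principal, realm=DEFAULT_REALM):
    """Append the realm if missing; `in` on a non-str object raises TypeError."""
    if "@" not in principal:
        return "%s@%s" % (principal, realm)
    return principal

def service_allowed_before_fix(acl, principal):
    """Pre-refactor assumption: callers always pass a str."""
    if not acl["ipaenabledflag"]:
        return False
    return _qualify(principal) in acl["memberservice"]

def service_allowed_after_fix(acl, principal):
    """Canonicalise to str first, so str and Principal inputs both work."""
    if not acl["ipaenabledflag"]:
        return False
    return _qualify(str(principal)) in acl["memberservice"]

def error_before_fix(acl, principal):
    """Return the exception class name the old check raises, or None."""
    try:
        service_allowed_before_fix(acl, principal)
    except TypeError as exc:
        return type(exc).__name__
    return None
```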

Comment 2 Martin Bašti 2016-08-05 09:52:37 UTC
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/9dac0a13f101277948b4ce73b21b1d7ec75848b6

Comment 4 Scott Poore 2016-09-13 15:39:43 UTC
Verified using reproducer from upstream ticket.

Version ::

ipa-server-4.4.0-10.el7.x86_64

Results ::

[root@vm1 ~]# kdestroy -A

[root@vm1 ~]# kinit admin
Password for admin@EXAMPLE.COM: 

[root@vm1 ~]# ipa dnszone-add 73.168.192.in-addr.arpa. --skip-overlap-check
  Zone name: 73.168.192.in-addr.arpa.
  Active zone: TRUE
  Authoritative nameserver: vm1.example.com.
  Administrator e-mail address: hostmaster
  SOA serial: 1473780797
  SOA refresh: 3600
  SOA retry: 900
  SOA expire: 1209600
  SOA minimum: 3600
  BIND update policy: grant EXAMPLE.COM krb5-subdomain 73.168.192.in-addr.arpa. PTR;
  Dynamic update: FALSE
  Allow query: any;
  Allow transfer: none;

[root@vm1 ~]# ipa host-add master1.example.com --ip-address=192.168.73.201
--------------------------------
Added host "master1.example.com"
--------------------------------
  Host name: master1.example.com
  Principal name: host/master1.example.com@EXAMPLE.COM
  Principal alias: host/master1.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: master1.example.com

[root@vm1 ~]# ipa host-add master2.example.com --ip-address=192.168.73.202
--------------------------------
Added host "master2.example.com"
--------------------------------
  Host name: master2.example.com
  Principal name: host/master2.example.com@EXAMPLE.COM
  Principal alias: host/master2.example.com@EXAMPLE.COM
  Password: False
  Keytab: False
  Managed by: master2.example.com

[root@vm1 ~]# ipa service-add svc/master1.example.com
---------------------------------------------------
Added service "svc/master1.example.com@EXAMPLE.COM"
---------------------------------------------------
  Principal name: svc/master1.example.com@EXAMPLE.COM
  Principal alias: svc/master1.example.com@EXAMPLE.COM
  Managed by: master1.example.com

[root@vm1 ~]# ipa service-add svc/master2.example.com
---------------------------------------------------
Added service "svc/master2.example.com@EXAMPLE.COM"
---------------------------------------------------
  Principal name: svc/master2.example.com@EXAMPLE.COM
  Principal alias: svc/master2.example.com@EXAMPLE.COM
  Managed by: master2.example.com

[root@vm1 ~]# ipa service-add-host svc/master1.example.com --hosts master2.example.com
  Principal name: svc/master1.example.com@EXAMPLE.COM
  Principal alias: svc/master1.example.com@EXAMPLE.COM
  Managed by: master1.example.com, master2.example.com
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa certprofile-show --out=caIPAtest.txt caIPAserviceCert
----------------------------------------------------
Profile configuration stored in file 'caIPAtest.txt'
----------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@vm1 ~]# sed -i '/^profileId/d'  caIPAtest.txt

[root@vm1 ~]# ipa certprofile-import caIPAtest --file=caIPAtest.txt --desc="Test profile" --store=true
----------------------------
Imported profile "caIPAtest"
----------------------------
  Profile ID: caIPAtest
  Profile description: Test profile
  Store issued certificates: TRUE

[root@vm1 ~]# ipa caacl-add test_caacl --desc "test caacl"
-------------------------
Added CA ACL "test_caacl"
-------------------------
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE

[root@vm1 ~]# ipa caacl-add-ca test_caacl --cas ipa
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa caacl-add-profile test_caacl --certprofiles caIPAtest
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa caacl-add-host test_caacl --hosts master2.example.com
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
  Hosts: master2.example.com
-------------------------
Number of members added 1
-------------------------

[root@vm1 ~]# ipa caacl-add-service test_caacl --services svc/master2.example.com \
>     --services svc/master1.example.com
  ACL name: test_caacl
  Description: test caacl
  Enabled: TRUE
  CAs: ipa
  Profiles: caIPAtest
  Hosts: master2.example.com
  Services: svc/master2.example.com@EXAMPLE.COM, svc/master1.example.com@EXAMPLE.COM
-------------------------
Number of members added 2
-------------------------

[root@vm1 ~]# cat > /tmp/master2-san.cnf <<EOF
> [req]
> req_extensions = v3_req
> distinguished_name =req_distinguished_name
> prompt = no
> encrypt_key = no
> default_bits = 2048
> 
> [req_distinguished_name]
> commonName = master2.example.com
> 
> [ v3_req ]
> 
> # Extensions to add to a certificate request
> 
> basicConstraints = CA:FALSE
> keyUsage = nonRepudiation, digitalSignature, keyEncipherment
> subjectAltName = @alt_names
> 
> [alt_names]
> DNS.1 = master2.example.com
> DNS.2 = master1.example.com
> EOF

[root@vm1 ~]# openssl req -config /tmp/master2-san.cnf -new -nodes -out master2_example.com.csr
Generating a 2048 bit RSA private key
...................................+++
..................+++
writing new private key to stdout
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC91PwkeDJW/F6u
...key truncated...
-----END PRIVATE KEY-----
-----

[root@vm1 ~]# ipa-getkeytab -p host/master2.example.com@EXAMPLE.COM -k /root/master2.keytab
Keytab successfully retrieved and stored in: /root/master2.keytab

[root@vm1 ~]# kinit -kt /root/master2.keytab host/master2.example.com

[root@vm1 ~]# ipa cert-request master2_example.com.csr \
>     --principal 'svc/master2.example.com@EXAMPLE.COM' \
>     --profile-id caIPAtest
  Issuing CA: ipa
  Certificate: MIIERjCCAy6gAwIBAgIBDjANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwG...certificate truncated...
  Subject: CN=master2.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Sep 13 15:35:46 2016 UTC
  Not After: Fri Sep 14 15:35:46 2018 UTC
  Fingerprint (MD5): ae:81:39:a2:8b:fa:8d:1d:13:eb:67:ff:0f:02:e0:35
  Fingerprint (SHA1): c6:bc:36:fd:1b:ce:54:9f:32:73:a9:29:c8:93:52:54:58:32:92:28
  Serial number: 14
  Serial number (hex): 0xE

Comment 6 errata-xmlrpc 2016-11-04 06:00:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

