Bug 1731433 - ipa service-find does not list cifs service created by ipa-client-samba
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: freeipa
Version: 30
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: IPA Maintainers
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1731437
 
Reported: 2019-07-19 12:10 UTC by Sergey Orlov
Modified: 2019-11-20 01:02 UTC (History)

Fixed In Version: freeipa-4.8.2-1.fc31
Clone Of:
: 1731437 (view as bug list)
Environment:
Last Closed: 2019-11-20 01:02:11 UTC
Type: Bug
Embargoed:



Description Sergey Orlov 2019-07-19 12:10:13 UTC
Description of problem:
The ipa-client-samba utility creates a cifs service, which is not listed by "ipa service-find", though it can be viewed using "ipa service-show".


Version-Release number of selected component (if applicable):
freeipa-server-4.8.0-1.fc30.x86_64

How reproducible:
Always


Steps to Reproduce:
1. Set up topology: install ipa server, run ipa-adtrust-install on server, set up ipa client.
2. Run ipa-client-samba on client
3. Run ipa service-find

Actual results:
cifs service for client is not listed

Expected results:
record for principal cifs/client1.testrelm.test in output


Additional info:
"ipa service-show cifs/client1.testrelm.test" shows the desired service.

Extract from /var/log/dirsrv/slapd-TESTRELM-TEST/access captured during execution of ipa service-find:
SRCH base="cn=services,cn=accounts,dc=testrelm,dc=test" scope=1 filter="(&(&(objectClass=ipaService)(!(objectClass=posixAccount))(!(|(krbPrincipalName=kadmin/*)(krbPrincipalName=K/M@*)(krbPrincipalName=krbtgt/*))))(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuser)))" attrs="userCertificate krbPrincipalName ipaKrbAuthzData ipaAllowedToPerform krbPrincipalAuthInd krbCanonicalName"

The thing to note here is "!(objectClass=posixAccount)".
As the service record contains this objectClass, the record is removed from the search results:
ipa service-show cifs/client1.testrelm.test --raw --all
  dn: krbprincipalname=cifs/client1.testrelm.test,cn=services,cn=accounts,dc=testrelm,dc=test
  krbcanonicalname: cifs/client1.testrelm.test
...
  objectClass: posixaccount
...


The filter was introduced in commit 789fec4381 in the year 2009.
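
The exclusion described in the report can be checked offline by evaluating the logged filter against an entry and asking which AND-ed clause rejects it. This is an added example, not FreeIPA code and not part of the original report: a minimal filter evaluator (boolean operators, equality and `*` substring matching only), run on constructed entries in which every object class other than posixaccount is an assumption chosen to satisfy the rest of the filter.

```python
import re
# Filter copied from the access-log line quoted in the report.
SERVICE_FIND_FILTER = (
    "(&(&(objectClass=ipaService)(!(objectClass=posixAccount))(!(|(krbPrincipalName=kadmin/*)"
    "(krbPrincipalName=K/M@*)(krbPrincipalName=krbtgt/*))))(&(objectClass=krbprincipal)"
    "(objectClass=krbprincipalaux)(objectClass=krbticketpolicyaux)(objectClass=ipaobject)"
    "(objectClass=ipaservice)(objectClass=pkiuser)))"
)
CLASSES = "krbprincipal krbprincipalaux krbticketpolicyaux ipaobject ipaservice pkiuser".split()
# Constructed entries: only the cifs principal name and posixaccount come from the report.
CIFS = {"krbprincipalname": ["cifs/client1.testrelm.test"],
        "objectclass": CLASSES + ["posixaccount"]}
HTTP = {"krbprincipalname": ["HTTP/client1.testrelm.test"], "objectclass": CLASSES}

def parse(text, pos=0):
    """Parse one filter starting at text[pos]; return (node, next_pos)."""
    start = pos
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    if text[pos] in "&|!":
        op, children, pos = text[pos], [], pos + 1
        while text[pos] == "(":
            child, pos = parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children, text[start:pos + 1]), pos + 1
    end = text.index(")", pos)
    attr, _, pattern = text[pos:end].partition("=")
    return ("=", (attr.lower(), pattern.lower()), text[start:end + 1]), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; names and values compare case-insensitively."""
    op, body, _ = node
    if op == "=":
        regex = ".*".join(re.escape(part) for part in body[1].split("*"))
        return any(re.fullmatch(regex, v.lower()) for v in entry.get(body[0], []))
    results = [matches(child, entry) for child in body]
    return {"&": all, "|": any}.get(op, lambda r: not r[0])(results)

def rejecting_clauses(node, entry):
    """Source text of the innermost AND-ed clauses that reject entry."""
    if matches(node, entry):
        return []
    if node[0] != "&":
        return [node[2]]
    return [c for child in node[1] for c in rejecting_clauses(child, entry)]

TREE, _ = parse(SERVICE_FIND_FILTER)
```

`rejecting_clauses(TREE, CIFS)` names the single clause that hides the cifs entry, while the otherwise identical `HTTP` entry matches the whole filter.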

Comment 1 Rob Crittenden 2019-07-19 12:54:42 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/8013

Comment 2 Rob Crittenden 2019-07-19 17:15:30 UTC
Fixed upstream
master:
https://pagure.io/freeipa/c/e771fa59ff65545ff1e84f1cd30e06556fabcee3

Comment 3 Rob Crittenden 2019-07-19 19:17:27 UTC
Fixed upstream
ipa-4-8:
https://pagure.io/freeipa/c/2f9cbffb6e57ded2d0107f457241f33b17869a96

Comment 4 Fedora Update System 2019-11-12 20:48:18 UTC
FEDORA-2019-75a963e4cb has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 5 Fedora Update System 2019-11-13 10:53:04 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2019-75a963e4cb

Comment 6 Fedora Update System 2019-11-20 01:02:11 UTC
freeipa-4.8.2-1.fc31 has been pushed to the Fedora 31 stable repository. If problems still persist, please make note of it in this bug report.

