
Bug 640723

Summary: user-mod: --setattr - allowed to change krbprincipalname
Product: [Retired] freeIPA
Reporter: Jenny Severance <jgalipea>
Component: ipa-admintools
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Chandrasekar Kannan <ckannan>
Severity: high
Priority: low
Version: 2.0
CC: benl, dpal, jgalipea, yzhang
Hardware: All
OS: Linux
Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:36 UTC

Description Jenny Severance 2010-10-06 17:14:31 UTC
Description of problem:
user-mod --setattr and --addattr should not be allowed on krbprincipalname attribute.  It is possible to even do this with the initial admin account and render you unable to kinit as admin and administer at all.

<snip>

# admin, users, accounts, testrelm
dn: uid=admin,cn=users,cn=accounts,dc=testrelm
objectClass: top
objectClass: person
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: inetuser
objectClass: mepOriginEntry
uid: admin
krbPrincipalName: blah@blah   <===========================================
cn: Administrator
sn: Administrator
uidNumber: 855188378
gidNumber: 855188378
homeDirectory: /home/admin
loginShell: /bin/bash
gecos: Administrator
mepManagedEntry: cn=admin,cn=groups,cn=accounts,dc=testrelm
memberOf: cn=admins,cn=groups,cn=accounts,dc=testrelm
memberOf: cn=replicaadmin,cn=rolegroups,cn=accounts,dc=testrelm
memberOf: cn=managereplica,cn=taskgroups,cn=accounts,dc=testrelm
memberOf: cn=deletereplica,cn=taskgroups,cn=accounts,dc=testrelm
krbLastPwdChange: 20101004171923Z
krbPasswordExpiration: 20110102171923Z
userPassword:: e1NTSEF9UmtqSEVza3BJY1dhcWpaN2FmWmNpQVdVMENia3hmb1cvVkJBdkE9PQ=
</snip>

Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010100120gitaa7ecb6.fc12.i686
ipa-admintools-1.91-0.2010100120gitaa7ecb6.fc12.i686


How reproducible:
always

Steps to Reproduce:
1. install and configure ipa server
2. kinit as admin to be able to administer
   # kinit admin
3. ipa user-mod --setattr=krbprincipalname=blah@blah admin

Actual results:
step three is successful

Expected results:
error message stating the operation is not allowed.

Additional info:
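The check the report asks for, modelled as an added example that is not FreeIPA's own code (the verification log further down shows the shipped fix surfacing as a directory access-control error rather than a client-side check). PROTECTED_ATTRS and ADMIN_ENTRY are assumptions constructed for illustration.

```python
# Added example, not FreeIPA's own code: models the check the report expects,
# refusing --setattr/--addattr on attributes that must not be edited directly.
# PROTECTED_ATTRS and ADMIN_ENTRY are assumptions constructed for illustration.

PROTECTED_ATTRS = {"krbprincipalname"}


class ProtectedAttributeError(Exception):
    """Raised when an option names an attribute that may not be modified."""


def parse_attr_option(option):
    """Split one ATTR=VALUE option; attribute names compare case-insensitively."""
    attr, sep, value = option.partition("=")
    attr = attr.strip().lower()
    if not sep or not attr:
        raise ValueError("expected ATTR=VALUE, got %r" % option)
    return attr, value


def apply_user_mod(entry, setattr=(), addattr=()):
    """Return a modified copy of entry (attribute -> list of values).

    Every option is validated before anything is changed, so a rejected
    option leaves the entry untouched, as a server-side check would.
    """
    parsed_set = [parse_attr_option(o) for o in setattr]
    parsed_add = [parse_attr_option(o) for o in addattr]
    for attr, _ in parsed_set + parsed_add:
        if attr in PROTECTED_ATTRS:
            raise ProtectedAttributeError(
                "attribute %r may not be changed with --setattr/--addattr" % attr)
    # Map lower-cased names back to the entry's own spelling (LDAP is case-insensitive).
    spelling = {k.lower(): k for k in entry}
    new = {k: list(v) for k, v in entry.items()}
    for attr, value in parsed_set:          # --setattr replaces all values
        new[spelling.get(attr, attr)] = [value]
    for attr, value in parsed_add:          # --addattr appends one value
        new.setdefault(spelling.get(attr, attr), []).append(value)
    return new


# Constructed sample modelled on the admin entry quoted in the report.
ADMIN_ENTRY = {
    "uid": ["admin"],
    "krbPrincipalName": ["admin@TESTRELM"],
    "loginShell": ["/bin/bash"],
}
```

Calling `apply_user_mod(ADMIN_ENTRY, setattr=["krbprincipalname=blah@blah"])` raises ProtectedAttributeError and leaves ADMIN_ENTRY unchanged; ordinary attributes are still modified with the usual replace/append semantics.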

Comment 1 Rob Crittenden 2010-10-06 17:31:59 UTC
https://fedorahosted.org/freeipa/ticket/332

Comment 2 Dmitri Pal 2010-12-10 22:54:24 UTC
master: d644d17adf117321747db1e4e22a771fbea3b09e

Comment 3 Dmitri Pal 2010-12-10 22:55:03 UTC
master: d644d17adf117321747db1e4e22a771fbea3b09e

Comment 4 Jenny Severance 2011-06-10 20:26:13 UTC
verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-user-cli-mod-035: setattr and addattr krbPrincipalName
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --setattr krbPrincipalName=test sup34
:: [   LOG    ] :: "ipa user-mod --setattr krbPrincipalName=test sup34" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalName' attribute of entry 'uid=sup34,cn=users,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Executing: ipa user-mod --setattr krbPrincipalName=test sup34
:: [   LOG    ] :: "ipa user-mod --setattr krbPrincipalName=test sup34" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'krbPrincipalName' attribute of entry 'uid=sup34,cn=users,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
:: [   LOG    ] :: Duration: 10s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-user-cli-mod-035: setattr and addattr krbPrincipalName


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server