Description of problem: Adding a service with --certificate option makes this service as "enabled" even though "keytab: false" because of which executing "ipa service-disable" command on this service succeeds without any error. Version-Release number of selected component (if applicable): freeipa-admintools-2.0-0.2011012803git7b04b22.fc14.x86_64 How reproducible: Always Steps to Reproduce: 1. ipa service-add TEST/gsrf14ipas.testrelm@testrelm --certificate=<your certificate in bytes> 2. ipa service-show TEST/gsrf14ipas.testrelm@testrelm --all # dn: krbprincipalname=test/gsrf14ipas.testrelm@testrelm,cn=services,cn=accounts,dc=testrelm # Principal: TEST/gsrf14ipas.testrelm@TESTRELM # Certificate: MIICdzCCAeCgAwIBAgICA+owDQYJKoZIhvcNAQEFBQAwKTEnMCUGA1UEAxMeVEVTVFJFTE0gQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTExMDEyNzA0NDE1MloXDTIxMDEyNzA0NDE1MlowMTERMA8GA1UEChMIVEVTVFJFTE0xHDAaBgNVBAMTE2dzcmYxNGlwYXMudGVzdHJlbG0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQD0CIgKH8fe3hhAlSW00PNxyqYu8vD78lWbbarlF8dkFDvfutomPsyfag+fY+fPZ6h0e9gTNEoeD9mdyOeahRh34nbQds1+/rO2aAMaeiHMjXYVNH0KQbUhgvsukTJloM6saodSbz91kbPPSzqxcQhZvsaL3yU4JjVpdXaoEtxjwVdVUn0ph0RJWusAynWrKMVlGpJt2pNyOoHwcw7TX2MLkDimsXYyZH7RbNPRn56MUnD2KFoWoMYnIeePYU61lrKGpqO0Z+kUf7JISTG+cxULrpun89R2t4J7kNDq8veNsiwXjUb/tbWzX44uN7kuVuKj147bV13wBJUQoYiAZdAgMBAAGjIjAgMBEGCWCGSAGG+EIBAQQEAwIGQDALBgNVHQ8EBAMCBSAwDQYJKoZIhvcNAQEFBQADgYEAmNHlwgkHf2wJsBiT7ATE49W1dFEL7VA5pY1sPMqtZmKSeaBzUS5KfU6wR9Wt4/Ba1sBA/dktWkpLOhSMVpQYfrlpPb2cxHP7Js2YhzjfuLsutrSmqeMT3iO2/Gh7P5RHZX8Dls9cnZKpZ5dOjhip+Amkt8VEx7VltpECPRXqY= # has_keytab: False <--- # ipauniqueid: 652f6b38-2aca-11e0-85fa-525400ec600a # issuer: CN=TESTRELM Certificate Authority # managedby_host: gsrf14ipas.testrelm # md5_fingerprint: c5:dd:58:3d:c1:52:6b:40:53:0d:3b:84:04:24:69:96 # objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, top # serial_number: 1002 # sha1_fingerprint: 56:85:98:cf:84:c2:e2:35:31:44:c8:fb:f6:b5:b3:0d:d2:5c:cd:85 # subject: CN=gsrf14ipas.testrelm,O=TESTRELM # valid_not_after: Wed Jan 27 04:41:52 2021 UTC # valid_not_before: Thu Jan 27 04:41:52 2011 UTC 3. Try disabling the above service ipa service-disable TEST/gsrf14ipas.testrelm@TESTRELM Actual results: #------------------------------------------------------------- #Removed kerberos key from "TEST/gsrf14ipas.testrelm@TESTRELM" #------------------------------------------------------------- Expected results: ipa: ERROR: This entry is already disabled Additional info:
This may be a difference of expectations. Disabling a service disables everything about it: keytab, certs, etc. So if anything is set on it then it will do so and return success.
Output in fact seems misleading though my exception is yet different from both yours. This means that there is in fact ambiguity we need to look into. Thus opening a ticket.
https://fedorahosted.org/freeipa/ticket/872
Fixed in 2f0e8e3a3d9de78d3711c73b480d79f68f0de0d0. Both host and service disable operation should be much clearer after this patch.