Bug 673487 - Disabling a service with certificate succeeds even when "keytab: false".
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Reported: 2011-01-28 12:07 UTC by Gowrishankar Rajaiyan
Modified: 2015-01-04 23:46 UTC (History)

Fixed In Version: freeipa-2.1.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-28 09:26:47 UTC

Description Gowrishankar Rajaiyan 2011-01-28 12:07:55 UTC
Description of problem:
Adding a service with the --certificate option marks this service as "enabled" even though "keytab: false", because of which executing the "ipa service-disable" command on this service succeeds without any error.

Version-Release number of selected component (if applicable):
freeipa-admintools-2.0-0.2011012803git7b04b22.fc14.x86_64

How reproducible:
Always

Steps to Reproduce:
1. ipa service-add TEST/gsrf14ipas.testrelm@testrelm --certificate=<your certificate in bytes>
2. ipa service-show TEST/gsrf14ipas.testrelm@testrelm --all
#  dn: krbprincipalname=test/gsrf14ipas.testrelm@testrelm,cn=services,cn=accounts,dc=testrelm
#  Principal: TEST/gsrf14ipas.testrelm@TESTRELM
#  Certificate: <certificate data removed>
#  has_keytab: False   <---                                               
#  ipauniqueid: 652f6b38-2aca-11e0-85fa-525400ec600a
#  issuer: CN=TESTRELM Certificate Authority
#  managedby_host: gsrf14ipas.testrelm
#  md5_fingerprint: c5:dd:58:3d:c1:52:6b:40:53:0d:3b:84:04:24:69:96
#  objectclass: krbprincipal, krbprincipalaux, krbticketpolicyaux, ipaobject, ipaservice, pkiuser, top
#  serial_number: 1002
#  sha1_fingerprint: 56:85:98:cf:84:c2:e2:35:31:44:c8:fb:f6:b5:b3:0d:d2:5c:cd:85
#  subject: CN=gsrf14ipas.testrelm,O=TESTRELM
#  valid_not_after: Wed Jan 27 04:41:52 2021 UTC
#  valid_not_before: Thu Jan 27 04:41:52 2011 UTC

3. Try disabling the above service
ipa service-disable TEST/gsrf14ipas.testrelm@TESTRELM
  
Actual results:
#-------------------------------------------------------------
#Removed kerberos key from "TEST/gsrf14ipas.testrelm@TESTRELM"
#------------------------------------------------------------- 

Expected results:
ipa: ERROR: This entry is already disabled

Additional info:

Comment 1 Rob Crittenden 2011-01-28 14:41:59 UTC
This may be a difference of expectations.

Disabling a service disables everything about it: keytab, certs, etc.

So if anything is set on it then it will do so and return success.

Comment 2 Dmitri Pal 2011-01-28 19:26:50 UTC
Output in fact seems misleading, though my expectation is yet different from both of yours. This means that there is in fact ambiguity we need to look into. Thus opening a ticket.

Comment 3 Dmitri Pal 2011-01-28 19:27:57 UTC
https://fedorahosted.org/freeipa/ticket/872

Comment 4 Martin Kosek 2011-02-17 09:11:59 UTC
Fixed in 2f0e8e3a3d9de78d3711c73b480d79f68f0de0d0. Both host and service disable operations should be much clearer after this patch.
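
The disable semantics stated in Comment 1, modelled against the service-show output from the report. This is an added example, not FreeIPA code: the function names are hypothetical, and the sample output is constructed from the report with a placeholder certificate value.

```python
# Added illustration: models the behaviour described in Comment 1.
# Not FreeIPA code; all function names here are hypothetical.

# Constructed sample, trimmed from the service-show output in the report.
# The certificate value is a placeholder.
SAMPLE = """\
#  Principal: TEST/gsrf14ipas.testrelm@TESTRELM
#  Certificate: <placeholder>
#  has_keytab: False   <---
#  managedby_host: gsrf14ipas.testrelm
#  serial_number: 1002
"""


def parse_service_show(text):
    """Parse 'key: value' lines into a dict, tolerating the leading '#'
    and the '<---' annotation used in the report."""
    entry = {}
    for line in text.splitlines():
        line = line.lstrip("# \t")
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        entry[key.strip().lower()] = value.split("<---")[0].strip()
    return entry


def credentials_set(entry):
    """Return which credentials the service entry currently carries."""
    found = []
    if entry.get("has_keytab", "False").lower() == "true":
        found.append("keytab")
    if entry.get("certificate"):
        found.append("certificate")
    return found


def disable_outcome(entry):
    """Comment 1: if anything is set, disable acts on it and succeeds.
    With nothing set, the entry is already disabled."""
    found = credentials_set(entry)
    if not found:
        return ("error", "This entry is already disabled")
    return ("success", found)


if __name__ == "__main__":
    print(disable_outcome(parse_service_show(SAMPLE)))
```

For the reported entry the model returns success with only the certificate listed, which is why a message naming the Kerberos key reads as misleading when has_keytab is False.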

