Moving back to assigned as it looks like I cannot create a new vault (and container) as a service.

```
[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout sv1test.privkey -out sv1test.csr -subj "/CN=$(hostname)"
Generating a 2048 bit RSA private key
......................................+++
.................+++
writing new private key to 'sv1test.privkey'
-----
[root@rhel7-1 ~]# ipa service-add sv1test/$(hostname)
-------------------------------------------------------
Added service "sv1test/rhel7-1.example.com@EXAMPLE.COM"
-------------------------------------------------------
  Principal: sv1test/rhel7-1.example.com@EXAMPLE.COM
  Managed by: rhel7-1.example.com
[root@rhel7-1 ~]# ipa cert-request sv1test.csr --principal="sv1test/$(hostname)" --profile-id=caIPAserviceCert
  Certificate: MII...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
  Serial number: 21
  Serial number (hex): 0x15
[root@rhel7-1 ~]# ipa service-show sv1test/$(hostname) --out sv1test.crt
-------------------------------------------
Certificate(s) stored in file 'sv1test.crt'
-------------------------------------------
  Principal: sv1test/rhel7-1.example.com@EXAMPLE.COM
  Certificate: MII...
  Keytab: False
  Managed by: rhel7-1.example.com
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Serial Number: 21
  Serial Number (hex): 0x15
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Mon Oct 12 18:29:11 2015 UTC
  Not After: Thu Oct 12 18:29:11 2017 UTC
  Fingerprint (MD5): c6:da:7f:02:88:b9:58:4c:65:c7:d5:93:9f:c7:fa:94
  Fingerprint (SHA1): 61:15:90:50:56:52:f5:ed:7c:e0:81:48:a6:c1:66:94:f6:93:ff:46
[root@rhel7-1 ~]# openssl x509 -pubkey -in sv1test.crt -noout > sv1test.pubkey
[root@rhel7-1 ~]# ls -ltr sv1test.*
-rw-r--r--. 1 root root 1704 Oct 12 13:26 sv1test.privkey
-rw-r--r--. 1 root root  903 Oct 12 13:26 sv1test.csr
-rw-r--r--. 1 root root 1472 Oct 12 13:30 sv1test.crt
-rw-r--r--. 1 root root  451 Oct 12 13:31 sv1test.pubkey
[root@rhel7-1 ~]# ipa-getkeytab -s $(hostname) -p sv1test/$(hostname) -k /tmp/sv1test.keytab
Keytab successfully retrieved and stored in: /tmp/sv1test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: admin@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 13:32:38  10/13/2015 13:22:34  ldap/rhel7-1.example.com@EXAMPLE.COM
10/12/2015 13:22:34  10/13/2015 13:22:34  HTTP/rhel7-1.example.com@EXAMPLE.COM
10/12/2015 13:22:34  10/13/2015 13:22:34  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit sv1test/$(hostname) -k -t /tmp/sv1test.keytab
[root@rhel7-1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_aK8fi6Q
Default principal: sv1test/rhel7-1.example.com@EXAMPLE.COM

Valid starting       Expires              Service principal
10/12/2015 13:33:03  10/13/2015 13:33:03  krbtgt/EXAMPLE.COM@EXAMPLE.COM
[root@rhel7-1 ~]# echo 1234556 > secret.in
[root@rhel7-1 ~]# ipa vault-add sv1test_vault --service sv1test/$(hostname) --type asymmetric --public-key-file sv1test.pubkey
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=sv1test/rhel7-1.example.com@EXAMPLE.COM,cn=services,cn=vaults,cn=kra,dc=example,dc=com'.
```
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1252556 (Red Hat Enterprise Linux 7)
master:
ipa-4-2:
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.2.3