#6295 cert-request is not aware of Kerberos principal aliases
Closed: Fixed None Opened 7 years ago by mbabinsk.

It is currently not possible to use ipa cert-request to issue certificates for hosts/services using their principal aliases (see the minimal reproducer below).

[root@master1 ~]# ipa service-add test/`hostname`
----------------------------------------------
Added service "test/master1.ipa.test@IPA.TEST"
----------------------------------------------
  Principal name: test/master1.ipa.test@IPA.TEST
  Principal alias: test/master1.ipa.test@IPA.TEST
  Managed by: master1.ipa.test
[root@master1 ~]# ipa service-add-principal test/`hostname` test2/`hostname`
---------------------------------------------------------------------------
Added new aliases to the service principal "test/master1.ipa.test@IPA.TEST"
---------------------------------------------------------------------------
  Principal name: test/master1.ipa.test@IPA.TEST
  Principal alias: test2/master1.ipa.test@IPA.TEST, test/master1.ipa.test@IPA.TEST
[root@master1 ~]# kinit -kt /etc/krb5.keytab  host/`hostname`
[root@master1 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_50GX1N0
Default principal: host/master1.ipa.test@IPA.TEST

Valid starting       Expires              Service principal
09/05/2016 10:44:40  09/06/2016 10:44:40  krbtgt/IPA.TEST@IPA.TEST

[root@master1 ~]# openssl req -new -newkey rsa:2048 -keyout test2service.key -sha256 -nodes -subj '/CN=master1.ipa.test/subjectAltName=DNS.1=master1.ipa.test' -out test.csr
Generating a 2048 bit RSA private key
................................................+++
......................+++
writing new private key to 'test2service.key'
-----

[root@master1 ~]# ipa cert-request test.csr --principal test2/`hostname`
ipa: ERROR: The principal for this request doesn't exist.
[root@master1 ~]# ipa cert-request test.csr --principal test2/`hostname`@IPA.TEST
ipa: ERROR: The principal for this request doesn't exist.

[root@master1 ~]# ipa cert-request test.csr --principal test/`hostname`@IPA.TEST
  Issuing CA: ipa
  Certificate: MIIEA...
  Subject: CN=master1.ipa.test,O=IPA.TEST
  Issuer: CN=Certificate Authority,O=IPA.TEST
  Serial number: 11
  Serial number (hex): 0xB

The code should be updated to perform an LDAP search for recipients by the supplied 'krbprincipalname' value and then perform SAN DNS name checks and other operations against the list of Principal objects returned by the search.
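The lookup-by-alias step proposed above, as an added stand-alone example (not FreeIPA's own cert-request code). It models a principal entry with the multi-valued krbprincipalname attribute (canonical name plus aliases) and a separate krbcanonicalname attribute, which is an assumption about the schema; the realm, names and directory contents are constructed from the reproducer in this ticket. The example contrasts a canonical-name-only lookup (the failing behaviour) with an alias-aware one, then checks each SAN dNSName against the host part of the principal names on the matched entry. The LDAP filter helper escapes the caller-supplied principal per RFC 4515 so a value taken from the request cannot alter the filter.

```python
from dataclasses import dataclass

REALM = "IPA.TEST"  # constructed; matches the ticket's reproducer


@dataclass
class PrincipalEntry:
    """Minimal stand-in for a Kerberos principal LDAP entry (assumed attribute names)."""
    krbcanonicalname: str   # canonical principal name
    krbprincipalname: list  # multi-valued: canonical name plus every alias


# Constructed sample directory mirroring the service-add / service-add-principal output.
DIRECTORY = [
    PrincipalEntry("host/master1.ipa.test@IPA.TEST",
                   ["host/master1.ipa.test@IPA.TEST"]),
    PrincipalEntry("test/master1.ipa.test@IPA.TEST",
                   ["test/master1.ipa.test@IPA.TEST",
                    "test2/master1.ipa.test@IPA.TEST"]),
]


def normalize_principal(principal, realm=REALM):
    """Append the realm when the caller omitted it; cert-request accepts both forms."""
    return principal if "@" in principal else f"{principal}@{realm}"


def ldap_escape(value):
    """RFC 4515 escaping so a request-supplied principal cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def principal_filter(principal):
    """Filter that matches any value of krbprincipalname (objectClass is assumed)."""
    wanted = ldap_escape(normalize_principal(principal))
    return f"(&(objectClass=krbprincipalaux)(krbprincipalname={wanted}))"


def find_by_canonical_name(directory, principal):
    """Pre-fix behaviour: only the canonical name is consulted, aliases are invisible."""
    wanted = normalize_principal(principal)
    return next((e for e in directory if e.krbcanonicalname == wanted), None)


def find_by_any_name(directory, principal):
    """Post-fix behaviour: any value of the multi-valued krbprincipalname matches."""
    wanted = normalize_principal(principal)
    return next((e for e in directory if wanted in e.krbprincipalname), None)


def hostnames_of(entry):
    """Host parts of every service-style principal name on the entry."""
    hosts = set()
    for name in entry.krbprincipalname:
        if "/" in name:
            hosts.add(name.split("/", 1)[1].split("@", 1)[0].lower())
    return hosts


def check_san_dns(entry, san_dns_names):
    """Return the SAN dNSNames that no principal name on the entry vouches for."""
    allowed = hostnames_of(entry)
    return [dns for dns in san_dns_names if dns.lower() not in allowed]


def cert_request(directory, principal, san_dns_names, lookup=find_by_any_name):
    """Resolve the principal, reject uncovered SAN names, return the canonical name."""
    entry = lookup(directory, principal)
    if entry is None:
        raise LookupError("The principal for this request doesn't exist.")
    rejected = check_san_dns(entry, san_dns_names)
    if rejected:
        raise PermissionError("SAN dNSName not covered by principal: " + ", ".join(rejected))
    return entry.krbcanonicalname


if __name__ == "__main__":
    # Alias request: fails with the old lookup, succeeds with the alias-aware one.
    try:
        cert_request(DIRECTORY, "test2/master1.ipa.test", ["master1.ipa.test"],
                     lookup=find_by_canonical_name)
    except LookupError as err:
        print("old lookup:", err)
    print("new lookup:", cert_request(DIRECTORY, "test2/master1.ipa.test",
                                      ["master1.ipa.test"]))
    print("filter:", principal_filter("test2/master1.ipa.test"))
```

Running the module prints the old error message for the alias, then the canonical name the alias resolves to. The SAN check deliberately keys on the host part of every principal name on the entry rather than on the CSR subject, so a request carrying a dNSName for a host the principal does not cover is rejected even when the principal itself resolves.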


#6432 was closed as a duplicate of this ticket.

master:
- dfbdb53 cert-request: match names against principal aliases

Metadata Update from @mbabinsk:
- Issue assigned to ftweedal
- Issue set to the milestone: FreeIPA 4.5
