When certmonger tries to request a certificate for a service principal, it always does it with the add=True option. This instructs the cert-req command to create a new service, for which the hosts usually do not have privileges, and it usually ends with error messages like:
# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K test/`hostname` -N CN=`hostname`,O=EXAMPLE.COM -D san.host.example.test -g 2048
New signing request "20140915143901" added.
# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
        status: CA_REJECTED
        ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
        stuck: yes
...
Users can easily be confused by the error, as they are not aware of these internal mechanics. This has already resulted in 2 user confusions ([thread 1], http://www.redhat.com/archives/freeipa-users/2014-September/msg00252.html thread 2).
We should either improve the error message or change the mechanics.
I've been looking into changing the mechanics. It is probably ok for a host to be able to create its own services.
The ACI for this is rather tricky and depends on a fix in 389-ds 1.3.2, https://fedorahosted.org/389/ticket/47894.
This is the ACI I'm experimenting with. So far so good but I haven't fully tested it:
dn: cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0;acl "Allow host to add its own services"; allow (add) userattr = "managedby#SELFDN";)
I should add that the fix for SAN is a bit different, as in that case the error is the same but for different reasons (adding a service to a host that doesn't exist, isn't you, or isn't managed by you).
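To make the two authorization rules discussed above concrete, here is a small model of them. This is an added example, not FreeIPA or 389-ds code: it evaluates the proposed "managedby#SELFDN" ACI for an ADD under cn=services (the bind DN must equal the managedBy value of the entry being created) and, separately, the SAN check described in the comment above (the SAN host must exist and must be the requester itself or managed by it). All DNs and entries are constructed sample data; the assumption that SELFDN requires exactly one value in the attribute is the model's, not something the ticket states.

```python
"""Model of the service-add ACI (managedby#SELFDN) and the SAN host check.

Constructed example; not FreeIPA's or 389-ds's implementation.
"""
from dataclasses import dataclass, field

# Suffix the ACI is attached to in the LDIF above; entries outside it are
# not covered by the ACI at all.
SERVICES_BASE = "cn=services,cn=accounts,dc=example,dc=com"


@dataclass
class Entry:
    """Minimal LDAP-like entry: a DN and a multi-valued attribute map."""
    dn: str
    attrs: dict = field(default_factory=dict)

    def values(self, attr):
        # LDAP attribute names are case-insensitive.
        for name, vals in self.attrs.items():
            if name.lower() == attr.lower():
                return list(vals)
        return []


def norm_dn(dn):
    """Cheap DN normalisation for comparison (whitespace and case only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def selfdn_allows_add(bind_dn, new_entry, attr="managedby"):
    """Evaluate  allow (add) userattr = "<attr>#SELFDN"  for an ADD.

    For ADD the target entry is the entry being created, so access is
    granted only when <attr> in the new entry equals the bind DN.
    Assumption of this model: SELFDN needs exactly one value in <attr>;
    zero or several values are denied.
    """
    vals = new_entry.values(attr)
    if len(vals) != 1:
        return False
    return norm_dn(vals[0]) == norm_dn(bind_dn)


def aci_allows_service_add(bind_dn, new_entry):
    """The full rule: entry must be below cn=services and pass SELFDN."""
    if not norm_dn(new_entry.dn).endswith("," + norm_dn(SERVICES_BASE)):
        return False
    return selfdn_allows_add(bind_dn, new_entry)


def san_host_allowed(bind_dn, san_host_entry):
    """SAN case: the SAN host must exist and be the requester or managed by it."""
    if san_host_entry is None:
        return False  # host does not exist
    if norm_dn(san_host_entry.dn) == norm_dn(bind_dn):
        return True   # the requester is the SAN host itself
    return any(norm_dn(v) == norm_dn(bind_dn)
               for v in san_host_entry.values("managedBy"))


# Constructed sample data: two enrolled hosts and a service being added.
WEB_HOST = "fqdn=web.example.test,cn=computers,cn=accounts,dc=example,dc=com"
DB_HOST = "fqdn=db.example.test,cn=computers,cn=accounts,dc=example,dc=com"
SERVICE_DN = "krbprincipalname=test/web.example.test@EXAMPLE.COM," + SERVICES_BASE


def demo():
    """Run the model over the sample data and return the decisions."""
    own_service = Entry(SERVICE_DN, {"managedBy": [WEB_HOST]})
    shared_service = Entry(SERVICE_DN, {"managedBy": [WEB_HOST, DB_HOST]})
    unmanaged_service = Entry(SERVICE_DN, {})
    db_host_managed_by_web = Entry(DB_HOST, {"managedBy": [WEB_HOST]})
    return {
        "host adds its own service": aci_allows_service_add(WEB_HOST, own_service),
        "other host adds that service": aci_allows_service_add(DB_HOST, own_service),
        "two managedBy values": aci_allows_service_add(WEB_HOST, shared_service),
        "no managedBy": aci_allows_service_add(WEB_HOST, unmanaged_service),
        "san host managed by requester": san_host_allowed(WEB_HOST, db_host_managed_by_web),
        "san host missing": san_host_allowed(WEB_HOST, None),
        "san host not managed by requester": san_host_allowed(DB_HOST, Entry(WEB_HOST, {})),
    }


if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'ALLOW' if allowed else 'DENY'}")
```

The "other host adds that service" case is the one the ACI is meant to close: a host can only create a service entry whose managedBy already names the host itself, so the serviceadmin role is no longer needed for the common ipa-getcert flow, while hosts still cannot create services for each other.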
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1112605 (Red Hat Enterprise Linux 7)
Related ticket: https://fedorahosted.org/freeipa/ticket/4567
Note that the fix to allow a host to add its own certificate may require an ACI extension - https://fedorahosted.org/389/ticket/47904.
Given that this is just an error message fix in the end, we can fix it in 4.0.x, as the SAN feature was introduced in this release.
master:
ipa-4-1:
ipa-4-0:
Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0.4