#6159 ipa vault container owner cannot add vault
Closed: Fixed None Opened 5 years ago by mbasti.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362333

Description of problem:

I am seeing ACI errors when I try to add a vault as a container owner.

[Mon Aug 01 20:49:36.009521 2016] [:error] [pid 6419] ipa: INFO:
[jsonserver_kerb] testuser2@EXAMPLE.COM: vault_add_internal/1(u'test_vault',
ipavaulttype=u'standard', username=u'testuser', version=u'2.211'): ACIError

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

1. Create and setup users

ipa user-add testuser --first=f --last=l --password
kinit testuser
kdestroy -A
kinit admin
ipa user-add testuser2 --first=f --last=l --password
kinit testuser2
kdestroy -A
kinit admin

2. Add vault to setup base container

ipa vault-add testuservault --user=testuser --type=standard

3.  To see what is happening, show vault to check container

ipa vault-show testuservault --user=testuser --all

4.  Add second user as owner of container for first user

ipa vaultcontainer-add-owner --user=testuser --users=testuser2

5.  Add a vault as the second user

kdestroy -A
kinit testuser2
ipa vault-add --type=standard --user=testuser test_vault

Actual results:

# ipa vault-add --type=standard --user=testuser test_vault
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry

Expected results:

# ipa vault-add --type=standard --user=testuser test_vault
Added vault "test_vault"
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser

Additional info:

I see that ACI is there, and it looks correct to me.

dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)

It looks for me that newer DS broke it, I downgraded DS and it works.

  • Does not work with 389-ds-base-
  • Works with: 389-ds-base-

It is actually IPA bug, dirsrv changed behavior due fixed CVE on DS side.


  • 6b7d641 Fix: container owner should be able to add vault

Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4.1

5 years ago

Login to comment on this ticket.