Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1362333
Description of problem:
I am seeing ACI errors when I try to add a vault as a container owner.

[Mon Aug 01 20:49:36.009521 2016] [:error] [pid 6419] ipa: INFO: [jsonserver_kerb] testuser2@EXAMPLE.COM: vault_add_internal/1(u'test_vault', ipavaulttype=u'standard', username=u'testuser', version=u'2.211'): ACIError

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-4.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1. Create and set up users
ipa user-add testuser --first=f --last=l --password
kinit testuser
kdestroy -A
kinit admin
ipa user-add testuser2 --first=f --last=l --password
kinit testuser2
kdestroy -A
kinit admin
2. Add a vault to set up the base container
ipa vault-add testuservault --user=testuser --type=standard
3. To see what is happening, show the vault to check the container
ipa vault-show testuservault --user=testuser --all
4. Add the second user as owner of the container for the first user
ipa vaultcontainer-add-owner --user=testuser --users=testuser2
5. Add a vault as the second user
kdestroy -A
kinit testuser2
ipa vault-add --type=standard --user=testuser test_vault

Actual results:
# ipa vault-add --type=standard --user=testuser test_vault
ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'cn=testuser,cn=users,cn=vaults,cn=kra,dc=example,dc=com'.

Expected results:
# ipa vault-add --type=standard --user=testuser test_vault
------------------------
Added vault "test_vault"
------------------------
  Vault name: test_vault
  Type: standard
  Owner users: testuser2
  Vault user: testuser

Additional info:
I see that ACI is there, and it looks correct to me.
dn: cn=vaults,cn=kra,$SUFFIX
aci: (targetfilter="(objectClass=ipaVault)")(version 3.0; acl "Container owners can add vaults in the container"; allow(add) userattr="parent[1].owner#USERDN" and userattr="owner#SELFDN";)
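To make the intended authorization path of the quoted ACI concrete, here is an added model of its bind rules evaluated against the entries from the reproduction steps. This is example code, not FreeIPA or 389 DS code, and it assumes the documented meaning of the two userattr rules: `parent[1].owner#USERDN` holds when the immediate parent of the target entry has an `owner` value equal to the bind DN, and `owner#SELFDN` holds when the entry being added itself carries an `owner` value equal to the bind DN. The user DN layout (`uid=...,cn=users,cn=accounts`) and the directory contents are constructed.

```python
# Added example: a small model of the ACI bind rules quoted above.
# Not FreeIPA or 389 DS code. Assumed semantics of the two userattr rules:
#   parent[1].owner#USERDN -> the immediate parent of the target entry has an
#                             `owner` value equal to the bind DN
#   owner#SELFDN           -> the entry being added has an `owner` value equal
#                             to the bind DN
# All DNs and entries are constructed from the ticket's reproduction steps.

SUFFIX = "dc=example,dc=com"
VAULTS = f"cn=users,cn=vaults,cn=kra,{SUFFIX}"


def user_dn(uid: str) -> str:
    # FreeIPA user entries under cn=users,cn=accounts (assumed layout)
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


def parent_dn(dn: str, levels: int = 1) -> str:
    # Strip `levels` leading RDNs. The constructed DNs contain no escaped
    # commas, so a plain split is sufficient here.
    return ",".join(dn.split(",")[levels:])


def normalize(dn: str) -> str:
    # DN comparison is case-insensitive and ignores whitespace after commas
    return ",".join(p.strip().lower() for p in dn.split(","))


def dn_in(values, dn: str) -> bool:
    return any(normalize(v) == normalize(dn) for v in values)


# Directory state after steps 1-4 of the ticket: testuser's vault container
# exists and testuser2 has been added as a container owner (constructed).
DIRECTORY = {
    f"cn=testuser,{VAULTS}": {
        "objectClass": ["ipaVaultContainer"],
        "owner": [user_dn("testuser"), user_dn("testuser2")],
    },
}


def container_owner_aci_allows(directory, bind_dn, new_dn, new_entry):
    """Evaluate the 'Container owners can add vaults in the container' ACI
    for an add of `new_entry` at `new_dn` performed by `bind_dn`.

    Returns True only when every clause of the ACI holds."""
    # targetfilter="(objectClass=ipaVault)"
    if "ipaVault" not in new_entry.get("objectClass", []):
        return False
    # userattr="parent[1].owner#USERDN": parent container lists the binder
    parent = directory.get(parent_dn(new_dn, 1))
    if parent is None or not dn_in(parent.get("owner", []), bind_dn):
        return False
    # userattr="owner#SELFDN": the new vault entry names the binder as owner
    return dn_in(new_entry.get("owner", []), bind_dn)


def vault_add(bind_uid: str, container_uid: str, name: str = "test_vault") -> bool:
    """Model step 5: `ipa vault-add --user=<container_uid> <name>` run as
    bind_uid. vault-add records the binding user as the vault's owner, which
    matches the 'Owner users: testuser2' line in the expected output."""
    bind = user_dn(bind_uid)
    new_dn = f"cn={name},cn={container_uid},{VAULTS}"
    entry = {"objectClass": ["ipaVault"], "owner": [bind]}
    return container_owner_aci_allows(DIRECTORY, bind, new_dn, entry)


if __name__ == "__main__":
    # Expected result from the ticket: the added container owner may add.
    print("testuser2 -> testuser container:", vault_add("testuser2", "testuser"))
    # A user who is not a container owner must be denied.
    print("testuser3 -> testuser container:", vault_add("testuser3", "testuser"))
```

With both clauses true for testuser2 the model allows the add, which is the expected result in the ticket; the actual ACIError therefore comes from the server's evaluation of these rules, not from the ACI text itself.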
It looks to me like newer DS broke it; I downgraded DS and it works.
It is actually an IPA bug; dirsrv changed behavior due to a fixed CVE on the DS side.
master:
Metadata Update from @mbasti:
- Issue assigned to mbasti
- Issue set to the milestone: FreeIPA 4.4.1