Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1446087
Description of problem: unfortunately I have not reproduced this locally. But I will describe what I see in customer environment. - Customer has created a RHEL7 replica from a RHEL6 master. - He tries to see the certificates associated to a service in the console. And the certificates cannot be found. - We see the query that is done has this filter: '(&(&(objectClass=krbprincipal)(objectClass=krbprincipalaux)(objectClass=krbtic ketpolicyaux)(objectClass=ipaobject)(objectClass=ipaservice)(objectClass=pkiuse r))(krbCanonicalName=HTTP/<hostname>@<REALM>)(userCertificate=*))' usercertificate but the entries have no krbCanonicalName attribute. So, some queries like the former one fails to find any information. Version-Release number of selected component (if applicable): ipa-server-4.4.0-14.el7_3.6.x86_64 How reproducible: only customer for the moment. Additional info: The workaround to generate the attribute would be: ipa service-add-principal HTTP/`hostname` HTTP/work.around ipa service-remove-principal HTTP/`hostname` HTTP/work.around
Cause is that cert-find --service krbCanonicalName in filter when it should not - this attr is not guaranteed to be present.
cert-find --service
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1446087
Metadata Update from @pvoborni: - Issue priority set to: major - Issue set to the milestone: FreeIPA 4.5.1
Metadata Update from @fbarreto: - Issue assigned to fbarreto
Metadata Update from @mbasti: - Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)
Metadata Update from @mbasti: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
master:
ipa-4-5:
Log in to comment on this ticket.