Bug 1308935
Summary: | After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> | |
Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> | |
Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> | |
Severity: | unspecified | Docs Contact: | ||
Priority: | unspecified | |||
Version: | 7.3 | CC: | grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, spoore | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | sssd-1.14.0-0.2.beta1.el7 | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1308939 | Environment: | ||
Last Closed: | 2016-11-04 07:16:06 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1308939 |
Description
Jakub Hrozek
2016-02-16 14:09:32 UTC
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Verified.

Version :: sssd-1.14.0-41.el7.x86_64

Results ::

[root@master ~]# ipa user-add bob --first=f --last=l
----------------
Added user "bob"
----------------
  User login: bob
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bob
  GECOS: f l
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# openssl req -x509 -new -newkey rsa:2048 -nodes -keyout bobs_cert.key -out bobs_cert.pem -subj "/CN=bob"
Generating a 2048 bit RSA private key
..........................................................................................+++
.............+++
writing new private key to 'bobs_cert.key'
-----
[root@master ~]# ipa user-add-cert bob --certificate="$USERCERT"
--------------------------------
Added certificates to user "bob"
--------------------------------
  User login: bob
  Certificate: MII...
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  usercertificate: [certificate value omitted]
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1
[root@master ~]# grep ifp /etc/sssd/sssd.conf
[ifp]
[root@master ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@master ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.58 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.57 -> dest=:1.69 reply_serial=2
   array [
      dict entry(
         string "name"
         variant string "bob"
      )
      dict entry(
         string "uidNumber"
         variant uint32 989000033
      )
      dict entry(
         string "gidNumber"
         variant uint32 989000033
      )
      dict entry(
         string "gecos"
         variant string "f l"
      )
      dict entry(
         string "homeDirectory"
         variant string "/home/bob"
      )
      dict entry(
         string "loginShell"
         variant string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant array [
            object path "/org/freedesktop/sssd/infopipe/Groups/ipa_2etest/989000033"
         ]
      )
      dict entry(
         string "extraAttributes"
         variant array [
         ]
      )
   ]
[root@master ~]# ipa user-mod bob --certificate=""
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: f
  Last name: l
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.70 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# sss_cache -E
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html
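The verification above boils down to one question: after the certificate is removed from the user on the IPA server and the sssd cache is invalidated, does FindByCertificate still return a user object path (the bug) or a NotFound error (the fix)? The script below is an added example, not code from the bug report or from the sssd project. It parses the text that `dbus-send --print-reply` writes for a FindByCertificate call, extracts the uid and domain from the returned object path, and flags a stale mapping; the two sample replies are constructed from the transcript in this bug, and the `parse_find_by_certificate`, `cert_still_mapped_after_removal` and `find_by_certificate_live` names are this example's own. The live helper only works on a host with sssd-dbus installed and the ifp responder enabled, exactly as in the QA run.

```python
"""Offline parser for dbus-send replies to
org.freedesktop.sssd.infopipe.Users.FindByCertificate, used to detect the
stale certificate-to-user mapping described in this bug.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

IFP_DEST = "org.freedesktop.sssd.infopipe"
IFP_USERS_PATH = "/org/freedesktop/sssd/infopipe/Users"
IFP_FIND_BY_CERT = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Constructed sample replies, modelled on the transcript in this bug:
# the reply before the certificate was removed, and the reply after
# `ipa user-mod bob --certificate=""` followed by `sss_cache -E`.
REPLY_FOUND = (
    "method return sender=:1.57 -> dest=:1.70 reply_serial=2\n"
    '   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"\n'
)
REPLY_NOT_FOUND = "Error org.freedesktop.sssd.Error.NotFound: User not found\n"

OBJECT_PATH_RE = re.compile(
    r'object path "(?P<path>/org/freedesktop/sssd/infopipe/Users/[^"]+)"')
NOT_FOUND_RE = re.compile(r"Error org\.freedesktop\.sssd\.Error\.NotFound")


@dataclass
class CertLookup:
    """Result of one FindByCertificate call."""
    found: bool
    object_path: Optional[str] = None
    uid: Optional[int] = None
    domain: Optional[str] = None


def parse_find_by_certificate(reply: str) -> CertLookup:
    """Classify a dbus-send reply as a user object path or a NotFound error."""
    m = OBJECT_PATH_RE.search(reply)
    if m:
        path = m.group("path")
        # Path layout: .../Users/<escaped domain>/<uid>
        domain_escaped, uid = path.rsplit("/", 2)[1:]
        # sssd escapes non-alphanumerics in the domain as _XX (hex), so the
        # "ipa_2etest" seen in the transcript is the domain "ipa.test".
        domain = re.sub(r"_([0-9a-fA-F]{2})",
                        lambda h: chr(int(h.group(1), 16)), domain_escaped)
        return CertLookup(True, path, int(uid), domain)
    if NOT_FOUND_RE.search(reply):
        return CertLookup(False)
    raise ValueError(f"unrecognised dbus-send reply: {reply!r}")


def cert_still_mapped_after_removal(reply_after_removal: str) -> bool:
    """True when sssd still resolves a certificate that was removed on the
    server, i.e. the behaviour this bug reports; False once the fix works."""
    return parse_find_by_certificate(reply_after_removal).found


def find_by_certificate_live(pem: str) -> CertLookup:
    """Run the same dbus-send call QA used (needs sssd-dbus and the ifp
    responder on this host) and parse its reply. dbus-send writes errors
    such as NotFound to stderr, so both streams are fed to the parser."""
    proc = subprocess.run(
        ["dbus-send", "--print-reply", "--system", f"--dest={IFP_DEST}",
         IFP_USERS_PATH, IFP_FIND_BY_CERT, f"string:{pem}"],
        capture_output=True, text=True, check=False)
    return parse_find_by_certificate(proc.stdout + proc.stderr)


if __name__ == "__main__":
    before = parse_find_by_certificate(REPLY_FOUND)
    print(f"before removal: uid={before.uid} domain={before.domain}")
    print("stale mapping after removal:",
          cert_still_mapped_after_removal(REPLY_NOT_FOUND))
```

On a real host, feed `find_by_certificate_live(open("bobs_cert.pem").read())` once before and once after the `ipa user-mod` / `sss_cache -E` steps; a `found=True` result on the second call is the condition this bug describes and the erratum fixes.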