Bug 1308935

Summary: After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Steeve Goveas <sgoveas>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, spoore
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.14.0-0.2.beta1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1308939 (view as bug list) Environment:
Last Closed: 2016-11-04 07:16:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1308939    

Description Jakub Hrozek 2016-02-16 14:09:32 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2934

I have org.freedesktop.sssd.infopipe.Users.FindByCertificate working based on https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

When however I remove the certificate from the user with

{{{
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: usercertificate;binary
}}}

and verify it's gone with

{{{
ipa user-find --all --raw bob
}}}

another

{{{
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"
}}}

still finds the user:

{{{
method return sender=:1.136 -> dest=:1.137 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/569400006"
}}}

Even if I attempt to purge the SSSD cache with 

{{{
sss_cache -E
}}}

the {{{dbus-send}}} call still finds the user.

Only running

{{{
rm -rf /var/lib/sss/db/*cache* ; systemctl restart sssd
}}}

seems to finaly give me

{{{
Error org.freedesktop.sssd.Error.NotFound: User not found
}}}

Comment 1 Jakub Hrozek 2016-03-01 15:56:05 UTC
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54

Comment 2 Mike McCune 2016-03-28 23:37:25 UTC
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions

Comment 4 Scott Poore 2016-09-16 18:44:44 UTC
Verified.

Version ::

sssd-1.14.0-41.el7.x86_64

Results ::


[root@master ~]# ipa user-add bob --first=f --last=l
----------------
Added user "bob"
----------------
  User login: bob
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bob
  GECOS: f l
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# openssl req -x509 -new -newkey rsa:2048 -nodes -keyout bobs_cert.key -out bobs_cert.pem -subj "/CN=bob"
Generating a 2048 bit RSA private key
..........................................................................................+++
.............+++
writing new private key to 'bobs_cert.key'
-----
[root@master ~]# ipa user-add-cert bob --certificate="$USERCERT"
--------------------------------
Added certificates to user "bob"
--------------------------------
  User login: bob
  Certificate: MII...

[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  usercertificate: MIIC7zCCAdegAwIBAgIJANdRXOOfZnUmMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNVBAMMA2JvYjAeFw0xNjA5MTYxODE3MTlaFw0xNjEwMTYxODE3MTlaMA4xDDAKBgNVBAMMA2JvYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/RZtfo6YgqAqlCtc92vZ8+TxA9gNcCqgsNid33XR+BPVX0WoLPFPQqOEASdS7H4Si3afPtJA9mcPU6bZYCBBAKKFftb0+dcvDnHeT1cx7yJ3ZDLcIBFFhWeqFgBjpFIPmIlBT4t1sG0H1/L/pBtZovcDnDq55D6dbJXz3xWYI9nRU5DYNPc1v+JS4n3Z6liSbKOU++Qpu7T+SYBXfMNGeCZ+BW6g1GQjhSeDoKl3JyHBM6+/W4KV0jdLx98c4ZuHrzFGEt5kGYgiGcVvQjZOosFnuZhs5TPcqAE0h8DR4D6F5TEcfH0fFU0XbY+rE+8bvY2H3GIB3a0o0DG1ZkK3ECAwEAAaNQME4wHQYDVR0OBBYEFOy1MpQQw6bRAPixYUi3VKnaMxl+MB8GA1UdIwQYMBaAFOy1MpQQw6bRAPixYUi3VKnaMxl+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBANrzc9XbJuBDU7QcMrBtXev9IbAXAne9Ak9sOUnNh7FKtXNpImClIVUXb+7snlTGRnkrDiEgZCU72TQ/vLblM7Atu4MWpA+jPRE2CO4TRZhAys7je1m7YiuP66g1dfBvJnL/qg+7G+vGx+bhdxCeQjF8in5VViIjpXnOE3E41WbLKTWOtpNSbwT2q2txv+csd0PBE1OubK2VCRLB8hq0d7WjoHBt2PJBPwNJfc9Ob54HbaGzRUr1hiEGujSZ7uPTRRf39kROXfn8a2KD5pi80C5G2bQCkHCOR3zuGYEyfTIuZ8v94tEdmEhTQLgBqHS0L9MgwJJCb71uho5/QPS/BIY=
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1

[root@master ~]# grep ifp /etc/sssd/sssd.conf 
[ifp]

[root@master ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf

[root@master ~]# service sssd restart
Redirecting to /bin/systemctl restart  sssd.service


[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.58 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"

[root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.57 -> dest=:1.69 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "bob"
      )
      dict entry(
         string "uidNumber"
         variant             uint32 989000033
      )
      dict entry(
         string "gidNumber"
         variant             uint32 989000033
      )
      dict entry(
         string "gecos"
         variant             string "f l"
      )
      dict entry(
         string "homeDirectory"
         variant             string "/home/bob"
      )
      dict entry(
         string "loginShell"
         variant             string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Groups/ipa_2etest/989000033"
            ]
      )
      dict entry(
         string "extraAttributes"
         variant             array [
            ]
      )
   ]

[root@master ~]# ipa user-mod bob --certificate=""
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: f
  Last name: l
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.70 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"


[root@master ~]# sss_cache -E

[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found

Comment 6 errata-xmlrpc 2016-11-04 07:16:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2476.html