Bug 1489895
| Summary: | Issues with certificate mapping rules | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sumit Bose <sbose> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.4 | CC: | ekeck, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, ndehadra, pbrezina, sbose, sgoveas, spoore, tscherf |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | Flags: | spoore: needinfo+ |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.16.0-1.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| | 1493916 (view as bug list) | Environment: | |
| Last Closed: | 2018-04-10 17:16:19 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1493916 | | |
Description
Sumit Bose
2017-09-08 15:10:42 UTC
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3508

master:
* f2e70ec742cd7aab82b74d7e4b424ba3258da7aa
* f5a8cd60c6f377af1954b58f007d16cf3f6dc846

IPA-VERSION: ipa-server-4.5.4-6.el7.x86_64
SSSD-VERSION: sssd-1.16.0-10.el7.x86_64

Verified the bug based on tests performed in the scenarios below:

Scenario 1: Scenario with EKU crash:

[root@auto-hv-01-guest08 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest08 ~]# ipa certmaprule-add ekutest '-maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '-matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=nd071217a.test --domain=ipaad2012r2.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
  Rule name: ekutest
  Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
  Matching rule: <EKU>1.3.6.1.5.5.7.3.1
  Domain name: nd071217a.test, ipaad2012r2.test
  Enabled: TRUE
[root@auto-hv-01-guest08 ~]# systemctl restart sssd
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root      5897      1  0 04:26 ?        00:00:00 /usr/sbin/sssd -i --logger=files
root      5898   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root      5899   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root      5900   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root      5901   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root      5902   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root      5903   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root      5904   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root      5907  11101  0 04:26 pts/0    00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# sleep 60
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root      5897      1  0 04:26 ?        00:00:00 /usr/sbin/sssd -i --logger=files
root      5898   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root      5899   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root      5900   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root      5901   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root      5902   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root      5903   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root      5904   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root      5911  11101  0 04:28 pts/0    00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# # PIDS for sssd are same, bug not found, thus VERIFIED
[root@auto-hv-01-guest08 ~]# ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------

Scenario 2: Scenario with AD Trust certmap offline-online crash of sssd_be:

[root@auto-hv-01-guest06 ~]# ipa certmaprule-add adtest --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test' --domain=ipaadcs12r2.test --domain=nd071217b.test
------------------------------------------------
Added Certificate Identity Mapping Rule "adtest"
------------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
[root@auto-hv-01-guest06 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10
[root@auto-hv-01-guest06 ~]# ipa certmaprule-find adtest
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# bash -x script2.sh
+ set -x
++ pidof sssd_be
+ OLDPID=1850
++ cat /var/run/sssd.pid
+ SSSD_PID=1849
+ kill -USR1 1849
+ sleep 10
+ kill -USR2 1849
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=1850
+ '[' 1850 '!=' 1850 ']'
+ echo bug_not_found
bug_not_found
[root@auto-hv-01-guest06 ~]# cat /var/log/messages | grep "segfault"
[root@auto-hv-01-guest06 ~]#

Thus, based on the observations above, marking the status of this bug as "VERIFIED".

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929
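Added example (not SSSD code, and not part of the bug report): a small Python model of how sss-certmap(5) evaluates rules of the kind used in the two verification scenarios above. It implements <ISSUER>/<SUBJECT> regular-expression matching against the RFC 4514 DN string in LDAP order, <EKU> matching where every listed OID (or name) must be present, the && / || / ! combinators, and expansion of {issuer_dn!conv}, {subject_dn!conv} and {cert!bin} into the LDAP filter used to find the certificate's owner. Assumptions and simplifications: certificate fields are supplied as plain Python data through the CertFacts class (an invention of this example) instead of being parsed from DER; the nss and ad conversions differ here only in RDN order, while the real library also differs in escaping; && is given higher precedence than ||; and the certificates in demo() are constructed stand-ins, not the ones used in the verification.

```python
import re
from dataclasses import dataclass, field

# EKU names sss-certmap(5) accepts in place of raw OIDs (subset).
EKU_NAMES = {"clientAuth": "1.3.6.1.5.5.7.3.2", "serverAuth": "1.3.6.1.5.5.7.3.1",
             "msScLogin": "1.3.6.1.4.1.311.20.2.2"}
_DN_ESC = re.compile(r'([,+"\\<>;=])')          # RFC 4514 characters to escape
_TEMPLATE = re.compile(r"\{(subject_dn|issuer_dn|cert)(?:!([a-z0-9_]+))?\}")
_X500 = {"ad", "ad_x500", "nss_x500"}            # conversions using X.500 order
_DN_CONV = _X500 | {"ad_ldap", "nss", "nss_ldap"}


@dataclass
class CertFacts:
    """Fields the rules consult, supplied as plain data (constructed input;
    a real implementation parses them out of the DER certificate)."""
    subject: list                          # [(attr, value), ...], most specific RDN first
    issuer: list
    eku: set = field(default_factory=set)  # extended key usage OIDs
    der: bytes = b""                       # DER encoding, used by {cert!bin}


def _esc(value):
    """Backslash-escape the RFC 4514 special characters in one RDN value."""
    return _DN_ESC.sub(r"\\\1", value)


def dn_string(rdns, x500_order=False):
    """RFC 4514 string of a DN: LDAP order keeps the most specific RDN first,
    x500_order reverses it. Simplification: nss and ad escaping treated alike."""
    seq = list(reversed(rdns)) if x500_order else list(rdns)
    return ",".join(f"{attr}={_esc(value)}" for attr, value in seq)


def _match_atom(atom, cert):
    """One <SUBJECT>/<ISSUER>/<EKU> component, optionally negated with '!'."""
    atom = atom.strip()
    negate = atom.startswith("!")
    body = atom[1:].strip() if negate else atom
    m = re.fullmatch(r"<(SUBJECT|ISSUER|EKU)>(.*)", body, re.S)
    if not m:
        raise ValueError(f"unsupported matching rule component: {atom!r}")
    kind, arg = m.groups()
    if kind == "EKU":
        # Every listed EKU (name or OID) must be present in the certificate.
        wanted = {EKU_NAMES.get(x.strip(), x.strip()) for x in arg.split(",")}
        result = wanted <= cert.eku
    else:
        # Regular expression searched in the DN string, LDAP order.
        dn = dn_string(cert.subject if kind == "SUBJECT" else cert.issuer)
        result = re.search(arg, dn) is not None
    return result != negate


def rule_matches(match_rule, cert):
    """Components joined by && and ||, && binding tighter; an empty rule matches all."""
    if not match_rule.strip():
        return True
    return any(all(_match_atom(a, cert) for a in conj.split("&&"))
               for conj in match_rule.split("||"))


def expand_map_rule(map_rule, cert):
    """Expand {issuer_dn!conv}, {subject_dn!conv} and {cert!bin} into the LDAP
    filter used to look up the certificate owner."""
    def repl(m):
        name, conv = m.group(1), m.group(2)
        if name == "cert":
            if conv != "bin":
                raise ValueError(f"unsupported certificate conversion: {conv!r}")
            return "".join(f"\\{b:02x}" for b in cert.der)   # RFC 4515 \XX escaping
        conv = conv or "nss_x500"                              # documented default
        if conv not in _DN_CONV:
            raise ValueError(f"unsupported DN conversion: {conv!r}")
        rdns = cert.subject if name == "subject_dn" else cert.issuer
        return dn_string(rdns, x500_order=conv in _X500)
    return _TEMPLATE.sub(repl, map_rule)


def demo():
    """The two rules from the verification above, applied to constructed
    stand-in certificates (not the ones used in the bug report)."""
    eku_rule = "<EKU>1.3.6.1.5.5.7.3.1"
    issuer_rule = "<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test"
    ad_map = ("(|(userCertificate;binary={cert!bin})"
              "(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})"
              "(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))")
    web_cert = CertFacts(subject=[("CN", "www.nd071217a.test"), ("O", "ND071217A.TEST")],
                         issuer=[("CN", "Certificate Authority"), ("O", "ND071217A.TEST")],
                         eku={"1.3.6.1.5.5.7.3.1"})                  # serverAuth only
    ad_user = CertFacts(subject=[("CN", "adcertsingleuser1"), ("CN", "Users"),
                                 ("DC", "ipaadcs12r2"), ("DC", "test")],
                        issuer=[("CN", "AD-ROOT-CA"), ("DC", "ipaadcs12r2"), ("DC", "test")],
                        eku={"1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2"},  # clientAuth, msScLogin
                        der=b"\x30\x82\x01\x02")                    # placeholder, not real DER
    return {"eku_rule_web": rule_matches(eku_rule, web_cert),
            "eku_rule_ad": rule_matches(eku_rule, ad_user),
            "issuer_rule_ad": rule_matches(issuer_rule, ad_user),
            "issuer_rule_web": rule_matches(issuer_rule, web_cert),
            "ad_filter": expand_map_rule(ad_map, ad_user)}
```

demo() shows the EKU rule selecting only the serverAuth certificate and the ISSUER rule selecting only the AD-issued one. Its "ad_filter" result also makes visible that the mapping rule as typed in the report has no separator between the issuer and subject templates, so the expanded ipacertmapdata value runs the two DN strings together; the values that `ipa user-add-certmapdata` stores carry `<I>` and `<S>` markers in front of the issuer and subject, so a mapping rule intended to hit them needs those markers too.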