Bug 1489895

Summary: Issues with certificate mapping rules
Product: Red Hat Enterprise Linux 7
Reporter: Sumit Bose <sbose>
Component: sssd
Assignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Priority: high
Version: 7.4
CC: ekeck, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, ndehadra, pbrezina, sbose, sgoveas, spoore, tscherf
Target Milestone: rc
Keywords: ZStream
Flags: spoore: needinfo+
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.16.0-1.el7
Doc Type: If docs needed, set a value
Clones: 1493916
Last Closed: 2018-04-10 17:16:19 UTC
Type: Bug
Bug Blocks: 1493916

Description Sumit Bose 2017-09-08 15:10:42 UTC
Description of problem:

Two issues were found related to certificate mapping rules.

1. If <EKU> is used in the matching rule with only OIDs, e.g. <EKU>1.2.3.4, the SSSD backend will crash. Since the rules are read during startup, SSSD might even fail to start.

2. If the rules are re-read, e.g. during an offline-online cycle with
    kill -USR1 $(pidof sssd)
    kill -USR2 $(pidof sssd)
the SSSD backend might crash if the certificate mapping rules are evaluated for a trusted AD domain.

Comment 1 Jakub Hrozek 2017-09-11 13:56:46 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3508

Comment 4 Jakub Hrozek 2017-09-14 15:03:46 UTC
master:
 * f2e70ec742cd7aab82b74d7e4b424ba3258da7aa
 * f5a8cd60c6f377af1954b58f007d16cf3f6dc846

Comment 17 Nikhil Dehadrai 2017-12-07 22:21:58 UTC
IPA-VERSION: ipa-server-4.5.4-6.el7.x86_64
SSSD-VERSION: sssd-1.16.0-10.el7.x86_64

Verified the bug based on tests performed in below scenarios:

Scenario 1: Scenario with EKU crash:

[root@auto-hv-01-guest08 ~]# kinit admin
Password for admin: 
[root@auto-hv-01-guest08 ~]# ipa certmaprule-add ekutest '-maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '-matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=nd071217a.test --domain=ipaad2012r2.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
Rule name: ekutest
Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
Matching rule: <EKU>1.3.6.1.5.5.7.3.1
Domain name: nd071217a.test, ipaad2012r2.test
Enabled: TRUE
[root@auto-hv-01-guest08 ~]# systemctl restart sssd
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5907 11101 0 04:26 pts/0 00:00:00 grep --color=auto sssd

[root@auto-hv-01-guest08 ~]# sleep 60

[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5911 11101 0 04:28 pts/0 00:00:00 grep --color=auto sssd

[root@auto-hv-01-guest08 ~]# # PIDS for sssd are same, bug not found, thus VERIFIED
[root@auto-hv-01-guest08 ~]# ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------


Scenario 2: Scenario with AD Trust certmap offline-online crash of sssd_be:

[root@auto-hv-01-guest06 ~]# ipa certmaprule-add adtest --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test' --domain=ipaadcs12r2.test --domain=nd071217b.test
------------------------------------------------
Added Certificate Identity Mapping Rule "adtest"
------------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE


[root@auto-hv-01-guest06 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10
[root@auto-hv-01-guest06 ~]# ipa certmaprule-find adtest
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@auto-hv-01-guest06 ~]# ipa certmap-match /root/adcerts/adcertsingleuser1.crt 
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------

[root@auto-hv-01-guest06 ~]# bash -x script2.sh 
+ set -x
++ pidof sssd_be
+ OLDPID=1850
++ cat /var/run/sssd.pid
+ SSSD_PID=1849
+ kill -USR1 1849
+ sleep 10
+ kill -USR2 1849
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=1850
+ '[' 1850 '!=' 1850 ']'
+ echo bug_not_found
bug_not_found

[root@auto-hv-01-guest06 ~]# cat /var/log/messages | grep "segfault"
[root@auto-hv-01-guest06 ~]#


Thus, based on the observations above, marking the status of this bug as "VERIFIED".
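
The script2.sh whose bash -x trace appears in Comment 17 is not itself on the page; the following is an added reconstruction of that regression check (not the reporter's or SSSD's own script), which re-reads the mapping rules through the SIGUSR1/SIGUSR2 offline-online cycle from the description and reports whether sssd_be kept its PID. The certificate path is assumed to be passed as an argument, and the `run` subcommand is an added convention.

```shell
#!/bin/sh
# Added reconstruction of the check traced in Comment 17: take SSSD offline and
# back online so the certificate mapping rules are re-read, evaluate them for a
# certificate from the trusted AD domain, and confirm sssd_be did not crash.
# Not the page's own script2.sh; the certificate path is an assumed argument.
set -eu

# Returns 0 when the backend PID is unchanged, 1 otherwise.
pid_unchanged() {
    [ "$1" = "$2" ]
}

# Offline-online cycle from the bug description, using the sssd monitor PID.
cycle_offline_online() {
    sssd_pid=$(cat /var/run/sssd.pid)
    kill -USR1 "$sssd_pid"   # go offline
    sleep 10
    kill -USR2 "$sssd_pid"   # reset offline status; rules are re-read
    sss_cache -E             # expire cached entries so the match hits the backend
    sleep 10
}

# Evaluate the mapping rules for the given certificate and report the outcome
# with the same tokens the trace in Comment 17 prints.
check_certmap_reload() {
    cert="$1"
    oldpid=$(pidof sssd_be)
    cycle_offline_online
    ipa certmap-match "$cert"
    newpid=$(pidof sssd_be)
    if pid_unchanged "$oldpid" "$newpid"; then
        echo bug_not_found
    else
        echo "bug_found: sssd_be was restarted ($oldpid -> $newpid)"
        grep segfault /var/log/messages || true
        return 1
    fi
}

# Usage: sh check_certmap_reload.sh run /root/adcerts/adcertsingleuser1.crt
case "${1:-}" in
    run) check_certmap_reload "${2:?certificate path required}" ;;
esac
```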

Comment 20 errata-xmlrpc 2018-04-10 17:16:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929