Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1525644

Summary: dbus-send unable to find user by CAC cert
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.5CC: fidencio, grajaiya, jhrozek, lmiksik, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, tscherf
Target Milestone: rcKeywords: Regression, TestBlocker
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.0-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 17:20:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Scott Poore 2017-12-13 19:23:36 UTC 
Description of problem:

I'm trying to use dbus-send to verify that I can lookup users by certificates.  When using some certs, the search fails.


Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Version-Release number of selected component (if applicable):
sssd-1.16.0-12

How reproducible:
unknown.  happening with cert I export from a CAC card.

Steps to Reproduce:
1. Setup IPA server and client to use Smart Card Authentication
2. Setup certmaprules for mapping the cert:
3. Add certmapdata to user
4. run dbus-send search:

# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10

Actual results:

Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Expected results:

Finds the user

Additional info:


[root@seceng-idm-1 sssd]# ipa certmaprule-show maprule_9
  Rule name: maprule_9
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD OM CA-32,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: testrelm.test, ipaadcs12r2.test
  Enabled: TRUE


[root@seceng-idm-1 sssd]# ipa user-show ipauser1
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/bash
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 908200127
  GID: 908200127
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD OM CA-32<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=name.id.of.user
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@seceng-idm-1 sssd]# openssl x509 -in /tmp/cac_card_01_piv_auth.crt -noout -subject -issuer
subject= /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=NOAA/CN=name.id.of.user
issuer= /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD OM CA-32
Comment 4 Sumit Bose 2017-12-13 19:37:15 UTC 
In the journal messages like:

    sssd[13828]: process 13980: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_path (*string_p)" failed in file ../../dbus/dbus-message.c line 2759

can be found.

The reason is that the first path in the list_ctx->paths array is 0x0 when calling iface_ifp_users_ListByName_finish(). I think the reason is that ifp_list_ctx_remaining_capacity() is called multiple times during the request once for each domain by ifp_users_list_copy() to collect the results fro all domains.

With commit b0b9222f7dd62b19ec702afe295ec71624888e87 talloc_zero_array() is called always when ifp_list_ctx_remaining_capacity() is called overwriting existing results. I guess some realloc scheme would be better there.
Comment 6 Sumit Bose 2017-12-15 11:08:37 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3608
Comment 7 Jakub Hrozek 2017-12-15 16:11:54 UTC 
* master: 510ac193900a7bb9dfae10c0ca4607c224b265af
Comment 9 Scott Poore 2017-12-15 17:09:45 UTC 
Verified.

Version ::

sssd-1.16.0-14.el7.x86_64

Quick reproducer before updating on test host:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Now upgrade sssd to fixed version:

[root@seceng-idm-1 tmp]# yum update sssd
Loaded plugins: auto-update-debuginfo, fastestmirror, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
...
Updated:
  sssd.x86_64 0:1.16.0-14.el7                                                                          

Dependency Updated:
  libipa_hbac.x86_64 0:1.16.0-14.el7                 libsss_autofs.x86_64 0:1.16.0-14.el7             
  libsss_idmap.x86_64 0:1.16.0-14.el7                libsss_sudo.x86_64 0:1.16.0-14.el7               
  python-libipa_hbac.x86_64 0:1.16.0-14.el7          python-sssdconfig.noarch 0:1.16.0-14.el7         
  sssd-ad.x86_64 0:1.16.0-14.el7                     sssd-client.x86_64 0:1.16.0-14.el7               
  sssd-common.x86_64 0:1.16.0-14.el7                 sssd-common-pac.x86_64 0:1.16.0-14.el7           
  sssd-dbus.x86_64 0:1.16.0-14.el7                   sssd-ipa.x86_64 0:1.16.0-14.el7                  
  sssd-krb5.x86_64 0:1.16.0-14.el7                   sssd-krb5-common.x86_64 0:1.16.0-14.el7          
  sssd-ldap.x86_64 0:1.16.0-14.el7                   sssd-proxy.x86_64 0:1.16.0-14.el7                

Complete!

Reset sssd and cache to run a clean test:

[root@seceng-idm-1 tmp]# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 


And, test:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
method return time=1513357456.425038 sender=:1.1767 -> destination=:1.1768 serial=5 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/908200222"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401145"
   ]


I also upgraded SSSD on the IPA server to confirm with ipa certmap-match where I saw the problem first:

[root@seceng-idm-1 tmp]# ipa certmap-match /tmp/cac_card_01_piv_auth.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: ipauser1

  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 2
----------------------------
Comment 12 errata-xmlrpc 2018-04-10 17:20:30 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929