Bug 1537279

Summary: Certificate is not removed from cache when it's removed from the override
Product: Red Hat Enterprise Linux 7 Reporter: Jakub Hrozek <jhrozek>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: fidencio, grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, ndehadra, pbrezina, sbose, sgoveas, sumenon, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-1.16.2-1.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-10-30 10:41:19 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jakub Hrozek 2018-01-22 20:01:39 UTC 
This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3603

After investigating the issue #3602 (https://pagure.io/SSSD/sssd/issue/3602) seems that a similar issue may happen with certificates.

I've talked to @sbose and we agreed on opening this to investigate whether it's the case and then provide a proper fix for this in case a bug is also present.

Steps to reproduce will be added later on when someone starts working on this bug.
Comment 1 Jakub Hrozek 2018-01-22 20:02:52 UTC 
Rough steps to reproduce:

- add a certificate to an override of a subdomain user
- request the certificate with the dbus API
- remove the certificate from the override
- request the certificate again

If there are no certificates returned for a sub-domain user from the IPA
server to the client we should make sure they are not present in the
client's cache anymore and remove the whole attribute from the cached user
entry.
Comment 2 Jakub Hrozek 2018-03-14 16:22:13 UTC 
* master:
 * 5e04cbb
 * 4300385
Comment 6 Sudhir Menon 2018-08-23 13:29:23 UTC 
Fix is seen. Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

[root@master httpd]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-5.el7.noarch
selinux-policy-3.13.1-215.el7.noarch


1. Added trusted AD user in 'Default Trust View'
[root@master ~]# ipa idoverrideuser-add 'Default trust View'
Anchor to override: aduser20
------------------------------------------------
Added User ID override "aduser20"
------------------------------------------------
  Anchor to override: aduser20

2. Added certificate for the trusted AD user in idview
[root@master ~]# ipa idoverrideuser-add-cert 'Default Trust View' aduser20 --certificate="$(cat /tmp/ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')"
--------------------------------------------------------------
Added certificates to idoverrideuser "aduser20"
--------------------------------------------------------------
  Anchor to override: aduser20
  Certificate: MIIEBjCCAu6gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtBUE9MTE8uVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDgyMzA5MDE0M1oXDTIwMDgyMzA5MDE0M1owKTEUMBIGA1UECgwLQVBPTExPLlRFU1QxETAPBgNVBAMMCGlwYXVzZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/0IKnRf1SsNaqo15fEgMlQaZ8LonNbHk1SsaGZ6DwyBbKBYlWDo7eZcKsVeKMc8mK4iIskTHOHuqusVm2OqtCdhlQMM15B3cOzsN1lWVELkzZXubOR8u4awW7231aSd7jEtFHxwEkVzHTulYhYE62XnikHFYY74zRoN6KnMSXXFfH1tMV6SeP31MkNXg9IcfXo+7zFbjFykFWteXCcBXbW7bGrM1uEjAsRI6bPvbRpGpdzMvQ6/RG915qH1XM2sOv1Z3URp/Xlks3LupiFQTPYSHO11t/Ql96OOEBa7hED2uHPRY8bdzyMPv/iZ9QpLldgnWGmxIgGsJ+SrexuHGiQIDAQABo4IBKjCCASYwHwYDVR0jBBgwFoAUUfztxibL54WCGI3Yzh+csgF9TAkwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vaXBhLWNhLmFwb2xsby50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BgNVHR8EbzBtMGugM6Axhi9odHRwOi8vaXBhLWNhLmFwb2xsby50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUhp/FF3HBj3lOWdiMnpb/zT1kgM8wDQYJKoZIhvcNAQELBQADggEBAI1g3SNzorOPy9feYym0P0auP4267CDXrHVhVbtAomG3qYoeqOH0E1JK/+Nvnlm5H6ThvqEinMGAUJCltduneP2Py+Hn1fvenAWa7OpyRAGvfRLvzqtfMYAq6vCC6jny2BtOgFQ5lZxiu0YYJ3Np5YvSRYKnosMQQFPLSnIyjplyQ4qQhKWWS8fthd1VyGkXi/B3HcxqDddXHKwLlzjColnZFw/HkJuwXXhG6DbtGlJa9MTcD9WLmBoJq+Q92lfe47l479SAhgyoUc+wvHyMHbmFmKuIoO0uQBR/FZzgx3m1Tz30nlEV8YLc3qFCUiw6+41R/pUp2lTrRfnw0odzPzo=

3. sss_cache -E
4. run the below dbus-send commands

[root@master ~]#     dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/ipauser1.crt)" uint32:10
method return time=1535028715.335103 sender=:1.1717 -> destination=:1.1724 serial=13 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160"
   ]

[root@master httpd]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1535030667.990435 sender=:1.1740 -> destination=:1.1747 serial=13 reply_serial=2
   variant       string "aduser20"

5. Removed the user certificate from view for the user.

[root@master ~]# ipa idoverrideuser-remove-cert 'Default Trust View' aduser20 --certificate="$(cat /tmp/ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')"
------------------------------------------------------------------
Removed certificates from idoverrideuser "aduser20"
------------------------------------------------------------------
  Anchor to override: aduser20

6. sss_cache -E

7.  Object is not displayed since cert has been removed.
[root@master ~]#     dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/ipauser1.crt)" uint32:10
method return time=1535028736.269931 sender=:1.1717 -> destination=:1.1725 serial=15 reply_serial=2
   array [
   ]

[root@master httpd]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1535030667.990435 sender=:1.1740 -> destination=:1.1747 serial=13 reply_serial=2
   variant       string "aduser20"
Comment 8 errata-xmlrpc 2018-10-30 10:41:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158