Bug 1736845
| Summary: | [RFE] Backporting certificate matching rules for files, AD and LDAP provider [rhel-7.9.z] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | amitkuma |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 7.8 | CC: | afarley, atikhono, david.ward, ddas, fedoraproject, g63it, grajaiya, jhrozek, jreznik, lslebodn, mescanfe, mzidek, pbrezina, raymond.rocker, sbose, sgoveas, shokumar, spoore, sssd-maint, tbrunell, thalman, tmihinto, tscherf, vmishra |
| Target Milestone: | rc | Keywords: | FutureFeature, Reopened, Triaged, ZStream |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | sync-to-jira qetodo | | |
| Fixed In Version: | sssd-1.16.5-10.el7_9.7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-02-02 12:03:31 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
amitkuma
2019-08-02 07:40:58 UTC
The RHEL 7 product is too far in the lifecycle phase to get this added into here in time. This should be done in RHEL 8. There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully featured and works well for this. Since IdM is bundled with RHEL, you do not have any additional costs, other than building the VMs to do so. Please see here:

- Identity Management Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/index
- Windows Integration Guide: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#trust
- Smart Cards: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#user-auth-smart-cards

> There is a possibility to use IdM with Trust to AD, that will allow Smart Card Authentication to the RHEL 7 environment. I would suggest using this method, as it is fully featured and works well for this.

Hey Amy, why will the customer install and configure an additional IdM server and then configure an IPA client for the AD use case! His box is directly connected to AD and he wants the code to be ported to RHEL-7. Business justification already provided!

Moving this to RHEL 8: due to the RHEL 7 lifecycle, new features cannot be added. There is too much to do to get it into a late-life product.

Pretty sure this exists in RHEL 8, and this request is specifically a request to backport it to RHEL 7. Please consider reopening this issue. I will work with my TAM to work on the internal side of this. Also please reassign back to RHEL7.

There is a working pull request with the required changes backported to 1.16. If accepted, it will directly address this ticket. https://github.com/SSSD/sssd/pull/5176

Many of us in the Gov't sector, where smart cards are the accepted standard, will soon be required to have full MFA support implemented as part of the Cybersecurity Maturity Model Certification (CMMC) based on NIST 800-171. This includes not only the existing requirement for gov't agencies, but all of industry as well. RHEL7 still has ~4 years of Maintenance support, and many gov't systems may not have the ability to update to RHEL8 for much of that time.

Hello Karl, please work with your Red Hat support representative on this issue, to see if you can find some solution that works for you. RHEL-7 is already in https://access.redhat.com/support/policy/updates/errata#Maintenance_Support_1_Phase and "The focus for minor releases during this phase lies on resolving urgent- or high-priority bugs." Backporting a bigger non-trivial RFE at this stage for all RHEL customers would be risky. This is why RHEL-8 was suggested.

Hi Martin, we are already in contact with our Red Hat support and we've had an open pending case on this issue for quite a while. One of the discussion points brought up by our agent is this article. This was way prior to RHEL7's shift to Maintenance Support Phase 1. https://www.redhat.com/en/blog/smart-card-support-red-hat-enterprise-linux

For whatever reason, now in 7.8, that feature has still not been fully implemented. Based on the article, mapping of arbitrary certificate attributes was supposed to be implemented/feature complete by ~7.4, fully replacing the need for pam_pkcs11. (Note that today the sss-certmap man page is included with RHEL7.8's libcertmap RPM, and nowhere is it documented that this is an IPA-only feature; only by digging through the code did we find this.) With this perspective, one could point out that this is not a new feature, but a bug fix, as it does not work as documented. We understand that such a port may require resources if doing so from scratch. To solve this, the upstream branch for sssd 1.16 has a set of patches already submitted for review. Please read the pull request here: https://github.com/SSSD/sssd/pull/5176 This should drastically reduce the resources needed to include full certmapping as discussed in the article in a future dot release of RHEL7.

I will lastly point out that moving to RHEL8 is a well understood goal. However, with countless RHEL7 systems still not on the migration plan for many organizations due to application support or other reasons, it's not reasonable to demand everyone shift to RHEL8 overnight. Cybersecurity policies and enforcement are changing, and US Gov't-wide efforts like CMMC are putting pressure on Red Hat gov't and industry customers to find a solution for all established systems, including RHEL7. Lastly, please retag this issue to RHEL7. Back in December this issue was changed to RHEL8 and it is not a RHEL8 problem.

In case it is beneficial for anyone following this issue — here is a Copr repository that contains the latest SSSD package in RHEL 7.8, simply adding the patches that are in the upstream pull request (as-is). https://copr.fedorainfracloud.org/coprs/dpward/sssd/

Please reopen this RFE until we get clear guidance from mgmt about the future inclusion in RHEL7.x of Mr. Ward's patch set, if accepted into the 1.16 branch.

For everyone's SA: the PR for the upstream sssd/1.16 branch has accepted the patch set to resolve this issue. https://github.com/SSSD/sssd/pull/5176 This might be included in one of the following RHEL7.9 batch updates.
https://github.com/SSSD/sssd/pull/5176:

* `sssd-1-16`
  * 6b3b4b0bf945814e8886b900dcda18de25f38bb4 - certmap: mention special regex characters in man page
  * 451410e72514bd68e4b56b1a42c97ade6783e74b - test: add certificate without KU to certmap tests
  * e7966dfa40b9a7fcde79a07f146ae5283a7bc8e5 - certmap: allow missing KU in OpenSSL version
  * 6e9e6673916b61197df8a809f56c73d8bdbb868c - CONFIG: validator rules & test
  * eec9d72a242b2b05369f0eb89c4ebcda26d59802 - intg: add Smartcard authentication tests
  * cc2840fbb494ac686e9a3ae0016827a44d14769f - test_ca: set a password/PIN to nss databases
  * 0a989c62b4a3b73f23d9b6956ac81afaed9901f7 - test_ca: test library only for readable
  * 5a47b213b11cbf74dad47594d1826985f6b68f22 - PAM: use better PAM error code for failed Smartcard authentication
  * b6907d7cd5ab7568971ddb48f3932f106e86fe06 - doc: add certificate mapping section to man page
  * d75b196312c4cec767c196c663ff969b6aebcd6b - PAM: add certificate matching rules from all domains
  * 167ab7206913c17617a8e5ada7567d91f8ed6e11 - responder: make sure SSS_DP_CERT is passed to files provider
  * 69def7a3e81313a30ceae937f9cde5d62e999c3d - files: add support for Smartcard authentication
  * e96ba56ea8037d58e1335f7dacd3b19919bc4135 - confdb: add special handling for rules for the files provider
  * d304f5a9e60f7f6eb915a10067ee2e5e5f14c369 - sysdb: sysdb_certmap_add() handle domains more flexible
  * 53befb320c2b60a420a2588425fd5004ceec791a - AD/LDAP: read certificate mapping rules from config file
  * 670a1ca6b7b22bb3a1079111528ee7e4aafd97e5 - confdb: add confdb_certmap_to_sysdb()
  * 14c15cc6db16726419fbf6df76b5c83aec49192a - sysdb: add attr_map attribute to sysdb_ldb_msg_attr_to_certmap_info()
  * f867c2a293651043072afe1dd7a8a78a05e5fe4d - sysdb_ldb_msg_attr_to_certmap_info: set SSS_CERTMAP_MIN_PRIO
  * 8ef2cc11008ef86f4dfcbc267c797bf8ee265455 - sysdb: extract sysdb_ldb_msg_attr_to_certmap_info() call

Verified.
Version :: sssd-1.16.5-10.el7_9.7.x86_64

Results :: existing IPA Smart Card Auth regression tests were run against this update with all tests passing. Also tested basic functionality of the feature for files, ldap, and ad providers. Very basic 389-ds-base ldap server installed on test host to provide ldap service. Pre-existing Windows 2019 AD server used for AD provider tests. Softhsm used to simulate smart card.

```text
[root@rhel7-9 test_ca]# cat /etc/sssd/sssd.conf
[sssd]
domains = adcs.test, files_test, ldap_test
config_file_version = 2
services = nss, pam

[domain/files_test]
debug_level = 9
id_provider = files

[domain/ldap_test]
debug_level = 9
id_provider = ldap
ldap_uri = ldap://localhost:389
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=People,dc=example,dc=com

[domain/adcs.test]
ad_domain = adcs.test
krb5_realm = ADCS.TEST
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

[pam]
debug_level = 9
pam_cert_auth = True
p11_child_timeout = 60
[root@rhel7-9 test_ca]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
[root@rhel7-9 test_ca]# vim /etc/pam.d/system-auth
[root@rhel7-9 test_ca]# diff /etc/pam.d/system-auth /etc/pam.d/system-auth.orig
10c10
< #auth sufficient pam_unix.so nullok try_first_pass
---
> auth sufficient pam_unix.so nullok try_first_pass
[root@rhel7-9 test_ca]# touch /etc/sssd/conf.d/certmap.conf
[root@rhel7-9 test_ca]# chmod 600 /etc/sssd/conf.d/certmap.conf
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=localuser1.*
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens
[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# NAME=localuser1
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA
  label:      localuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         00
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1
[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexist.*
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Did not match user with cert
[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password:
su: Authentication failure
[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Password:
su: Authentication failure
[root@rhel7-9 test_ca]# # side effect of commenting out pam_unix from system-auth
[root@rhel7-9 test_ca]# # may require more complex pam setup to fall through properly
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/files_test/localuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test localuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/files_5ftest/1000
localuser1
[root@rhel7-9 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for My token 1
localuser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# # LDAP provider tests
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=dsuser1.*
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens
[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# NAME=dsuser1
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1
[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <SUBJECT>.*CN=userdoesnotexistinds.*
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Did not match user with cert
[root@rhel7-9 test_ca]# # PASS (This test should fail because certmap rule doesn't match)
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/ldap_test/dsuser1]
debug_level = 9
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
dsuser1
[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# # AD Provider tests
[root@rhel7-9 test_ca]# ...
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens
[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# NAME=aduser1
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA
  label:      aduser1
  ID:         00
  Usage:      decrypt, sign, unwrap
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      aduser1
  subject:    DN: O=Example, OU=Example Test, CN=aduser1
  ID:         00
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <SUBJECT>.*CN=aduser1.*
> EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1
[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <SUBJECT>.*CN=userdoesnotexistinad.*
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1
[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})
> EOF
[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject_principal.short_name})
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1
[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})
EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1
[root@rhel7-9 test_ca]# grep "Please check for typos" /var/log/sssd/sssd_pam.log
(2020-12-22 11:14:50): [pam] [p11_refresh_certmap_ctx] (0x0020): sss_certmap_add_rule failed for rule [aduser1] with error [22][Invalid argument], skipping. Please check for typos and if rule syntax is supported.
[root@rhel7-9 test_ca]# date
Tue Dec 22 11:15:05 CST 2020
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})
[certmap/adcs.test/aduser1_dne]
> matchrule = <SUBJECT>.*CN=userdoesnotexist.*
> EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Did not match user with cert
[root@rhel7-9 test_ca]# # with only the one rule that had typo, default will find cert
[root@rhel7-9 test_ca]# # with extra rule that doesn't match, no user matched as expected
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/aduser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> maprule = (altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500})
> EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601161
aduser2
[root@rhel7-9 test_ca]# # NOTE: aduser2 is who matched this time because we're using altSecurityIdentities. This was previously configured in AD with ldapmodify command
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# su - aduser2 -c 'su - aduser2 -c whoami'
PIN for My token 1
aduser2
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat > /etc/sssd/conf.d/certmap.conf <<EOF
> [certmap/adcs.test/localuser1]
> matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
> EOF
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test aduser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
aduser1
[root@rhel7-9 test_ca]# CERTFILE=dsuser1.crt
[root@rhel7-9 test_ca]# USERCERT=$(cat ${CERTFILE}|sed '/CERT/d'|tr -d '\r\n')
[root@rhel7-9 test_ca]# AD_ISSUER='O=Example,OU=Example Test,CN=Example Test CA'
[root@rhel7-9 test_ca]# AD_SUBJECT='O=Example,OU=Example Test,CN=aduser1'
[root@rhel7-9 test_ca]# ldapmodify -x -D "$AD_ADMIN" -w Secret123 -h $AD_SERVER <<EOF
> dn: CN=ad user1,CN=Users,DC=adcs,DC=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "CN=ad user1,CN=Users,DC=adcs,DC=test"
[root@rhel7-9 test_ca]# # previous was mis cut-and paste...was for delete, not add
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1
dsuser1
[root@rhel7-9 test_ca]# # See both ad and ds user found now
...
[root@rhel7-9 test_ca]# rm -rf /var/lib/sss/tokens
[root@rhel7-9 test_ca]# mkdir /var/lib/sss/tokens
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
[root@rhel7-9 test_ca]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized.
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pushd $TEST_CA
/opt/test_ca /opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# NAME=dsuser1
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.key -y privkey \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created private key:
Private Key Object; RSA
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
Result:Private Key Object; RSA
  label:      dsuser1
  ID:         00
  Usage:      decrypt, sign, unwrap
[root@rhel7-9 test_ca]# pkcs11-tool --module libsofthsm2.so --slot-index 0 -w ${NAME}.crt -y cert \
> --label ${NAME} -p redhat --set-id 0 -d 0
Using slot with index 0 (0x0)
Created certificate:
Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
Result:Certificate Object; type = X.509 cert
  label:      dsuser1
  subject:    DN: O=Example, OU=Example Test, CN=dsuser1
  ID:         00
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# popd
/opt/test_ca /opt/test_ca /etc/sssd
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]#
[root@rhel7-9 test_ca]# cat /etc/sssd/conf.d/certmap.conf
[certmap/adcs.test/localuser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
[root@rhel7-9 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel7-9 test_ca]# /tmp/dbus_test dsuser1.crt
Matched the following user(s):
/org/freedesktop/sssd/infopipe/Users/adcs_2etest/1697601103
/org/freedesktop/sssd/infopipe/Users/ldap_5ftest/1670071
aduser1
dsuser1
[root@rhel7-9 test_ca]# su - dsuser1 -c 'su - dsuser1 -c whoami'
PIN for My token 1
dsuser1
[root@rhel7-9 test_ca]# su - aduser1 -c 'su - aduser1 -c whoami'
PIN for My token 1
aduser1
[root@rhel7-9 test_ca]# # PASS ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:0341
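As an added example (not code from SSSD or from this ticket), a small Python pre-flight check for `[certmap/<domain>/<name>]` sections like the ones exercised in the verification above: it rejects unsupported `{template}` references the way `sss_certmap_add_rule` rejected `{subject.short_name}` with EINVAL, and dry-runs the surviving `<SUBJECT>`/`<ISSUER>`/`<KU>`/`<EKU>` components against a constructed certificate. The accepted tag and template names are assumed to be a subset of sss-certmap(5), the section name stands in for the user as with the files provider, and the LDAP/AD maprule lookup is not modelled.

```python
"""Lint sssd certmap.conf rules and dry-run them against a certificate's fields.
Added example, not SSSD code; tag and template names are a subset of sss-certmap(5)."""
import configparser
import re

_TAG = re.compile(r"<(SUBJECT|ISSUER|KU|EKU)>")  # match-rule tags this linter knows
_TEMPLATE = re.compile(r"\{([A-Za-z0-9_]+)([.!][A-Za-z0-9_]+)?\}")
DEFAULT_MATCHRULE = "<KU>digitalSignature<EKU>clientAuth"  # sss-certmap(5) default
TEMPLATES = {  # map-rule templates and the suffixes each accepts (assumed subset)
    "subject_dn": {"", "!ad_x500", "!nss_x500"},
    "issuer_dn": {"", "!ad_x500", "!nss_x500"},
    "subject_principal": {"", ".short_name"},
    "cert": {"", "!bin", "!base64"},
}

def parse_matchrule(rule):
    """Split '<ISSUER>regex<SUBJECT>regex' into [(tag, text), ...]; ValueError on typos."""
    parts = _TAG.split(rule)  # e.g. ['', 'ISSUER', 'regex', 'SUBJECT', 'regex']
    if parts[0] != "" or len(parts) < 3:
        raise ValueError("match rule must start with a known tag such as <SUBJECT>")
    comps = []
    for tag, text in zip(parts[1::2], parts[2::2]):
        if tag not in ("KU", "EKU"):  # KU/EKU list usage names; the rest are regexes
            try:
                re.compile(text)
            except re.error as exc:
                raise ValueError(f"bad regex for <{tag}>: {exc}") from exc
        comps.append((tag, text))
    return comps

def check_maprule(rule):
    """Return the problems found in a map rule's {template} references."""
    problems = []
    for base, suffix in _TEMPLATE.findall(rule):
        if base not in TEMPLATES:
            problems.append(f"unknown template {{{base}}}")
        elif suffix not in TEMPLATES[base]:
            problems.append(f"unsupported suffix {suffix!r} on {{{base}}}")
    return problems

def load_rules(conf_text):
    """Parse [certmap/<domain>/<name>] sections into (usable_rules, problems). A rule
    with any problem is skipped whole, as sssd skipped the typo'd rule in the log."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    rules, problems = {}, {}
    for section in cp.sections():
        errs, comps = [], []
        if not re.fullmatch(r"certmap/[^/]+/[^/]+", section):
            errs.append("section name must be certmap/<domain>/<name>")
        try:
            comps = parse_matchrule(cp[section].get("matchrule", DEFAULT_MATCHRULE))
        except ValueError as exc:
            errs.append(str(exc))
        errs += check_maprule(cp[section].get("maprule", ""))
        if errs:
            problems[section] = errs
        else:
            rules[section] = comps
    return rules, problems

def match_cert(rules, cert):
    """Sections whose every component accepts cert = {"SUBJECT": dn, "ISSUER": dn,
    "KU": set, "EKU": set}; DNs are CN-first, as the log's <ISSUER> rules are."""
    def accepts(tag, text):
        if tag in ("KU", "EKU"):
            return set(text.split(",")) <= cert.get(tag, set())
        return re.search(text, cert.get(tag, "")) is not None
    return [s for s, comps in rules.items() if all(accepts(t, x) for t, x in comps)]

# Constructed certmap.conf mirroring rules from the verification log, including the
# {subject.short_name} typo that sssd rejected with EINVAL.
SAMPLE_CONF = """
[certmap/files_test/localuser1]
matchrule = <SUBJECT>.*CN=localuser1.*
[certmap/adcs.test/aduser1]
matchrule = <ISSUER>CN=Example Test CA,OU=Example Test,O=Example
maprule = (samAccountName={subject.short_name})
[certmap/adcs.test/aduser1_dne]
matchrule = <SUBJECT>.*CN=userdoesnotexist.*
"""
# Constructed fields of localuser1.crt, in the CN-first order sss-certmap renders DNs.
SAMPLE_CERT = {"SUBJECT": "CN=localuser1,OU=Example Test,O=Example",
               "ISSUER": "CN=Example Test CA,OU=Example Test,O=Example",
               "KU": {"digitalSignature", "keyEncipherment"}, "EKU": {"clientAuth"}}
```

Running this over a real certmap.conf before restarting sssd surfaces the skipped-rule condition that otherwise only shows up in sssd_pam.log, where a silently skipped rule leaves the remaining rules (or the default) to decide who matches.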