Bug 1308935
| Summary: | After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.3 | CC: | grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.14.0-0.2.beta1.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1308939 | Environment: | |
| Last Closed: | 2016-11-04 07:16:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1308939 | | |
Description
Jakub Hrozek
2016-02-16 14:09:32 UTC
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54

This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions.

Verified.
Version ::
sssd-1.14.0-41.el7.x86_64
Results ::
[root@master ~]# ipa user-add bob --first=f --last=l
----------------
Added user "bob"
----------------
User login: bob
First name: f
Last name: l
Full name: f l
Display name: f l
Initials: fl
Home directory: /home/bob
GECOS: f l
Login shell: /bin/sh
Principal name: bob
Principal alias: bob
Email address: bob
UID: 989000033
GID: 989000033
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# openssl req -x509 -new -newkey rsa:2048 -nodes -keyout bobs_cert.key -out bobs_cert.pem -subj "/CN=bob"
Generating a 2048 bit RSA private key
..........................................................................................+++
.............+++
writing new private key to 'bobs_cert.key'
-----
[root@master ~]# ipa user-add-cert bob --certificate="$USERCERT"
--------------------------------
Added certificates to user "bob"
--------------------------------
User login: bob
Certificate: MII...
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
uid: bob
givenname: f
sn: l
cn: f l
initials: fl
homedirectory: /home/bob
gecos: f l
loginshell: /bin/sh
krbcanonicalname: bob
krbprincipalname: bob
mail: bob
uidnumber: 989000033
gidnumber: 989000033
usercertificate: <base64 certificate blob omitted>
nsaccountlock: FALSE
displayName: f l
ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1
[root@master ~]# grep ifp /etc/sssd/sssd.conf
[ifp]
[root@master ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@master ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.58 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.57 -> dest=:1.69 reply_serial=2
array [
dict entry(
string "name"
variant string "bob"
)
dict entry(
string "uidNumber"
variant uint32 989000033
)
dict entry(
string "gidNumber"
variant uint32 989000033
)
dict entry(
string "gecos"
variant string "f l"
)
dict entry(
string "homeDirectory"
variant string "/home/bob"
)
dict entry(
string "loginShell"
variant string "/bin/sh"
)
dict entry(
string "groups"
variant array [
object path "/org/freedesktop/sssd/infopipe/Groups/ipa_2etest/989000033"
]
)
dict entry(
string "extraAttributes"
variant array [
]
)
]
[root@master ~]# ipa user-mod bob --certificate=""
-------------------
Modified user "bob"
-------------------
User login: bob
First name: f
Last name: l
Home directory: /home/bob
Login shell: /bin/sh
Principal name: bob
Principal alias: bob
Email address: bob
UID: 989000033
GID: 989000033
Account disabled: False
Password: False
Member of groups: ipausers
Kerberos keys available: False
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
uid: bob
givenname: f
sn: l
cn: f l
initials: fl
homedirectory: /home/bob
gecos: f l
loginshell: /bin/sh
krbcanonicalname: bob
krbprincipalname: bob
mail: bob
uidnumber: 989000033
gidnumber: 989000033
nsaccountlock: FALSE
displayName: f l
ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
objectClass: ipaobject
objectClass: person
objectClass: top
objectClass: ipasshuser
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: krbticketpolicyaux
objectClass: krbprincipalaux
objectClass: inetuser
objectClass: posixaccount
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.70 reply_serial=2
object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# sss_cache -E
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
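The reproduction above compares two sources of truth: the `usercertificate` attribute in the IPA entry (from `ipa user-find --all --raw`) and what SSSD's infopipe still answers to `FindByCertificate`. The following check, added here as an example and not part of the bug report or of SSSD, parses both outputs and flags the stale-cache case this bug is about; the sample outputs are constructed to mirror the transcript, and `check_mapping` is a hypothetical helper name.

```python
import re

# Constructed samples modelled on the transcript above (not captured from a live system).
RAW_ENTRY_WITH_CERT = """dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
uid: bob
uidnumber: 989000033
usercertificate: MIIC...placeholder-base64...
nsaccountlock: FALSE
"""
RAW_ENTRY_NO_CERT = """dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
uid: bob
uidnumber: 989000033
nsaccountlock: FALSE
"""
REPLY_FOUND = ('method return sender=:1.57 -> dest=:1.70 reply_serial=2\n'
               '   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"\n')
REPLY_NOT_FOUND = "Error org.freedesktop.sssd.Error.NotFound: User not found\n"


def parse_raw_entry(text):
    """Parse `ipa user-find --all --raw` output into {attribute_lowercase: [values]}."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("-"):
            continue  # skip banner lines such as "1 user matched" and dashes
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def parse_find_by_certificate_reply(text):
    """Return the object path from a FindByCertificate reply, or None on NotFound."""
    match = re.search(r'object path "([^"]+)"', text)
    return match.group(1) if match else None


def check_mapping(raw_entry_text, reply_text):
    """Compare IPA's usercertificate attribute with the SSSD infopipe answer."""
    entry = parse_raw_entry(raw_entry_text)
    has_cert = bool(entry.get("usercertificate"))
    path = parse_find_by_certificate_reply(reply_text)
    uid = entry.get("uidnumber", [""])[0]
    if has_cert and path is not None and path.endswith("/" + uid):
        return "consistent: certificate maps to uid %s" % uid
    if not has_cert and path is None:
        return "consistent: no certificate, no mapping"
    if not has_cert and path is not None:
        # The bug's symptom: IPA no longer holds the cert, SSSD still maps it.
        return "STALE: certificate removed in IPA but SSSD still maps it to %s" % path
    return "unexpected: certificate present but SSSD returns no mapping"
```

Feeding the real command outputs to `check_mapping` after `ipa user-mod bob --certificate=""` and `sss_cache -E` gives a quick regression test for this fix.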
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html