This bug is created as a clone of upstream ticket: https://fedorahosted.org/sssd/ticket/2934

I have org.freedesktop.sssd.infopipe.Users.FindByCertificate working based on https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

When however I remove the certificate from the user with

{{{
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: usercertificate;binary
}}}

and verify it's gone with

{{{
ipa user-find --all --raw bob
}}}

another

{{{
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"
}}}

still finds the user:

{{{
method return sender=:1.136 -> dest=:1.137 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/569400006"
}}}

Even if I attempt to purge the SSSD cache with

{{{
sss_cache -E
}}}

the {{{dbus-send}}} call still finds the user. Only running

{{{
rm -rf /var/lib/sss/db/*cache* ; systemctl restart sssd
}}}

seems to finally give me

{{{
Error org.freedesktop.sssd.Error.NotFound: User not found
}}}
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
Verified.

Version :: sssd-1.14.0-41.el7.x86_64

Results ::

[root@master ~]# ipa user-add bob --first=f --last=l
----------------
Added user "bob"
----------------
  User login: bob
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/bob
  GECOS: f l
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# openssl req -x509 -new -newkey rsa:2048 -nodes -keyout bobs_cert.key -out bobs_cert.pem -subj "/CN=bob"
Generating a 2048 bit RSA private key
..........................................................................................+++
.............+++
writing new private key to 'bobs_cert.key'
-----
[root@master ~]# ipa user-add-cert bob --certificate="$USERCERT"
--------------------------------
Added certificates to user "bob"
--------------------------------
  User login: bob
  Certificate: MII...
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  usercertificate: MIIC7zCCAdegAwIBAgIJANdRXOOfZnUmMA0GCSqGSIb3DQEBCwUAMA4xDDAKBgNVBAMMA2JvYjAeFw0xNjA5MTYxODE3MTlaFw0xNjEwMTYxODE3MTlaMA4xDDAKBgNVBAMMA2JvYjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN/RZtfo6YgqAqlCtc92vZ8+TxA9gNcCqgsNid33XR+BPVX0WoLPFPQqOEASdS7H4Si3afPtJA9mcPU6bZYCBBAKKFftb0+dcvDnHeT1cx7yJ3ZDLcIBFFhWeqFgBjpFIPmIlBT4t1sG0H1/L/pBtZovcDnDq55D6dbJXz3xWYI9nRU5DYNPc1v+JS4n3Z6liSbKOU++Qpu7T+SYBXfMNGeCZ+BW6g1GQjhSeDoKl3JyHBM6+/W4KV0jdLx98c4ZuHrzFGEt5kGYgiGcVvQjZOosFnuZhs5TPcqAE0h8DR4D6F5TEcfH0fFU0XbY+rE+8bvY2H3GIB3a0o0DG1ZkK3ECAwEAAaNQME4wHQYDVR0OBBYEFOy1MpQQw6bRAPixYUi3VKnaMxl+MB8GA1UdIwQYMBaAFOy1MpQQw6bRAPixYUi3VKnaMxl+MAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBANrzc9XbJuBDU7QcMrBtXev9IbAXAne9Ak9sOUnNh7FKtXNpImClIVUXb+7snlTGRnkrDiEgZCU72TQ/vLblM7Atu4MWpA+jPRE2CO4TRZhAys7je1m7YiuP66g1dfBvJnL/qg+7G+vGx+bhdxCeQjF8in5VViIjpXnOE3E41WbLKTWOtpNSbwT2q2txv+csd0PBE1OubK2VCRLB8hq0d7WjoHBt2PJBPwNJfc9Ob54HbaGzRUr1hiEGujSZ7uPTRRf39kROXfn8a2KD5pi80C5G2bQCkHCOR3zuGYEyfTIuZ8v94tEdmEhTQLgBqHS0L9MgwJJCb71uho5/QPS/BIY=
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1
[root@master ~]# grep ifp /etc/sssd/sssd.conf
[ifp]
[root@master ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@master ~]# service sssd restart
Redirecting to /bin/systemctl restart sssd.service
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.58 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033 org.freedesktop.DBus.Properties.GetAll string:"org.freedesktop.sssd.infopipe.Users.User"
method return sender=:1.57 -> dest=:1.69 reply_serial=2
   array [
      dict entry(
         string "name"
         variant             string "bob"
      )
      dict entry(
         string "uidNumber"
         variant             uint32 989000033
      )
      dict entry(
         string "gidNumber"
         variant             uint32 989000033
      )
      dict entry(
         string "gecos"
         variant             string "f l"
      )
      dict entry(
         string "homeDirectory"
         variant             string "/home/bob"
      )
      dict entry(
         string "loginShell"
         variant             string "/bin/sh"
      )
      dict entry(
         string "groups"
         variant             array [
               object path "/org/freedesktop/sssd/infopipe/Groups/ipa_2etest/989000033"
            ]
      )
      dict entry(
         string "extraAttributes"
         variant             array [
            ]
      )
   ]
[root@master ~]# ipa user-mod bob --certificate=""
-------------------
Modified user "bob"
-------------------
  User login: bob
  First name: f
  Last name: l
  Home directory: /home/bob
  Login shell: /bin/sh
  Principal name: bob
  Principal alias: bob
  Email address: bob
  UID: 989000033
  GID: 989000033
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False
[root@master ~]# ipa user-find --all --raw bob
--------------
1 user matched
--------------
  dn: uid=bob,cn=users,cn=accounts,dc=ipa,dc=test
  uid: bob
  givenname: f
  sn: l
  cn: f l
  initials: fl
  homedirectory: /home/bob
  gecos: f l
  loginshell: /bin/sh
  krbcanonicalname: bob
  krbprincipalname: bob
  mail: bob
  uidnumber: 989000033
  gidnumber: 989000033
  nsaccountlock: FALSE
  displayName: f l
  ipaNTSecurityIdentifier: S-1-5-21-1754518222-3126848558-1974457199-1033
  ipaUniqueID: 9ec03988-7c39-11e6-9535-52540054adfa
  memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ipa,dc=test
  mepManagedEntry: cn=bob,cn=groups,cn=accounts,dc=ipa,dc=test
  objectClass: ipaobject
  objectClass: person
  objectClass: top
  objectClass: ipasshuser
  objectClass: inetorgperson
  objectClass: organizationalperson
  objectClass: krbticketpolicyaux
  objectClass: krbprincipalaux
  objectClass: inetuser
  objectClass: posixaccount
  objectClass: ipaSshGroupOfPubKeys
  objectClass: mepOriginEntry
  objectClass: ipantuserattrs
----------------------------
Number of entries returned 1
----------------------------
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
method return sender=:1.57 -> dest=:1.70 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/ipa_2etest/989000033"
[root@master ~]# sss_cache -E
[root@master ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(openssl x509 < bobs_cert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
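The verification transcript above can be turned into a repeatable regression check. The script below is an added example written for this page; it is not code from the bug report, from SSSD or from FreeIPA. It walks the same steps (add a certificate to a user, resolve it through org.freedesktop.sssd.infopipe, clear the certificate, flush with sss_cache -E, resolve again) and fails if the stale certificate-to-user mapping survives the flush, which is exactly the behaviour the reporter saw. It assumes an IPA-enrolled host with sssd-dbus installed and "ifp" already on the services= line of /etc/sssd/sssd.conf; the user name "bob", the file name bobs_cert.pem and the SSSD_CERT_CHECK_LIVE environment variable are placeholders chosen for the example. The reply parser and the object-path helpers are kept separate from the live steps so they can be exercised on a machine without IPA, using the reply text shown in the transcript.

```shell
#!/bin/sh
# Added example (not from the bug report, SSSD or FreeIPA): regression
# check that FindByCertificate stops resolving a user once the
# certificate is removed and the cache is flushed with sss_cache -E.
# Assumes an IPA-enrolled host with sssd-dbus and "ifp" enabled.
# "bob", bobs_cert.pem and SSSD_CERT_CHECK_LIVE are placeholders.

IFP_DEST=org.freedesktop.sssd.infopipe
IFP_USERS=/org/freedesktop/sssd/infopipe/Users

# Reduce a dbus-send --print-reply transcript (stdout and stderr merged)
# to one token: the user's object path, NOTFOUND, or UNEXPECTED.
classify_reply() {
    case "$1" in
        *org.freedesktop.sssd.Error.NotFound*) echo NOTFOUND; return 0 ;;
    esac
    path=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*object path "\([^"]*\)".*/\1/p' | head -n 1)
    if [ -n "$path" ]; then echo "$path"; else echo UNEXPECTED; fi
}

# Object paths look like .../Users/<domain>/<uidNumber>. sssd escapes
# characters outside [A-Za-z0-9] in the domain as _XX (hex), which is why
# "ipa.test" shows up as "ipa_2etest"; domain names only need "." and "-"
# undone.
uid_from_path() { printf '%s\n' "${1##*/}"; }
domain_from_path() {
    d=${1%/*}; d=${d##*/}
    printf '%s\n' "$d" | sed -e 's/_2e/./g' -e 's/_2d/-/g'
}

# Resolve a PEM certificate to a user through the infopipe. The PEM is
# re-serialised with openssl x509 so any text around the PEM block in
# the file is dropped before it reaches sssd.
find_by_cert() {
    reply=$(dbus-send --print-reply --system --dest="$IFP_DEST" "$IFP_USERS" \
        "$IFP_DEST.Users.FindByCertificate" string:"$(openssl x509 -in "$1")" 2>&1)
    classify_reply "$reply"
}

# The live steps run only when explicitly requested, so the helpers above
# can be loaded and tested on a host without IPA or sssd.
if [ "${SSSD_CERT_CHECK_LIVE:-0}" = 1 ]; then
    user=bob; pem=bobs_cert.pem
    openssl req -x509 -new -newkey rsa:2048 -nodes -keyout "$user.key" \
        -out "$pem" -subj "/CN=$user" 2>/dev/null
    # ipa expects the base64 DER, which is the PEM body without its markers.
    ipa user-add-cert "$user" --certificate="$(sed '/^-----/d' "$pem" | tr -d '\n')"

    got=$(find_by_cert "$pem")
    case "$got" in
        "$IFP_USERS"/*) echo "mapped to $(domain_from_path "$got") uid $(uid_from_path "$got")" ;;
        *) echo "FAIL: certificate not resolved after user-add-cert ($got)" >&2; exit 1 ;;
    esac

    ipa user-mod "$user" --certificate=""   # clears usercertificate, as in the transcript
    sss_cache -E
    got=$(find_by_cert "$pem")
    [ "$got" = NOTFOUND ] || { echo "FAIL: stale mapping after sss_cache -E ($got)" >&2; exit 1; }
    echo "ok: mapping went away together with the certificate"
fi
```

Run it as SSSD_CERT_CHECK_LIVE=1 sh check.sh on a throwaway IPA client. On the fixed build in the transcript (sssd-1.14.0-41.el7) the last step prints "ok"; on a build with the behaviour from the original report the final FindByCertificate still returns the object path and the script exits non-zero with "stale mapping after sss_cache -E", which is the signature of this bug.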
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHEA-2016-2476.html