Bug 1308939
| Summary: | After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Jakub Hrozek <jhrozek> |
| Component: | sssd | Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Steeve Goveas <sgoveas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.8 | CC: | grajaiya, jhrozek, ksiddiqu, lslebodn, mkosek, mzidek, pbrezina, preichl, sgoveas, spoore, sssd-maint |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sssd-1.13.3-16.el6 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1308935 | Environment: | |
| Last Closed: | 2016-05-10 20:26:40 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1308935 | | |
| Bug Blocks: | | | |
Description
Jakub Hrozek
2016-02-16 14:13:29 UTC
Fixed upstream:
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54

Jakub, can you clarify what was fixed? Clearing the cache may still be necessary depending on timing, correct? In a quick check, I saw this:

```
[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.19 -> dest=:1.22 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2ecom/471200001"
[root@rhel6-3 ~]# sss_cache -E
[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
```

Thanks,
Scott

Sure, the cache might be either cleared or you need to set a short timeout and wait until it passes.

Verified.

Version :: sssd-1.13.3-17.el6.x86_64

Results ::

```
[root@ibm-x3650m4-01-vm-06 ~]# ipa user-add testuser1 --first=test --last=user1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: test
  Last name: user1
  Full name: test user1
  Display name: test user1
  Initials: tu
  Home directory: /home/testuser1
  GECOS field: test user1
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 1037000001
  GID: 1037000001
  Password: False
  Kerberos keys available: False
[root@ibm-x3650m4-01-vm-06 ~]# openssl req -x509 -new -newkey rsa:2048 -nodes \
> -keyout rsakey.pem -out rsacert.pem -subj "/CN=testuser1"
Generating a 2048 bit RSA private key
...................+++
.....................+++
writing new private key to 'rsakey.pem'
-----
[root@ibm-x3650m4-01-vm-06 ~]# USERCERT="$(grep -v "\-----" rsacert.pem | tr -d '[\n]')"
[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1
  mail: testuser1
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
  usercertificate;binary: <certificate value elided>
----------------------------
Number of entries returned 1
----------------------------
[root@ibm-x3650m4-01-vm-06 ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1
[root@ibm-x3650m4-01-vm-06 ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@ibm-x3650m4-01-vm-06 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.23 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"
[root@ibm-x3650m4-01-vm-06 ~]# id testuser1
uid=1037000001(testuser1) gid=1037000001(testuser1) groups=1037000001(testuser1)
[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> delete: usercertificate;binary
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1
  mail: testuser1
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.24 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"
[root@ibm-x3650m4-01-vm-06 ~]# sss_cache -E
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html
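The verification steps above strip the PEM armor with `grep -v` and `tr` and hand the bare base64 to `ldapmodify` as a `userCertificate;binary` value, then remove the attribute again with a second modify. As an added example, not code from this bug report, from SSSD or from IPA, the Python below does the same conversion programmatically and checks the payload before it reaches the directory: it parses the PEM block, verifies that the decoded bytes are one DER SEQUENCE whose declared length matches the payload (a truncated or mangled copy of the certificate is rejected instead of being stored as an unmatchable value), and emits the LDIF for both the add and the delete modifications. The DN, the DER bytes and the PEM wrapper are constructed placeholders; the DER is a minimal SEQUENCE standing in for a real certificate, not the test certificate from the report.

```python
import base64
import re

# Constructed placeholder: a minimal DER SEQUENCE (SEQUENCE { INTEGER 5 }),
# not a real X.509 certificate. It stands in for the DER a real PEM carries.
SAMPLE_DER = bytes.fromhex("3003020105")

# Constructed PEM wrapping the placeholder above, with the armor lines that
# the verification in the report strips via grep -v "\-----".
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

# Assumed DN, modelled on the report's DN but using a placeholder suffix.
SAMPLE_DN = "uid=testuser1,cn=users,cn=accounts,dc=example,dc=test"

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_length(der: bytes) -> int:
    """Return the total encoded length of the outer DER SEQUENCE, or raise."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    nbytes = first & 0x7F                 # long-form: number of length octets
    if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
        raise ValueError("bad DER length encoding")
    return 2 + nbytes + int.from_bytes(der[2:2 + nbytes], "big")


def pem_to_der(pem: str) -> bytes:
    """Strip PEM armor, base64-decode, and sanity-check the DER envelope."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    body = re.sub(r"\s+", "", m.group("body"))   # same effect as tr -d '\n'
    der = base64.b64decode(body, validate=True)
    if der_length(der) != len(der):
        raise ValueError("DER length does not match payload size")
    return der


def ldif_add_cert(dn: str, der: bytes) -> str:
    """LDIF that adds the certificate as a base64 ('::') userCertificate;binary value."""
    b64 = base64.b64encode(der).decode()
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "add: userCertificate;binary\n"
        f"userCertificate;binary:: {b64}\n"
    )


def ldif_delete_cert(dn: str) -> str:
    """LDIF that removes every userCertificate;binary value from the entry."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: userCertificate;binary\n"
    )


def ldif_cert_value(ldif: str) -> bytes:
    """Decode the base64 value the LDIF carries, i.e. what the directory would store."""
    for line in ldif.splitlines():
        if line.startswith("userCertificate;binary:: "):
            return base64.b64decode(line.split(":: ", 1)[1], validate=True)
    raise ValueError("no base64 userCertificate;binary value in LDIF")


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print(ldif_add_cert(SAMPLE_DN, der))
    print(ldif_delete_cert(SAMPLE_DN))
```

Both LDIF documents can be piped to `ldapmodify` exactly as the heredocs in the report are. The report writes the value as `userCertificate;binary::$USERCERT` with no space after the double colon; LDIF permits zero or more spaces there, so the `:: ` form emitted here is equivalent. Whichever form is used, the SSSD side still behaves as Jakub describes: after the delete, `FindByCertificate` keeps answering from the cache until `sss_cache -E` is run or the entry cache timeout passes.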