Bug 1308939 - After removing certificate from user in IPA and even after sss_cache, FindByCertificate still finds the user
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.8
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: SSSD Maintainers
QA Contact: Steeve Goveas
Depends On: 1308935
Blocks:
Reported: 2016-02-16 09:13 EST by Jakub Hrozek
Modified: 2016-05-10 16:26 EDT (History)

See Also:
Fixed In Version: sssd-1.13.3-16.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 1308935
Environment:
Last Closed: 2016-05-10 16:26:40 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Jakub Hrozek 2016-02-16 09:13:29 EST
+++ This bug was initially created as a clone of Bug #1308935 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2934

I have org.freedesktop.sssd.infopipe.Users.FindByCertificate working based on https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate.

When however I remove the certificate from the user with

{{{
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: usercertificate;binary
}}}

and verify it's gone with

{{{
ipa user-find --all --raw bob
}}}

another

{{{
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"
}}}

still finds the user:

{{{
method return sender=:1.136 -> dest=:1.137 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/569400006"
}}}

Even if I attempt to purge the SSSD cache with 

{{{
sss_cache -E
}}}

the {{{dbus-send}}} call still finds the user.

Only running

{{{
rm -rf /var/lib/sss/db/*cache* ; systemctl restart sssd
}}}

seems to finally give me

{{{
Error org.freedesktop.sssd.Error.NotFound: User not found
}}}
Comment 2 Jakub Hrozek 2016-03-01 10:56:31 EST
Fixed upstream:
    * master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
    * sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54
Comment 4 Scott Poore 2016-03-02 13:20:48 EST
Jakub,

Can you clarify what was fixed?  Clearing the cache may still be necessary depending on timing, correct?

In a quick check, I saw this:

[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.19 -> dest=:1.22 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2ecom/471200001"

[root@rhel6-3 ~]# sss_cache -E

[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found

Thanks,
Scott
Comment 5 Jakub Hrozek 2016-03-02 14:46:54 EST
Sure, the cache might be either cleared or you need to set a short timeout and wait until it passes.
Comment 6 Scott Poore 2016-03-02 22:26:49 EST
Verified.

Version ::

sssd-1.13.3-17.el6.x86_64


Results ::

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-add testuser1 --first=test --last=user1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: test
  Last name: user1
  Full name: test user1
  Display name: test user1
  Initials: tu
  Home directory: /home/testuser1
  GECOS field: test user1
  Login shell: /bin/sh
  Kerberos principal: testuser1@TESTRELM.TEST
  Email address: testuser1@testrelm.test
  UID: 1037000001
  GID: 1037000001
  Password: False
  Kerberos keys available: False

[root@ibm-x3650m4-01-vm-06 ~]# openssl req -x509 -new -newkey rsa:2048 -nodes \
>     -keyout rsakey.pem -out rsacert.pem -subj "/CN=testuser1"
Generating a 2048 bit RSA private key
...................+++
.....................+++
writing new private key to 'rsakey.pem'
-----

[root@ibm-x3650m4-01-vm-06 ~]# USERCERT="$(grep -v "\-----" rsacert.pem | tr -d '[\n]')"

[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1@TESTRELM.TEST
  mail: testuser1@testrelm.test
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
  usercertificate;binary: <certificate value omitted>
----------------------------
Number of entries returned 1
----------------------------

[root@ibm-x3650m4-01-vm-06 ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1

[root@ibm-x3650m4-01-vm-06 ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf

[root@ibm-x3650m4-01-vm-06 ~]# service sssd restart
Stopping sssd: [  OK  ]
Starting sssd: [  OK  ]

[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.23 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"

[root@ibm-x3650m4-01-vm-06 ~]# id testuser1
uid=1037000001(testuser1) gid=1037000001(testuser1) groups=1037000001(testuser1)

[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> delete: usercertificate;binary
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"


[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1@TESTRELM.TEST
  mail: testuser1@testrelm.test
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------

[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.24 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"

[root@ibm-x3650m4-01-vm-06 ~]# sss_cache -E

[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
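The procedure in the description and the verification steps in Comment 6 can be turned into a repeatable regression check. The script below is an added example, not code from the bug report or from the sssd project: it converts a PEM certificate into the base64 form an LDIF `userCertificate;binary::` value needs, emits the LDIF that strips the attribute, classifies the `dbus-send` reply (user found, `org.freedesktop.sssd.Error.NotFound`, or some other error) and, in `check_cert_removal`, ties those pieces together exactly as Comment 6 does: remove the certificate, run `sss_cache -E`, and require the lookup to fail. It assumes an IPA-enrolled client with `sssd-dbus` installed and `ifp` enabled in `/etc/sssd/sssd.conf`; the user DN, bind DN and password on the command line are placeholders.

```shell
#!/bin/bash
# Added example (not from the bug report or the sssd project): a scripted
# version of the check performed in the description and in Comment 6.
# Assumes an IPA-enrolled client with sssd-dbus installed and "ifp" listed in
# the services of /etc/sssd/sssd.conf. DN, bind DN and password are placeholders.

IFP_DEST=org.freedesktop.sssd.infopipe
IFP_PATH=/org/freedesktop/sssd/infopipe/Users
IFP_METHOD=org.freedesktop.sssd.infopipe.Users.FindByCertificate

# PEM -> single-line base64 DER, the form an LDIF "userCertificate;binary::"
# value needs (same idea as the grep/tr pipeline in Comment 6, but keyed on the
# BEGIN/END markers so extra text around the certificate is not picked up).
pem_to_b64() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '^-----' | tr -d '\n\r'
}

# LDIF that strips the certificate attribute from a user entry.
ldif_delete_cert() {
    printf 'dn: %s\nchangetype: modify\ndelete: userCertificate;binary\n' "$1"
}

# Classify a captured dbus-send reply. Prints "found <object path>" when the
# lookup resolved a user, "notfound" on org.freedesktop.sssd.Error.NotFound,
# and "error" for anything else (for example, the ifp responder not running).
classify_reply() {
    if printf '%s\n' "$1" | grep -q 'org.freedesktop.sssd.Error.NotFound'; then
        echo notfound
    elif printf '%s\n' "$1" | grep -q 'object path "'; then
        echo "found $(printf '%s\n' "$1" | sed -n 's/.*object path "\([^"]*\)".*/\1/p')"
    else
        echo error
    fi
}

# Run the real lookup through the InfoPipe responder and classify the reply.
find_by_cert() {
    classify_reply "$(dbus-send --print-reply --system --dest="$IFP_DEST" \
        "$IFP_PATH" "$IFP_METHOD" string:"$(cat "$1")" 2>&1)"
}

# The regression check: remove the certificate, flush the cache the way
# Comment 6 does, and require the lookup to fail. Returns 0 when sssd behaves
# like the fixed build, 1 when the stale certificate mapping is still served.
check_cert_removal() {
    user_dn=$1; bind_dn=$2; bind_pw=$3; cert=$4
    echo "before removal: $(find_by_cert "$cert")"
    ldif_delete_cert "$user_dn" | ldapmodify -x -D "$bind_dn" -w "$bind_pw" >/dev/null
    sss_cache -E
    after=$(find_by_cert "$cert")
    echo "after removal + sss_cache -E: $after"
    [ "$after" = notfound ]
}

# Usage (placeholders): ./check.sh 'uid=testuser1,cn=users,cn=accounts,dc=example,dc=test' \
#                                   'cn=Directory Manager' 'PASSWORD_PLACEHOLDER' rsacert.pem
if [ "$#" -eq 4 ]; then
    check_cert_removal "$@"
fi
```

Per Comment 5, `sss_cache -E` is one of two ways to make the removal visible on a fixed build; the other is a short `entry_cache_timeout` in the domain section of `sssd.conf` followed by waiting for it to elapse, in which case the `sss_cache -E` line can be dropped and the check re-run after the timeout.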
Comment 8 errata-xmlrpc 2016-05-10 16:26:40 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html
