+++ This bug was initially created as a clone of Bug #1308935 +++

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2934

I have org.freedesktop.sssd.infopipe.Users.FindByCertificate working based on https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate. When however I remove the certificate from the user with

{{{
dn: uid=bob,cn=users,cn=accounts,dc=example,dc=test
changetype: modify
delete: usercertificate;binary
}}}

and verify it's gone with

{{{
ipa user-find --all --raw bob
}}}

another

{{{
dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$( openssl x509 < client.crt )"
}}}

still finds the user:

{{{
method return sender=:1.136 -> dest=:1.137 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/569400006"
}}}

Even if I attempt to purge the SSSD cache with {{{ sss_cache -E }}} the {{{dbus-send}}} call still finds the user. Only running

{{{
rm -rf /var/lib/sss/db/*cache* ; systemctl restart sssd
}}}

seems to finally give me

{{{
Error org.freedesktop.sssd.Error.NotFound: User not found
}}}
Fixed upstream:
* master: 659232f194f83ec7c450ce89c3fd41e4e74409f2
* sssd-1-13: 90bd6598f0d8ad9fa8d05419c7e14b64e09e8a54
Jakub,

Can you clarify what was fixed? Clearing the cache may still be necessary depending on timing, correct?

In a quick check, I saw this:

[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.19 -> dest=:1.22 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/example_2ecom/471200001"
[root@rhel6-3 ~]# sss_cache -E
[root@rhel6-3 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found

Thanks,
Scott
Sure, the cache might be either cleared or you need to set a short timeout and wait until it passes.
Verified.

Version :: sssd-1.13.3-17.el6.x86_64

Results ::

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-add testuser1 --first=test --last=user1
----------------------
Added user "testuser1"
----------------------
  User login: testuser1
  First name: test
  Last name: user1
  Full name: test user1
  Display name: test user1
  Initials: tu
  Home directory: /home/testuser1
  GECOS field: test user1
  Login shell: /bin/sh
  Kerberos principal: testuser1
  Email address: testuser1
  UID: 1037000001
  GID: 1037000001
  Password: False
  Kerberos keys available: False
[root@ibm-x3650m4-01-vm-06 ~]# openssl req -x509 -new -newkey rsa:2048 -nodes \
> -keyout rsakey.pem -out rsacert.pem -subj "/CN=testuser1"
Generating a 2048 bit RSA private key
...................+++
.....................+++
writing new private key to 'rsakey.pem'
-----
[root@ibm-x3650m4-01-vm-06 ~]# USERCERT="$(grep -v "\-----" rsacert.pem | tr -d '[\n]')"
[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary::$USERCERT
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1
  mail: testuser1
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
  usercertificate;binary: [base64 certificate value omitted from this copy]
----------------------------
Number of entries returned 1
----------------------------
[root@ibm-x3650m4-01-vm-06 ~]# yum -y install sssd-dbus > /var/log/sssd-dbus.log 2>&1
[root@ibm-x3650m4-01-vm-06 ~]# sed -i 's/\(services = .*$\)/\1, ifp/' /etc/sssd/sssd.conf
[root@ibm-x3650m4-01-vm-06 ~]# service sssd restart
Stopping sssd:                                             [  OK  ]
Starting sssd:                                             [  OK  ]
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.23 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"
[root@ibm-x3650m4-01-vm-06 ~]# id testuser1
uid=1037000001(testuser1) gid=1037000001(testuser1) groups=1037000001(testuser1)
[root@ibm-x3650m4-01-vm-06 ~]# ldapmodify -x -D "cn=Directory Manager" -w Secret123 <<EOF
> dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
> changetype: modify
> delete: usercertificate;binary
> EOF
modifying entry "uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test"

[root@ibm-x3650m4-01-vm-06 ~]# ipa user-find --all --raw testuser1
--------------
1 user matched
--------------
  dn: uid=testuser1,cn=users,cn=accounts,dc=testrelm,dc=test
  uid: testuser1
  givenname: test
  sn: user1
  cn: test user1
  displayname: test user1
  initials: tu
  homedirectory: /home/testuser1
  gecos: test user1
  loginshell: /bin/sh
  krbprincipalname: testuser1
  mail: testuser1
  uidnumber: 1037000001
  gidnumber: 1037000001
  nsaccountlock: False
  has_password: False
  has_keytab: False
  ipauniqueid: eac4ffea-e0ed-11e5-bc2c-5254013ce12e
  krbpwdpolicyreference: cn=global_policy,cn=TESTRELM.TEST,cn=kerberos,dc=testrelm,dc=test
  memberof: cn=ipausers,cn=groups,cn=accounts,dc=testrelm,dc=test
  mepmanagedentry: cn=testuser1,cn=groups,cn=accounts,dc=testrelm,dc=test
  objectclass: top
  objectclass: person
  objectclass: organizationalperson
  objectclass: inetorgperson
  objectclass: inetuser
  objectclass: posixaccount
  objectclass: krbprincipalaux
  objectclass: krbticketpolicyaux
  objectclass: ipaobject
  objectclass: ipasshuser
  objectclass: ipaSshGroupOfPubKeys
  objectclass: mepOriginEntry
----------------------------
Number of entries returned 1
----------------------------
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
method return sender=:1.22 -> dest=:1.24 reply_serial=2
   object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1037000001"
[root@ibm-x3650m4-01-vm-06 ~]# sss_cache -E
[root@ibm-x3650m4-01-vm-06 ~]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat rsacert.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found
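The manual check run in this thread (remove the certificate from LDAP, call FindByCertificate, expect NotFound) as an added example that is not part of this bug report or of SSSD: it parses the dbus-send reply format shown above and flags the stale-cache symptom, where the directory no longer holds the certificate but the InfoPipe still maps it to a user. The sample replies are copied from the report; the `find_by_certificate` helper, which shells out to dbus-send against a live SSSD with the ifp responder, is an assumption of this example.

```python
import re
import subprocess

# Interface names as used in the dbus-send calls in this bug report.
DBUS_DEST = "org.freedesktop.sssd.infopipe"
DBUS_PATH = "/org/freedesktop/sssd/infopipe/Users"
DBUS_METHOD = "org.freedesktop.sssd.infopipe.Users.FindByCertificate"

# Sample replies copied from the report (constructed test input, no live bus needed).
SAMPLE_FOUND = ('method return sender=:1.136 -> dest=:1.137 reply_serial=2\n'
                '   object path "/org/freedesktop/sssd/infopipe/Users/example_2etest/569400006"\n')
SAMPLE_NOT_FOUND = 'Error org.freedesktop.sssd.Error.NotFound: User not found\n'

_OBJ_PATH = re.compile(r'object path "([^"]+)"')
_NOT_FOUND = re.compile(r'Error org\.freedesktop\.sssd\.Error\.NotFound')
_ESCAPED = re.compile(r'_([0-9a-fA-F]{2})')


def parse_reply(output):
    """Return (domain, uid) for a found user, None on NotFound, else raise ValueError."""
    m = _OBJ_PATH.search(output)
    if m:
        path = m.group(1)
        if not path.startswith(DBUS_PATH + "/"):
            raise ValueError("unexpected object path: " + path)
        escaped_domain, uid = path[len(DBUS_PATH) + 1:].split("/")
        # SSSD escapes characters not valid in an object path as _XX (hex),
        # so the domain "example.test" shows up as "example_2etest".
        domain = _ESCAPED.sub(lambda h: chr(int(h.group(1), 16)), escaped_domain)
        return domain, int(uid)
    if _NOT_FOUND.search(output):
        return None
    raise ValueError("unrecognised dbus-send reply: " + output.strip())


def classify(reply_output, cert_in_directory):
    """Compare the InfoPipe answer with the directory: 'stale' is this bug's symptom."""
    found = parse_reply(reply_output) is not None
    if found and not cert_in_directory:
        return "stale"        # cert deleted in LDAP, cached mapping still resolves it
    if not found and cert_in_directory:
        return "missing"      # cert present but lookup fails (e.g. ifp not enabled)
    return "consistent"


def find_by_certificate(cert_pem):
    """Assumed helper: run the report's dbus-send call on a live host and parse it."""
    out = subprocess.run(
        ["dbus-send", "--print-reply", "--system", "--dest=" + DBUS_DEST,
         DBUS_PATH, DBUS_METHOD, "string:" + cert_pem],
        capture_output=True, text=True, check=False)
    return parse_reply(out.stdout + out.stderr)  # errors are printed on stderr
```

After deleting the certificate in LDAP, a `classify(..., cert_in_directory=False)` result of "stale" reproduces the bug; on the fixed build it should read "consistent" once the cache is cleared or the cache timeout has passed.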
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-0782.html