Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1445445

Summary: Smart card login fails if same cert mapped to IdM user and AD user
Product: Red Hat Enterprise Linux 7 Reporter: Florence Blanc-Renaud <frenaud>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED ERRATA QA Contact: Scott Poore <spoore>
Severity: high Docs Contact:
Priority: unspecified    
Version: 7.4CC: grajaiya, jhrozek, jreznik, ksiddiqu, lmiksik, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, spoore, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: sssd-1.15.2-43.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 09:04:18 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1449726    
Bug Blocks:    

Description Florence Blanc-Renaud 2017-04-25 16:39:14 UTC 
Description of problem:

Configure IPA with an AD trust, then add the same smart card certificate to a user defined in IdM and to a different user defined in AD. Console login with the Smart Card fails.
If the certificate is mapped only to the AD user, console login succeeds.

Version-Release number of selected component (if applicable):
ipa-server 4.5.0-6.el7
sssd 1.15.2-15.el7

How reproducible:


Steps to Reproduce:
1. Configure ipa server with ipa-server-install
2. Prepare the server with ipa-adtrust-install
3. Add the AD trust ipa trust-add --type=ad domain-ad.com --admin Administrator --password --two-way=true
4. Add the smart card cert to an ipa user
kinit admin
CERT=`cat cert.pem | tail -n +2 | head -n -1 | tr -d '\r\n'`
ipa user-add idmuser --first idmuser --last idmuser --certificate $CERT
5. Add the same smart card cert to an AD user bob
6. Check that the cert is mapped to both user
ipa certmap-match cert.pem
---------------
2 users matched
---------------
  Domain: domain-ad.com
  User logins: bob

  Domain: DOMAIN-IDM.COM
  User logins: idmuser
----------------------------
Number of entries returned 2
----------------------------
7. Try to login to the console using the smart card (DOMAIN-AD\bob)


Actual results:
The login console does not prompt for the sc pin but rather for the password.


Expected results:
The login console should prompt for the smart card pin

Additional info:
If the certificate is removed from the idmuser entry, then the smart card login is successful.
Comment 2 Sumit Bose 2017-04-27 14:17:22 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3385
Comment 4 Jakub Hrozek 2017-05-04 09:44:37 UTC 
* master: 92d8b072f8c521e1b4effe109b5caedabd36ed6f
Comment 6 Scott Poore 2017-05-17 17:03:11 UTC 
Moving this one back to assigned because, there are problems with lookups to multiple domains.  I'm also marking this one as depends on bug #1449726.

Results:

Testing just with base level dbus-send shows only the IPA user when running on an IPA Client.  When run from an IPA Server with an AD Trust it does show both IPA and AD Users configured with the cert (or certmapdata).


Search from IPA Server:

[root@auto-hv-02-guest08 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.1114 -> dest=:1.1118 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401105"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401106"
   ]


Search from IPA Client:

[root@auto-hv-02-guest03 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.36 -> dest=:1.37 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
   ]


When I remove the certificate from the IPA server and rerun the search, I can then see the AD Users configured with the cert:

[root@auto-hv-02-guest08 ~]# ipa user-mod demosc1 --certificate=''
-----------------------
Modified user "demosc1"
-----------------------
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1
  Principal alias: demosc1
  Email address: demosc1
  UID: 576400131
  GID: 576400131
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


Search from IPA Client again after cert removed from IPA user:

[root@auto-hv-02-guest03 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10 ; date
method return sender=:1.68 -> dest=:1.72 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401105"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401106"
   ]
Wed May 17 12:56:48 EDT 2017

# ^^^ Note there was a delay in getting expected returns but, we're looking into that issue separately.
Comment 8 Sumit Bose 2017-05-23 15:55:26 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3405
Comment 9 Sumit Bose 2017-05-23 15:58:13 UTC 
(In reply to Sumit Bose from comment #8)
> Upstream ticket:
> https://pagure.io/SSSD/sssd/issue/3405

This upstream ticket fixes the delay of about 1 minute which was seen in some tests.
Comment 10 Sumit Bose 2017-05-24 09:11:02 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3407
Comment 11 Sumit Bose 2017-05-24 09:12:32 UTC 
(In reply to Sumit Bose from comment #10)
> Upstream ticket:
> https://pagure.io/SSSD/sssd/issue/3407

This upstream ticket should fix the actual lookup failure.
Comment 12 Jakub Hrozek 2017-05-24 14:09:15 UTC 
Ticket 3407 was fixed with commit eb7095099b2dd0afb1d028dbc15d8c5a897d90f8
Comment 13 Scott Poore 2017-05-25 00:31:47 UTC 
Should this be moved to ON_QA if the fixed in version is updated?  Is this ready for me to test?
Comment 14 Jakub Hrozek 2017-05-25 07:24:32 UTC 
(In reply to Scott Poore from comment #13)
> Should this be moved to ON_QA if the fixed in version is updated?  Is this
> ready for me to test?

I would prefer to only move the BZ to ON_QA when all three related upstream tickets are fixed. So far we still need to fix #3405.

That said, at least according to comment #11, since upstream #3407 is fixed, it would worth be retesting to see if you at least see an improvement.
Comment 15 Lukas Slebodnik 2017-05-25 11:29:21 UTC 
Additional fixes from Ticket 3407:

master:
* eb404bcdbbff7e080a93d816e17b8cec04f79fc4
* 3e3034199b44e01899ec7ba8152fef3738a0e093
Comment 16 Lukas Slebodnik 2017-05-31 13:20:08 UTC 
Fixes for ticket 3405

master:
* 29ee3e0945f8935a2eb01913ba00b540e0a94f01
Comment 19 Scott Poore 2017-06-05 23:45:42 UTC 
Verified.

Version ::

sssd-1.15.2-43.el7.x86_64

Results ::

# On Server:

[root@auto-hv-02-guest08 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1.crt)" uint32:10
method return sender=:1.706 -> dest=:1.707 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1505600004"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401105"
   ]


# On Client:

[root@dhcp129-184 testing]# ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: testrealm_and_ipaadcs12r2
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Domain name: testrelm.test, ipaadcs12r2.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------


[root@dhcp129-184 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1.crt)" uint32:10
method return sender=:1.1269 -> dest=:1.1272 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1505600004"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401105"
   ]


[root@dhcp129-184 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@dhcp129-184 testing]# ipa certmap-match /root/testing/demosc1.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: demosc1

  Domain: ipaadcs12r2.test
  User logins: tempuser1
----------------------------
Number of entries returned 2
----------------------------

[root@dhcp129-184 testing]# su - demosc3 -c "su - demosc1 -c whoami"
PIN for demosc1 (OpenSC Card)
demosc1

[root@dhcp129-184 testing]# su - demosc3 -c "su - tempuser1 -c whoami"
PIN for demosc1 (OpenSC Card)
tempuser1

[root@dhcp129-184 testing]# su - demosc3 -c "su - tempuser2 -c whoami"
Password: 
su: Authentication failure

^^ Last test is expected to fail because the cert is not assigned or mapped for that user.
Comment 20 errata-xmlrpc 2017-08-01 09:04:18 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294