Hide Forgot
Description of problem: While trying to test IPA Smart Card functionality, I ran into a problem searching for users by certificate using the dbus-send method: [root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser100.pem)" Error org.freedesktop.sssd.Error.NotFound: User not found Version-Release number of selected component (if applicable): ipa-server-4.5.0-8.el7.x86_64 sssd-1.15.2-17.el7.x86_64 How reproducible: Unknown but, appears to be reproducible. Steps to Reproduce: 1. Install IPA Server 2. Create user and generate cert 3. search for user with SSSD D-Bus FindByCertificate Actual results: Cannot find user. Expected results: Finds user with cerificate. Additional info: [root@master ~]# ipa user-add testuser100 --first=f --last=l --password Password: Enter Password again to verify: ------------------------ Added user "testuser100" ------------------------ User login: testuser100 First name: f Last name: l Full name: f l Display name: f l Initials: fl Home directory: /home/testuser100 GECOS: f l Login shell: /bin/sh Principal name: testuser100@TESTRELM.TEST Principal alias: testuser100@TESTRELM.TEST Email address: testuser100@testrelm.test UID: 604400003 GID: 604400003 Password: True Member of groups: ipausers Kerberos keys available: True [root@master ~]# kinit testuser100 Password for testuser100@TESTRELM.TEST: Password expired. You must change it now. Enter new password: Enter it again: [root@master ~]# kdestroy -A [root@master ~]# kinit admin Password for admin@TESTRELM.TEST: [root@master ~]# openssl req -out testuser100.csr -new -newkey rsa:1024 -nodes -keyout testuser100.key -subj '/CN=testuser100' Generating a 1024 bit RSA private key ...............++++++ ...................++++++ writing new private key to 'testuser100.key' ----- [root@master ~]# ipa cert-request testuser100.csr --principal=testuser100 --certificate-out=testuser100.pem Issuing CA: ipa Certificate: MIIDjTCCAnWgAwIBAgIBEjANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTAxMTczMjI1WhcNMTkwNTAyMTczMjI1WjAuMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRQwEgYDVQQDDAt0ZXN0dXNlcjEwMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9/heovurrJtJYO+amRPHQ5oXHlhRRIC5o2G/e9eUPTG2cQuZdY62vN3O6c64ONoSIOdIO3k/P7+VTTyDcvTyh16ITe6tqIGjGACduYXgeKn3GwYxALEHCPSbr3oeJeTUFJuLlxQ6KL2ygy4Z8pYDc5++ewvVoUS/WXlqyYA8NasCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFNv1rOQ/swr5bwPcixbkKa9ldAl5MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRQpu7g+DS8fSO8rpWjYJ2Fw6LwhzANBgkqhkiG9w0BAQsFAAOCAQEALy0gI6Y0d1O2SxN02/3uBlizNdLsv/vvkyzeUyamVFbpjGpkIerrIJ0I7Kh93ZP8dwZQTpqu+aRVRT0EWTqCAKhUev17LbMAPj9aLw/TrukDtmdwlMd+Ld3uPPx5yUuy89uclllRANHMPkCjsdMVVGwEJ4Kwcmzg22nnCjERU1rQ9WFtjHR6Pukp2AY8PpBJKU2zH80l2GhxM7yGAuk5O7293qq0KQVf2QsPyBpK0LERJAHnOvX7RwgbgExT9pyiGTYNn2SzcHYEW79eod7aA8SKriPbXfrY5m/fDRQ0w+sAKHVKQ/dIXkL7MWNcxIFzNA7sX5TkMDTU+gyZ87R6AQ== Subject: CN=testuser100,O=TESTRELM.TEST Issuer: CN=Certificate Authority,O=TESTRELM.TEST Not Before: Mon May 01 17:32:25 2017 UTC Not After: Thu May 02 17:32:25 2019 UTC Serial number: 18 Serial number (hex): 0x12 [root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser100.pem)" Error org.freedesktop.sssd.Error.NotFound: User not found
Created attachment 1275456 [details] sssd ifp log
Created attachment 1275457 [details] sssd domain log
adding keyword regression based on this search feature being added in but #1202724
sorry, bug #1202724
Note that ListByCertificate doesn't appear to return anything either: [root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser100.pem)" uint32:10 method return sender=:1.48 -> dest=:1.57 reply_serial=2 array [ ]
FYI, a little more testing revealed this is happening when certmaprules are added: ipa certmaprule-add testrule1 --matchrule='<ISSUER>CN=Certificate,O=TESTRELM.TEST' --maprule='(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})' Then IPA (and maybe) D-Bus need to be restarted. I reproduced this on a fresh install. First the FindBuCertificate worked. Then I added a certmap rule (like above). It still worked, so I restart IPA, SSSD, and D-Bus, and it failed.
Thinking that maybe added certmapdata to a user might help, [root@mgmt2 ~]# ipa user-add-certmapdata testuser1 --certificate=$(cat testuser1.crt|sed '/CERT/d'|tr -d '\r\n') ---------------------------------------------- Added certificate mappings to user "testuser1" ---------------------------------------------- User login: testuser1 Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=testuser1 [root@mgmt2 ~]# systemctl stop sssd [root@mgmt2 ~]# rm -rf /var/lib/sss/{db,mc}/* [root@mgmt2 ~]# ipactl restart Stopping pki-tomcatd Service Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting ntpd Service Restarting pki-tomcatd Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service ipa: INFO: The ipactl command was successful [root@mgmt2 ~]# systemctl start sssd [root@mgmt2 ~]# systemctl restart dbus PolicyKit daemon disconnected from the bus. We are no longer a registered authentication agent. [root@mgmt2 log]# ipa user-remove-cert testuser1 --certificate=MIIE... ------------------------------------------ Removed certificates from user "testuser1" ------------------------------------------ User login: testuser1 [root@mgmt2 ~]# ipa certmap-match testuser1.crt --------------- 0 users matched --------------- ---------------------------- Number of entries returned 0 ---------------------------- [root@mgmt2 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser1.crt)" uint32:10 method return sender=:1.5 -> dest=:1.9 reply_serial=2 array [ ] [root@mgmt2 ~]#
There is a typo in your matching rule '<ISSUER>CN=Certificate,O=TESTRELM.TEST' vs '<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST' After changing it the user was found: # dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser1.crt)" uint32:10 method return sender=:1.57 -> dest=:1.58 reply_serial=2 array [ object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1991200001" ] # ipa certmap-match testuser1.crt -------------- 1 user matched -------------- Domain: TESTRELM.TEST User logins: testuser1 ------------------------------------- Anzahl der zurückgegebenen Einträge 1 ------------------------------------- Closing as NOTABUG.
Ok, so with no cert added for the user and with proper rules and certmapdata, yes, I can see it work now on a different server as well. However, if I leave the certmaprule, remove the certmapdata from the user, and add the whole certificate to the user, I cannot find the user: [root@mgmt2 ~]# ipa user-show testuser1 User login: testuser1 First name: f Last name: l Home directory: /home/testuser1 Login shell: /bin/sh Principal name: testuser1@TESTRELM.TEST Principal alias: testuser1@TESTRELM.TEST Email address: testuser1@testrelm.test UID: 1991200001 GID: 1991200001 Certificate: MIIE... Account disabled: False Password: True Member of groups: ipausers Kerberos keys available: True [root@mgmt2 ~]# ipa certmaprule-find ------------------------------------------- 1 Certificate Identity Mapping Rule matched ------------------------------------------- Rule name: testrule1 Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}) Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST Enabled: TRUE ---------------------------- Number of entries returned 1 ---------------------------- [root@mgmt2 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; ipactl restart ; systemctl start sssd ; systemctl restart dbus; echo "sleeping...."; sleep 60 Restarting Directory Service Restarting krb5kdc Service Restarting kadmin Service Restarting named Service Restarting httpd Service Restarting ipa-custodia Service Restarting ntpd Service Restarting ipa-otpd Service Restarting ipa-dnskeysyncd Service Starting pki-tomcatd Service ipa: INFO: The ipactl command was successful PolicyKit daemon disconnected from the bus. We are no longer a registered authentication agent. sleeping.... [root@mgmt2 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser1.crt)" Error org.freedesktop.sssd.Error.NotFound: User not found What's wrong in that scenario? So, the issue appears to be when a certmaprule exists but, the user has the whole cert and no certmapdata set.
(In reply to Scott Poore from comment #11) > Ok, so with no cert added for the user and with proper rules and > certmapdata, yes, I can see it work now on a different server as well. > > > However, if I leave the certmaprule, remove the certmapdata from the user, > and add the whole certificate to the user, I cannot find the user: > ... > > What's wrong in that scenario? So, the issue appears to be when a > certmaprule exists but, the user has the whole cert and no certmapdata set. That's expected. If there are no certmap rules added SSSD will look for the whole certificate as in older version. If you add certmap rules only the rules will be used. So, if you want to search a user with the whole certificate you have to add a rule with a mapping rule like '(userCertificate;binary={cert!bin})' HTH bye, Sumit
Ok, I think we've answered my questions here. There were actually two separate issues that caused this "apparent" failure: https://pagure.io/SSSD/sssd/issue/3387 dbus infopipe activation issue. If I waited a little longer and re-ran, it works if there isn't a problem with the rules. https://pagure.io/SSSD/sssd/issue/3388 problem with multiple matching rules where if I have a user with whole cert but, two different rules for same issuer, it may not always match. workaround for those two: 1. wait longer and re-run dbus-send search. 2. combine two rules into a single rule per issuer: ipa certmaprule-add combined --matchrule='<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST' --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))' Those two bugs will be cloned to bz separately.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3387
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3388
* master: 1a89fc33d1b9b1070c7ab83fb0314e538ac46736
Verified. Version :: sssd-1.15.2-30.el7.x86_64 Results :: # dbus searches seem to work with no delay like before and when infopipe isn't started when sssd is. 2017-05-19 14:50:30 MDT [root@dhcp129-184 testing]# ipa user-add-cert demosc1 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n') ------------------------------------ Added certificates to user "demosc1" ------------------------------------ Anmeldename: demosc1 Zertifikat: MII... 2017-05-19 14:50:41 MDT [root@dhcp129-184 testing]# ipa user-add-cert demosc2 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n') ------------------------------------ Added certificates to user "demosc2" ------------------------------------ Anmeldename: demosc2 Zertifikat: MII... 2017-05-19 14:50:47 MDT [root@dhcp129-184 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 2017-05-19 14:51:03 MDT [root@dhcp129-184 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10 method return sender=:1.691 -> dest=:1.692 reply_serial=2 array [ object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131" object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132" ] 2017-05-19 14:51:07 MDT [root@dhcp129-184 testing]# vim /etc/sssd/sssd.conf 2017-05-19 14:52:30 MDT [root@dhcp129-184 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 2017-05-19 14:52:35 MDT [root@dhcp129-184 testing]# ps -ef|grep sssd root 2126 1 0 14:52 ? 00:00:00 /usr/sbin/sssd -i -f root 2129 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files root 2130 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files root 2131 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files root 2132 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files root 2133 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files root 2134 2126 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files root 2139 1899 0 14:52 pts/0 00:00:00 grep --color=auto sssd 2017-05-19 14:52:44 MDT [root@dhcp129-184 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10 method return sender=:1.696 -> dest=:1.695 reply_serial=2 array [ object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131" object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132" ] 2017-05-19 14:52:48 MDT [root@dhcp129-184 testing]# ps -ef|grep sssd_ifp root 2142 1 0 14:52 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated root 2144 1899 0 14:52 pts/0 00:00:00 grep --color=auto sssd_ifp
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294