Bug 1447098 - sssd unable to search dbus for ipa user by certificate.
Summary: sssd unable to search dbus for ipa user by certificate.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-05-01 17:47 UTC by Scott Poore
Modified: 2020-05-02 18:40 UTC (History)

Fixed In Version: sssd-1.15.2-30.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-08-01 09:06:23 UTC
Target Upstream Version:


Attachments
sssd ifp log (190.52 KB, text/plain)
2017-05-01 17:49 UTC, Scott Poore
sssd domain log (1.21 MB, text/plain)
2017-05-01 17:49 UTC, Scott Poore


Links
System ID Priority Status Summary Last Updated
Github SSSD sssd issues 4414 None None None 2020-05-02 18:40:36 UTC
Red Hat Product Errata RHEA-2017:2294 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Scott Poore 2017-05-01 17:47:32 UTC
Description of problem:


While trying to test IPA Smart Card functionality, I ran into a problem searching for users by certificate using the dbus-send method:

[root@master ~]# dbus-send --system --print-reply  --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser100.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found


Version-Release number of selected component (if applicable):
ipa-server-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64


How reproducible:
Unknown, but appears to be reproducible.

Steps to Reproduce:
1.  Install IPA Server
2.  Create user and generate cert
3.  Search for user with SSSD D-Bus FindByCertificate



Actual results:

Cannot find user.

Expected results:

Finds user with certificate.

Additional info:

[root@master ~]# ipa user-add testuser100 --first=f --last=l --password
Password: 
Enter Password again to verify: 
------------------------
Added user "testuser100"
------------------------
  User login: testuser100
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser100
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser100@TESTRELM.TEST
  Principal alias: testuser100@TESTRELM.TEST
  Email address: testuser100@testrelm.test
  UID: 604400003
  GID: 604400003
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


[root@master ~]# kinit testuser100
Password for testuser100@TESTRELM.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@master ~]# kdestroy -A

[root@master ~]# kinit admin
Password for admin@TESTRELM.TEST: 

[root@master ~]# openssl req -out testuser100.csr -new -newkey rsa:1024 -nodes -keyout testuser100.key -subj '/CN=testuser100'
Generating a 1024 bit RSA private key
...............++++++
...................++++++
writing new private key to 'testuser100.key'
-----


[root@master ~]# ipa cert-request testuser100.csr --principal=testuser100 --certificate-out=testuser100.pem
  Issuing CA: ipa
  Certificate: MIIDjTCCAnWgAwIBAgIBEjANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTAxMTczMjI1WhcNMTkwNTAyMTczMjI1WjAuMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRQwEgYDVQQDDAt0ZXN0dXNlcjEwMDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA9/heovurrJtJYO+amRPHQ5oXHlhRRIC5o2G/e9eUPTG2cQuZdY62vN3O6c64ONoSIOdIO3k/P7+VTTyDcvTyh16ITe6tqIGjGACduYXgeKn3GwYxALEHCPSbr3oeJeTUFJuLlxQ6KL2ygy4Z8pYDc5++ewvVoUS/WXlqyYA8NasCAwEAAaOCAS4wggEqMB8GA1UdIwQYMBaAFNv1rOQ/swr5bwPcixbkKa9ldAl5MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRQpu7g+DS8fSO8rpWjYJ2Fw6LwhzANBgkqhkiG9w0BAQsFAAOCAQEALy0gI6Y0d1O2SxN02/3uBlizNdLsv/vvkyzeUyamVFbpjGpkIerrIJ0I7Kh93ZP8dwZQTpqu+aRVRT0EWTqCAKhUev17LbMAPj9aLw/TrukDtmdwlMd+Ld3uPPx5yUuy89uclllRANHMPkCjsdMVVGwEJ4Kwcmzg22nnCjERU1rQ9WFtjHR6Pukp2AY8PpBJKU2zH80l2GhxM7yGAuk5O7293qq0KQVf2QsPyBpK0LERJAHnOvX7RwgbgExT9pyiGTYNn2SzcHYEW79eod7aA8SKriPbXfrY5m/fDRQ0w+sAKHVKQ/dIXkL7MWNcxIFzNA7sX5TkMDTU+gyZ87R6AQ==
  Subject: CN=testuser100,O=TESTRELM.TEST
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Mon May 01 17:32:25 2017 UTC
  Not After: Thu May 02 17:32:25 2019 UTC
  Serial number: 18
  Serial number (hex): 0x12


[root@master ~]# dbus-send --system --print-reply  --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser100.pem)"
Error org.freedesktop.sssd.Error.NotFound: User not found

Comment 2 Scott Poore 2017-05-01 17:49:05 UTC
Created attachment 1275456 [details]
sssd ifp log

Comment 3 Scott Poore 2017-05-01 17:49:31 UTC
Created attachment 1275457 [details]
sssd domain log

Comment 4 Scott Poore 2017-05-01 17:50:30 UTC
adding keyword regression based on this search feature being added in but #1202724

Comment 6 Scott Poore 2017-05-01 17:51:10 UTC
sorry, bug #1202724

Comment 7 Scott Poore 2017-05-01 17:55:53 UTC
Note that ListByCertificate doesn't appear to return anything either:

[root@master ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser100.pem)" uint32:10
method return sender=:1.48 -> dest=:1.57 reply_serial=2
   array [
   ]

Comment 8 Scott Poore 2017-05-01 22:46:22 UTC
FYI, a little more testing revealed this is happening when certmaprules are added:

ipa certmaprule-add testrule1 --matchrule='<ISSUER>CN=Certificate,O=TESTRELM.TEST' --maprule='(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'


Then IPA (and maybe D-Bus) need to be restarted.

I reproduced this on a fresh install.  First the FindByCertificate worked.  Then I added a certmap rule (like above).  It still worked, so I restarted IPA, SSSD, and D-Bus, and it failed.

Comment 9 Scott Poore 2017-05-01 22:59:41 UTC
Thinking that maybe adding certmapdata to a user might help:

[root@mgmt2 ~]# ipa user-add-certmapdata testuser1 --certificate=$(cat testuser1.crt|sed '/CERT/d'|tr -d '\r\n')
----------------------------------------------
Added certificate mappings to user "testuser1"
----------------------------------------------
  User login: testuser1
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate
                            Authority<S>O=TESTRELM.TEST,CN=testuser1


[root@mgmt2 ~]# systemctl stop sssd

[root@mgmt2 ~]# rm -rf /var/lib/sss/{db,mc}/*

[root@mgmt2 ~]# ipactl restart
Stopping pki-tomcatd Service
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

[root@mgmt2 ~]# systemctl start sssd

[root@mgmt2 ~]# systemctl restart dbus
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.

[root@mgmt2 log]# ipa user-remove-cert testuser1 --certificate=MIIE...
------------------------------------------
Removed certificates from user "testuser1"
------------------------------------------
  User login: testuser1


[root@mgmt2 ~]# ipa certmap-match testuser1.crt
---------------
0 users matched
---------------
----------------------------
Number of entries returned 0
----------------------------
[root@mgmt2 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser1.crt)"  uint32:10
method return sender=:1.5 -> dest=:1.9 reply_serial=2
   array [
   ]
[root@mgmt2 ~]#

Comment 10 Sumit Bose 2017-05-02 08:58:41 UTC
There is a typo in your matching rule '<ISSUER>CN=Certificate,O=TESTRELM.TEST' vs '<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST'

After changing it the user was found:

# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat testuser1.crt)" uint32:10
method return sender=:1.57 -> dest=:1.58 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/1991200001"
   ]


# ipa certmap-match testuser1.crt
--------------
1 user matched
--------------
  Domain: TESTRELM.TEST
  User logins: testuser1
-------------------------------------
Anzahl der zurückgegebenen Einträge 1
-------------------------------------


Closing as NOTABUG.

Comment 11 Scott Poore 2017-05-02 12:52:58 UTC
Ok, so with no cert added for the user and with proper rules and certmapdata, yes, I can see it work now on a different server as well.


However, if I leave the certmaprule, remove the certmapdata from the user, and add the whole certificate to the user, I cannot find the user:

[root@mgmt2 ~]# ipa user-show testuser1
  User login: testuser1
  First name: f
  Last name: l
  Home directory: /home/testuser1
  Login shell: /bin/sh
  Principal name: testuser1@TESTRELM.TEST
  Principal alias: testuser1@TESTRELM.TEST
  Email address: testuser1@testrelm.test
  UID: 1991200001
  GID: 1991200001
  Certificate: MIIE...
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@mgmt2 ~]# ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: testrule1
  Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------


[root@mgmt2 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; ipactl restart ; systemctl start sssd ; systemctl restart dbus; echo "sleeping...."; sleep 60
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
Starting pki-tomcatd Service
ipa: INFO: The ipactl command was successful
PolicyKit daemon disconnected from the bus.
We are no longer a registered authentication agent.
sleeping....



[root@mgmt2 ~]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.FindByCertificate string:"$(cat testuser1.crt)" 
Error org.freedesktop.sssd.Error.NotFound: User not found

What's wrong in that scenario?  So, the issue appears to be when a certmaprule exists but the user has the whole cert and no certmapdata set.

Comment 12 Sumit Bose 2017-05-02 13:05:03 UTC
(In reply to Scott Poore from comment #11)
> Ok, so with no cert added for the user and with proper rules and
> certmapdata, yes, I can see it work now on a different server as well.
> 
> 
> However,  if I leave the certmaprule, remove the certmapdata from the user,
> and add the whole certificate to the user, I cannot find the user:
> 

...

> 
> What's wrong in that scenario?  So, the issue appears to be when a
> certmaprule exists but, the user has the whole cert and no certmapdata set.

That's expected. If there are no certmap rules added, SSSD will look for the whole certificate as in older versions.

If you add certmap rules, only the rules will be used. So, if you want to search for a user with the whole certificate, you have to add a rule with a mapping rule like '(userCertificate;binary={cert!bin})'

HTH

bye,
Sumit

Comment 13 Scott Poore 2017-05-02 15:21:05 UTC
Ok, I think we've answered my questions here.

There were actually two separate issues that caused this "apparent" failure:

https://pagure.io/SSSD/sssd/issue/3387 

D-Bus infopipe activation issue. If I waited a little longer and re-ran, it works if there isn't a problem with the rules.

https://pagure.io/SSSD/sssd/issue/3388

Problem with multiple matching rules: if I have a user with the whole cert but two different rules for the same issuer, it may not always match.

Workarounds for those two:

1. wait longer and re-run dbus-send search.

2. combine two rules into a single rule per issuer:

ipa certmaprule-add combined --matchrule='<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST' --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))'

Those two bugs will be cloned to bz separately.
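The three ways the lookups in this thread went wrong (the issuer typo in comment 10, a rule that only maps ipacertmapdata while the user carries only userCertificate in comments 11 and 12, and the combined rule from comment 13) can be checked before touching a server. The following is an added pre-flight script, not SSSD's or IPA's code; it takes the DNs as `ipa cert-request` prints them and assumes that the text after `<ISSUER>` is a case-insensitive regular expression searched in the issuer DN, and that `{..!nss_x500}` reverses the RDN order, which is what the certmapdata shown in comment 9 indicates.

```python
import re

# Constructed sample values copied from this bug's own output (comments 9 and 11).
ISSUER_DN = "CN=Certificate Authority,O=TESTRELM.TEST"   # LDAP order, as IPA prints it
SUBJECT_DN = "CN=testuser1,O=TESTRELM.TEST"


def split_rdns(dn):
    """Split an RFC 4514 DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def nss_x500(dn):
    """Reverse the RDN order, which is what the {..!nss_x500} template produced
    in comment 9: 'CN=testuser1,O=TESTRELM.TEST' -> 'O=TESTRELM.TEST,CN=testuser1'."""
    return ",".join(reversed(split_rdns(dn)))


def expected_certmapdata(issuer_dn, subject_dn):
    """The ipacertmapdata value a user must carry for the mapping rule
    '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})' to hit."""
    return f"X509:<I>{nss_x500(issuer_dn)}<S>{nss_x500(subject_dn)}"


def issuer_matches(matchrule, issuer_dn):
    """Assumption: the part after <ISSUER> is a case-insensitive regex searched in
    the issuer DN. 'CN=Certificate,O=TESTRELM.TEST' (the comment 10 typo) is not a
    substring of the real issuer, so that rule never matches."""
    m = re.search(r"<ISSUER>(.+)", matchrule)
    if not m:
        return True  # no issuer restriction in this match rule
    return re.search(m.group(1), issuer_dn, re.IGNORECASE) is not None


def lookup_paths(rules, issuer_dn):
    """Report which lookups the active rules allow for a certificate from issuer_dn.
    rules: list of (name, matchrule, maprule). With no rules at all SSSD falls back
    to the whole-certificate search (comment 12); with rules, only rules are used."""
    if not rules:
        return {"whole_cert": True, "certmapdata": False, "matching_rules": []}
    hit = [r for r in rules if issuer_matches(r[1], issuer_dn)]
    return {
        # a user stored with only userCertificate is found only via {cert!bin}
        "whole_cert": any("{cert!bin}" in r[2] for r in hit),
        # a user stored with ipacertmapdata needs a rule that queries that attribute
        "certmapdata": any("ipacertmapdata=" in r[2] for r in hit),
        "matching_rules": [r[0] for r in hit],
    }
```

Feed `lookup_paths` the output of `ipa certmaprule-find` and the issuer of the certificate being tested; an empty `matching_rules` list points at the issuer string, and `whole_cert: False` points at a rule without `{cert!bin}`.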

Comment 14 Jakub Hrozek 2017-05-03 20:26:54 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3387

Comment 15 Jakub Hrozek 2017-05-03 20:27:41 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3388

Comment 18 Sumit Bose 2017-05-17 14:42:54 UTC
* master: 1a89fc33d1b9b1070c7ab83fb0314e538ac46736

Comment 20 Scott Poore 2017-05-19 20:55:01 UTC
Verified.

Version ::

sssd-1.15.2-30.el7.x86_64

Results ::

# dbus searches seem to work with no delay like before and when infopipe isn't started when sssd is.

2017-05-19 14:50:30 MDT 
[root@dhcp129-184 testing]# ipa user-add-cert demosc1 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n')
------------------------------------
Added certificates to user "demosc1"
------------------------------------
  Anmeldename: demosc1
  Zertifikat: MII...

2017-05-19 14:50:41 MDT 
[root@dhcp129-184 testing]# ipa user-add-cert demosc2 --certificate=$(cat /root/testing/demosc1_cert1.crt|sed '/CERT/d'|tr -d '\r\n')
------------------------------------
Added certificates to user "demosc2"
------------------------------------
  Anmeldename: demosc2
  Zertifikat: MII...

2017-05-19 14:50:47 MDT 
[root@dhcp129-184 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

2017-05-19 14:51:03 MDT 
[root@dhcp129-184 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.691 -> dest=:1.692 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132"
   ]

2017-05-19 14:51:07 MDT 
[root@dhcp129-184 testing]# vim /etc/sssd/sssd.conf

2017-05-19 14:52:30 MDT 
[root@dhcp129-184 testing]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
2017-05-19 14:52:35 MDT 
[root@dhcp129-184 testing]# ps -ef|grep sssd
root      2126     1  0 14:52 ?        00:00:00 /usr/sbin/sssd -i -f
root      2129  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain testrelm.test --uid 0 --gid 0 --debug-to-files
root      2130  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --debug-to-files
root      2131  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --debug-to-files
root      2132  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --debug-to-files
root      2133  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --debug-to-files
root      2134  2126  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --debug-to-files
root      2139  1899  0 14:52 pts/0    00:00:00 grep --color=auto sssd

2017-05-19 14:52:44 MDT 
[root@dhcp129-184 testing]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /root/testing/demosc1_cert1.crt)" uint32:10
method return sender=:1.696 -> dest=:1.695 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400131"
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/576400132"
   ]

2017-05-19 14:52:48 MDT 
[root@dhcp129-184 testing]# ps -ef|grep sssd_ifp
root      2142     1  0 14:52 ?        00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --debug-to-files --dbus-activated
root      2144  1899  0 14:52 pts/0    00:00:00 grep --color=auto sssd_ifp

Comment 21 errata-xmlrpc 2017-08-01 09:06:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

