Bug 1489895
| Field | Value |
|---|---|
| Summary: | Issues with certificate mapping rules |
| Product: | Red Hat Enterprise Linux 7 |
| Reporter: | Sumit Bose <sbose> |
| Component: | sssd |
| Assignee: | SSSD Maintainers <sssd-maint> |
| Status: | CLOSED ERRATA |
| QA Contact: | ipa-qe <ipa-qe> |
| Severity: | urgent |
| Docs Contact: | |
| Priority: | high |
| Version: | 7.4 |
| CC: | ekeck, fidencio, grajaiya, jhrozek, lslebodn, mkosek, mzidek, ndehadra, pbrezina, sbose, sgoveas, spoore, tscherf |
| Target Milestone: | rc |
| Keywords: | ZStream |
| Target Release: | --- |
| Flags: | spoore: needinfo+ |
| Hardware: | Unspecified |
| OS: | Unspecified |
| Whiteboard: | |
| Fixed In Version: | sssd-1.16.0-1.el7 |
| Doc Type: | If docs needed, set a value |
| Doc Text: | |
| Story Points: | --- |
| Clone Of: | |
| Clones: | 1493916 (view as bug list) |
| Environment: | |
| Last Closed: | 2018-04-10 17:16:19 UTC |
| Type: | Bug |
| Regression: | --- |
| Mount Type: | --- |
| Documentation: | --- |
| CRM: | |
| Verified Versions: | |
| Category: | --- |
| oVirt Team: | --- |
| RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- |
| Target Upstream Version: | |
| Embargoed: | |
| Bug Depends On: | |
| Bug Blocks: | 1493916 |
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3508

master:
* f2e70ec742cd7aab82b74d7e4b424ba3258da7aa
* f5a8cd60c6f377af1954b58f007d16cf3f6dc846

IPA-VERSION: ipa-server-4.5.4-6.el7.x86_64
SSSD-VERSION: sssd-1.16.0-10.el7.x86_64
Verified the bug based on tests performed in the scenarios below:
Scenario 1: EKU crash:
[root@auto-hv-01-guest08 ~]# kinit admin
Password for admin:
[root@auto-hv-01-guest08 ~]# ipa certmaprule-add ekutest '--maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '--matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=nd071217a.test --domain=ipaad2012r2.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
Rule name: ekutest
Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
Matching rule: <EKU>1.3.6.1.5.5.7.3.1
Domain name: nd071217a.test, ipaad2012r2.test
Enabled: TRUE
[root@auto-hv-01-guest08 ~]# systemctl restart sssd
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5907 11101 0 04:26 pts/0 00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# sleep 60
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5911 11101 0 04:28 pts/0 00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# # PIDs for sssd are the same, bug not found, thus VERIFIED
[root@auto-hv-01-guest08 ~]# ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------
Scenario 2: AD Trust certmap offline-online crash of sssd_be:
[root@auto-hv-01-guest06 ~]# ipa certmaprule-add adtest --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test' --domain=ipaadcs12r2.test --domain=nd071217b.test
------------------------------------------------
Added Certificate Identity Mapping Rule "adtest"
------------------------------------------------
Rule name: adtest
Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
Domain name: ipaadcs12r2.test, nd071217b.test
Enabled: TRUE
[root@auto-hv-01-guest06 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10
[root@auto-hv-01-guest06 ~]# ipa certmaprule-find adtest
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
Rule name: adtest
Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
Domain name: ipaadcs12r2.test, nd071217b.test
Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
Domain: ipaadcs12r2.test
User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# bash -x script2.sh
+ set -x
++ pidof sssd_be
+ OLDPID=1850
++ cat /var/run/sssd.pid
+ SSSD_PID=1849
+ kill -USR1 1849
+ sleep 10
+ kill -USR2 1849
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
Domain: ipaadcs12r2.test
User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=1850
+ '[' 1850 '!=' 1850 ']'
+ echo bug_not_found
bug_not_found
[root@auto-hv-01-guest06 ~]# cat /var/log/messages | grep "segfault"
[root@auto-hv-01-guest06 ~]#
Thus, based on the observations above, marking the status of this bug as "VERIFIED".
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHEA-2018:0929
Description of problem: Two issues were found related to certificate mapping rules.

1. If <EKU> is used in the matching rule with only OIDs, e.g. <EKU>1.2.3.4, the SSSD backend will crash. Since the rules are read during startup SSSD might even fail to start.

2. If the rules are re-read, e.g. during an offline-online cycle with

kill -USR1 $(pidof sssd)
kill -USR2 $(pidof sssd)

the SSSD backend might crash if the certificate mapping rules are evaluated for a trusted AD domain.
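The <EKU> matching-rule syntax behind issue 1, as an added Python example that is not SSSD's code: it parses the comma-separated list of EKU names or bare OIDs that sss-certmap(5) documents for <EKU>, requires every listed EKU to be present in the certificate, and treats an OID-only rule such as <EKU>1.2.3.4 as an ordinary case rather than a name-table miss, which is the failure mode the report describes. The name-to-OID table is a partial transcription of the man page and is an assumption here; the function names, the OID regular expression and the sample certificates are this example's own constructions.

```python
"""
Parser and matcher for the <EKU> part of an SSSD certificate matching rule.

Added example, not SSSD code.  Semantics modelled on sss-certmap(5): the rule
lists EKUs as names or dotted OIDs separated by commas, and the certificate
must carry every listed EKU for the rule to match.
"""
import re

# Assumption: EKU names accepted by sss-certmap(5) and their OIDs, transcribed
# (partially) from the man page.  A bare OID in the rule never needs this table.
EKU_NAMES = {
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "timeStamping": "1.3.6.1.5.5.7.3.8",
    "OCSPSigning": "1.3.6.1.5.5.7.3.9",
    "KPClientAuth": "1.3.6.1.4.1.311.20.2.2",
    "pkinit": "1.3.6.1.5.2.3.4",
    "msScLogin": "1.3.6.1.4.1.311.20.2.2",
}

# Dotted-decimal OID with at least two arcs (example's own check).
OID_RE = re.compile(r"^\d+(\.\d+)+$")


def parse_eku_rule(rule):
    """Return the set of EKU OIDs a '<EKU>...' matching rule requires.

    Every token is resolved either through the name table or, when it is a
    bare OID, taken literally.  Anything else raises ValueError, so a rule
    like '<EKU>1.2.3.4' (only OIDs, no known names) is handled instead of
    being dereferenced as a missing name-table entry.
    """
    if not rule.startswith("<EKU>"):
        raise ValueError("not an <EKU> rule: %r" % rule)
    required = set()
    for token in rule[len("<EKU>"):].split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty EKU entry in %r" % rule)
        if token in EKU_NAMES:
            required.add(EKU_NAMES[token])
        elif OID_RE.match(token):
            required.add(token)          # bare OID: valid without a name entry
        else:
            raise ValueError("unknown EKU name %r in %r" % (token, rule))
    return required


def is_valid_eku_rule(rule):
    """True if parse_eku_rule() accepts the rule, False otherwise."""
    try:
        parse_eku_rule(rule)
    except ValueError:
        return False
    return True


def eku_rule_matches(rule, cert_ekus):
    """True if the certificate's EKU OIDs contain every EKU the rule lists."""
    return parse_eku_rule(rule) <= set(cert_ekus)


if __name__ == "__main__":
    # Constructed samples: EKU OIDs of a TLS server certificate and of a
    # smart-card logon certificate (clientAuth, msScLogin, pkinit).
    server_cert = ["1.3.6.1.5.5.7.3.1"]
    card_cert = ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.20.2.2", "1.3.6.1.5.2.3.4"]
    for rule in ("<EKU>1.3.6.1.5.5.7.3.1",          # OID only, as in scenario 1
                 "<EKU>clientAuth,msScLogin",       # names only
                 "<EKU>pkinit,1.3.6.1.5.5.7.3.2"):  # mixed
        print(rule, "server:", eku_rule_matches(rule, server_cert),
              "card:", eku_rule_matches(rule, card_cert))
```

The rule from scenario 1, <EKU>1.3.6.1.5.5.7.3.1, is the OID form of serverAuth; a rule that spells the same requirement with a name and a rule that spells it with an OID must parse to the same OID set, which is what the matcher above relies on.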