Red Hat Bugzilla – Bug 1489895
Issues with certificate mapping rules
Last modified: 2018-04-10 13:17:28 EDT
Description of problem:
Two issues were found related to certificate mapping rules.

1. If <EKU> is used in the matching rule with only OIDs, e.g. <EKU>1.2.3.4, the SSSD backend will crash. Since the rules are read during startup, SSSD might even fail to start.

2. If the rules are re-read, e.g. during an offline-online cycle with

       kill -USR1 $(pidof sssd)
       kill -USR2 $(pidof sssd)

   the SSSD backend might crash if the certificate mapping rules are evaluated for a trusted AD domain.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3508
master:
* f2e70ec742cd7aab82b74d7e4b424ba3258da7aa
* f5a8cd60c6f377af1954b58f007d16cf3f6dc846
IPA-VERSION: ipa-server-4.5.4-6.el7.x86_64
SSSD-VERSION: sssd-1.16.0-10.el7.x86_64

Verified the bug based on tests performed in the scenarios below:

Scenario 1: Scenario with EKU crash:

[root@auto-hv-01-guest08 ~]# kinit admin
Password for admin@ND071217A.TEST:
[root@auto-hv-01-guest08 ~]# ipa certmaprule-add ekutest '-maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '-matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=nd071217a.test --domain=ipaad2012r2.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
  Rule name: ekutest
  Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
  Matching rule: <EKU>1.3.6.1.5.5.7.3.1
  Domain name: nd071217a.test, ipaad2012r2.test
  Enabled: TRUE
[root@auto-hv-01-guest08 ~]# systemctl restart sssd
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root      5897      1  0 04:26 ?        00:00:00 /usr/sbin/sssd -i --logger=files
root      5898   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root      5899   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root      5900   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root      5901   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root      5902   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root      5903   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root      5904   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root      5907  11101  0 04:26 pts/0    00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# sleep 60
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root      5897      1  0 04:26 ?        00:00:00 /usr/sbin/sssd -i --logger=files
root      5898   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root      5899   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root      5900   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root      5901   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root      5902   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root      5903   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root      5904   5897  0 04:26 ?        00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root      5911  11101  0 04:28 pts/0    00:00:00 grep --color=auto sssd
[root@auto-hv-01-guest08 ~]# # PIDs for sssd are the same, bug not found, thus VERIFIED
[root@auto-hv-01-guest08 ~]# ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------

Scenario 2: Scenario with AD Trust certmap offline-online crash of sssd_be:

[root@auto-hv-01-guest06 ~]# ipa certmaprule-add adtest --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test' --domain=ipaadcs12r2.test --domain=nd071217b.test
------------------------------------------------
Added Certificate Identity Mapping Rule "adtest"
------------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
[root@auto-hv-01-guest06 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10
[root@auto-hv-01-guest06 ~]# ipa certmaprule-find adtest
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
[root@auto-hv-01-guest06 ~]# bash -x script2.sh
+ set -x
++ pidof sssd_be
+ OLDPID=1850
++ cat /var/run/sssd.pid
+ SSSD_PID=1849
+ kill -USR1 1849
+ sleep 10
+ kill -USR2 1849
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=1850
+ '[' 1850 '!=' 1850 ']'
+ echo bug_not_found
bug_not_found
[root@auto-hv-01-guest06 ~]# cat /var/log/messages | grep "segfault"
[root@auto-hv-01-guest06 ~]#

Thus, based on the observations above, marking the status of this bug as "VERIFIED".
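The offline-online regression check from the description and the verification comment, written out as an added example script (this is not the reporter's script2.sh, which is only visible through its bash -x trace above). The certificate path and the 10-second settle time are taken from the trace; the kernel segfault log format it looks for, and running as root on a host with sssd and the ipa client installed, are assumptions.

```shell
#!/bin/sh
# Added example: regression check for the sssd_be crash on certmap rule re-read.
# Assumes root on an IPA host with an sssd_be process, an installed certmap rule,
# and a user certificate at $CERT (path taken from the trace in this bug).

CERT="${CERT:-/root/adcerts/adcertsingleuser1.crt}"
SETTLE="${SETTLE:-10}"   # seconds to let SSSD go offline/online and re-read rules

# Pure decision helper: success when the backend PID is unchanged, i.e. the
# monitor did not have to restart sssd_be after a crash.
backend_survived() {
    old="$1"; new="$2"
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# Pure helper: does a log excerpt contain a segfault record for sssd_be?
# The "sssd_be[<pid>]: segfault at ..." kernel format is an assumption.
has_be_segfault() {
    printf '%s\n' "$1" | grep -q 'sssd_be.*segfault'
}

# Offline -> online cycle: SIGUSR1 forces the backends offline, SIGUSR2 forces
# them online, which makes sssd_be re-read the certificate mapping rules.
# certmap-match then evaluates the rules against the trusted AD domain.
run_cycle_check() {
    oldpid=$(pidof sssd_be)
    sssd_pid=$(cat /var/run/sssd.pid)
    kill -USR1 "$sssd_pid"; sleep "$SETTLE"
    kill -USR2 "$sssd_pid"
    sss_cache -E; sleep "$SETTLE"
    ipa certmap-match "$CERT" >/dev/null
    newpid=$(pidof sssd_be)
    if backend_survived "$oldpid" "$newpid" \
       && ! has_be_segfault "$(grep segfault /var/log/messages 2>/dev/null)"; then
        echo bug_not_found
    else
        echo "bug_found (sssd_be pid $oldpid -> $newpid)"
        return 1
    fi
}

# Only touch the live service when asked, so the helpers can be sourced/tested.
if [ "${1:-}" = "--run" ]; then
    run_cycle_check
fi
```

Run it as `sh check_certmap_reread.sh --run` after installing a rule such as the adtest one above; a non-zero exit means sssd_be was restarted or a segfault was logged during the cycle.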
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929