Bug 1489895 - Issues with certificate mapping rules
Summary: Issues with certificate mapping rules
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks: 1493916
Reported: 2017-09-08 15:10 UTC by Sumit Bose
Modified: 2021-06-10 12:59 UTC (History)

Fixed In Version: sssd-1.16.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1493916 (view as bug list)
Environment:
Last Closed: 2018-04-10 17:16:19 UTC
Target Upstream Version:
Embargoed:
spoore: needinfo+




Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4534 0 None None None 2020-05-02 18:47:55 UTC
Red Hat Product Errata RHEA-2018:0929 0 None None None 2018-04-10 17:17:27 UTC

Description Sumit Bose 2017-09-08 15:10:42 UTC
Description of problem:

Two issues were found related to certificate mapping rules.

1. If <EKU> is used in the matching rule with only OIDs, e.g. <EKU>1.2.3.4, the SSSD backend will crash. Since the rules are read during startup, SSSD might even fail to start.

2. If the rules are re-read, e.g. during an offline-online cycle with
    kill -USR1 $(pidof sssd)
    kill -USR2 $(pidof sssd)
the SSSD backend might crash if the certificate mapping rules are evaluated for a trusted AD domain.

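To show how the two match-rule forms in this report (an <EKU> component given only as an OID, which is the form that crashed sssd_be, and an <ISSUER> regular expression) are evaluated, here is an added Python evaluator; it is not SSSD's code. The EKU name table and the "all listed EKUs must be present" semantics are assumptions based on sss-certmap(5), and the sample certificate attributes are constructed.

```python
import re

# Named EKUs accepted by sss-certmap(5) and their OIDs. Assumption: this
# short table is written from memory for illustration, not taken from SSSD.
EKU_NAMES = {
    "clientAuth": "1.3.6.1.5.5.7.3.2",
    "serverAuth": "1.3.6.1.5.5.7.3.1",
    "codeSigning": "1.3.6.1.5.5.7.3.3",
    "emailProtection": "1.3.6.1.5.5.7.3.4",
    "msScLogin": "1.3.6.1.4.1.311.20.2.2",
}
OID_RE = re.compile(r"\d+(\.\d+)+")

def eku_to_oid(item):
    """Accept a known EKU name or a bare dotted OID; reject anything else."""
    item = item.strip()
    if item in EKU_NAMES:
        return EKU_NAMES[item]
    if OID_RE.fullmatch(item):
        return item  # the OID-only form that crashed sssd_be before the fix
    raise ValueError(f"unknown EKU {item!r}")

def parse_match_rule(rule):
    """Split '<KEYWORD>value' components joined by '&&' into (keyword, value)."""
    comps = []
    for part in rule.split("&&"):
        m = re.fullmatch(r"\s*<(ISSUER|SUBJECT|EKU)>(.*?)\s*", part)
        if not m:
            raise ValueError(f"malformed component {part!r}")
        comps.append((m.group(1), m.group(2)))
    return comps

def rule_matches(rule, cert):
    """cert: {'issuer': DN, 'subject': DN, 'eku': set of OIDs}; all components must match."""
    for keyword, value in parse_match_rule(rule):
        if keyword == "EKU":
            wanted = {eku_to_oid(i) for i in value.split(",") if i.strip()}
            if not wanted or not wanted <= cert["eku"]:
                return False  # empty list or a missing EKU: no match, no crash
        elif not re.search(value, cert["issuer" if keyword == "ISSUER" else "subject"]):
            return False
    return True

# Constructed sample attributes, loosely modelled on the AD user in comment 17.
SAMPLE_CERT = {
    "issuer": "CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test",
    "subject": "CN=adcertsingleuser1,DC=ipaadcs12r2,DC=test",
    "eku": {"1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"},
}
```
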
Comment 1 Jakub Hrozek 2017-09-11 13:56:46 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3508

Comment 4 Jakub Hrozek 2017-09-14 15:03:46 UTC
master:
 * f2e70ec742cd7aab82b74d7e4b424ba3258da7aa
 * f5a8cd60c6f377af1954b58f007d16cf3f6dc846

Comment 17 Nikhil Dehadrai 2017-12-07 22:21:58 UTC
IPA-VERSION: ipa-server-4.5.4-6.el7.x86_64
SSSD-VERSION: sssd-1.16.0-10.el7.x86_64

Verified the bug based on tests performed in below scenarios:

Scenario 1: Scenario with EKU crash:

[root@auto-hv-01-guest08 ~]# kinit admin
Password for admin: 
[root@auto-hv-01-guest08 ~]# ipa certmaprule-add ekutest '--maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '--matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=nd071217a.test --domain=ipaad2012r2.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
Rule name: ekutest
Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
Matching rule: <EKU>1.3.6.1.5.5.7.3.1
Domain name: nd071217a.test, ipaad2012r2.test
Enabled: TRUE
[root@auto-hv-01-guest08 ~]# systemctl restart sssd
[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5907 11101 0 04:26 pts/0 00:00:00 grep --color=auto sssd

[root@auto-hv-01-guest08 ~]# sleep 60

[root@auto-hv-01-guest08 ~]# ps -ef | grep sssd
root 5897 1 0 04:26 ? 00:00:00 /usr/sbin/sssd -i --logger=files
root 5898 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_be --domain nd071217a.test --uid 0 --gid 0 --logger=files
root 5899 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_sudo --uid 0 --gid 0 --logger=files
root 5900 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
root 5901 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --logger=files
root 5902 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files
root 5903 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_ssh --uid 0 --gid 0 --logger=files
root 5904 5897 0 04:26 ? 00:00:00 /usr/libexec/sssd/sssd_pac --uid 0 --gid 0 --logger=files
root 5911 11101 0 04:28 pts/0 00:00:00 grep --color=auto sssd

[root@auto-hv-01-guest08 ~]# # PIDS for sssd are same, bug not found, thus VERIFIED
[root@auto-hv-01-guest08 ~]# ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------


Scenario 2: Scenario with AD Trust certmap offline-online crash of sssd_be:

[root@auto-hv-01-guest06 ~]# ipa certmaprule-add adtest --maprule='(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))' --matchrule='<ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test' --domain=ipaadcs12r2.test --domain=nd071217b.test
------------------------------------------------
Added Certificate Identity Mapping Rule "adtest"
------------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE


[root@auto-hv-01-guest06 ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10
[root@auto-hv-01-guest06 ~]# ipa certmaprule-find adtest
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=AD-ROOT-CA,DC=ipaadcs12r2,DC=test
  Domain name: ipaadcs12r2.test, nd071217b.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@auto-hv-01-guest06 ~]# ipa certmap-match /root/adcerts/adcertsingleuser1.crt 
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------

[root@auto-hv-01-guest06 ~]# bash -x script2.sh 
+ set -x
++ pidof sssd_be
+ OLDPID=1850
++ cat /var/run/sssd.pid
+ SSSD_PID=1849
+ kill -USR1 1849
+ sleep 10
+ kill -USR2 1849
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/adcertsingleuser1.crt
--------------
1 user matched
--------------
  Domain: ipaadcs12r2.test
  User logins: adcertsingleuser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=1850
+ '[' 1850 '!=' 1850 ']'
+ echo bug_not_found
bug_not_found

[root@auto-hv-01-guest06 ~]# cat /var/log/messages | grep "segfault"
[root@auto-hv-01-guest06 ~]#


Thus, based on the observations above, marking the status of this bug as "VERIFIED".

Comment 20 errata-xmlrpc 2018-04-10 17:16:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

