Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1493916

Summary: Issues with certificate mapping rules [rhel-7.4.z]
Product: Red Hat Enterprise Linux 7
Reporter: Oneata Mircea Teodor <toneata>
Component: sssd
Assignee: Fabiano Fidêncio <fidencio>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: urgent
Docs Contact:
Priority: high
Version: 7.4
CC: ekeck, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, spoore, sssd-maint, tscherf
Target Milestone: rc
Keywords: ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.15.2-50.el7_4.5
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1489895
Environment:
Last Closed: 2017-10-19 15:14:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1489895
Bug Blocks:
Attachments:
  Description: logs after libsss_certmap updated
  Flags: none

Description Oneata Mircea Teodor 2017-09-21 07:21:17 UTC
This bug has been copied from bug #1489895 and has been proposed to be backported to 7.4 z-stream (EUS).

Comment 5 Scott Poore 2017-09-26 14:56:49 UTC
The fix doesn't appear to work:

[root@master sssd]# rpm -q sssd
sssd-1.15.2-50.el7_4.5.x86_64

[root@master sssd]# ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: ekutest
  Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
  Matching rule: <EKU>1.3.6.1.5.5.7.3.1
  Domain name: testrelm.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@master sssd]# systemctl start sssd

[root@master sssd]# pidof sssd
2997

[root@master sssd]# sleep 10

[root@master sssd]# pidof sssd
# nothing returned here ^^^

From /var/log/messages:
Sep 26 09:47:06 master kernel: sssd_be[3011]: segfault at 0 ip 00007fb038818546 sp 00007ffda99be8e0 error 6 in libsss_certmap.so.0.0.0[7fb038811000+e000]
Sep 26 09:47:06 master sssd: Exiting the SSSD. Could not restart critical service [testrelm.test].

Comment 7 Scott Poore 2017-09-26 18:28:44 UTC
Sumit found that libsss_certmap wasn't updated.  So I need to retry with:

yum update sssd libsss_certmap

Moving back to ON_QA

Comment 8 Scott Poore 2017-09-26 20:30:05 UTC
Ok even after updating libsss_certmap I'm still seeing segfaults.  SSSD is still running but, shortly after startup, I see it segfault and restart:


Sep 26 14:49:47 master sssd: Starting up

...

Sep 26 14:49:47 master systemd: Started System Security Services Daemon.
Sep 26 14:49:47 master kernel: sssd_be[17962]: segfault at 0 ip 00007f45656f3546 sp 00007ffe59031cb0 error 6 in libsss_certmap.so.0.0.0[7f45656ec000+e000]
Sep 26 14:49:47 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:48 master kernel: sssd_be[17972]: segfault at 0 ip 00007fca9e574546 sp 00007ffcf62d7830 error 6 in libsss_certmap.so.0.0.0[7fca9e56d000+e000]
Sep 26 14:49:50 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:50 master kernel: sssd_be[17974]: segfault at 0 ip 00007f2262d8a546 sp 00007ffc7bc2c800 error 6 in libsss_certmap.so.0.0.0[7f2262d83000+e000]
Sep 26 14:49:54 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:54 master kernel: sssd_be[17976]: segfault at 0 ip 00007f66c61d6546 sp 00007ffe9609e110 error 6 in libsss_certmap.so.0.0.0[7f66c61cf000+e000]
Sep 26 14:49:54 master sssd: Exiting the SSSD. Could not restart critical service [testrelm.test].

...

Sep 26 14:49:54 master systemd: sssd.service: main process exited, code=exited, status=1/FAILURE
Sep 26 14:49:54 master systemd: Unit sssd.service entered failed state.
Sep 26 14:49:54 master systemd: sssd.service failed.
Sep 26 14:50:01 master systemd: Started Session 6 of user root.
Sep 26 14:50:01 master systemd: Starting Session 6 of user root.
Sep 26 14:50:48 master systemd: Starting System Security Services Daemon...
Sep 26 14:50:48 master sssd: Starting up


[root@master ~]# rpm -qa|grep sss|sort
libsss_autofs-1.15.2-50.el7_4.2.x86_64
libsss_certmap-1.15.2-50.el7_4.2.x86_64
libsss_idmap-1.15.2-50.el7_4.2.x86_64
libsss_nss_idmap-1.15.2-50.el7_4.2.x86_64
libsss_sudo-1.15.2-50.el7_4.2.x86_64
python-libsss_nss_idmap-1.15.2-50.el7_4.2.x86_64
python-sss-1.15.2-50.el7_4.2.x86_64
python-sssdconfig-1.15.2-50.el7_4.2.noarch
python-sss-murmur-1.15.2-50.el7_4.2.x86_64
sssd-1.15.2-50.el7_4.2.x86_64
sssd-ad-1.15.2-50.el7_4.2.x86_64
sssd-client-1.15.2-50.el7_4.2.x86_64
sssd-common-1.15.2-50.el7_4.2.x86_64
sssd-common-pac-1.15.2-50.el7_4.2.x86_64
sssd-dbus-1.15.2-50.el7_4.2.x86_64
sssd-ipa-1.15.2-50.el7_4.2.x86_64
sssd-krb5-1.15.2-50.el7_4.2.x86_64
sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
sssd-ldap-1.15.2-50.el7_4.2.x86_64
sssd-proxy-1.15.2-50.el7_4.2.x86_64

I'll also attach sssd logs.
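
The kernel segfault lines quoted in comment 5 and in this comment carry everything needed to tell a deterministic crash from random memory corruption and to spot the restart loop that takes the identity backend down. The script below is an added triage helper, not part of this bug report or of SSSD: it normalises each `sssd_be` fault address to a library-relative offset (ip minus the mapping base, so ASLR no longer hides that every restart dies at the same instruction) and classifies the excerpt as a crash loop when the backend faults repeatedly in libsss_certmap and the monitor gives up restarting it. The sample lines are copied from this comment; the function names and the default threshold of three faults are assumptions made for the example.

```shell
#!/bin/sh
# Added triage helper (not from the bug report or from SSSD). Feed it syslog
# lines from /var/log/messages or journalctl; the sample below is the excerpt
# pasted in comment 8 of this bug, embedded so the script runs offline.

SAMPLE_LOG=$(cat <<'EOF'
Sep 26 14:49:47 master systemd: Started System Security Services Daemon.
Sep 26 14:49:47 master kernel: sssd_be[17962]: segfault at 0 ip 00007f45656f3546 sp 00007ffe59031cb0 error 6 in libsss_certmap.so.0.0.0[7f45656ec000+e000]
Sep 26 14:49:47 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:48 master kernel: sssd_be[17972]: segfault at 0 ip 00007fca9e574546 sp 00007ffcf62d7830 error 6 in libsss_certmap.so.0.0.0[7fca9e56d000+e000]
Sep 26 14:49:50 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:50 master kernel: sssd_be[17974]: segfault at 0 ip 00007f2262d8a546 sp 00007ffc7bc2c800 error 6 in libsss_certmap.so.0.0.0[7f2262d83000+e000]
Sep 26 14:49:54 master sssd[be[testrelm.test]]: Starting up
Sep 26 14:49:54 master kernel: sssd_be[17976]: segfault at 0 ip 00007f66c61d6546 sp 00007ffe9609e110 error 6 in libsss_certmap.so.0.0.0[7f66c61cf000+e000]
Sep 26 14:49:54 master sssd: Exiting the SSSD. Could not restart critical service [testrelm.test].
EOF
)

# Print one "<library>+0x<offset>" per sssd_be segfault, where offset is the
# faulting ip minus the base of the mapping the kernel reports in [base+size].
# Reads syslog lines on stdin. (Assumed helper name.)
fault_offsets() {
    sed -n 's/.*sssd_be\[[0-9]*\]: segfault at [0-9a-f]* ip \([0-9a-f]*\) .* in \([^[]*\)\[\([0-9a-f]*\)+[0-9a-f]*\].*/\1 \2 \3/p' |
    while read -r ip lib base; do
        printf '%s+0x%x\n' "$lib" $(( 0x$ip - 0x$base ))
    done
}

# Distinct fault sites: one line means every crash happened at the same
# instruction, i.e. a deterministic bug rather than per-run corruption.
distinct_fault_sites() {
    fault_offsets | sort -u
}

# Classify an excerpt: "crashloop" when sssd_be faulted inside libsss_certmap
# at least THRESHOLD times (default 3, an assumed value) and the sssd monitor
# gave up restarting the backend; "segfault" for any isolated fault; "clean"
# when no libsss_certmap fault appears. Reads syslog lines on stdin.
classify_certmap_crashes() {
    threshold=${1:-3}
    awk -v thr="$threshold" '
        /sssd_be\[[0-9]+\]: segfault at .* in libsss_certmap\.so/ { faults++ }
        /Exiting the SSSD\. Could not restart critical service/   { gave_up = 1 }
        END {
            if (faults >= thr && gave_up) print "crashloop"
            else if (faults > 0)          print "segfault"
            else                          print "clean"
        }'
}

# Stand-alone run over the embedded sample from comment 8.
printf '%s\n' "$SAMPLE_LOG" | classify_certmap_crashes 3
printf '%s\n' "$SAMPLE_LOG" | distinct_fault_sites
```

Run against a live host with `grep -E 'sssd|kernel' /var/log/messages | sh -c '. ./triage.sh'` after removing the two stand-alone lines, or just replace `SAMPLE_LOG` with the real excerpt. Normalising the addresses is the part worth keeping: the four faults in this comment and the one in comment 5 all land at `libsss_certmap.so.0.0.0+0x7546`, which is the signature of one reproducible bug in the certificate-mapping code rather than random heap damage, and a single offset like that is what to hand to the maintainers together with the package versions.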

Comment 9 Scott Poore 2017-09-26 20:31:23 UTC
Created attachment 1331231 [details]
logs after libsss_certmap updated

Comment 10 Fabiano Fidêncio 2017-09-26 20:39:53 UTC
(In reply to Scott Poore from comment #8)
> Ok even after updating libsss_certmap I'm still seeing segfaults.  SSSD is
> still running but, shortly after startup, I see it segfault and restart:
> 
> 
> Sep 26 14:49:47 master sssd: Starting up
> 
> ...
> 
> Sep 26 14:49:47 master systemd: Started System Security Services Daemon.
> Sep 26 14:49:47 master kernel: sssd_be[17962]: segfault at 0 ip
> 00007f45656f3546 sp 00007ffe59031cb0 error 6 in
> libsss_certmap.so.0.0.0[7f45656ec000+e000]
> Sep 26 14:49:47 master sssd[be[testrelm.test]]: Starting up
> Sep 26 14:49:48 master kernel: sssd_be[17972]: segfault at 0 ip
> 00007fca9e574546 sp 00007ffcf62d7830 error 6 in
> libsss_certmap.so.0.0.0[7fca9e56d000+e000]
> Sep 26 14:49:50 master sssd[be[testrelm.test]]: Starting up
> Sep 26 14:49:50 master kernel: sssd_be[17974]: segfault at 0 ip
> 00007f2262d8a546 sp 00007ffc7bc2c800 error 6 in
> libsss_certmap.so.0.0.0[7f2262d83000+e000]
> Sep 26 14:49:54 master sssd[be[testrelm.test]]: Starting up
> Sep 26 14:49:54 master kernel: sssd_be[17976]: segfault at 0 ip
> 00007f66c61d6546 sp 00007ffe9609e110 error 6 in
> libsss_certmap.so.0.0.0[7f66c61cf000+e000]
> Sep 26 14:49:54 master sssd: Exiting the SSSD. Could not restart critical
> service [testrelm.test].
> 
> ...
> 
> Sep 26 14:49:54 master systemd: sssd.service: main process exited,
> code=exited, status=1/FAILURE
> Sep 26 14:49:54 master systemd: Unit sssd.service entered failed state.
> Sep 26 14:49:54 master systemd: sssd.service failed.
> Sep 26 14:50:01 master systemd: Started Session 6 of user root.
> Sep 26 14:50:01 master systemd: Starting Session 6 of user root.
> Sep 26 14:50:48 master systemd: Starting System Security Services Daemon...
> Sep 26 14:50:48 master sssd: Starting up
> 
> 
> [root@master ~]# rpm -qa|grep sss|sort
> libsss_autofs-1.15.2-50.el7_4.2.x86_64
> libsss_certmap-1.15.2-50.el7_4.2.x86_64
> libsss_idmap-1.15.2-50.el7_4.2.x86_64
> libsss_nss_idmap-1.15.2-50.el7_4.2.x86_64
> libsss_sudo-1.15.2-50.el7_4.2.x86_64
> python-libsss_nss_idmap-1.15.2-50.el7_4.2.x86_64
> python-sss-1.15.2-50.el7_4.2.x86_64
> python-sssdconfig-1.15.2-50.el7_4.2.noarch
> python-sss-murmur-1.15.2-50.el7_4.2.x86_64
> sssd-1.15.2-50.el7_4.2.x86_64
> sssd-ad-1.15.2-50.el7_4.2.x86_64
> sssd-client-1.15.2-50.el7_4.2.x86_64
> sssd-common-1.15.2-50.el7_4.2.x86_64
> sssd-common-pac-1.15.2-50.el7_4.2.x86_64
> sssd-dbus-1.15.2-50.el7_4.2.x86_64
> sssd-ipa-1.15.2-50.el7_4.2.x86_64
> sssd-krb5-1.15.2-50.el7_4.2.x86_64
> sssd-krb5-common-1.15.2-50.el7_4.2.x86_64
> sssd-ldap-1.15.2-50.el7_4.2.x86_64
> sssd-proxy-1.15.2-50.el7_4.2.x86_64
> 
> I'll also attach sssd logs.

Scott, you're still using the wrong SSSD version. The build which contains this fix is sssd-1.15.2-50.el7_4.5

Comment 12 Scott Poore 2017-09-26 22:11:40 UTC
Fabiano, 

Good catch.  Thanks!  I'm upgrading and retesting.

Comment 13 Scott Poore 2017-09-27 00:11:29 UTC
Verified.

Version ::

sssd-1.15.2-50.el7_4.5.x86_64

Results ::

1. Scenario with EKU crash:

[root@master ~]# sh test1
+ systemctl stop sssd
+ rm -rf /var/lib/sss/db/cache_testrelm.test.ldb /var/lib/sss/db/ccache_TESTRELM.TEST /var/lib/sss/db/config.ldb /var/lib/sss/db/sssd.ldb /var/lib/sss/db/timestamps_testrelm.test.ldb /var/lib/sss/mc/group /var/lib/sss/mc/initgroups /var/lib/sss/mc/passwd
+ systemctl start sssd
+ kinit admin
+ echo Secret123
Password for admin: 
+ ipa certmaprule-add ekutest '--maprule=|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})' '--matchrule=<EKU>1.3.6.1.5.5.7.3.1' --domain=testrelm.test --domain=ad.test
-------------------------------------------------
Added Certificate Identity Mapping Rule "ekutest"
-------------------------------------------------
  Rule name: ekutest
  Mapping rule: |(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})
  Matching rule: <EKU>1.3.6.1.5.5.7.3.1
  Domain name: testrelm.test, ad.test
  Enabled: TRUE
+ date
Tue Sep 26 18:39:31 CDT 2017
+ systemctl restart sssd
++ pidof sssd
+ OLDPID=11633
+ sleep 60
+ pidof sssd
11633
++ pidof sssd
+ NEWPID=11633
+ '[' 11633 '!=' 11633 ']'
+ echo bug_not_found
bug_not_found
+ ipa certmaprule-del ekutest
---------------------------------------------------
Deleted Certificate Identity Mapping Rule "ekutest"
---------------------------------------------------

[root@master ~]# pidof sssd
11633


2.  Scenario with AD Trust certmap offline-online crash of sssd_be:

[root@master ~]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd; sleep 10

[root@master ~]# ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: adtest
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:{issuer_dn!nss_x500}{subject_dn!nss_x500})(altSecurityIdentities=X509:{issuer_dn!ad_x500}{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=adca,DC=ad,DC=test
  Domain name: ad.test, testrelm.test
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# ipa certmap-match /root/adcerts/aduser1.crt 
--------------
1 user matched
--------------
  Domain: ad.test
  User logins: aduser1
----------------------------
Number of entries returned 1
----------------------------

[root@master ~]# sh test2
++ pidof sssd_be
+ OLDPID=12408
++ cat /var/run/sssd.pid
+ SSSD_PID=12407
+ kill -USR1 12407
+ sleep 10
+ kill -USR2 12407
+ sss_cache -E
+ sleep 10
+ ipa certmap-match /root/adcerts/aduser1.crt
--------------
1 user matched
--------------
  Domain: ad.test
  User logins: aduser1
----------------------------
Number of entries returned 1
----------------------------
++ pidof sssd_be
+ NEWPID=12408
+ '[' 12408 '!=' 12408 ']'
+ echo bug_not_found
bug_not_found

[root@master ~]# pidof sssd_be
12408

Comment 15 errata-xmlrpc 2017-10-19 15:14:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2940