Bug 1525644 - dbus-send unable to find user by CAC cert
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: SSSD Maintainers
QA Contact: Scott Poore
Reported: 2017-12-13 19:23 UTC by Scott Poore
Modified: 2020-05-02 18:52 UTC

Fixed In Version: sssd-1.16.0-14.el7
Last Closed: 2018-04-10 17:20:30 UTC
Links:
Github SSSD sssd issues 4631 (closed): dbus-send unable to find user by CAC cert, last updated 2020-10-31 15:30:38 UTC
Red Hat Product Errata RHEA-2018:0929, last updated 2018-04-10 17:21:33 UTC

Description Scott Poore 2017-12-13 19:23:36 UTC
Description of problem:

I'm trying to use dbus-send to verify that I can look up users by certificates. When using some certs, the search fails.


Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Version-Release number of selected component (if applicable):
sssd-1.16.0-12

How reproducible:
Unknown. Happening with a cert I export from a CAC card.

Steps to Reproduce:
1. Set up IPA server and client to use Smart Card Authentication
2. Set up certmaprules for mapping the cert:
3. Add certmapdata to user
4. run dbus-send search:

# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10

Actual results:

Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Expected results:

Finds the user

Additional info:


[root@seceng-idm-1 sssd]# ipa certmaprule-show maprule_9
  Rule name: maprule_9
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD OM CA-32,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: testrelm.test, ipaadcs12r2.test
  Enabled: TRUE


[root@seceng-idm-1 sssd]# ipa user-show ipauser1
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/bash
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 908200127
  GID: 908200127
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD OM CA-32<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=name.id.of.user
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@seceng-idm-1 sssd]# openssl x509 -in /tmp/cac_card_01_piv_auth.crt -noout -subject -issuer
subject= /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=NOAA/CN=name.id.of.user
issuer= /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD OM CA-32

Comment 4 Sumit Bose 2017-12-13 19:37:15 UTC
In the journal messages like:

    sssd[13828]: process 13980: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_path (*string_p)" failed in file ../../dbus/dbus-message.c line 2759

can be found.

The reason is that the first path in the list_ctx->paths array is 0x0 when calling iface_ifp_users_ListByName_finish(). I think the reason is that ifp_list_ctx_remaining_capacity() is called multiple times during the request, once for each domain, by ifp_users_list_copy() to collect the results from all domains.

With commit b0b9222f7dd62b19ec702afe295ec71624888e87, talloc_zero_array() is always called when ifp_list_ctx_remaining_capacity() is called, overwriting existing results. I guess some realloc scheme would be better there.
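The allocation pattern described in comment 4, modelled in C as an added example that is not SSSD's own code: a per-domain capacity helper that hands back a fresh zeroed array drops the paths already collected and leaves a NULL slot (the condition behind the dbus-message.c assertion), while a realloc-based helper keeps them. The names list_ctx, ensure_capacity_buggy, ensure_capacity_fixed and collect are hypothetical; the two sample object paths are taken from the verified run in comment 9.

```c
/* Added illustrative model of the bug in comment 4; not SSSD's own code.
 * The capacity helper runs once per domain while results are copied. If it
 * returns a fresh zeroed array each time, as talloc_zero_array() did, paths from
 * earlier domains are lost and a NULL slot reaches D-Bus. Names are hypothetical. */
#include <stdlib.h>

struct list_ctx { const char **paths; size_t capacity, path_count; };
typedef int (*ensure_fn)(struct list_ctx *, size_t);

/* Buggy: always replace the array, discarding anything already copied. */
static int ensure_capacity_buggy(struct list_ctx *ctx, size_t limit)
{
    const char **fresh = calloc(limit, sizeof(*fresh));
    if (fresh == NULL) return -1;
    free(ctx->paths); /* results from earlier domains vanish here */
    ctx->paths = fresh;
    ctx->capacity = limit;
    return 0;
}
/* Fixed: grow in place with realloc, keeping every slot already filled. */
static int ensure_capacity_fixed(struct list_ctx *ctx, size_t limit)
{
    if (ctx->capacity >= limit) return 0;
    const char **grown = realloc(ctx->paths, limit * sizeof(*grown));
    if (grown == NULL) return -1;
    ctx->paths = grown;
    ctx->capacity = limit;
    return 0;
}
/* Copies one path per domain, calling ensure() each time as the per-domain loop
 * did. Returns how many filled slots are NULL; 0 means a reply D-Bus accepts. */
static size_t collect(ensure_fn ensure, size_t limit, const char *const *domain_paths, size_t ndomains)
{
    struct list_ctx ctx = {0};
    size_t null_slots = 0;
    for (size_t d = 0; d < ndomains; d++) {
        if (ensure(&ctx, limit) != 0 || ctx.path_count >= ctx.capacity) break;
        ctx.paths[ctx.path_count++] = domain_paths[d];
    }
    for (size_t i = 0; i < ctx.path_count; i++)
        if (ctx.paths[i] == NULL) null_slots++;
    free(ctx.paths);
    return null_slots;
}
/* Constructed sample input: the two object paths from the verified run in comment 9. */
static const char *const SAMPLE_PATHS[] = {
    "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/908200222",
    "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401145",
};
```

With two domains and a limit of 10, the buggy helper leaves the first slot NULL while the fixed helper returns both paths intact.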

Comment 6 Sumit Bose 2017-12-15 11:08:37 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3608

Comment 7 Jakub Hrozek 2017-12-15 16:11:54 UTC
* master: 510ac193900a7bb9dfae10c0ca4607c224b265af

Comment 9 Scott Poore 2017-12-15 17:09:45 UTC
Verified.

Version ::

sssd-1.16.0-14.el7.x86_64

Quick reproducer before updating on test host:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Now upgrade sssd to fixed version:

[root@seceng-idm-1 tmp]# yum update sssd
Loaded plugins: auto-update-debuginfo, fastestmirror, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
...
Updated:
  sssd.x86_64 0:1.16.0-14.el7                                                                          

Dependency Updated:
  libipa_hbac.x86_64 0:1.16.0-14.el7                 libsss_autofs.x86_64 0:1.16.0-14.el7             
  libsss_idmap.x86_64 0:1.16.0-14.el7                libsss_sudo.x86_64 0:1.16.0-14.el7               
  python-libipa_hbac.x86_64 0:1.16.0-14.el7          python-sssdconfig.noarch 0:1.16.0-14.el7         
  sssd-ad.x86_64 0:1.16.0-14.el7                     sssd-client.x86_64 0:1.16.0-14.el7               
  sssd-common.x86_64 0:1.16.0-14.el7                 sssd-common-pac.x86_64 0:1.16.0-14.el7           
  sssd-dbus.x86_64 0:1.16.0-14.el7                   sssd-ipa.x86_64 0:1.16.0-14.el7                  
  sssd-krb5.x86_64 0:1.16.0-14.el7                   sssd-krb5-common.x86_64 0:1.16.0-14.el7          
  sssd-ldap.x86_64 0:1.16.0-14.el7                   sssd-proxy.x86_64 0:1.16.0-14.el7                

Complete!

Reset sssd and cache to run a clean test:

[root@seceng-idm-1 tmp]# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd 


And, test:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
method return time=1513357456.425038 sender=:1.1767 -> destination=:1.1768 serial=5 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/908200222"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401145"
   ]


I also upgraded SSSD on the IPA server to confirm with ipa certmap-match where I saw the problem first:

[root@seceng-idm-1 tmp]# ipa certmap-match /tmp/cac_card_01_piv_auth.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: ipauser1

  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 2
----------------------------

Comment 12 errata-xmlrpc 2018-04-10 17:20:30 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

