Red Hat Bugzilla – Bug 1525644
dbus-send unable to find user by CAC cert
Last modified: 2018-05-29 04:41:02 EDT
Description of problem:
I'm trying to use dbus-send to verify that I can look up users by certificates. When using some certs, the search fails.

Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Version-Release number of selected component (if applicable):
sssd-1.16.0-12

How reproducible:
Unknown. Happening with a cert I export from a CAC card.

Steps to Reproduce:
1. Set up IPA server and client to use Smart Card Authentication
2. Set up certmaprules for mapping the cert:
3. Add certmapdata to user
4. Run dbus-send search:

# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10

Actual results:
Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Expected results:
Finds the user

Additional info:

[root@seceng-idm-1 sssd]# ipa certmaprule-show maprule_9
  Rule name: maprule_9
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD OM CA-32,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: testrelm.test, ipaadcs12r2.test
  Enabled: TRUE

[root@seceng-idm-1 sssd]# ipa user-show ipauser1
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/bash
  Principal name: ipauser1@TESTRELM.TEST
  Principal alias: ipauser1@TESTRELM.TEST
  Email address: ipauser1@testrelm.test
  UID: 908200127
  GID: 908200127
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD OM CA-32<S>C=US,O=U.S. Government,OU=DoD,OU=PKI,OU=NOAA,CN=name.id.of.user
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@seceng-idm-1 sssd]# openssl x509 -in /tmp/cac_card_01_piv_auth.crt -noout -subject -issuer
subject= /C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=NOAA/CN=name.id.of.user
issuer= /C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD OM CA-32
In the journal, messages like:

sssd[13828]: process 13980: arguments to dbus_message_iter_append_basic() were incorrect, assertion "_dbus_check_is_valid_path (*string_p)" failed in file ../../dbus/dbus-message.c line 2759

can be found. The reason is that the first path in the list_ctx->paths array is 0x0 when calling iface_ifp_users_ListByName_finish(). I think the reason is that ifp_list_ctx_remaining_capacity() is called multiple times during the request, once for each domain, by ifp_users_list_copy() to collect the results from all domains. With commit b0b9222f7dd62b19ec702afe295ec71624888e87, talloc_zero_array() is always called when ifp_list_ctx_remaining_capacity() is called, overwriting existing results. I guess some realloc scheme would be better there.
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3608
* master: 510ac193900a7bb9dfae10c0ca4607c224b265af
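An added model of the allocation bug described in the analysis above, not SSSD's own code: the struct and function names are simplified stand-ins for list_ctx, ifp_list_ctx_remaining_capacity() and ifp_users_list_copy(), with calloc/realloc standing in for talloc. It contrasts the per-call zeroed reallocation with a realloc scheme and counts the NULL object paths that would reach dbus_message_iter_append_basic().

```c
#include <stdlib.h>
/* Simplified model of the infopipe list context; not SSSD's real struct. */
struct list_ctx {
    const char **paths; /* object paths collected across all domains */
    size_t path_count;  /* slots filled so far */
    size_t limit;       /* caller's uint32 limit (10 in the dbus-send call) */
};

/* Buggy pattern: each capacity check allocates a fresh zeroed array, so paths
 * already copied from an earlier domain are replaced by NULL slots. */
static size_t remaining_capacity_buggy(struct list_ctx *ctx)
{
    free(ctx->paths);
    ctx->paths = calloc(ctx->limit, sizeof *ctx->paths);
    return ctx->limit - ctx->path_count;
}

/* Realloc scheme: grow the array in place and keep earlier domains' paths. */
static size_t remaining_capacity_fixed(struct list_ctx *ctx, size_t needed)
{
    size_t want = ctx->path_count + needed;
    if (want > ctx->limit) want = ctx->limit;
    ctx->paths = realloc(ctx->paths, want * sizeof *ctx->paths);
    return ctx->limit - ctx->path_count;
}

/* Copies one domain's results, as ifp_users_list_copy() does per domain. */
static void copy_domain_results(struct list_ctx *ctx, const char **res,
                                size_t n, int buggy)
{
    size_t cap = buggy ? remaining_capacity_buggy(ctx)
                       : remaining_capacity_fixed(ctx, n);
    for (size_t i = 0; i < n && i < cap; i++)
        ctx->paths[ctx->path_count++] = res[i];
}

/* Two domains with one match each (the verified reply on this page). Returns
 * the number of NULL slots among the filled ones; any NULL trips the
 * _dbus_check_is_valid_path assertion seen in the journal. */
static size_t null_paths_after_two_domains(int buggy)
{
    const char *dom1[] = { "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/908200222" };
    const char *dom2[] = { "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401145" };
    struct list_ctx ctx = { NULL, 0, 10 };
    size_t nulls = 0;
    copy_domain_results(&ctx, dom1, 1, buggy);
    copy_domain_results(&ctx, dom2, 1, buggy);
    for (size_t i = 0; i < ctx.path_count; i++)
        if (ctx.paths[i] == NULL) nulls++;
    free(ctx.paths);
    return nulls;
}
```

With the buggy capacity check the first domain's path is lost (one NULL slot out of two), while the realloc variant keeps both paths.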
Verified.

Version :: sssd-1.16.0-14.el7.x86_64

Quick reproducer before updating on test host:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
Error org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying

Now upgrade sssd to fixed version:

[root@seceng-idm-1 tmp]# yum update sssd
Loaded plugins: auto-update-debuginfo, fastestmirror, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
Loading mirror speeds from cached hostfile
...
Updated:
  sssd.x86_64 0:1.16.0-14.el7
Dependency Updated:
  libipa_hbac.x86_64 0:1.16.0-14.el7
  libsss_autofs.x86_64 0:1.16.0-14.el7
  libsss_idmap.x86_64 0:1.16.0-14.el7
  libsss_sudo.x86_64 0:1.16.0-14.el7
  python-libipa_hbac.x86_64 0:1.16.0-14.el7
  python-sssdconfig.noarch 0:1.16.0-14.el7
  sssd-ad.x86_64 0:1.16.0-14.el7
  sssd-client.x86_64 0:1.16.0-14.el7
  sssd-common.x86_64 0:1.16.0-14.el7
  sssd-common-pac.x86_64 0:1.16.0-14.el7
  sssd-dbus.x86_64 0:1.16.0-14.el7
  sssd-ipa.x86_64 0:1.16.0-14.el7
  sssd-krb5.x86_64 0:1.16.0-14.el7
  sssd-krb5-common.x86_64 0:1.16.0-14.el7
  sssd-ldap.x86_64 0:1.16.0-14.el7
  sssd-proxy.x86_64 0:1.16.0-14.el7
Complete!

Reset sssd and cache to run a clean test:

[root@seceng-idm-1 tmp]# !systemctl
systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

And, test:

[root@seceng-idm-1 tmp]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/cac_card_01_piv_auth.crt)" uint32:10
method return time=1513357456.425038 sender=:1.1767 -> destination=:1.1768 serial=5 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/testrelm_2etest/908200222"
      object path "/org/freedesktop/sssd/infopipe/Users/ipaadcs12r2_2etest/1664401145"
   ]

I also upgraded SSSD on the IPA server to confirm with ipa certmap-match, where I saw the problem first:

[root@seceng-idm-1 tmp]# ipa certmap-match /tmp/cac_card_01_piv_auth.crt
---------------
2 users matched
---------------
  Domain: TESTRELM.TEST
  User logins: ipauser1

  Domain: ipaadcs12r2.test
  User logins: adcacuser1
----------------------------
Number of entries returned 2
----------------------------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:0929