1537279 – Certificate is not removed from cache when it's removed from the override

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1537279 - Certificate is not removed from cache when it's removed from the override

Summary: Certificate is not removed from cache when it's removed from the override

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	7.3
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Sumit Bose
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-22 20:01 UTC by Jakub Hrozek
Modified:	2020-05-02 18:52 UTC (History)
CC List:	13 users (show)
Fixed In Version:	sssd-1.16.2-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:41:19 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	SSSD sssd issues 4626	0	None	None	None	2020-05-02 18:52:38 UTC
Red Hat Product Errata	RHSA-2018:3158	0	None	None	None	2018-10-30 10:42:21 UTC

Description Jakub Hrozek 2018-01-22 20:01:39 UTC

This bug is created as a clone of upstream ticket:
https://pagure.io/SSSD/sssd/issue/3603

After investigating the issue #3602 (https://pagure.io/SSSD/sssd/issue/3602) seems that a similar issue may happen with certificates.

I've talked to @sbose and we agreed on opening this to investigate whether it's the case and then provide a proper fix for this in case a bug is also present.

Steps to reproduce will be added later on when someone starts working on this bug.

Comment 1 Jakub Hrozek 2018-01-22 20:02:52 UTC

Rough steps to reproduce:

- add a certificate to an override of a subdomain user
- request the certificate with the dbus API
- remove the certificate from the override
- request the certificate again

If there are no certificates returned for a sub-domain user from the IPA
server to the client we should make sure they are not present in the
client's cache anymore and remove the whole attribute from the cached user
entry.

Comment 2 Jakub Hrozek 2018-03-14 16:22:13 UTC

* master:
 * 5e04cbb
 * 4300385

Comment 6 Sudhir Menon 2018-08-23 13:29:23 UTC

Fix is seen. Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo)

[root@master httpd]# rpm -q ipa-server sssd samba krb5-server pki-server selinux-policy
ipa-server-4.6.4-6.el7.x86_64
sssd-1.16.2-12.el7.x86_64
samba-4.8.3-4.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-5.el7.noarch
selinux-policy-3.13.1-215.el7.noarch


1. Added trusted AD user in 'Default Trust View'
[root@master ~]# ipa idoverrideuser-add 'Default trust View'
Anchor to override: aduser20
------------------------------------------------
Added User ID override "aduser20"
------------------------------------------------
  Anchor to override: aduser20

2. Added certificate for the trusted AD user in idview
[root@master ~]# ipa idoverrideuser-add-cert 'Default Trust View' aduser20 --certificate="$(cat /tmp/ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')"
--------------------------------------------------------------
Added certificates to idoverrideuser "aduser20"
--------------------------------------------------------------
  Anchor to override: aduser20
  Certificate: MIIEBjCCAu6gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtBUE9MTE8uVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE4MDgyMzA5MDE0M1oXDTIwMDgyMzA5MDE0M1owKTEUMBIGA1UECgwLQVBPTExPLlRFU1QxETAPBgNVBAMMCGlwYXVzZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA/0IKnRf1SsNaqo15fEgMlQaZ8LonNbHk1SsaGZ6DwyBbKBYlWDo7eZcKsVeKMc8mK4iIskTHOHuqusVm2OqtCdhlQMM15B3cOzsN1lWVELkzZXubOR8u4awW7231aSd7jEtFHxwEkVzHTulYhYE62XnikHFYY74zRoN6KnMSXXFfH1tMV6SeP31MkNXg9IcfXo+7zFbjFykFWteXCcBXbW7bGrM1uEjAsRI6bPvbRpGpdzMvQ6/RG915qH1XM2sOv1Z3URp/Xlks3LupiFQTPYSHO11t/Ql96OOEBa7hED2uHPRY8bdzyMPv/iZ9QpLldgnWGmxIgGsJ+SrexuHGiQIDAQABo4IBKjCCASYwHwYDVR0jBBgwFoAUUfztxibL54WCGI3Yzh+csgF9TAkwPQYIKwYBBQUHAQEEMTAvMC0GCCsGAQUFBzABhiFodHRwOi8vaXBhLWNhLmFwb2xsby50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB2BgNVHR8EbzBtMGugM6Axhi9odHRwOi8vaXBhLWNhLmFwb2xsby50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUhp/FF3HBj3lOWdiMnpb/zT1kgM8wDQYJKoZIhvcNAQELBQADggEBAI1g3SNzorOPy9feYym0P0auP4267CDXrHVhVbtAomG3qYoeqOH0E1JK/+Nvnlm5H6ThvqEinMGAUJCltduneP2Py+Hn1fvenAWa7OpyRAGvfRLvzqtfMYAq6vCC6jny2BtOgFQ5lZxiu0YYJ3Np5YvSRYKnosMQQFPLSnIyjplyQ4qQhKWWS8fthd1VyGkXi/B3HcxqDddXHKwLlzjColnZFw/HkJuwXXhG6DbtGlJa9MTcD9WLmBoJq+Q92lfe47l479SAhgyoUc+wvHyMHbmFmKuIoO0uQBR/FZzgx3m1Tz30nlEV8YLc3qFCUiw6+41R/pUp2lTrRfnw0odzPzo=

3. sss_cache -E
4. run the below dbus-send commands

[root@master ~]#     dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/ipauser1.crt)" uint32:10
method return time=1535028715.335103 sender=:1.1717 -> destination=:1.1724 serial=13 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160"
   ]

[root@master httpd]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1535030667.990435 sender=:1.1740 -> destination=:1.1747 serial=13 reply_serial=2
   variant       string "aduser20"

5. Removed the user certificate from view for the user.

[root@master ~]# ipa idoverrideuser-remove-cert 'Default Trust View' aduser20 --certificate="$(cat /tmp/ipauser1.crt|sed '/CERT/d'|tr -d '\r\n')"
------------------------------------------------------------------
Removed certificates from idoverrideuser "aduser20"
------------------------------------------------------------------
  Anchor to override: aduser20

6. sss_cache -E

7.  Object is not displayed since cert has been removed.
[root@master ~]#     dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/ipauser1.crt)" uint32:10
method return time=1535028736.269931 sender=:1.1717 -> destination=:1.1725 serial=15 reply_serial=2
   array [
   ]

[root@master httpd]# dbus-send --print-reply --system --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users/ipaad2016_2etest/1577608160 org.freedesktop.DBus.Properties.Get string:org.freedesktop.sssd.infopipe.Users.User string:name
method return time=1535030667.990435 sender=:1.1740 -> destination=:1.1747 serial=13 reply_serial=2
   variant       string "aduser20"

Comment 8 errata-xmlrpc 2018-10-30 10:41:19 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2018:3158

Note You need to log in before you can comment on or make changes to this bug.