1846778 – [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL

Bug 1846778 - [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be confusing when SSSD was built against OpenSSL

Summary: [RfE] `/usr/libexec/sssd/p11_child` cmdline argument '--nssdb' might be conf...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	sssd
Sub Component:
Version:	8.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Alexey Tikhonov
QA Contact:	Scott Poore
Docs Contact:
URL:
Whiteboard:	sync-to-jira
Depends On:	1881992
Blocks:
TreeView+	depends on / blocked

Reported:	2020-06-14 07:32 UTC by Thorsten Scherf
Modified:	2021-05-18 15:04 UTC (History)
CC List:	10 users (show)
Fixed In Version:	sssd-2.4.0-1.el8
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 15:03:57 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Thorsten Scherf 2020-06-14 07:32:27 UTC

Description of problem:
`/usr/libexec/sssd/p11_child` has the command-line argument `--nssdb`. However, this argument doesn't always mean "NSS database". If SSSD was built in OpenSSL mode (e.g. RHEL 8.x) instead of NSS mode (e.g. RHEL 7.x), then `--nssdb` actually means the CA root certificates in PEM format. It's referred to as both `nss_sb` and `ca_db` in the common source file `p11_child_common.c`.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:
Rename the argument '--nssdb' to something more generic. 

Additional info:

Comment 3 Alexey Tikhonov 2020-07-21 18:35:40 UTC

Upstream PR: https://github.com/SSSD/sssd/pull/5246

Comment 4 Alexey Tikhonov 2020-08-27 14:11:41 UTC

Pushed PR: https://github.com/SSSD/sssd/pull/5246

* `master`
    * a2911482a00dfad79e5f69d42d7e882fc0c717af - Get rid of "NSS DB" references.
    * 266ecc083d5fe9f576b7932a80ecb014d2d25311 - Drop support of libnss as a crypto backend

Comment 12 Scott Poore 2020-11-30 18:42:44 UTC

Verified.

Version ::

sssd-2.4.0-2.el8

Results ::

Verified with automated test run.

...

transport.py               519 DEBUG    RUN ['/usr/libexec/sssd/p11_child', '--pre', '--ca_db=/etc/sssd/pki/sssd_auth_ca_db.pem']
transport.py               563 DEBUG    ipauser1
transport.py               563 DEBUG    /usr/lib64/pkcs11/opensc-pkcs11.so
transport.py               563 DEBUG    0001
transport.py               563 DEBUG    CAC ID Certificate
transport.py               563 DEBUG    MIIEtjCCAx6gAwIBAgIBLjANBgkqhkiG9w0BAQsFADA5MRcwFQYDVQQKDA5TTUFSVENBUkQuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTIwMTEyODE5NDkxMloXDTIyMTEyOTE5NDkxMlowLDEXMBUGA1UECgwOU01BUlRDQVJELlRFU1QxETAPBgNVBAMMCGlwYXVzZXIxMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAz8eNfJJ4fTHhlE+fo2YYANfXphq+xjmaniLVu/CqJBDN4hWHMJB/9puzAwA+X+59X/ScPV9x1aVfblB3BUmH6a82fLXM7BLJ33bJJmmzpv2oHyobY97r9GI+LIaYkROPMXNla6x6LhzG7DsDhBDybUWD9wMUyiAs0SDQMEtoPNn+Mxk4DpVElqRpNyUvzTRpmpFdqRL+QbwRFfjnEOPnY7nJqiTtdEi+0ma+anl61D6GP+/9LF8Y40u/WBVjQqpfbqUDqarTpMNrAtdvu5LHkn4yeJgtA7vwlgvRTZnZ3RA5Qv0EkF+kLhugdRCm/kuVj9+kC5lTosOhrjBxPhaasQIDAQABo4IBVDCCAVAwHwYDVR0jBBgwFoAUBEp9YfHYQYwYR808GLo+33pNrwYwQAYIKwYBBQUHAQEENDAyMDAGCCsGAQUFBzABhiRodHRwOi8vaXBhLWNhLnNtYXJ0Y2FyZC50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB5BgNVHR8EcjBwMG6gNqA0hjJodHRwOi8vaXBhLWNhLnNtYXJ0Y2FyZC50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQU+1K9REuU3j0wyCfUvzaggyvGILYwIgYDVR0RBBswGYEXaXBhdXNlcjFAc21hcnRjYXJkLnRlc3QwDQYJKoZIhvcNAQELBQADggGBAFWXqJroUc4gqQoCRIUKFCXlXO6/Uvu79NPKd5mjFx0tVEjMosuJqoHI7b/3zutRahksFQ+5DX40ePC/d67XO6t8OUHwS9nUjK57Ylo824oiWQqkcCJ53QEMb1DiCZly5HCkMMvYzBazNcYWkjDULN0c5DhNpISKeKylSzRt0oGbsi39iBTI8g3YTP6TUEYRXqvCOxdr682fqM7pxgkIs8mKJS36gPpeP8beO3VrUaU80x+ETYjjsdl/nmrWJZ+wZaleFlSlWUri93gbzjnTjxgU7zrUCrK2Uy8R6QUUyuIhT4owHm8cvCxCZygIJNILSvslXZ2E819xMQ/eyX3wODnVD+yIW5tcqk61QyUIfeqZ6h8h29LtM4Aoaddt/Rp8PiO95OKQldJV1f1r6PGwReZrgWAfHrlGqYXZm2ANYu6Ekx8s4O7tFN8OkcVqB0ZH2ZCZS7W8ibAwQh4rH2h1/6NeQa6FS4brWgDcdGYRBO+8ozXCOPIY7A3Nbx3b76iMWg==
transport.py               217 DEBUG    Exit code: 0

Comment 15 errata-xmlrpc 2021-05-18 15:03:57 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666

Note You need to log in before you can comment on or make changes to this bug.