sssd 2.3.0 breaks AD auth due to GPO parsing failure #5183

Closed
sumit-bose opened this issue May 28, 2020 · 4 comments
Assignees: sumit-bose
Labels: Bugzilla; Closed: Fixed (Issue was closed as fixed.)

Comments

@sumit-bose (Contributor):

Ticket was cloned from Red Hat Bugzilla (product Fedora): Bug 1840908

Created attachment 1692858
sssd log file during a failed SSH authentication attempt

**Description of problem**:

After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd
authentication via AD no longer works. For example, logging in via SSH fails
with:

    pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error)

The sssd logs (included as attachment) indicate that GPO parsing may be causing
the issue:

    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed


**Version-Release number of selected component (if applicable)**:

sssd-2.3.0-1.fc32.x86_64


**How reproducible**:

Always


**Steps to Reproduce**:
1. Join an AD domain with "realm join <domain> -U <user>"
2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and
restart sssd
3. Try to SSH into the machine and note the generic PAM auth error in journald
and the GPO parsing error in the sssd logs
4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the
"[domain/<domain>]" section of sssd.conf and restart sssd
5. Notice that authentication now works


**Additional info**:

Nothing has been changed on the AD server side of things during the upgrade
from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around
the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf.

Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD
installation on the server side and I have never configured any GPOs.
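What ad_gpo_parse_sd() is pulling, as an added example (this is editor-written code, not sssd's or Samba's): a parser for the self-relative security descriptor stored in a GPO's nTSecurityDescriptor attribute, written in Python against the MS-DTYP layouts, followed by the check GPO access control makes on it, whether the computer's SIDs hold the "Apply Group Policy" extended right (object GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939). The SIDs, the sample descriptor and the corrupted copy are constructed for the example; the deny-wins evaluation in gpo_applies() is a deliberate simplification of the Windows algorithm. The failure mode in the report is the one pull_sd_or_none() models: when the pull of any nested structure fails, the caller gets no descriptor at all, and with ad_gpo_access_control at its enforcing default that surfaces as an error on every login rather than as a policy decision.

```python
"""Self-relative Windows security descriptor parser (MS-DTYP layouts) and the
"Apply Group Policy" check GPO access control makes against a GPO's nTSecurityDescriptor.
Added example, not sssd code: ad_gpo_parse_sd() pulls the same structures through Samba NDR."""
import struct
import uuid

SE_SELF_RELATIVE, SE_DACL_PRESENT = 0x8000, 0x0004
RIGHT_DS_CONTROL_ACCESS = 0x100                 # access-mask bit that carries extended rights
APPLY_GROUP_POLICY = uuid.UUID("edacfd8f-ffb3-11d1-b41d-00a0c968f939")
OBJ_TYPE_PRESENT, INHERITED_OBJ_TYPE_PRESENT = 0x1, 0x2
ALLOW_TYPES, DENY_TYPES = {0x00, 0x05}, {0x01, 0x06}   # ACCESS_*_ACE and ACCESS_*_OBJECT_ACE

class SdParseError(ValueError): """A pull failure: the descriptor cannot be trusted."""

def _unpack(fmt, buf, off):
    """struct.unpack_from with an explicit bounds check that reports a parse error."""
    if off < 0 or off + struct.calcsize(fmt) > len(buf):
        raise SdParseError("need %d bytes at offset %d, have %d" % (struct.calcsize(fmt), off, len(buf)))
    return struct.unpack_from(fmt, buf, off)

def parse_sid(buf, off):
    rev, count, auth = _unpack("<BB6s", buf, off)          # 48-bit authority is big-endian
    if rev != 1 or count > 15:
        raise SdParseError("bad SID header at %d" % off)
    subs = _unpack("<%dI" % count, buf, off + 8)
    return "-".join(["S", "1", str(int.from_bytes(auth, "big"))] + [str(s) for s in subs]), off + 8 + 4 * count

def parse_acl(buf, off):
    """Decode an ACL into ACE dicts, checking each size field against its container."""
    _rev, _sbz1, acl_size, ace_count, _sbz2 = _unpack("<BBHHH", buf, off)
    if off + acl_size > len(buf):
        raise SdParseError("ACL size %d runs past the buffer" % acl_size)
    aces, pos, end = [], off + 8, off + acl_size
    for _ in range(ace_count):
        ace_type, _ace_flags, ace_size, mask = _unpack("<BBHI", buf, pos)
        if ace_size < 8 or pos + ace_size > end:
            raise SdParseError("ACE size %d out of range at %d" % (ace_size, pos))
        body, object_type = pos + 8, None
        if ace_type in (0x05, 0x06):            # object ACEs carry flags and up to two GUIDs
            obj_flags, body = _unpack("<I", buf, body)[0], body + 4
            if obj_flags & OBJ_TYPE_PRESENT:
                object_type, body = uuid.UUID(bytes_le=_unpack("<16s", buf, body)[0]), body + 16
            body += 16 if obj_flags & INHERITED_OBJ_TYPE_PRESENT else 0   # skip InheritedObjectType
        sid, sid_end = parse_sid(buf, body)
        if sid_end > pos + ace_size:
            raise SdParseError("SID overruns ACE at %d" % pos)
        aces.append({"type": ace_type, "mask": mask, "object_type": object_type, "sid": sid})
        pos += ace_size                         # advance by AceSize; ACEs may be padded
    return aces

def parse_sd(buf):
    rev, _, control, o_owner, _, _, o_dacl = _unpack("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise SdParseError("not a revision-1 self-relative descriptor")
    owner = parse_sid(buf, o_owner)[0] if o_owner else None
    dacl = parse_acl(buf, o_dacl) if control & SE_DACL_PRESENT and o_dacl else []
    return {"owner": owner, "dacl": dacl}

def pull_sd_or_none(buf):
    """Caller's view: a failed pull yields no descriptor, hence no policy decision at all."""
    try:
        return parse_sd(buf)
    except SdParseError:
        return None

def gpo_applies(sd, sids):
    """Does the DACL grant Apply Group Policy to any SID in `sids`? Simplified evaluation
    (an assumption, not the full MS-DTYP walk): a matching deny wins, else any matching allow grants."""
    granted = False
    for ace in sd["dacl"]:
        if ace["sid"] not in sids or not ace["mask"] & RIGHT_DS_CONTROL_ACCESS:
            continue
        if ace["object_type"] not in (None, APPLY_GROUP_POLICY):
            continue                            # extended right on some other object type
        if ace["type"] in DENY_TYPES:
            return False
        granted = granted or ace["type"] in ALLOW_TYPES
    return granted

# Constructed sample descriptor (assumed SIDs; nothing captured from a real domain).
def _sid_bytes(sid):
    p = sid.split("-")                          # ["S", "1", authority, sub, ...]
    subs = [int(x) for x in p[3:]]
    return struct.pack("<BB", 1, len(subs)) + int(p[2]).to_bytes(6, "big") + struct.pack("<%dI" % len(subs), *subs)

def _object_ace(ace_type, mask, obj, sid):
    body = struct.pack("<II", mask, OBJ_TYPE_PRESENT) + obj.bytes_le + _sid_bytes(sid)
    return struct.pack("<BBH", ace_type, 0, 4 + len(body)) + body

def _self_relative_sd(owner, aces):
    acl = struct.pack("<BBHHH", 4, 0, 8 + sum(map(len, aces)), len(aces), 0) + b"".join(aces)
    owner_b = _sid_bytes(owner)
    return struct.pack("<BBHIIII", 1, 0, SE_SELF_RELATIVE | SE_DACL_PRESENT, 20, 0, 0, 20 + len(owner_b)) + owner_b + acl

AUTHENTICATED_USERS, DOMAIN = "S-1-5-11", "S-1-5-21-1004336348-1177238915-682003330"
DOMAIN_COMPUTERS, DOMAIN_ADMINS = DOMAIN + "-515", DOMAIN + "-512"
SAMPLE_SD = _self_relative_sd(DOMAIN_ADMINS, [
    _object_ace(0x05, RIGHT_DS_CONTROL_ACCESS, APPLY_GROUP_POLICY, AUTHENTICATED_USERS),  # allow
    _object_ace(0x06, RIGHT_DS_CONTROL_ACCESS, APPLY_GROUP_POLICY, DOMAIN_COMPUTERS),     # deny
])
BROKEN_SD = bytearray(SAMPLE_SD)                # first ACE header now claims more than its ACL holds
struct.pack_into("<H", BROKEN_SD, 20 + len(_sid_bytes(DOMAIN_ADMINS)) + 8 + 2, 0x1000)
```

Two points worth taking from this. First, parse_acl() advances by AceSize rather than by the bytes it consumed: ACEs may carry trailing padding, and a pull routine that assumes the two are equal desynchronises on the next ACE, which is the kind of bookkeeping mismatch that turns one bad field into an unparseable descriptor. Second, the permissive workaround from the report keeps evaluating GPOs but stops enforcing the result, so any logon restrictions delivered through GPO are only logged while it is in place; treat it as a stop-gap until the fixed build is installed, not as a setting to leave behind.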
@sumit-bose (Contributor, Author):

Issue linked to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1840908

@sumit-bose sumit-bose self-assigned this May 28, 2020
sumit-bose added a commit to sumit-bose/sssd that referenced this issue May 28, 2020
This patch adds another update to the ndr code which was previously
updated by commits c031add and 1fdd8fa.

A missing update in ndr_pull_security_ace() caused
a failure in ad_gpo_parse_sd(). A unit test for ad_gpo_parse_sd() was
added to prevent similar issues in the future.

Resolves: SSSD#5183
@alexey-tikhonov (Member):

Issue linked to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1843872

@pbrezina (Member) commented Jun 5, 2020:

Pushed PR: #5184

  • master
    • a7c7556 - ad_gpo_ndr.c: more ndr updates

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Jun 5, 2020
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue Feb 5, 2021
This patch adds another update to the ndr code which was previously
updated by commits c031add and 1fdd8fa.

A missing update in ndr_pull_security_ace() caused
a failure in ad_gpo_parse_sd(). A unit test for ad_gpo_parse_sd() was
added to prevent similar issues in the future.

Resolves: SSSD#5183

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a7c7556)
pbrezina pushed a commit that referenced this issue Feb 19, 2021
This patch adds another update to the ndr code which was previously
updated by commits c031add and 1fdd8fa.

A missing update in ndr_pull_security_ace() caused
a failure in ad_gpo_parse_sd(). A unit test for ad_gpo_parse_sd() was
added to prevent similar issues in the future.

Resolves: #5183

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit a7c7556)

Reviewed-by: Pavel Březina <pbrezina@redhat.com>
@pbrezina (Member):

Pushed PR: #5493

  • sssd-1-16
    • f8fd5e8 - Makefile.am: get rid of libsss_nss_idmap_tests
    • e5f833f - BUILD: fixes gpo_child linking issue
    • 9039fcf - sss_nss_idmap-tests: fixed error in iteration over test_data
    • 9871d7c - Makefile: add missing '-fno-lto' to some tests
    • 59da80b - Makefile: add missing '-fno-lto' to some tests
    • 8ea7d65 - cmocka based tests: explicitly turn LTO off
    • 8b2bcae - BUILD: Accept krb5 1.19 for building the PAC plugin
    • bcf8ca8 - nss: Collision with external nss symbol
    • 6b47187 - python-test.py: Do not use letter similar to numbers
    • 9c290dc - INTG: Do not use letter similar to numbers in python code
    • edb1e38 - Improve samba version check for ndr_pull_steal_switch_value signature
    • d5809f6 - ad_gpo_ndr.c: more ndr updates
    • 5285a18 - ad_gpo_ndr.c: refresh ndr_ methods from samba-4.12
    • 3ba88c3 - Use ndr_pull_steal_switch_value for modern samba versions
    • a629df5 - Fix build failure against samba 4.12.0rc1
