
GPO application fails with more > 1 host in security filter #7411

Closed
fdalfa opened this issue Jun 6, 2024 · 8 comments
Labels: Bugzilla, Closed: Fixed (Issue was closed as fixed.)

Comments

@fdalfa

fdalfa commented Jun 6, 2024

Hello,

I'm using sssd 2.9.4 on RHEL8 (2.9.4-3.el8_10) with the following scenario: two Linux machines are joined to an MS-AD domain, the machines are in a specific OU with a GPO linked to it, and the GPO has a security filter with the two machines.
The GPO is applied on the first machine and is not applied on the second machine; here is the log from the second one:

(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] examining dacl candidate_gpo_guid:{A8282E6A-7A7A-4148-B9E5-F2C26FB15950}
..
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0400): [RID#7] GPO denied (security);  Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] GPO not applicable to target per security filtering: result of DACL evaluation

A8282E6A-7A7A-4148-B9E5-F2C26FB15950 is GUID of not-applied GPO, S-1-5-21-1384148484-2853517914-4044072970-461 is the SID of the first machine in the filter.
If I remove the first machine from the filter, the GPO is applied as expected:

(2024-06-05 10:17:08): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#6] examining dacl candidate_gpo_guid:{A8282E6A-7A7A-4148-B9E5-F2C26FB15950}
..
(2024-06-05 10:17:08): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#6] GPO applicable to target per security filtering

It looks like the evaluation of the DACL halts on the first non-matching SID.

regards,
Fabrizio

@sumit-bose
Contributor

Hi,

thank you for your report. You have omitted some log lines in your first log snippet; can you send the full snippet?

bye,
Sumit

@fdalfa
Author

fdalfa commented Jun 6, 2024

Sure

(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] examining dacl candidate_gpo_guid:{A8282E6A-7A7A-4148-B9E5-F2C26FB15950}
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-21-1384148484-2853517914-4044072970-512
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-21-1384148484-2853517914-4044072970-512
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-21-1384148484-2853517914-4044072970-519
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-9
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: S-1-5-18
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0400): [RID#7] GPO denied (security);  Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] GPO not applicable to target per security filtering: result of DACL evaluation

FYI the SID of machine where the application of GPO fails is S-1-5-21-1384148484-2853517914-4044072970-5108

@sumit-bose
Contributor

Hi,

thanks, this looks like there is some invalid data or a binary SID in the list where SID strings were expected. Would it be possible to send the full backend log, the gpo_child.log and the cache file /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb? You can send it by email, if you prefer; the user name would be 'sbose' and the email domain is 'redhat.com'.

bye,
Sumit

sumit-bose added a commit to sumit-bose/sssd that referenced this issue Jun 10, 2024
The original primary SID is allocated on a temporary context and must be
moved to a longer-living one to still be available when the SID is
evaluated later in the code.

Resolves: SSSD#7411
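
The two things this thread turns on are the security-filtering decision itself (a client's SID list checked against the GPO's DACL) and what happens to that decision when the SID list points into memory that was released with its temporary context, as the commit message above describes and the `sss_idmap_sid_to_smb_sid() failed for group_sid '^A'` lines show. The following is an added example, not sssd code and not the project's `ad_gpo_evaluate_dacl`: it models the evaluation in Python, validates every SID before matching so that a garbage entry produces an "undetermined" result that the caller treats as a denial (fail closed, which is what the log shows), and adds a small triage helper that separates a genuine policy denial from one preceded by SID conversion failures. The host SIDs are the ones quoted in the log; the Domain Computers and Authenticated Users memberships, the ACE layout, and the `apply_gp` flag are constructed simplifications.

```python
"""Model of GPO security filtering by DACL, plus a triage helper for the
sssd log lines quoted in this issue.  Added example, not sssd code.  SIDs
other than the ones quoted from the log are constructed for illustration."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# S-1-<identifier authority>-<1..15 sub-authorities>
SID_RE = re.compile(r"^S-1-\d+(?:-\d+){1,15}$")

def parse_sid(text: object) -> Optional[str]:
    """Return the SID string if it is well formed, else None.

    Stands in for the string-to-binary conversion (sss_idmap_sid_to_smb_sid
    in sssd) that fails in the log for group_sid '^A': the list pointed into
    memory already released with its temporary context, so the byte read
    back (0x01) is not an 'S-1-...' string at all."""
    if not isinstance(text, str) or not SID_RE.match(text):
        return None
    return text

@dataclass(frozen=True)
class Ace:
    allow: bool     # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    trustee: str    # SID of the principal the ACE is about
    apply_gp: bool  # ACE covers the Apply Group Policy right (simplified)

APPLIED, DENIED, UNDETERMINED = "applied", "denied", "undetermined"

def evaluate_dacl(aces: Iterable[Ace], client_sids: Iterable[str]) -> str:
    """Decide whether a GPO applies to a client that owns client_sids.

    The client's SIDs are validated first: if any is garbage no ACE can be
    matched reliably, so the result is UNDETERMINED and the caller fails
    closed ('Could not determine if ACE is applicable' followed by
    'GPO denied (security)' in the log).  With a valid list the ACEs are
    walked in order: a matching DENY wins at once, a matching ALLOW grants,
    and an ACE whose trustee the client does not hold is skipped rather
    than ending the walk."""
    parsed = [parse_sid(s) for s in client_sids]
    if any(p is None for p in parsed):
        return UNDETERMINED
    owned = set(parsed)
    granted = False
    for ace in aces:
        if not ace.apply_gp:
            continue
        trustee = parse_sid(ace.trustee)
        if trustee is None:
            return UNDETERMINED
        if trustee not in owned:
            continue
        if not ace.allow:
            return DENIED
        granted = True
    return APPLIED if granted else DENIED

def gpo_applies(aces: Iterable[Ace], client_sids: Iterable[str]) -> bool:
    """Fail closed: anything other than an explicit APPLIED keeps the GPO off."""
    return evaluate_dacl(aces, client_sids) == APPLIED

# Constructed scenario mirroring the issue: two hosts in the security filter.
DOMAIN = "S-1-5-21-1384148484-2853517914-4044072970"
HOST_A = DOMAIN + "-4618"           # first machine, quoted in the log
HOST_B = DOMAIN + "-5108"           # second machine, quoted in the log
DOMAIN_COMPUTERS = DOMAIN + "-515"  # well-known RID, constructed membership
AUTHENTICATED_USERS = "S-1-5-11"

SECURITY_FILTER = [
    Ace(True, HOST_A, True),
    Ace(True, HOST_B, True),
    Ace(True, DOMAIN + "-512", False),  # Domain Admins: edit rights only
    Ace(True, "S-1-5-18", False),       # SYSTEM: edit rights only
]
HEALTHY_SIDS = [HOST_B, DOMAIN_COMPUTERS, AUTHENTICATED_USERS]
CORRUPT_SIDS = [HOST_B, "\x01", AUTHENTICATED_USERS]  # dangling-pointer garbage

# Triage for the backend log: was the denial a policy decision, or did the
# client's own SID list fail to convert first (the symptom in this issue)?
IDMAP_FAIL = re.compile(r"sss_idmap_sid_to_smb_sid\(\) failed for group_sid '(.*)': (\d+)")

def triage_denial(log_lines: Iterable[str]) -> str:
    failures: List[str] = []
    denied = False
    for line in log_lines:
        m = IDMAP_FAIL.search(line)
        if m:
            failures.append(m.group(1))
        elif "GPO denied (security)" in line:
            denied = True
    if not denied:
        return "not-denied"
    return "corrupt-sid-list" if failures else "policy-deny"

# Three lines copied from the issue's log (timestamp and domain prefix dropped).
SAMPLE_LOG = [
    "[ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6",
    "[ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable;  Trustee: " + HOST_A,
    "[ad_gpo_evaluate_dacl] (0x0400): [RID#7] GPO denied (security);  Trustee: " + HOST_A,
]

if __name__ == "__main__":
    print(evaluate_dacl(SECURITY_FILTER, HEALTHY_SIDS))  # applied
    print(evaluate_dacl(SECURITY_FILTER, CORRUPT_SIDS))  # undetermined
    print(triage_denial(SAMPLE_LOG))                     # corrupt-sid-list
```

With a healthy SID list the second host is matched by its own ACE even though the first host's ACE comes earlier and does not match; with a corrupted list the same DACL yields no decision and the GPO stays off, which is the pattern the reporter saw. For an operator, the triage result `corrupt-sid-list` is the cue that the denial is a client-side defect rather than a policy choice in AD.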
@alexey-tikhonov
Member

@fdalfa
Author

fdalfa commented Jun 10, 2024

Ciao,

The fix works! Thanks.

regards,
Fabrizio

fdalfa closed this as completed Jun 10, 2024
@alexey-tikhonov
Member

> The fix works! Thanks

Did you build from sources?

(I'll keep the ticket open until the fix is merged into the code base.)

@fdalfa
Author

fdalfa commented Jun 10, 2024

> Did you build from sources?

Honestly no; @sumit-bose kindly sent me some prebuilt packages.

> (I'll keep ticket open until fix is merged into the code base)
(Y)

regards,
Fabrizio

alexey-tikhonov pushed a commit that referenced this issue Jun 14, 2024
The original primary SID is allocated on a temporary context and must be
moved to a longer-living one to still be available when the SID is
evaluated later in the code.

Resolves: #7411

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Tomáš Halman <thalman@redhat.com>
(cherry picked from commit b25e510)
@alexey-tikhonov
Member

Pushed PR: #7421

  • master
    • b25e510 - ad: use right memory context in GPO code
  • sssd-2-9
    • 723a30b - ad: use right memory context in GPO code

alexey-tikhonov added the "Closed: Fixed" label (Issue was closed as fixed.) Jun 14, 2024