SSSD can't process GPO from Active Directory when it contains lines with no equal sign

Bug #1641203 reported by Anders Sandblad on 2016-11-11
This bug affects 2 people
Affects                  Importance   Assigned to
ding-libs (Ubuntu)       Undecided    Unassigned
  Xenial                 Medium       Unassigned
  Yakkety                Undecided    Unassigned
sssd (Ubuntu)            Medium       Unassigned
  Xenial                 Medium       Unassigned
  Yakkety                Undecided    Unassigned

Bug Description

[Impact]
This bug hits users who are joined to a domain server (probably MS Active Directory) where there is a GPO line that doesn't contain an equal sign (=). See more info in the upstream bug report linked below. This could be rather common in corporate environments and is normally nothing you "fix" on the domain controller side to be able to use SSSD clients. This means all clients that upgrade to 16.04 using SSSD with a GPO containing a line without an equal sign will be affected.

[Test Case]
Steps to reproduce (you'll need a domain server with a GPO containing a line without an equal sign!):
- Install:
apt install krb5-user samba sssd ntp
- Make sure the default realm is set up properly (FQDN in uppercase):
dpkg-reconfigure krb5-config
- Set up /etc/samba/smb.conf like this: https://paste.ubuntu.com/24407627/
- Set up /etc/sssd/sssd.conf like this: https://paste.ubuntu.com/24407643/
- File permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
- Restart services:
sudo service ntp restart
sudo service smbd restart
sudo service nmbd restart
- Join domain with:
sudo net ads join -U "<email address hidden>" "createcomputer=Servers/Virtual" osName=Ubuntu osVer=16.04
- Start SSSD:
sudo service sssd start
- Verify:
getent passwd <email address hidden>
- Add creation of home directories on login (check the unchecked box):
sudo pam-auth-update

- Now try to login to the server with a domain user:
arune@d152:~$ ssh <email address hidden>@server.domain.com
- This should fail and you'll find in the logs:
grep "ad_gpo_store_policy_settings" /var/log/sssd/*
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)

[Regression Potential]
The current state of SSSD in Xenial is broken for _some_ users (where the GPO has a line without an equal sign); it is _not known_ how many users are affected. A potential regression could mean even more users are affected by a new unknown bug.

Upstream bug report and patch: https://fedorahosted.org/sssd/ticket/2751

Please backport to xenial.
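The log lines above show the failure mode: ding-libs' INI parser rejects the whole GptTmpl.inf on the first section line that is not key=value, and because sssd's GPO access control fails closed, every domain logon on that client is denied. The following is an added example, not code from sssd, ding-libs or the reporter. It parses a constructed GptTmpl.inf (made-up SIDs, one deliberately broken line) in a strict mode that reproduces the error, and in a tolerant mode that skips non key=value lines the way the fixed parser does, then extracts the logon rights sssd evaluates. It also scans a cache directory for templates a strict parser would reject, so a client can be checked before it is upgraded; the path /var/lib/sss/gpo_cache is the one from the log above, the function and file names are this example's own.

```python
"""Parse a GPO security template (GptTmpl.inf) strictly and tolerantly.

Added example, not code from sssd or ding-libs. Strict mode models the
failure in the bug: a non key=value line inside a section stops parsing,
and because sssd fails closed, domain logons are denied. Tolerant mode
models the fixed behaviour (skip such lines).
"""
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed sample for this example, not the reporter's real GPO: the SIDs
# are made up, and line 9 deliberately has no equal sign.
SAMPLE_GPT_TMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105
SeRemoteInteractiveLogonRight = *S-1-5-32-544
This line has no equal sign and stops a strict INI parser
SeDenyInteractiveLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-513
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
"""

# Logon rights sssd's GPO-based access control evaluates for a login.
LOGON_RIGHTS = (
    "SeInteractiveLogonRight",
    "SeRemoteInteractiveLogonRight",
    "SeDenyInteractiveLogonRight",
    "SeDenyRemoteInteractiveLogonRight",
)


class IniParseError(ValueError):
    """Raised in strict mode on a non key=value line (the ding-libs error in the log)."""


def decode_gpt_tmpl(raw: bytes) -> str:
    """Windows writes GptTmpl.inf as UTF-16 with a BOM; accept that or UTF-8."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def _classify(line: str) -> str:
    s = line.strip()
    if not s or s[0] in ";#":
        return "skip"
    if s.startswith("[") and s.endswith("]"):
        return "section"
    return "kvp" if "=" in s else "non_kvp"


def find_non_kvp_lines(text: str) -> List[Tuple[int, str]]:
    """1-based line numbers (and text) of lines a strict parser rejects."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if _classify(l) == "non_kvp"]


def parse_gpt_tmpl(text: str, ignore_non_kvp: bool = False) -> Dict[str, Dict[str, str]]:
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for lineno, line in enumerate(text.splitlines(), 1):
        kind, s = _classify(line), line.strip()
        if kind == "skip":
            continue
        if kind == "section":
            current = s[1:-1]
            sections.setdefault(current, {})
            continue
        if kind == "non_kvp":
            if ignore_non_kvp:
                continue  # fixed behaviour: drop the line, keep the policy
            raise IniParseError(f"Error on line {lineno}: Equal sign is missing.")
        key, _, value = s.partition("=")  # split on the first '=' only
        sections.setdefault(current, {})[key.strip()] = value.strip()
    return sections


def strict_parse_error(text: str) -> Optional[str]:
    """Message the strict parser would log for text, or None if it parses."""
    try:
        parse_gpt_tmpl(text)
    except IniParseError as err:
        return str(err)
    return None


def logon_rights(sections: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """SIDs per logon right; in the template each SID carries a '*' prefix."""
    rights = sections.get("Privilege Rights", {})
    return {name: [sid.strip().lstrip("*") for sid in rights.get(name, "").split(",")
                   if sid.strip()]
            for name in LOGON_RIGHTS}


def scan_gpo_cache(root: str) -> Dict[str, List[Tuple[int, str]]]:
    """Cached GptTmpl.inf files under root (e.g. /var/lib/sss/gpo_cache, read as
    root) that a strict parser would reject, with the offending lines."""
    hits: Dict[str, List[Tuple[int, str]]] = {}
    for path in Path(root).rglob("GptTmpl.inf"):
        bad = find_non_kvp_lines(decode_gpt_tmpl(path.read_bytes()))
        if bad:
            hits[str(path)] = bad
    return hits


if __name__ == "__main__":
    print("strict parser:", strict_parse_error(SAMPLE_GPT_TMPL))
    print(logon_rights(parse_gpt_tmpl(SAMPLE_GPT_TMPL, ignore_non_kvp=True)))
```

Running the block prints the strict error for line 9 and then the rights the tolerant parse yields; note that the tolerant parse drops the offending line but keeps every SeDeny* entry that follows it, which is the reason "ignore" rather than "stop at the first bad line" is the right fix for an access-control input.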

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Looks like the commit wanted is 21a28c in sssd, which is present in 1.14.2 but not 1.13.4. So this is Fix Committed as 1.14.2 is in zesty-proposed.

Additionally it looks like backports of fbaaf4, 9591b1 and 8481bb are needed to ding-libs. These are present in 0.6.0 in Zesty but not 0.5.0 in Xenial and Yakkety. So this is Fix Released for Zesty, and open in Xenial.

For a fix for an existing stable release, please comment with a justification against https://wiki.ubuntu.com/StableReleaseUpdates#When and complete steps 1 through 4 in https://wiki.ubuntu.com/StableReleaseUpdates#Procedure - and go ahead with all the steps if you can. This needs to be for both ding-libs and sssd. If you could prepare the backports, that would be ideal. Note that the SRU team would need to make a final decision but I think it seems likely that it would be OK in this case.

Changed in ding-libs (Ubuntu):
status: New → Fix Released
Changed in ding-libs (Ubuntu Xenial):
status: New → Triaged
Changed in sssd (Ubuntu):
status: New → Fix Committed
Changed in sssd (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in sssd (Ubuntu):
importance: Undecided → Medium
Changed in ding-libs (Ubuntu Xenial):
importance: Undecided → Medium
Anders Sandblad (arune) on 2017-04-18
description: updated
Anders Sandblad (arune) wrote :

@racb I'm currently testing this.

I've set up a server with 14.04, one with 16.04 and one with 17.04.
14.04: works ok
16.04: I have the error described in this issue
17.04: works ok

So I want to test the sssd and ding-libs from 17.04 on 16.04 but currently I'm not sure how to do that. Should I just set the version in /etc/apt/sources.list to zesty instead of xenial and do an apt update; apt install sssd to get all deps from zesty? Will I get newer ding-libs as well?

Anders Sandblad (arune) wrote :

So I tested upgrading SSSD like this.
- First change all xenial to zesty in /etc/apt/sources.list
- apt update
- apt install sssd

After this, login with a domain user works fine and I found no regression.

See below for log of upgraded/installed packages.

The following package was automatically installed and is no longer required:
  libaio1 libboost-iostreams1.62.0 libboost-random1.62.0 libboost-system1.62.0 libboost-thread1.62.0
Use 'apt autoremove' to remove it.

The following additional packages will be installed:
  dirmngr gnupg gnupg-agent libassuan0 libgcrypt20 libgnutls-openssl27 libgnutls30 libgpg-error0 libgpgme11 libini-config5 libipa-hbac0 libksba8 libldb1 libnpth0 libreadline7 libsmbclient
  libsss-idmap0 libtasn1-6 libwbclient0 pinentry-curses python-ldb python-samba python-sss python-talloc python3-software-properties samba samba-common samba-common-bin samba-dsdb-modules
  samba-libs software-properties-common sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

Suggested packages:
  tor parcimonie xloadimage rng-tools gnutls-bin gpgsm pinentry-doc python-gpgme bind9 bind9utils ctdb ldb-tools ntp | chrony smbldap-tools winbind heimdal-clients adcli sssd-tools
  libsasl2-modules-ldap

Recommended packages:
  gnupg-l10n samba-vfs-modules

The following packages will be REMOVED:
  samba-vfs-modules

The following NEW packages will be installed:
  dirmngr gnupg-agent libassuan0 libgpgme11 libksba8 libnpth0 libreadline7 pinentry-curses

The following packages will be upgraded:
  gnupg libgcrypt20 libgnutls-openssl27 libgnutls30 libgpg-error0 libini-config5 libipa-hbac0 libldb1 libsmbclient libsss-idmap0 libtasn1-6 libwbclient0 python-ldb python-samba python-sss
  python-talloc python3-software-properties samba samba-common samba-common-bin samba-dsdb-modules samba-libs software-properties-common sssd sssd-ad sssd-ad-common sssd-common sssd-ipa
  sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

32 upgraded, 8 newly installed, 1 to remove and 402 not upgraded.
Need to get 12.5 MB of archives.
After this operation, 4050 kB of additional disk space will be used.

Anders Sandblad (arune) wrote :

I can't manage to make a debdiff so I just upload the patches I've used for Xenial to fix this bug.

Anders Sandblad (arune) wrote :

Second patch for ding-libs.

Anders Sandblad (arune) wrote :

Third and last patch for ding-libs.

Anders Sandblad (arune) wrote :

This is the patch for sssd (Xenial).

Timo Aaltonen (tjaalton) wrote :

sssd and ding-libs are managed in pkg-sssd git on git.debian.org, and sssd 1.13.5 should be released soon with the fix

ding-libs OTOH probably needs to be patched, instead of backporting 0.6..

Timo Aaltonen (tjaalton) wrote :

sssd in 17.04 works

Changed in sssd (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

I've uploaded a patched ding-libs to the SRU queue

Changed in ding-libs (Ubuntu Xenial):
status: Triaged → In Progress
Anders Sandblad (arune) wrote :

Thanks Timo

Can you clarify "1.13.5 should be released soon with the fix", for Xenial I suppose?

Shouldn't the patched ding-libs show up on
http://reqorts.qa.ubuntu.com/reports/sponsoring/index.html ?

Timo Aaltonen (tjaalton) wrote :

xenial and maybe yakkety

I'm a core-dev so can upload directly. An SRU team member (someone other than me) needs to ack it though before it's built and pushed to -proposed..

Hello Anders, or anyone else affected,

Accepted ding-libs into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ding-libs/0.5.0-1ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ding-libs (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ding-libs (Ubuntu Yakkety):
status: New → Triaged
Steve Langasek (vorlon) wrote :

ding-libs is at the same version in xenial and yakkety, so we should be able to forward-copy the binaries once verified.

sssd should have an upload for yakkety as well as xenial.

Changed in sssd (Ubuntu Yakkety):
status: New → Triaged

As part of a recent change in the Stable Release Update verification policy we would like to inform you that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series of the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!
