2016-11-11 19:08:24 |
Anders Sandblad |
bug |
|
|
added bug |
2016-11-28 11:13:55 |
Robie Basak |
bug task added |
|
ding-libs (Ubuntu) |
|
2016-11-28 11:14:09 |
Robie Basak |
nominated for series |
|
Ubuntu Xenial |
|
2016-11-28 11:14:09 |
Robie Basak |
bug task added |
|
sssd (Ubuntu Xenial) |
|
2016-11-28 11:14:09 |
Robie Basak |
bug task added |
|
ding-libs (Ubuntu Xenial) |
|
2016-11-28 11:14:21 |
Robie Basak |
ding-libs (Ubuntu): status |
New |
Fix Released |
|
2016-11-28 11:14:24 |
Robie Basak |
ding-libs (Ubuntu Xenial): status |
New |
Triaged |
|
2016-11-28 11:14:27 |
Robie Basak |
sssd (Ubuntu): status |
New |
Fix Committed |
|
2016-11-28 11:14:30 |
Robie Basak |
sssd (Ubuntu Xenial): status |
New |
Triaged |
|
2016-11-28 11:14:32 |
Robie Basak |
sssd (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2016-11-28 11:14:34 |
Robie Basak |
sssd (Ubuntu): importance |
Undecided |
Medium |
|
2016-11-28 11:14:37 |
Robie Basak |
ding-libs (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2016-11-28 11:14:49 |
Robie Basak |
bug |
|
|
added subscriber Ubuntu Server Team |
2017-04-18 14:06:36 |
Anders Sandblad |
description |
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/mydomain.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Fri Nov 11 14:55:52 2016) [sssd[be[MYDOMAIN.COM]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Input/output error) [Internal Error]
Upstreams bugreport and patch: https://fedorahosted.org/sssd/ticket/2751
Please backport to xenial. |
[Impact]
This bug hits users who is joined to a domain server (probably MS Active Directory) where there is a GPO line that doesn't contain an equal sign (=). See more info in the upstreams bug report linked below. This could be rather common in corporate environments and normally nothing you "fix" on the domain controller side to be able to use SSSD clients. This means all clients that upgrades to 16.04 using SSSD with a GPO containing a line without equal sign will be affected.
[Test Case]
Steps to reproduce (you'll need a domain server with GPO containing a line withouth equal sign!):
- Install:
apt install krb5-user samba sssd ntp
- Make sure the default realm is setup properly (FQDN in uppercase):
dpkg-reconfigure krb5-config
- Set up /etc/samba/smb.conf like this: https://paste.ubuntu.com/24407627/
- Set up /etc/sssd/sssd.conf like this: https://paste.ubuntu.com/24407643/
- File permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
- Restart services:
sudo service ntp restart
sudo service smbd restart
sudo service nmbd restart
- Join domain with:
sudo net ads join -U "administrator@DOMAIN.COM" "createcomputer=Servers/Virtual" osName=Ubuntu osVer=16.04
- Start SSSD:
sudo service sssd start
- Verify:
getent passwd Administrator@QRTECH.SE
- Add creation of home directories on login (check the unchecked box):
sudo pam-auth-update
- Now try to login to the server with a domain user:
arune@d152:~$ ssh arune@domain.com@server.domain.com
- This should fail and you'll find in the logs:
grep "ad_gpo_store_policy_settings" /var/log/sssd/*
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)
[Regression Potential]
The current state of SSSD in Xenial is broken for _some_ users (where the GPO has a line without equal sign) it's _not known_ how many users are affected. A potential regression could mean even more users are affected by a new unknown bug.
Upstreams bugreport and patch: https://fedorahosted.org/sssd/ticket/2751
Please backport to xenial. |
|
2017-04-25 06:44:27 |
Anders Sandblad |
attachment added |
|
Patch for ding-libs https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1641203/+attachment/4867680/+files/ini_parse_add_missing_trace_flow_exit.diff |
|
2017-04-25 06:45:13 |
Anders Sandblad |
attachment added |
|
Patch for ding-libs https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1641203/+attachment/4867681/+files/ini_add_ini_parse_ignore_non_kvp_flag.diff |
|
2017-04-25 06:45:42 |
Anders Sandblad |
attachment added |
|
Patch for ding-libs https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1641203/+attachment/4867682/+files/add_unit_test_for_ini_parse_ignore_non_kvp.diff |
|
2017-04-25 06:47:31 |
Anders Sandblad |
attachment added |
|
Patch for sssd https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1641203/+attachment/4867683/+files/gpo_ignore_non_kvp_lines_if_possible.diff |
|
2017-04-25 07:39:12 |
Timo Aaltonen |
sssd (Ubuntu): status |
Fix Committed |
Fix Released |
|
2017-04-25 09:32:30 |
Timo Aaltonen |
ding-libs (Ubuntu Xenial): status |
Triaged |
In Progress |
|
2017-05-12 04:14:57 |
Steve Langasek |
ding-libs (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2017-05-12 04:14:59 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2017-05-12 04:15:01 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2017-05-12 04:15:06 |
Steve Langasek |
tags |
xenial |
verification-needed xenial |
|
2017-05-12 04:16:38 |
Steve Langasek |
nominated for series |
|
Ubuntu Yakkety |
|
2017-05-12 04:16:38 |
Steve Langasek |
bug task added |
|
sssd (Ubuntu Yakkety) |
|
2017-05-12 04:16:38 |
Steve Langasek |
bug task added |
|
ding-libs (Ubuntu Yakkety) |
|
2017-05-12 04:17:00 |
Steve Langasek |
ding-libs (Ubuntu Yakkety): status |
New |
Triaged |
|
2017-05-12 04:20:13 |
Steve Langasek |
sssd (Ubuntu Yakkety): status |
New |
Triaged |
|
2017-09-14 17:34:38 |
Brian Murray |
ding-libs (Ubuntu Yakkety): status |
Triaged |
Won't Fix |
|
2017-09-14 17:34:45 |
Brian Murray |
sssd (Ubuntu Yakkety): status |
Triaged |
Won't Fix |
|
2018-06-29 15:10:15 |
Ćukasz Zemczak |
ding-libs (Ubuntu Xenial): status |
Fix Committed |
Won't Fix |
|
2021-10-14 19:45:46 |
Sergio Durigan Junior |
sssd (Ubuntu Xenial): status |
Triaged |
Won't Fix |
|