sssd can't parse GPT.INI if it contains non-ASCII characters
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
sssd |
Fix Released
|
Unknown
|
|||
sssd (Ubuntu) |
Fix Released
|
Medium
|
Sergio Durigan Junior | ||
Focal |
Fix Released
|
Medium
|
Sergio Durigan Junior | ||
Jammy |
Fix Released
|
Medium
|
Sergio Durigan Junior |
Bug Description
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/
server# systemctl disable --now systemd-
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/
server# echo -n -e "\ndisplayName=
server# mkdir -p MACHINE/
server# cat > MACHINE/
[Unicode]
Unicode=yes
[Version]
signature=
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd <email address hidden>
<email address hidden>
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd <email address hidden>
<email address hidden>
Now, try to login as the user:
client# login <email address hidden>
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_
If you're testing this on Focal, you will also need to edit /etc/sssd/sssd.conf and, inside the "[domain...]" section, add the following line:
debug = 2
Otherwise the /var/log/
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
Although the problem seems somewhat simple to overcome, the patch is not entirely trivial. It involves parsing the GPT.INI file, determining the location of the non-ASCII characters, and finally ignoring them. It is not likely, but also not impossible that this new parser doesn't handle some obscure corner case very well, and we end up discarding more than we'd like from GPT.INI.
Related branches
- Andreas Hasenack: Approve
- git-ubuntu bot: Approve
- Canonical Server Reporter: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server: Pending requested
-
Diff: 448 lines (+372/-6)10 files modifieddebian/changelog (+18/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+169/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch (+22/-0)
debian/patches/series (+3/-0)
debian/python3-libipa-hbac.install (+1/-1)
debian/python3-libsss-nss-idmap.install (+1/-1)
debian/python3-sss.install (+3/-3)
debian/rules (+2/-0)
debian/sssd-tools.install (+1/-1)
- git-ubuntu bot: Approve
- Andreas Hasenack: Approve
- Canonical Server packageset reviewers: Pending requested
-
Diff: 362 lines (+334/-0)4 files modifieddebian/changelog (+10/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+170/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/series (+2/-0)
description: | updated |
Changed in sssd: | |
status: | Unknown → Fix Released |
Changed in sssd (Ubuntu Focal): | |
status: | New → Confirmed |
importance: | Undecided → Medium |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in sssd (Ubuntu Focal): | |
status: | Confirmed → In Progress |
Changed in sssd (Ubuntu Jammy): | |
status: | Confirmed → In Progress |
tags: |
added: verification-done-focal removed: verification-needed-focal |
tags: |
added: verification-done removed: verification-needed |
Changed in sssd (Ubuntu): | |
status: | Fix Committed → Fix Released |
tags: | removed: server-todo |
This has been fixed upstream by https:/ /github. com/SSSD/ sssd/commit/ d241b5529141975 3ce3e961a1b201d 62f7851513.
The fix is part of sssd 2.7.1-2, which is currently sitting on kinetic-proposed.