| 2022-06-21 17:28:33 |
Sergio Durigan Junior |
bug |
|
|
added bug |
| 2022-06-21 17:28:44 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Jammy |
|
| 2022-06-21 17:28:44 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Jammy) |
|
| 2022-06-21 17:28:49 |
Sergio Durigan Junior |
sssd (Ubuntu): status |
Confirmed |
Fix Released |
|
| 2022-06-21 17:28:52 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): status |
New |
Confirmed |
|
| 2022-06-21 17:28:55 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): importance |
Undecided |
Medium |
|
| 2022-06-21 17:28:57 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
| 2022-06-21 17:29:08 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Ubuntu Server |
| 2022-06-21 17:29:13 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Andreas Hasenack |
| 2022-06-21 17:29:32 |
Sergio Durigan Junior |
bug watch added |
|
https://github.com/SSSD/sssd/issues/4138 |
|
| 2022-06-21 17:29:32 |
Sergio Durigan Junior |
bug task added |
|
sssd |
|
| 2022-06-21 17:30:02 |
Sergio Durigan Junior |
sssd (Ubuntu): status |
Fix Released |
Fix Committed |
|
| 2022-06-21 17:32:17 |
Sergio Durigan Junior |
description |
Placeholder for the SRU template. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
TBD.
[ Where problems could occur ]
TBD. |
|
| 2022-06-21 18:01:08 |
Sergio Durigan Junior |
description |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
TBD.
[ Where problems could occur ]
TBD. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.in << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the following log file:
client# tail -n20 /var/log/sssd/gpo_child.log
* (2022-06-21 17:56:12): [gpo_child[3085]] [unique_filename_destructor] (0x2000): [RID#14] Unlinking [/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI34x4YU]
* (2022-06-21 17:56:12): [gpo_child[3085]] [unlink_dbg] (0x2000): [RID#14] File already removed: [/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI34x4YU]
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0400): [RID#14] ini_filename:/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] Error encountered: 84.
(2022-06-21 17:56:12): [gpo_child[3085]] [perform_smb_operations] (0x0020): [RID#14] Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] Error encountered: 84.
* (2022-06-21 17:56:12): [gpo_child[3085]] [perform_smb_operations] (0x0020): [RID#14] Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] gpo_child failed!
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
* (2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] gpo_child failed!
********************** BACKTRACE DUMP ENDS HERE *********************************
You can see the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
|
| 2022-06-21 18:20:08 |
Bug Watch Updater |
sssd: status |
Unknown |
Fix Released |
|
| 2022-06-21 18:30:15 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/424995 |
|
| 2022-06-21 18:33:32 |
Sergio Durigan Junior |
nominated for series |
|
Ubuntu Focal |
|
| 2022-06-21 18:33:32 |
Sergio Durigan Junior |
bug task added |
|
sssd (Ubuntu Focal) |
|
| 2022-06-21 18:33:38 |
Sergio Durigan Junior |
sssd (Ubuntu Focal): status |
New |
Confirmed |
|
| 2022-06-21 18:33:43 |
Sergio Durigan Junior |
sssd (Ubuntu Focal): importance |
Undecided |
Medium |
|
| 2022-06-21 18:33:45 |
Sergio Durigan Junior |
sssd (Ubuntu Focal): assignee |
|
Sergio Durigan Junior (sergiodj) |
|
| 2022-06-21 18:35:03 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~sergiodj/ubuntu/+source/sssd/+git/sssd/+merge/424996 |
|
| 2022-06-22 14:14:37 |
Sergio Durigan Junior |
description |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.in << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the following log file:
client# tail -n20 /var/log/sssd/gpo_child.log
* (2022-06-21 17:56:12): [gpo_child[3085]] [unique_filename_destructor] (0x2000): [RID#14] Unlinking [/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI34x4YU]
* (2022-06-21 17:56:12): [gpo_child[3085]] [unlink_dbg] (0x2000): [RID#14] File already removed: [/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI34x4YU]
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0400): [RID#14] ini_filename:/var/lib/sss/gpo_cache/test.lan/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] Error encountered: 84.
(2022-06-21 17:56:12): [gpo_child[3085]] [perform_smb_operations] (0x0020): [RID#14] Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-21 17:56:12): [gpo_child[3085]] [ad_gpo_parse_ini_file] (0x0020): [RID#14] Error encountered: 84.
* (2022-06-21 17:56:12): [gpo_child[3085]] [perform_smb_operations] (0x0020): [RID#14] Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
********************** BACKTRACE DUMP ENDS HERE *********************************
(2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] gpo_child failed!
********************** PREVIOUS MESSAGE WAS TRIGGERED BY THE FOLLOWING BACKTRACE:
* (2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
* (2022-06-21 17:56:12): [gpo_child[3085]] [main] (0x0020): [RID#14] gpo_child failed!
********************** BACKTRACE DUMP ENDS HERE *********************************
You can see the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.in << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
|
| 2022-06-22 14:17:19 |
Sergio Durigan Junior |
description |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.in << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
|
| 2022-06-22 19:14:46 |
Sergio Durigan Junior |
description |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
TBD. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
Although the problem seems somewhat simple to overcome, the patch is not entirely trivial. It involves parsing the GPT.INI file, determining the location of the non-ASCII characters, and finally ignoring them. It is not likely, but also not impossible that this new parser doesn't handle some obscure corner case very well, and we end up discarding more than we'd like from GPT.INI. |
|
| 2022-06-22 22:01:40 |
Sergio Durigan Junior |
description |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
Although the problem seems somewhat simple to overcome, the patch is not entirely trivial. It involves parsing the GPT.INI file, determining the location of the non-ASCII characters, and finally ignoring them. It is not likely, but also not impossible that this new parser doesn't handle some obscure corner case very well, and we end up discarding more than we'd like from GPT.INI. |
[ Impact ]
When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.
server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.
server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._tcp.sambadc.test.lan
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd Administrator@TEST.LAN
administrator@test.lan:*:1522000500:1522000513:Administrator:/home/administrator@test.lan:/bin/bash
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd testuser@TEST.LAN
testuser@test.lan:*:1522001104:1522000513:testuser:/home/testuser@test.lan:/bin/bash
Now, try to login as the user:
client# login testuser@TEST.LAN
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").
Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:
(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'
If you're testing this on Focal, you will also need to edit /etc/sssd/sssd.conf and, inside the "[domain...]" section, add the following line:
debug = 2
Otherwise the /var/log/sssd/gpo_child.log file will be empty.
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
Although the problem seems somewhat simple to overcome, the patch is not entirely trivial. It involves parsing the GPT.INI file, determining the location of the non-ASCII characters, and finally ignoring them. It is not likely, but also not impossible that this new parser doesn't handle some obscure corner case very well, and we end up discarding more than we'd like from GPT.INI. |
|
| 2022-06-22 22:05:00 |
Sergio Durigan Junior |
sssd (Ubuntu Focal): status |
Confirmed |
In Progress |
|
| 2022-06-22 22:05:12 |
Sergio Durigan Junior |
sssd (Ubuntu Jammy): status |
Confirmed |
In Progress |
|
| 2022-07-01 20:20:52 |
Steve Langasek |
sssd (Ubuntu Jammy): status |
In Progress |
Fix Committed |
|
| 2022-07-01 20:20:53 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2022-07-01 20:20:57 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
| 2022-07-01 20:21:01 |
Steve Langasek |
tags |
server-todo |
server-todo verification-needed verification-needed-jammy |
|
| 2022-07-01 20:22:32 |
Steve Langasek |
sssd (Ubuntu Focal): status |
In Progress |
Incomplete |
|
| 2022-07-02 00:02:15 |
Andreas Hasenack |
tags |
server-todo verification-needed verification-needed-jammy |
server-todo verification-done-jammy verification-needed |
|
| 2022-07-06 06:31:33 |
Chris Halse Rogers |
sssd (Ubuntu Focal): status |
Incomplete |
Fix Committed |
|
| 2022-07-06 06:31:42 |
Chris Halse Rogers |
tags |
server-todo verification-done-jammy verification-needed |
server-todo verification-done-jammy verification-needed verification-needed-focal |
|
| 2022-07-06 14:23:41 |
Andreas Hasenack |
tags |
server-todo verification-done-jammy verification-needed verification-needed-focal |
server-todo verification-done-focal verification-done-jammy verification-needed |
|
| 2022-07-12 23:17:46 |
Launchpad Janitor |
sssd (Ubuntu Jammy): status |
Fix Committed |
Fix Released |
|
| 2022-07-12 23:18:14 |
Brian Murray |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
| 2022-07-13 15:04:50 |
Sergio Durigan Junior |
tags |
server-todo verification-done-focal verification-done-jammy verification-needed |
server-todo verification-done verification-done-focal verification-done-jammy |
|
| 2022-08-03 04:16:33 |
Launchpad Janitor |
sssd (Ubuntu Focal): status |
Fix Committed |
Fix Released |
|
| 2022-08-03 15:09:58 |
Sergio Durigan Junior |
sssd (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2022-08-03 15:10:19 |
Sergio Durigan Junior |
tags |
server-todo verification-done verification-done-focal verification-done-jammy |
verification-done verification-done-focal verification-done-jammy |
|
