SSSD can't process GPO from Active Directory when it contains lines with no equal sign

Bug #1641203 reported by Anders Sandblad
This bug affects 3 people
Affects              Status        Importance  Assigned to  Milestone
ding-libs (Ubuntu)   Fix Released  Undecided   Unassigned
  Xenial             Won't Fix     Medium      Unassigned
  Yakkety            Won't Fix     Undecided   Unassigned
sssd (Ubuntu)        Fix Released  Medium      Unassigned
  Xenial             Won't Fix     Medium      Unassigned
  Yakkety            Won't Fix     Undecided   Unassigned

Bug Description

[Impact]
This bug hits users who are joined to a domain server (probably MS Active Directory) where there is a GPO line that doesn't contain an equal sign (=). See more info in the upstream bug report linked below. This could be rather common in corporate environments and is normally nothing you "fix" on the domain controller side to be able to use SSSD clients. This means all clients that upgrade to 16.04 using SSSD with a GPO containing a line without an equal sign will be affected.

[Test Case]
Steps to reproduce (you'll need a domain server with a GPO containing a line without an equal sign!):
- Install:
apt install krb5-user samba sssd ntp
- Make sure the default realm is setup properly (FQDN in uppercase):
dpkg-reconfigure krb5-config
- Set up /etc/samba/smb.conf like this: https://paste.ubuntu.com/24407627/
- Set up /etc/sssd/sssd.conf like this: https://paste.ubuntu.com/24407643/
- File permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
- Restart services:
sudo service ntp restart
sudo service smbd restart
sudo service nmbd restart
- Join domain with:
sudo net ads join -U "<email address hidden>" "createcomputer=Servers/Virtual" osName=Ubuntu osVer=16.04
- Start SSSD:
sudo service sssd start
- Verify:
getent passwd <email address hidden>
- Add creation of home directories on login (check the unchecked box):
sudo pam-auth-update

- Now try to login to the server with a domain user:
arune@d152:~$ ssh <email address hidden>@server.domain.com
- This should fail and you'll find in the logs:
grep "ad_gpo_store_policy_settings" /var/log/sssd/*
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)

[Regression Potential]
The current state of SSSD in Xenial is broken for _some_ users (where the GPO has a line without an equal sign); it's _not known_ how many users are affected. A potential regression could mean even more users are affected by a new unknown bug.

Upstream bug report and patch: https://fedorahosted.org/sssd/ticket/2751

Please backport to xenial.
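As an added illustration (not part of this bug report, and not code from sssd or ding-libs), the following Python models what the quoted log lines describe: an INI reader in strict mode fails with "Equal sign is missing" on a policy line that carries no '=', while a tolerant mode skips that line, which is the behaviour the fixed packages show further down this report. A second helper pulls the failing cached GPO file, its GUID and the offending line number out of sssd_<DOMAIN>.log lines so the operator knows where to look. The sample GptTmpl.inf content and the `ignore_non_kvp` flag name are this example's own; the log lines are the four quoted in the description.

```python
"""Added illustration of the GptTmpl.inf parse failure in this report (not
sssd or ding-libs code). parse_ini() models ini_config_parse(): strict mode
fails on a key line with no '=' as the 16.04 logs show, tolerant mode skips
it as the fixed packages do. triage_gpo_parse_errors() extracts the failing
GPO file, GPO GUID and line number from sssd_<DOMAIN>.log lines. All sample
data below is constructed for this example."""
import re

# Constructed sample GptTmpl.inf (kept as plain text). Line 9,
# "SeDenyNetworkLogonRight", is the entry with no equal sign.
SAMPLE_GPT_TMPL = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
SeRemoteInteractiveLogonRight = *S-1-5-32-544
SeDenyNetworkLogonRight
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\NoLMHash=4,1
"""

# The four sssd log lines quoted in the bug description.
SAMPLE_SSSD_LOG = [
    "/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]",
    "/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.",
    "/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.",
    "/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)",
]


class IniParseError(Exception):
    """Mirrors the 'Error (5) on line N: ...' message seen in the logs."""

    def __init__(self, lineno, msg):
        super().__init__(f"Error (5) on line {lineno}: {msg}")
        self.lineno = lineno


def parse_ini(text, ignore_non_kvp=False):
    """Parse INI text into {section: {key: value}}.

    ignore_non_kvp=False reproduces the strict behaviour that made
    ad_gpo_store_policy_settings fail; True skips lines lacking '='.
    """
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()  # new section header
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            if ignore_non_kvp:
                continue                  # tolerant mode: drop the bare token
            raise IniParseError(lineno, "Equal sign is missing.")
        key, _, value = line.partition("=")
        if current is None:               # key before any header (this example's choice)
            current = "default"
            sections.setdefault(current, {})
        sections[current][key.strip()] = value.strip()
    return sections


def strict_parse_outcome(text):
    """Return (True, None) on success or (False, failing_lineno) in strict mode."""
    try:
        parse_ini(text, ignore_non_kvp=False)
        return True, None
    except IniParseError as err:
        return False, err.lineno


# Message shapes taken from the log lines quoted in the report.
FAILED_RE = re.compile(
    r"\[ad_gpo_store_policy_settings\] \(0x0020\): \[(?P<path>[^\]]+)\]: "
    r"ini_config_parse failed")
LINE_RE = re.compile(r"Error \((?P<code>\d+)\) on line (?P<lineno>\d+): (?P<msg>.+)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def triage_gpo_parse_errors(log_lines):
    """Pair each 'ini_config_parse failed' line with the 'Error (N) on line M'
    line that follows it: which cached GPO file, and which line in it, to inspect."""
    findings, pending_path = [], None
    for line in log_lines:
        m = FAILED_RE.search(line)
        if m:
            pending_path = m.group("path")
            continue
        m = LINE_RE.search(line)
        if m and pending_path is not None:
            guid = GUID_RE.search(pending_path)
            findings.append({
                "path": pending_path,
                "gpo_guid": guid.group(0) if guid else None,
                "lineno": int(m.group("lineno")),
                "code": int(m.group("code")),
                "msg": m.group("msg").strip(),
            })
            pending_path = None
    return findings


if __name__ == "__main__":
    print("strict:", strict_parse_outcome(SAMPLE_GPT_TMPL))
    print("tolerant:", parse_ini(SAMPLE_GPT_TMPL, ignore_non_kvp=True)["Privilege Rights"])
    for f in triage_gpo_parse_errors(SAMPLE_SSSD_LOG):
        print("inspect", f["path"], "line", f["lineno"], "-", f["msg"])
```

Run as a script, it shows the strict parse stopping at the bare `SeDenyNetworkLogonRight` line, the tolerant parse keeping every other setting in that section, and the triage helper pointing at the cached GptTmpl.inf under the GPO GUID from the logs. Pointing `triage_gpo_parse_errors` at real `/var/log/sssd/sssd_<DOMAIN>.log` lines tells you which file in `/var/lib/sss/gpo_cache` to open and at which line, which is what the `grep` step in the test case is reaching for.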

Robie Basak (racb) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better.

Looks like the commit wanted is 21a28c in sssd, which is present in 1.14.2 but not 1.13.4. So this is Fix Committed as 1.14.2 is in zesty-proposed.

Additionally it looks like backports of fbaaf4, 9591b1 and 8481bb are needed to ding-libs. These are present in 0.6.0 in Zesty but not 0.5.0 in Xenial and Yakkety. So this is Fix Released for Zesty, and open in Xenial.

For a fix for an existing stable release, please comment with a justification against https://wiki.ubuntu.com/StableReleaseUpdates#When and complete steps 1 through 4 in https://wiki.ubuntu.com/StableReleaseUpdates#Procedure - and go ahead with all the steps if you can. This needs to be for both ding-libs and sssd. If you could prepare the backports, that would be ideal. Note that the SRU team would need to make a final decision but I think it seems likely that it would be OK in this case.

Changed in ding-libs (Ubuntu):
status: New → Fix Released
Changed in ding-libs (Ubuntu Xenial):
status: New → Triaged
Changed in sssd (Ubuntu):
status: New → Fix Committed
Changed in sssd (Ubuntu Xenial):
status: New → Triaged
importance: Undecided → Medium
Changed in sssd (Ubuntu):
importance: Undecided → Medium
Changed in ding-libs (Ubuntu Xenial):
importance: Undecided → Medium
Anders Sandblad (arune)
description: updated
Anders Sandblad (arune) wrote :

@racb I'm currently testing this.

I've set up a server with 14.04, one with 16.04 and one with 17.04.
14.04: works ok
16.04: I have the error described in this issue
17.04: works ok

So I want to test the sssd and ding-libs from 17.04 on 16.04 but currently I'm not sure how to do that. Should I just set the version in /etc/apt/sources.list to zesty instead of xenial and do an apt update; apt install sssd to get all deps from zesty? Will I get newer ding-libs as well?

Anders Sandblad (arune) wrote :

So I tested upgrading SSSD like this.
- First change all xenial to zesty in /etc/apt/sources.list
- apt update
- apt install sssd

After this, login with domain user works fine and I found no regression.

See below for log of upgraded/installed packages.

The following package was automatically installed and is no longer required:
  libaio1 libboost-iostreams1.62.0 libboost-random1.62.0 libboost-system1.62.0 libboost-thread1.62.0
Use 'apt autoremove' to remove it.

The following additional packages will be installed:
  dirmngr gnupg gnupg-agent libassuan0 libgcrypt20 libgnutls-openssl27 libgnutls30 libgpg-error0 libgpgme11 libini-config5 libipa-hbac0 libksba8 libldb1 libnpth0 libreadline7 libsmbclient
  libsss-idmap0 libtasn1-6 libwbclient0 pinentry-curses python-ldb python-samba python-sss python-talloc python3-software-properties samba samba-common samba-common-bin samba-dsdb-modules
  samba-libs software-properties-common sssd-ad sssd-ad-common sssd-common sssd-ipa sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

Suggested packages:
  tor parcimonie xloadimage rng-tools gnutls-bin gpgsm pinentry-doc python-gpgme bind9 bind9utils ctdb ldb-tools ntp | chrony smbldap-tools winbind heimdal-clients adcli sssd-tools
  libsasl2-modules-ldap

Recommended packages:
  gnupg-l10n samba-vfs-modules

The following packages will be REMOVED:
  samba-vfs-modules

The following NEW packages will be installed:
  dirmngr gnupg-agent libassuan0 libgpgme11 libksba8 libnpth0 libreadline7 pinentry-curses

The following packages will be upgraded:
  gnupg libgcrypt20 libgnutls-openssl27 libgnutls30 libgpg-error0 libini-config5 libipa-hbac0 libldb1 libsmbclient libsss-idmap0 libtasn1-6 libwbclient0 python-ldb python-samba python-sss
  python-talloc python3-software-properties samba samba-common samba-common-bin samba-dsdb-modules samba-libs software-properties-common sssd sssd-ad sssd-ad-common sssd-common sssd-ipa
  sssd-krb5 sssd-krb5-common sssd-ldap sssd-proxy

32 upgraded, 8 newly installed, 1 to remove and 402 not upgraded.
Need to get 12.5 MB of archives.
After this operation, 4050 kB of additional disk space will be used.

Anders Sandblad (arune) wrote :

I can't manage to make a debdiff so I just upload the patches I've used for Xenial to fix this bug.

Anders Sandblad (arune) wrote :

Second patch for ding-libs.

Anders Sandblad (arune) wrote :

Third and last patch for ding-libs.

Anders Sandblad (arune) wrote :

This is the patch for sssd (Xenial).

Timo Aaltonen (tjaalton) wrote :

sssd and ding-libs are managed in pkg-sssd git on git.debian.org, and sssd 1.13.5 should be released soon with the fix

ding-libs OTOH probably needs to be patched, instead of backporting 0.6..

Timo Aaltonen (tjaalton) wrote :

sssd in 17.04 works

Changed in sssd (Ubuntu):
status: Fix Committed → Fix Released
Timo Aaltonen (tjaalton) wrote :

I've uploaded a patched ding-libs to the SRU queue

Changed in ding-libs (Ubuntu Xenial):
status: Triaged → In Progress
Anders Sandblad (arune) wrote :

Thanks Timo

Can you clarify "1.13.5 should be released soon with the fix", for Xenial I suppose?

Shouldn't the patched ding-libs show up on
http://reqorts.qa.ubuntu.com/reports/sponsoring/index.html ?

Timo Aaltonen (tjaalton) wrote :

xenial and maybe yakkety

I'm a core-dev so can upload directly. An SRU team member (someone else than me) needs to ack it though before it's built and pushed to -proposed..

Steve Langasek (vorlon) wrote : Please test proposed package

Hello Anders, or anyone else affected,

Accepted ding-libs into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/ding-libs/0.5.0-1ubuntu0.16.04.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in ding-libs (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed
Changed in ding-libs (Ubuntu Yakkety):
status: New → Triaged
Steve Langasek (vorlon) wrote :

ding-libs is at the same version in xenial and yakkety, so we should be able to forward-copy the binaries once verified.

sssd should have an upload for yakkety as well as xenial.

Changed in sssd (Ubuntu Yakkety):
status: New → Triaged
Łukasz Zemczak (sil2100) wrote : Change of SRU verification policy

As part of a recent change in the Stable Release Update verification policy we would like to inform you that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series of the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Joakim Plate (elupus) wrote :

I was trying to verify this. But sssd 1.13.5 doesn't seem to be available in proposed.

Changed in ding-libs (Ubuntu Yakkety):
status: Triaged → Won't Fix
Changed in sssd (Ubuntu Yakkety):
status: Triaged → Won't Fix
Changed in ding-libs (Ubuntu Xenial):
status: Fix Committed → Won't Fix
Jon Schewe (jpschewe) wrote :

I'm still seeing this problem about missing equal signs with Ubuntu 18.04 and sssd 1.16. Should that be the case?

Bryce Harrington (bryce) wrote :

@Jon, I would suggest filing a new bug report. This bug report was about an issue that was narrowed specifically to Xenial, and fixed with a patch that is understood to be included in bionic. It's possible you are experiencing a different issue or a regression in the earlier fix.

In any case, unfortunately it appears this SRU failed to get confirmed when the fix was in proposed, so I'm uncertain if further work will be done on this report. Starting a fresh report will be the best path forward, perhaps with a mention of this bug report as reference.

Sergio Durigan Junior (sergiodj) wrote :

Xenial has entered ESM, therefore I am marking this bug as Won't Fix for it.

Changed in sssd (Ubuntu Xenial):
status: Triaged → Won't Fix