SSSD can't process GPO from Active Directory when it contains lines with no equal sign
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ding-libs (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Xenial |
Won't Fix
|
Medium
|
Unassigned | ||
Yakkety |
Won't Fix
|
Undecided
|
Unassigned | ||
sssd (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Won't Fix
|
Medium
|
Unassigned | ||
Yakkety |
Won't Fix
|
Undecided
|
Unassigned |
Bug Description
[Impact]
This bug hits users who is joined to a domain server (probably MS Active Directory) where there is a GPO line that doesn't contain an equal sign (=). See more info in the upstreams bug report linked below. This could be rather common in corporate environments and normally nothing you "fix" on the domain controller side to be able to use SSSD clients. This means all clients that upgrades to 16.04 using SSSD with a GPO containing a line without equal sign will be affected.
[Test Case]
Steps to reproduce (you'll need a domain server with GPO containing a line withouth equal sign!):
- Install:
apt install krb5-user samba sssd ntp
- Make sure the default realm is setup properly (FQDN in uppercase):
dpkg-reconfigure krb5-config
- Set up /etc/samba/smb.conf like this: https:/
- Set up /etc/sssd/sssd.conf like this: https:/
- File permissions:
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf
- Restart services:
sudo service ntp restart
sudo service smbd restart
sudo service nmbd restart
- Join domain with:
sudo net ads join -U "<email address hidden>" "createcomputer
- Start SSSD:
sudo service sssd start
- Verify:
getent passwd <email address hidden>
- Add creation of home directories on login (check the unchecked box):
sudo pam-auth-update
- Now try to login to the server with a domain user:
arune@d152:~$ ssh <email address hidden>
- This should fail and you'll find in the logs:
grep "ad_gpo_
/var/log/
/var/log/
/var/log/
/var/log/
[Regression Potential]
The current state of SSSD in Xenial is broken for _some_ users (where the GPO has a line without equal sign) it's _not known_ how many users are affected. A potential regression could mean even more users are affected by a new unknown bug.
Upstreams bugreport and patch: https:/
Please backport to xenial.
description: | updated |
Changed in ding-libs (Ubuntu Yakkety): | |
status: | Triaged → Won't Fix |
Changed in sssd (Ubuntu Yakkety): | |
status: | Triaged → Won't Fix |
Changed in ding-libs (Ubuntu Xenial): | |
status: | Fix Committed → Won't Fix |
Thank you for taking the time to report this bug and helping to make Ubuntu better.
Looks like the commit wanted is 21a28c in sssd, which is present in 1.14.2 but not 1.13.4. So this is Fix Committed as 1.14.2 is in zesty-proposed.
Additionally it looks like backports of fbaaf4, 9591b1 and 8481bb are needed to ding-libs. These are present in 0.6.0 in Zesty but not 0.5.0 in Xenial and Yakkety. So this is Fix Released for Zesty, and open in Xenial.
For a fix for an existing stable release, please comment with a justification against https:/ /wiki.ubuntu. com/StableRelea seUpdates# When and complete steps 1 through 4 in https:/ /wiki.ubuntu. com/StableRelea seUpdates# Procedure - and go ahead with all the steps if you can. This needs to be for both ding-libs and sssd. If you could prepare the backports, that would be ideal. Note that that SRU team would need to make a final decision but I think it seems likely that it would be OK in this case.