Description (Prasad Kulkarni, 2014-12-24 12:50:12 UTC)
Created attachment 972738: sssd domain logs
Description of problem:
While testing the GPO functionality during a test day, I came across an internal error appearing in the domain logs and denying all users the ability to log in.
Note:
Testing on another 7.1 client against the same AD Server seems to work fine. Appropriate users were denied and appropriate users were allowed access.
This could be an issue specific to a system, so I am logging this bug.
Version-Release number of selected component (if applicable):
# rpm -q sssd
sssd-1.12.2-39.el7.x86_64
How reproducible:
Always
Steps to Reproduce:
1. Add a user allowed_user and denied_user to AD.
2. Add the denied_user to "deny log on locally" in the GPO of AD Server.
3. The GPO is set to enforcing.
4. On the client side, the domain has:
[domain/sssdad2012.com]
ad_domain = sssdad2012.com
krb5_realm = SSSDAD2012.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
access_provider = ad
ad_gpo_access_control = enforcing
debug_level = 9
5. Auth as allowed_user.
Actual results:
# ssh -l allowed_user localhost
allowed_user@localhost's password:
Connection closed by ::1
/var/log/secure shows:
Dec 24 17:55:13 dhcp210-121 sshd[36662]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=allowed_user
Dec 24 17:55:13 dhcp210-121 sshd[36662]: pam_sss(sshd:account): Access denied for user allowed_user: 4 (System error)
Domain log shows (the full domain log is attached):
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [gpo_cse_done] (0x0020): Error in gpo_child: [1852383332][Unknown error 1852383332]
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {6723952F-D149-416A-8EE0-7F3C4191A9B0}
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [1852383332](Unknown error 1852383332}
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, Unknown error 1852383332) [Internal Error (System error)]
Expected results:
Additional info:
Removing the option "ad_gpo_access_control = enforcing" from sssd.conf and restarting sssd allows allowed_user to log in:
# ssh -l allowed_user localhost
allowed_user@localhost's password:
Last failed login: Wed Dec 24 17:55:13 IST 2014 from localhost on ssh:notty
There were 8 failed login attempts since the last successful login.
Last login: Wed Dec 24 15:30:07 2014 from localhost
$
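Two checks worth running on the logs quoted in the report, as an added example that is not part of the bug report or of sssd's own code: first, decode the "Unknown error 1852383332" value into its raw bytes, since a value that large is not an errno (it is 0x6E692064, whose four little-endian bytes are the printable ASCII string "d in", which suggests text from the gpo_child response was read as an integer; that is an inference from the value, not a statement of what the advisory's fix changed); second, pair the pam_sss account denial in /var/log/secure, whose return code 4 is PAM_SYSTEM_ERR rather than a policy "Permission denied", with the "GPO-based access control failed." line from the domain log. The log lines embedded below are copied from the report; the function names and regular expressions are this example's own assumptions.

```python
"""Triage helper for an sssd GPO access-control failure (added example,
not from the bug report or the sssd project)."""
import re
import struct

# Log lines as quoted in the bug report (constructed input for this example).
SECURE_LOG = """\
Dec 24 17:55:13 dhcp210-121 sshd[36662]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=allowed_user
Dec 24 17:55:13 dhcp210-121 sshd[36662]: pam_sss(sshd:account): Access denied for user allowed_user: 4 (System error)
"""

DOMAIN_LOG = """\
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [gpo_cse_done] (0x0020): Error in gpo_child: [1852383332][Unknown error 1852383332]
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {6723952F-D149-416A-8EE0-7F3C4191A9B0}
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [1852383332](Unknown error 1852383332}
(Wed Dec 24 17:55:13 2014) [sssd[be[sssdad2012.com]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
"""

# Linux-PAM return code logged by pam_sss for a backend failure ("System error").
PAM_SYSTEM_ERR = 4


def decode_errno(code: int) -> dict:
    """Show an out-of-range errno as hex and as the 4 bytes it occupies in
    memory (little-endian, as on x86_64). If every byte is printable ASCII,
    the value is almost certainly text that was read as an integer."""
    raw = struct.pack("<I", code & 0xFFFFFFFF)
    printable = all(0x20 <= b < 0x7F for b in raw)
    return {
        "code": code,
        "hex": f"0x{code:08X}",
        "bytes": raw,
        "ascii": raw.decode("ascii") if printable else None,
        "looks_like_text": printable,
    }


# Regexes are this example's assumptions about the two log formats.
ERR_RE = re.compile(r"Error in gpo_child: \[(\d+)\]")
DENY_RE = re.compile(
    r"pam_sss\((?P<svc>\w+):account\): Access denied for user "
    r"(?P<user>\S+): (?P<rc>\d+) \((?P<msg>[^)]*)\)"
)
GPO_FAIL = "GPO-based access control failed."


def gpo_child_errors(domain_log: str) -> list:
    """Return every gpo_child error code found in a domain log, decoded."""
    return [decode_errno(int(m.group(1))) for m in ERR_RE.finditer(domain_log)]


def correlate(secure_log: str, domain_log: str) -> list:
    """Pair each pam_sss account denial with the GPO failure, if present.
    rc 4 (PAM_SYSTEM_ERR) is a backend error, not a policy decision; with
    ad_gpo_access_control = enforcing it refuses every user until fixed."""
    gpo_failed = GPO_FAIL in domain_log
    findings = []
    for m in DENY_RE.finditer(secure_log):
        rc = int(m.group("rc"))
        findings.append({
            "user": m.group("user"),
            "service": m.group("svc"),
            "pam_rc": rc,
            "policy_denial": rc != PAM_SYSTEM_ERR,  # e.g. rc 6, Permission denied
            "gpo_backend_failure": rc == PAM_SYSTEM_ERR and gpo_failed,
        })
    return findings


if __name__ == "__main__":
    for err in gpo_child_errors(DOMAIN_LOG):
        print(err)
    for finding in correlate(SECURE_LOG, DOMAIN_LOG):
        print(finding)
```

The operational point is the fail-closed behaviour the report demonstrates: with ad_gpo_access_control = enforcing, a backend error in GPO retrieval denies every user, allowed_user included, so an outage of this kind looks identical to a lockout from the user's side and is only distinguishable by the rc 4 "System error" in /var/log/secure and the gpo_child error in the domain log. The documented permissive value evaluates the rules and logs the outcome without denying access, which is a safer interim setting than dropping the option entirely while a fix is being applied, because the GPO evaluation still runs and is still visible in the logs.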
Prasad, I left a fixed version of sssd installed on the test machine, feel free to use it to verify the fix or run any additional test cases.
Thank you very much for reporting the problem.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-0441.html