Bug 1431870

Summary: gpo_child fails when log is enabled in smb
Product: Red Hat Enterprise Linux 7 Reporter: Lukas Slebodnik <lslebodn>
Component: sssdAssignee: Michal Zidek <mzidek>
Status: CLOSED NOTABUG QA Contact: sssd-qe <sssd-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, tscherf
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-06-05 14:56:16 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lukas Slebodnik 2017-03-13 22:20:23 UTC 
Description of problem:
Regression test for BZ1177140 fails with new libsmbclient
It might be a bug in libsmbclient


Version-Release number of selected component (if applicable):
sh$ rpm -q sssd libsmbclient
sssd-1.15.1-1.el7.x86_64
libsmbclient-4.6.0-2.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. join machine to AD domain
2. create /etc/sssd/sssd.conf
    unindent <<<"
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = $AD_DOMAIN1

    [nss]
    filter_groups = root
    filter_users = root
    default_shell = /bin/bash

    [pam]

    [domain/$AD_DOMAIN1]
    ldap_purge_cache_timeout = 0
    krb5_auth_timeout = 12

    debug_level = 0xFFF0
    ad_domain = $AD_DOMAIN1
    krb5_realm = $AD_SERVER1_REALM
    ad_server = $AD_SERVER1
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    ad_gpo_access_control = enforcing
    ad_gpo_map_interactive = +su +sshd

3. create /etc/samba/smb.conf
    [global]
    workgroup = $AD_SERVER_SHORT_REALM
    realm = $AD_SERVER1_REALM
    security = ads
    kerberos method = system keytab
    log level = 10
4. systemctl restart sssd.service smb.service
5. authenticate as user who should be able to authenticate
   allow_u-23737

Actual results:
authentication fialed

Expected results:
user authenticate without any problem


Additional info:
It fails with rhel7.3 sssd-1.14.0-43.el7_3.11.x86_64 and new libsmbclient-4.6.0-2.el7.x86_64

sh# cat /var/log/sssd/gpo_child.log 
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400): gpo_child started.
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400): context initialized
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_server length: 22
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_server: smb://pluto.sssdad.com
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_share length: 7
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_share: /sysvol
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_path length: 59
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_path: /sssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400): performing smb operations
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://pluto.sssdad.com/sysvol/sssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}/GPT.INI
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020): gpo_child failed!

It might be a bug in libsmbclient or wrong usage of libsmbclient by sssd.
Anyway we need to prepare simpler reproducer if we want to reassign to samba
Comment 2 Michal Zidek 2017-03-14 08:44:28 UTC 
May be related to these issues:
https://pagure.io/SSSD/sssd/issue/3279
https://pagure.io/SSSD/sssd/issue/3324
Comment 3 Lukas Slebodnik 2017-03-14 18:23:58 UTC 
I run automated script on fedora and test passed with libsmbclient-4.5.6

Following update broke it.
Packages Altered:
    Upgraded libsmbclient-2:4.5.6-0.fc25.x86_64             @updates/25
    Upgrade               2:4.6.0-0.0.rc1.fc26.x86_64       @@commandline
    Upgraded libwbclient-2:4.5.6-0.fc25.x86_64              @updates/25
    Upgrade              2:4.6.0-0.0.rc1.fc26.x86_64        @@commandline
    Upgraded samba-2:4.5.6-0.fc25.x86_64                    @updates/25
    Upgrade        2:4.6.0-0.0.rc1.fc26.x86_64              @@commandline
    Upgraded samba-client-2:4.5.6-0.fc25.x86_64             @updates/25
    Upgrade               2:4.6.0-0.0.rc1.fc26.x86_64       @@commandline
    Upgraded samba-client-libs-2:4.5.6-0.fc25.x86_64        @updates/25
    Upgrade                    2:4.6.0-0.0.rc1.fc26.x86_64  @@commandline
    Upgraded samba-common-2:4.5.6-0.fc25.noarch             @updates/25
    Upgrade               2:4.6.0-0.0.rc1.fc26.noarch       @@commandline
    Upgraded samba-common-libs-2:4.5.6-0.fc25.x86_64        @updates/25
    Upgrade                    2:4.6.0-0.0.rc1.fc26.x86_64  @@commandline
    Upgraded samba-common-tools-2:4.5.6-0.fc25.x86_64       @updates/25
    Upgrade                     2:4.6.0-0.0.rc1.fc26.x86_64 @@commandline
    Upgraded samba-libs-2:4.5.6-0.fc25.x86_64               @updates/25
    Upgrade             2:4.6.0-0.0.rc1.fc26.x86_64         @@commandline
Comment 4 Jakub Hrozek 2017-03-22 20:34:54 UTC 
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3347
Comment 5 Lukas Slebodnik 2017-04-21 12:50:55 UTC 
Any progress here?
If it is bug/regression in samba then they should be aware of it soon and not a day before deadline.
Comment 6 Michal Zidek 2017-06-05 14:56:16 UTC 
Hi,

The problem does not seem to be related to the logging, but to the wrong workgroup set in the smb.conf .

workgroup = $AD_SERVER_SHORT_REALM

The environmental variable $AD_SERVER_SHORT_REALM , is empty/not defined which results in configuration error that causes the downstream tests to fail.

In order to fix the test, simply remove the line from smb.conf (or set it to a correct value).

I am closing this as NOTABUG (well it is a bug in the tests, but not in the SSSD component :) ). It probably only worked by accident in previous versions.

(btw. thank you Lukas for preparing the machine to test)

Michal