Bug 1840908

Summary: sssd 2.3.0 breaks AD auth due to GPO parsing failure
Product: [Fedora] Fedora Reporter: Andrew Gunnerson <accounts+fedora>
Component: sssdAssignee: Sumit Bose <sbose>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 32CC: abokovoy, atikhono, cb20777, jhrozek, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce, vargax
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: sssd-2.3.1-2.fc32 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1843872 (view as bug list) Environment:
Last Closed: 2020-07-30 18:56:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1843872    
Attachments:
Description Flags
sssd log file during a failed SSH authentication attempt none

Description Andrew Gunnerson 2020-05-27 21:03:48 UTC 
Created attachment 1692858 [details]
sssd log file during a failed SSH authentication attempt

**Description of problem**:

After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd authentication via AD no longer works. For example, logging in via SSH fails with:

    pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error)

The sssd logs (included as attachment) indicate that GPO parsing may be causing the issue:

    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed


**Version-Release number of selected component (if applicable)**:

sssd-2.3.0-1.fc32.x86_64


**How reproducible**:

Always


**Steps to Reproduce**:
1. Join an AD domain with "realm join <domain> -U <user>"
2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and restart sssd
3. Try to SSH into the machine and note the generic PAM auth error in journald and the GPO parsing error in the sssd logs
4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the "[domain/<domain>]" section of sssd.conf and restart sssd
5. Notice that authentication now works 


**Additional info**:

Nothing has been changed on the AD server side of things during the upgrade from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf.

Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD installation on the server side and I have never configured any GPOs.
Comment 1 Andrew Gunnerson 2020-05-27 21:11:20 UTC 
Closing this because it seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839805, which has more information.

*** This bug has been marked as a duplicate of bug 1839805 ***
Comment 2 Sumit Bose 2020-05-28 05:00:27 UTC 
Hi,

I doubt that this is a duplicate of bug 1839805, it look more like an issue already reported on sssd-users https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/RHDZSANV7VFVBKJOXJAK53HOAOFMFQB2/.

I will reopen this ticket and remove the links to the other ticket.

bye,
Sumit
Comment 3 Sumit Bose 2020-05-28 15:06:05 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5183
Comment 4 Charles Butterfield 2020-06-03 18:03:22 UTC 
I'm having the same problem on Fedora-32.  Just upgraded to sssd 2.3.0-1.fc32 and my AD authentication stopped working.  The workaround described above also works for me, namely

/etc/sssd/sssd.conf
[domain WHATEVER]
ad_gpo_access_control=disabled
Comment 5 Pavel Březina 2020-06-05 09:04:17 UTC 
Pushed PR: https://github.com/SSSD/sssd/pull/5184

* `master`
    * a7c755672cd277497da3df4714f6d9457b6ac5ae - ad_gpo_ndr.c: more ndr updates
Comment 6 Alexey Tikhonov 2020-06-19 18:22:23 UTC 
*** Bug 1849109 has been marked as a duplicate of this bug. ***
Comment 7 Fedora Update System 2020-07-27 14:07:20 UTC 
FEDORA-2020-63a418c824 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824
Comment 8 Fedora Update System 2020-07-28 15:20:09 UTC 
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-63a418c824`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 9 Fedora Update System 2020-07-30 18:56:49 UTC 
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.