Bug 2087746

Summary: sssd fails GPO-based access if AD have setup with Japanese language
Product: Red Hat Enterprise Linux 8
Reporter: Alexey Tikhonov <atikhono>
Component: sssd
Assignee: Alexey Tikhonov <atikhono>
Status: CLOSED ERRATA
QA Contact: Dan Lavu <dlavu>
Severity: unspecified
Priority: unspecified
Version: 8.6
CC: grajaiya, jhrozek, lslebodn, mzidek, pbrezina, tscherf
Target Milestone: rc
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.7.0-2.el8
Last Closed: 2022-11-08 10:51:32 UTC
Type: Bug

Description Alexey Tikhonov 2022-05-18 12:13:50 UTC
This bug was initially created as a copy of Bug #1661055

I am copying this bug because: to track fix for RHEL8.



Description of problem:

sssd fails GPO-based access because it cannot parse GPT.INI retrieved from AD.

  $ ssh testuser001@ssscli
  testuser001@ssscli's password: 
  Connection closed by ssscli port 22

  -- /var/log/sssd/gpo_cache.log --
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/EXAMPLE.COM/Policies/{4B3F2549-8571-4C3A-9B62-65D082B99DDB}/GPT.INI
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): gpo_child failed!

  -- /var/log/sssd/sssd_EXAMPLE.COM.log --
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][無効な引数です]
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {4B3F2549-8571-4C3A-9B62-65D082B99DDB}
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](無効な引数です}
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

  -- /var/log/secure --
  Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=kscadmin
  Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:account): Access denied for user sssuser: 4 (System error)


This file contains non-UTF-8 Japanese text.

  $ file GPT.INI 
  GPT.INI: Non-ISO extended-ASCII text, with CRLF line terminators

  $ iconv -f CP932 -t UTF-8 GPT.INI 
  [General]
  Version=6
  displayName=新しいグループ ポリシー オブジェクト


It seems to be the same issue as https://pagure.io/SSSD/sssd/issue/3105.
I think that problems also occur in locales with other multi-byte characters.


Version-Release number of selected component (if applicable):

  - Red Hat Enterprise Linux 7.6
  - sssd-1.16.2-13.el7

How reproducible:

  Always

Steps to Reproduce:

1. Set up GPO-based access against an AD that has been set up with the Japanese language

  https://access.redhat.com/solutions/2427851

2. Connect to host with ssh

  $ ssh testuser001@ssscli
  testuser001@ssscli's password: 
  Connection closed by ssscli port 22


Actual results:

  The user configured with GPO cannot log in.

Expected results:

  The parsing error doesn't occur and GPO-based access works as expected.

Comment 1 Alexey Tikhonov 2022-05-18 12:25:03 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6039

* `master`
    * d241b55291419753ce3e961a1b201d62f7851513 - GPO: ignore non-ascii symbols in values in GPT.INI
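
The idea named in the commit title above, as an added illustration; it is not the sssd patch and is not taken from the SSSD sources. It assumes that only `Version` in `[General]` matters for GPO processing and masks every non-ASCII byte in the buffer, which is simpler than masking values only. The function names and the sample bytes are constructed for this sketch.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the GPT.INI from the report, CRLF line ends, with a
 * few CP932-range bytes standing in for the Japanese displayName. */
static const char SAMPLE_GPT_INI[] =
    "[General]\r\n"
    "Version=6\r\n"
    "displayName=\x90\x56\x82\xb5\x82\xa2\r\n";

/* Replace every byte above 0x7f with '?'; returns the number replaced. */
size_t mask_non_ascii(char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)buf[i] > 0x7f) { buf[i] = '?'; n++; }
    return n;
}

/* Read Version=<n> from [General]; 0 on success, -1 if absent or malformed. */
int gpt_ini_version(const char *buf, int *version)
{
    int in_general = 0;
    for (const char *p = buf; *p != '\0'; ) {
        size_t len = strcspn(p, "\r\n");
        if (p[0] == '[') {
            in_general = (len == 9 && strncmp(p, "[General]", 9) == 0);
        } else if (in_general && len > 8 && strncmp(p, "Version=", 8) == 0) {
            char *end;
            long v = strtol(p + 8, &end, 10);
            if (end != p + len || v < 0 || v > INT_MAX) return -1;
            *version = (int)v;
            return 0;
        }
        p += len + strspn(p + len, "\r\n");   /* skip to the next line */
    }
    return -1;
}

/* Mask a copy of the sample, then parse it; returns the version or -1. */
int demo_version(size_t *masked)
{
    char buf[sizeof(SAMPLE_GPT_INI)];
    int version = -1;
    memcpy(buf, SAMPLE_GPT_INI, sizeof(buf));
    *masked = mask_non_ascii(buf, sizeof(buf) - 1);
    return gpt_ini_version(buf, &version) == 0 ? version : -1;
}
```

A malformed or missing `Version` still returns an error, so masking the display name does not turn an unreadable policy file into a successful parse.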

Comment 8 errata-xmlrpc 2022-11-08 10:51:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739