Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
Description of problem:
sssd fails GPO-based access because it cannot parse GPT.INI retrieved from AD.
$ ssh testuser001@ssscli
testuser001@ssscli's password:
Connection closed by ssscli port 22
-- /var/log/sssd/gpo_cache.log --
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/EXAMPLE.COM/Policies/{4B3F2549-8571-4C3A-9B62-65D082B99DDB}/GPT.INI
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): gpo_child failed!
-- /var/log/sssd/sssd_EXAMPLE.COM.log --
(Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][無効な引数です]
(Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {4B3F2549-8571-4C3A-9B62-65D082B99DDB}
(Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](無効な引数です}
(Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.
-- /var/log/secure --
Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=kscadmin
Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:account): Access denied for user sssuser: 4 (System error)
This file contains non-UTF-8 Japanese text.
$ file GPT.INI
GPT.INI: Non-ISO extended-ASCII text, with CRLF line terminators
$ iconv -f CP932 -t UTF-8 GPT.INI
[General]
Version=6
displayName=新しいグループ ポリシー オブジェクト
It seems to be the same issue as https://pagure.io/SSSD/sssd/issue/3105.
I think that problems also occur in locales of other multi-byte characters.
Version-Release number of selected component (if applicable):
- Red Hat Enterprise Linux 7.6
- sssd-1.16.2-13.el7
How reproducible:
Always
Steps to Reproduce:
1. Set up GPO-based access against an AD that was set up with the Japanese language
https://access.redhat.com/solutions/2427851
2. Connect to host with ssh
$ ssh testuser001@ssscli
testuser001@ssscli's password:
Connection closed by ssscli port 22
Actual results:
The user configured with GPO cannot log in.
Expected results:
The parsing error doesn't occur and GPO-based access works as expected.
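Added example (not part of the original report and not sssd code): a shell check that applies the `iconv` diagnosis above to the whole GPO cache and lists every cached GPT.INI that is not valid UTF-8, the condition this report ties to error 84. The default cache root is taken from the ini_filename log line; the function names, the `{GUID-A}`/`{GUID-B}` directories and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: find cached GPT.INI files that are not valid UTF-8.

# is_utf8 FILE: succeed only if FILE decodes cleanly as UTF-8.
is_utf8() {
    iconv -f UTF-8 -t UTF-8 "$1" >/dev/null 2>&1
}

# gpt_version FILE: print the Version= value, matching on raw bytes (LC_ALL=C)
# so an undecodable displayName line cannot interfere. CRLF is tolerated.
gpt_version() {
    LC_ALL=C sed -n 's/^Version=\([0-9][0-9]*\).*$/\1/p' "$1" | head -n 1
}

# scan_gpo_cache [ROOT]: print "path<TAB>Version=N" for each non-UTF-8 GPT.INI.
# Returns 1 if at least one such file exists, 0 otherwise.
scan_gpo_cache() {
    root=${1:-/var/lib/sss/gpo_cache}
    found=$(find "$root" -type f -name 'GPT.INI' 2>/dev/null |
        while IFS= read -r f; do
            is_utf8 "$f" || printf '%s\tVersion=%s\n' "$f" "$(gpt_version "$f")"
        done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# make_sample DIR: build a constructed cache tree with one CP932 file and one
# ASCII file. Bytes 90 56 82 B5 82 A2 are the CP932 encoding of the first
# three characters of the displayName shown in the report.
make_sample() {
    mkdir -p "$1/EXAMPLE.COM/Policies/{GUID-A}" "$1/EXAMPLE.COM/Policies/{GUID-B}"
    printf '[General]\r\nVersion=6\r\ndisplayName=\220\126\202\265\202\242\r\n' \
        > "$1/EXAMPLE.COM/Policies/{GUID-A}/GPT.INI"
    printf '[General]\r\nVersion=3\r\ndisplayName=Default\r\n' \
        > "$1/EXAMPLE.COM/Policies/{GUID-B}/GPT.INI"
}

# Demo on the constructed tree; on a real host call scan_gpo_cache with no argument.
demo=$(mktemp -d)
make_sample "$demo"
scan_gpo_cache "$demo" || echo "non-UTF-8 GPT.INI present: GPO access check may fail"
rm -rf "$demo"
```

The Version value is still readable from the affected file because it is plain ASCII; only the displayName bytes fail UTF-8 validation.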
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2022:8325