Created attachment 1692858 [details] sssd log file during a failed SSH authentication attempt **Description of problem**: After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd authentication via AD no longer works. For example, logging in via SSH fails with: pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error) The sssd logs (included as attachment) indicate that GPO parsing may be causing the issue: (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed **Version-Release number of selected component (if applicable)**: sssd-2.3.0-1.fc32.x86_64 **How reproducible**: Always **Steps to Reproduce**: 1. Join an AD domain with "realm join <domain> -U <user>" 2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and restart sssd 3. Try to SSH into the machine and note the generic PAM auth error in journald and the GPO parsing error in the sssd logs 4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the "[domain/<domain>]" section of sssd.conf and restart sssd 5. Notice that authentication now works **Additional info**: Nothing has been changed on the AD server side of things during the upgrade from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf. Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD installation on the server side and I have never configured any GPOs.
Closing this because it seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839805, which has more information. *** This bug has been marked as a duplicate of bug 1839805 ***
Hi, I doubt that this is a duplicate of bug 1839805, it look more like an issue already reported on sssd-users https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/RHDZSANV7VFVBKJOXJAK53HOAOFMFQB2/. I will reopen this ticket and remove the links to the other ticket. bye, Sumit
Upstream ticket: https://github.com/SSSD/sssd/issues/5183
I'm having the same problem on Fedora-32. Just upgraded to sssd 2.3.0-1.fc32 and my AD authentication stopped working. The workaround described above also works for me, namely /etc/sssd/sssd.conf [domain WHATEVER] ad_gpo_access_control=disabled
Pushed PR: https://github.com/SSSD/sssd/pull/5184 * `master` * a7c755672cd277497da3df4714f6d9457b6ac5ae - ad_gpo_ndr.c: more ndr updates
*** Bug 1849109 has been marked as a duplicate of this bug. ***
FEDORA-2020-63a418c824 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 testing repository. In short time you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-63a418c824` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 stable repository. If problem still persists, please make note of it in this bug report.