Bug 1840908 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
Summary: sssd 2.3.0 breaks AD auth due to GPO parsing failure
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 32
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Sumit Bose
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
: 1849109 (view as bug list)
Depends On:
Blocks: 1843872
TreeView+ depends on / blocked
 
Reported: 2020-05-27 21:03 UTC by Andrew Gunnerson
Modified: 2020-07-30 18:56 UTC (History)
11 users (show)

Fixed In Version: sssd-2.3.1-2.fc32
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1843872 (view as bug list)
Environment:
Last Closed: 2020-07-30 18:56:49 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
sssd log file during a failed SSH authentication attempt (224.93 KB, text/plain)
2020-05-27 21:03 UTC, Andrew Gunnerson
no flags Details


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5183 0 None closed sssd 2.3.0 breaks AD auth due to GPO parsing failure 2020-10-19 09:02:22 UTC

Description Andrew Gunnerson 2020-05-27 21:03:48 UTC
Created attachment 1692858 [details]
sssd log file during a failed SSH authentication attempt

**Description of problem**:

After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd authentication via AD no longer works. For example, logging in via SSH fails with:

    pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error)

The sssd logs (included as attachment) indicate that GPO parsing may be causing the issue:

    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed


**Version-Release number of selected component (if applicable)**:

sssd-2.3.0-1.fc32.x86_64


**How reproducible**:

Always


**Steps to Reproduce**:
1. Join an AD domain with "realm join <domain> -U <user>"
2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and restart sssd
3. Try to SSH into the machine and note the generic PAM auth error in journald and the GPO parsing error in the sssd logs
4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the "[domain/<domain>]" section of sssd.conf and restart sssd
5. Notice that authentication now works 


**Additional info**:

Nothing has been changed on the AD server side of things during the upgrade from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf.

Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD installation on the server side and I have never configured any GPOs.

Comment 1 Andrew Gunnerson 2020-05-27 21:11:20 UTC
Closing this because it seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839805, which has more information.

*** This bug has been marked as a duplicate of bug 1839805 ***

Comment 2 Sumit Bose 2020-05-28 05:00:27 UTC
Hi,

I doubt that this is a duplicate of bug 1839805, it look more like an issue already reported on sssd-users https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/RHDZSANV7VFVBKJOXJAK53HOAOFMFQB2/.

I will reopen this ticket and remove the links to the other ticket.

bye,
Sumit

Comment 3 Sumit Bose 2020-05-28 15:06:05 UTC
Upstream ticket:
https://github.com/SSSD/sssd/issues/5183

Comment 4 Charles Butterfield 2020-06-03 18:03:22 UTC
I'm having the same problem on Fedora-32.  Just upgraded to sssd 2.3.0-1.fc32 and my AD authentication stopped working.  The workaround described above also works for me, namely

/etc/sssd/sssd.conf
[domain WHATEVER]
ad_gpo_access_control=disabled

Comment 5 Pavel Březina 2020-06-05 09:04:17 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5184

* `master`
    * a7c755672cd277497da3df4714f6d9457b6ac5ae - ad_gpo_ndr.c: more ndr updates

Comment 6 Alexey Tikhonov 2020-06-19 18:22:23 UTC
*** Bug 1849109 has been marked as a duplicate of this bug. ***

Comment 7 Fedora Update System 2020-07-27 14:07:20 UTC
FEDORA-2020-63a418c824 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824

Comment 8 Fedora Update System 2020-07-28 15:20:09 UTC
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-63a418c824`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-63a418c824

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 9 Fedora Update System 2020-07-30 18:56:49 UTC
FEDORA-2020-63a418c824 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.