RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1843872 - sssd 2.3.0 breaks AD auth due to GPO parsing failure
Summary: sssd 2.3.0 breaks AD auth due to GPO parsing failure
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: 8.0
Assignee: Sumit Bose
QA Contact: sssd-qe
Whiteboard: sync-to-jira
Depends On: 1839037 1840908
TreeView+ depends on / blocked
Reported: 2020-06-04 11:02 UTC by Alexey Tikhonov
Modified: 2020-11-04 02:09 UTC (History)
18 users (show)

Fixed In Version: sssd-2.3.0-1.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1840908
Last Closed: 2020-11-04 02:05:17 UTC
Type: Bug
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5183 0 None closed sssd 2.3.0 breaks AD auth due to GPO parsing failure 2020-11-18 05:47:27 UTC
Red Hat Product Errata RHBA-2020:4569 0 None None None 2020-11-04 02:05:36 UTC

Description Alexey Tikhonov 2020-06-04 11:02:11 UTC
+++ This bug was initially created as a clone of Bug #1840908 +++

**Description of problem**:

After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd authentication via AD no longer works. For example, logging in via SSH fails with:

    pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error)

The sssd logs (included as attachment) indicate that GPO parsing may be causing the issue:

    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed

**Version-Release number of selected component (if applicable)**:


**How reproducible**:


**Steps to Reproduce**:
1. Join an AD domain with "realm join <domain> -U <user>"
2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and restart sssd
3. Try to SSH into the machine and note the generic PAM auth error in journald and the GPO parsing error in the sssd logs
4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the "[domain/<domain>]" section of sssd.conf and restart sssd
5. Notice that authentication now works 

**Additional info**:

Nothing has been changed on the AD server side of things during the upgrade from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf.

Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD installation on the server side and I have never configured any GPOs.

--- Additional comment from Andrew Gunnerson on 2020-05-27 21:11:20 UTC ---

Closing this because it seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839805, which has more information.

--- Additional comment from Sumit Bose on 2020-05-28 05:00:27 UTC ---


I doubt that this is a duplicate of bug 1839805, it look more like an issue already reported on sssd-users https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/RHDZSANV7VFVBKJOXJAK53HOAOFMFQB2/.

I will reopen this ticket and remove the links to the other ticket.


--- Additional comment from Sumit Bose on 2020-05-28 15:06:05 UTC ---

Upstream ticket:

--- Additional comment from Charles Butterfield on 2020-06-03 18:03:22 UTC ---

I'm having the same problem on Fedora-32.  Just upgraded to sssd 2.3.0-1.fc32 and my AD authentication stopped working.  The workaround described above also works for me, namely

[domain WHATEVER]

Comment 1 Pavel Březina 2020-06-05 09:04:33 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5184

* `master`
    * a7c755672cd277497da3df4714f6d9457b6ac5ae - ad_gpo_ndr.c: more ndr updates

Comment 6 Dan Lavu 2020-08-17 18:02:20 UTC
Sanity testing done against sssd-2.3.0-7.el8.x86_64

Comment 9 errata-xmlrpc 2020-11-04 02:05:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.