Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1843872

Summary:	sssd 2.3.0 breaks AD auth due to GPO parsing failure
Product:	Red Hat Enterprise Linux 8	Reporter:	Alexey Tikhonov <atikhono>
Component:	sssd	Assignee:	Sumit Bose <sbose>
Status:	CLOSED ERRATA	QA Contact:	sssd-qe <sssd-qe>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	8.3	CC:	abokovoy, accounts+fedora, atikhono, cb20777, dlavu, extras-qa, grajaiya, jhrozek, lslebodn, mniranja, mzidek, pbrezina, rharwood, sbose, sgoveas, ssorce, thalman, tscherf
Target Milestone:	rc	Keywords:	Triaged
Target Release:	8.0	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:	sync-to-jira
Fixed In Version:	sssd-2.3.0-1.el8	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:	1840908	Environment:
Last Closed:	2020-11-04 02:05:17 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:
Bug Depends On:	1839037, 1840908
Bug Blocks:

Description Alexey Tikhonov 2020-06-04 11:02:11 UTC

+++ This bug was initially created as a clone of Bug #1840908 +++

**Description of problem**:

After the upgrade from sssd-2.2.3-13.fc32 to sssd-2.3.0-1.fc32.x86_64, sssd authentication via AD no longer works. For example, logging in via SSH fails with:

    pam_sss(sshd:account): Access denied for user lan\chenxiaolong: 4 (System error)

The sssd logs (included as attachment) indicate that GPO parsing may be causing the issue:

    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor
    (2020-05-27 16:36:10): [be[lan.noobdev.io]] [ad_gpo_sd_process_attrs] (0x0040): ad_gpo_parse_sd() failed


**Version-Release number of selected component (if applicable)**:

sssd-2.3.0-1.fc32.x86_64


**How reproducible**:

Always


**Steps to Reproduce**:
1. Join an AD domain with "realm join <domain> -U <user>"
2. Add "debug_level = 10" to the "[domain/<domain>]" section of sssd.conf and restart sssd
3. Try to SSH into the machine and note the generic PAM auth error in journald and the GPO parsing error in the sssd logs
4. As a temporary workaround, add "ad_gpo_access_control = permissive" to the "[domain/<domain>]" section of sssd.conf and restart sssd
5. Notice that authentication now works 


**Additional info**:

Nothing has been changed on the AD server side of things during the upgrade from 2.2.3 to 2.3.0. Downgrading to 2.2.3 fixes things, as does working around the problem by specifying "ad_gpo_access_control = permissive" in sssd.conf.

Not sure if it's relevant, but in my case, I'm using a fresh Samba 4 AD installation on the server side and I have never configured any GPOs.

--- Additional comment from Andrew Gunnerson on 2020-05-27 21:11:20 UTC ---

Closing this because it seems to be a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1839805, which has more information.

--- Additional comment from Sumit Bose on 2020-05-28 05:00:27 UTC ---

Hi,

I doubt that this is a duplicate of bug 1839805, it look more like an issue already reported on sssd-users https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/RHDZSANV7VFVBKJOXJAK53HOAOFMFQB2/.

I will reopen this ticket and remove the links to the other ticket.

bye,
Sumit

--- Additional comment from Sumit Bose on 2020-05-28 15:06:05 UTC ---

Upstream ticket:
https://github.com/SSSD/sssd/issues/5183

--- Additional comment from Charles Butterfield on 2020-06-03 18:03:22 UTC ---

I'm having the same problem on Fedora-32.  Just upgraded to sssd 2.3.0-1.fc32 and my AD authentication stopped working.  The workaround described above also works for me, namely

/etc/sssd/sssd.conf
[domain WHATEVER]
ad_gpo_access_control=disabled

Comment 1 Pavel Březina 2020-06-05 09:04:33 UTC

Pushed PR: https://github.com/SSSD/sssd/pull/5184

* `master`
    * a7c755672cd277497da3df4714f6d9457b6ac5ae - ad_gpo_ndr.c: more ndr updates

Comment 6 Dan Lavu 2020-08-17 18:02:20 UTC

Sanity testing done against sssd-2.3.0-7.el8.x86_64

Comment 9 errata-xmlrpc 2020-11-04 02:05:17 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:4569