Bug 2087746 - sssd fails GPO-based access if AD have setup with Japanese language
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alexey Tikhonov
QA Contact: Dan Lavu
Whiteboard: sync-to-jira
Reported: 2022-05-18 12:13 UTC by Alexey Tikhonov
Modified: 2023-04-17 01:38 UTC (History)

Fixed In Version: sssd-2.7.0-2.el8
Last Closed: 2022-11-08 10:51:32 UTC
Type: Bug



Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 4138 0 None closed SSSD cant parse GPO if AD server have Russain language 2022-05-18 12:25:03 UTC
Red Hat Issue Tracker RHELPLAN-122443 0 None None None 2022-05-18 12:40:09 UTC
Red Hat Issue Tracker SSSD-4682 0 None None None 2022-05-18 12:47:52 UTC
Red Hat Product Errata RHBA-2022:7739 0 None None None 2022-11-08 10:51:50 UTC

Description Alexey Tikhonov 2022-05-18 12:13:50 UTC
This bug was initially created as a copy of Bug #1661055

I am copying this bug because: to track fix for RHEL8.



Description of problem:

sssd fails GPO-based access because it cannot parse GPT.INI retrieved from AD.

  $ ssh testuser001@ssscli
  testuser001@ssscli's password: 
  Connection closed by ssscli port 22

  -- /var/log/sssd/gpo_cache.log --
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/EXAMPLE.COM/Policies/{4B3F2549-8571-4C3A-9B62-65D082B99DDB}/GPT.INI
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
  (Fri Dec 14 09:40:29 2018) [[sssd[gpo_child[4091]]]] [main] (0x0020): gpo_child failed!

  -- /var/log/sssd/sssd_EXAMPLE.COM.log --
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [gpo_cse_done] (0x0020): ad_gpo_parse_gpo_child_response failed: [22][無効な引数です]
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0400): gpo_guid: {4B3F2549-8571-4C3A-9B62-65D082B99DDB}
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_cse_done] (0x0040): Unable to retrieve policy data: [22](無効な引数です}
  (Fri Dec 14 09:40:29 2018) [sssd[be[EXAMPLE.COM]]] [ad_gpo_access_done] (0x0040): GPO-based access control failed.

  -- /var/log/secure --
  Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=127.0.0.1 user=kscadmin
  Dec 14 09:40:29 ssscli sshd[4088]: pam_sss(sshd:account): Access denied for user sssuser: 4 (System error)


This file contains non-UTF-8 Japanese text.

  $ file GPT.INI 
  GPT.INI: Non-ISO extended-ASCII text, with CRLF line terminators

  $ iconv -f CP932 -t UTF-8 GPT.INI 
  [General]
  Version=6
  displayName=新しいグループ ポリシー オブジェクト


It seems to be the same issue as https://pagure.io/SSSD/sssd/issue/3105.
I think that problems also occur in locales of other multi-byte characters.


Version-Release number of selected component (if applicable):

  - Red Hat Enterprise Linux 7.6
  - sssd-1.16.2-13.el7

How reproducible:

  Always

Steps to Reproduce:

1. Set up GPO-based access against an AD that is set up with the Japanese language

  https://access.redhat.com/solutions/2427851

2. Connect to host with ssh

  $ ssh testuser001@ssscli
  testuser001@ssscli's password: 
  Connection closed by ssscli port 22


Actual results:

  The user configured with GPO cannot log in.

Expected results:

  The parsing error doesn't occur and GPO-based access works as expected.

Comment 1 Alexey Tikhonov 2022-05-18 12:25:03 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6039

* `master`
    * d241b55291419753ce3e961a1b201d62f7851513 - GPO: ignore non-ascii symbols in values in GPT.INI
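
The commit title above describes ignoring non-ASCII symbols in GPT.INI values. As an added illustration (Python, not SSSD's code and not the actual patch), the example below checks whether a GPT.INI is valid UTF-8 and still reads `[General]`/`Version` by dropping non-ASCII bytes before parsing. The sample bytes are constructed from the report, and the function names are hypothetical.

```python
# Added example, not SSSD code. The sample is constructed from the bug report:
# the same GPT.INI content, encoded as CP932 with CRLF line terminators.
SAMPLE_GPT_INI = (
    "[General]\r\nVersion=6\r\n"
    "displayName=新しいグループ ポリシー オブジェクト\r\n"
).encode("cp932")


def is_valid_utf8(raw: bytes) -> bool:
    """True if the file would pass a strict UTF-8 parser."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def parse_gpt_ini(raw: bytes) -> dict:
    """Parse INI bytes into {section: {key: value}}, dropping non-ASCII bytes.

    Dropping bytes can leave stray ASCII trail bytes in free-text values such
    as displayName; acceptable here because this example only consumes Version.
    """
    sections, current = {}, None
    for line in raw.splitlines():
        text = bytes(b for b in line if b < 0x80).decode("ascii").strip()
        if not text or text[0] in ";#":
            continue
        if text.startswith("[") and text.endswith("]"):
            current = sections.setdefault(text[1:-1].strip(), {})
        elif "=" in text and current is not None:
            key, _, value = text.partition("=")
            current[key.strip()] = value.strip()
    return sections


def gpo_version(raw: bytes) -> int:
    """Return [General]/Version; raise ValueError if missing or not numeric."""
    value = parse_gpt_ini(raw).get("General", {}).get("Version")
    if value is None or not value.isdigit():
        raise ValueError("GPT.INI has no usable [General]/Version")
    return int(value)


if __name__ == "__main__":
    print("valid UTF-8:", is_valid_utf8(SAMPLE_GPT_INI))
    print("Version:", gpo_version(SAMPLE_GPT_INI))
```

Running `is_valid_utf8` over the files under `/var/lib/sss/gpo_cache` on an unpatched host identifies which GPOs trigger error 84 in `gpo_cache.log`.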

Comment 8 errata-xmlrpc 2022-11-08 10:51:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:7739

