[SRU] Fix GPO support in Focal

Bug #1933116 reported by Jean-Baptiste Lallement
Affects          Status        Importance  Assigned to  Milestone
sssd (Ubuntu)    Fix Released  High        Unassigned
Focal            Fix Released  High        Unassigned

Bug Description

[Description]
GPO support in focal doesn't follow the MS-ADTS spec and is not functional. This means that the default domain policy, which contains the security policy for example, is not applied.

This SRU backports GPO patches from the current stable version of SSSD.

[Test Case]
1. Install a machine with SSSD and join an AD domain where the controller is a Windows machine.
2. Add the machine to an OU of the domain
3. Boot the machine and login as a user of the domain.
4. Verify the content of /var/lib/sss/gpo_cache/

When it fails, this directory is empty.
On success it is filled with the GPOs downloaded from the domain controller.

It is also possible to check the journal for errors; there should be none related to GPO.

[Where problems could occur]
This code is limited to GPO on AD, which is not working in focal. Worst case, it is still not functional.
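The manual check in step 4 of the test case, written as a small script. This is an added example, not part of the SRU or of sssd itself. It assumes the cache path /var/lib/sss/gpo_cache named in the description, that sssd's messages reach the journal, and a unit name "sssd" for journalctl (an assumption; adjust it to your system). The keyword pattern used to spot GPO-related errors is this script's own heuristic, not sssd's classification, and the sample journal lines are constructed.

```shell
#!/bin/sh
# Added verification helper for the test case above; not part of the SRU or of sssd.
# Assumptions: cache path /var/lib/sss/gpo_cache (from the description), sssd logging
# to the journal, and the unit name "sssd" (an assumption, adjust to your system).

GPO_CACHE="${GPO_CACHE:-/var/lib/sss/gpo_cache}"

# Constructed sample journal lines (not real sssd output) to exercise count_gpo_errors.
SAMPLE_JOURNAL='sssd_be[4242]: [ad_gpo_process_gpo_done] GPO retrieval failed
sssd_be[4242]: Backend is online'

# check_gpo_cache DIR: return 0 when DIR exists and holds at least one regular file
# (a downloaded GPO), 1 when it is missing or empty, which is the failure case the
# description calls out.
check_gpo_cache() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir does not exist" >&2
        return 1
    fi
    if find "$dir" -type f | head -n 1 | grep -q .; then
        echo "OK: $dir contains downloaded GPO files"
        return 0
    fi
    echo "FAIL: $dir is empty, no GPO was downloaded" >&2
    return 1
}

# count_gpo_errors: read log lines on stdin and print how many mention GPO and look
# like an error. The keyword list is a heuristic of this script, not sssd's own
# classification of its messages.
count_gpo_errors() {
    grep -i 'gpo' | grep -Eic 'error|fail|denied' || true
}

# run_verification: step 4 of the test case as one command. Not invoked automatically;
# call it after logging in as a domain user.
run_verification() {
    check_gpo_cache "$GPO_CACHE" || return 1
    errors=$(journalctl -b --no-pager -u sssd | count_gpo_errors)
    if [ "$errors" -ne 0 ]; then
        echo "FAIL: $errors GPO-related error line(s) in the journal" >&2
        return 1
    fi
    echo "OK: no GPO-related errors in the journal"
}
```

Source the file and run `run_verification` on the joined machine; a non-zero exit reproduces the failure described above (empty cache or GPO errors in the journal).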

Changed in sssd (Ubuntu):
status: New → Fix Released
importance: Undecided → High
Changed in sssd (Ubuntu Focal):
importance: Undecided → High
status: New → Triaged
summary: - [SRU] Fix GPO support on Focal
+ [SRU] Fix GPO support in Focal
Revision history for this message
Didier Roche-Tolomelli (didrocks) wrote :

FYI, 2.3 and 2.4 are respectively in Groovy and Hirsute.

description: updated
description: updated
Revision history for this message
Łukasz Zemczak (sil2100) wrote :

I don't know the sssd codebase so it's hard for me to assess if the huge patch that's being added as part of this SRU indeed only touches the GPO support or not. I will trust in your validation, but let's make sure that no other functionality of sssd is affected by this change. Would it be possible to do some exploratory testing at least, just to be sure? As said, maybe for those that know the code it's 'obvious' that it's not possible to introduce a regression, but seeing the diffstat there seem to be files updated that are not only related to gpo.

Anyway, let's do this, but proceed with caution. Also, remember that by pulling in such a huge set of changes, I think you need to coordinate with the server team if they are willing to maintain the patch going forward (or making sure the desktop team does).

Changed in sssd (Ubuntu Focal):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-focal
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Jean-Baptiste, or anyone else affected,

Accepted sssd into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Jean-Baptiste Lallement (jibel) wrote :

I verified that sssd 2.2.3-3ubuntu0.6 behaves as expected (default domain policy is downloaded and applied) and didn't find any regression either.

Marking as verification-done

tags: added: verification-done verification-done-focal
removed: verification-needed verification-needed-focal
Revision history for this message
Łukasz Zemczak (sil2100) wrote (last edit):

10:23 < jibel> sil2100, can you release ubiquity and sssd in focal proposed? they've been tested since a bit less than a week but we need them to build an image.
10:24 < jibel> sil2100, also Andreas considers the sssd patch as an improvement :)

...so considering this change ACKed by the server team.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 2.2.3-3ubuntu0.6

---------------
sssd (2.2.3-3ubuntu0.6) focal; urgency=medium

  * debian/patches/fix-gpo-MS-ADTS-compliance.patch:
    - Backport several upstream patches from 2.3.x and 2.4.x in ad_gpo
      namespaces. This makes it compliant with MS ADTS spec, which allows
      gpos to be downloaded on user login. (LP: #1933116)

sssd (2.2.3-3ubuntu0.5) focal-proposed; urgency=medium

  * SRU: LP: #1931074: Fix tests to also pass with Python 3.8.10.

 -- Didier Roche <email address hidden> Fri, 18 Jun 2021 16:24:45 +0200

Changed in sssd (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
r0mulux (r-marie) wrote :

Hello,

After upgrading the sssd packages from version 2.2.3-3ubuntu0.4 to version 2.2.3-3ubuntu0.6, I could not authenticate with users from my Samba4 directory.

After enabling debug logging, I can see errors in /var/log/sssd/gpo_child.log:

(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): gpo_child started.
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): context initialized
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server length: 21
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server: smb://MY_SERVER_FQDN
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share length: 7
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share: /sysvol
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path length: 60
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path: /MY_DOMAIN/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): performing smb operations
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://MY_SERVER_FQDN/sysvol/MY_DOMAIN/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): gpo_child failed!

(I have replaced the real server and domain names with MY_SERVER_FQDN and MY_DOMAIN.)

As a workaround, I added the new option 'ad_gpo_access_control = permissive' to sssd.conf and authentication is working again, but I'm wondering why the upgrade broke authentication, and what the impact of the option is?

Thanks!

Revision history for this message
r0mulux (r-marie) wrote :

As a clarification of my previous message, here is my sssd.conf:

[sssd]
default_domain_suffix = my_domain
full_name_format = %1$s
domains = my_domain
config_file_version = 2
services = nss, pam

[domain/my_domain]
debug_level=9
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MY_DOMAIN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = my_domain
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

After adding 'ad_gpo_access_control = permissive' at the end of the file, authentication with Samba4 users works again.
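A triage helper for the two comments above: it pulls the failure lines out of a gpo_child.log, extracts the errno (13, EACCES, in the log shown), and reports which ad_gpo_access_control mode an sssd.conf is effectively running. This is an added example and not part of the SSSD project. It assumes the log line layout "(time) [gpo_child[pid]] [function] (0xLEVEL): message" as seen in the comment, that level 0x0020 is the one sssd uses for operation failures, and the three documented values of the option (disabled, enforcing, permissive) with enforcing as the default in this series; the sample log is the reporter's own output with their placeholders kept.

```shell
#!/bin/sh
# Added triage helper for the gpo_child failure and the sssd.conf shown above; not part
# of the SSSD project. Assumptions: sssd's "(time) [gpo_child[pid]] [function]
# (0xLEVEL): message" line layout, level 0x0020 meaning operation failure, and the
# documented ad_gpo_access_control values with "enforcing" as the default.

# The failing lines from the comment above, with the reporter's placeholders kept.
SAMPLE_GPO_CHILD_LOG='(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): gpo_child started.
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://MY_SERVER_FQDN/sysvol/MY_DOMAIN/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): gpo_child failed!'

# gpo_child_failures: keep only the failure-level (0x0020) lines of a gpo_child.log read
# on stdin; the 0x0400/0x4000 trace lines are noise for this question.
gpo_child_failures() {
    grep '(0x0020)' || true
}

# gpo_child_errno: print the errno of the first "[NN][text]" failure, e.g. 13 (EACCES)
# for "[13][Permission denied]"; prints nothing when no failure was logged.
gpo_child_errno() {
    gpo_child_failures | sed -n 's/.*\[\([0-9][0-9]*\)\]\[[^]]*\].*/\1/p' | head -n 1
}

# gpo_access_mode CONF: print the effective ad_gpo_access_control value from CONF,
# "enforcing" when the option is absent (the default assumed here).
gpo_access_mode() {
    mode=$(sed -n 's/^[[:space:]]*ad_gpo_access_control[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${mode:-enforcing}"
}

# describe_gpo_mode MODE: one line on what each mode means for logons when the GPO
# cannot be fetched, following the sssd-ad(5) descriptions of the option.
describe_gpo_mode() {
    case "$1" in
        enforcing)  echo "enforcing: GPO logon rights are evaluated and enforced; a fetch failure such as EACCES denies the login" ;;
        permissive) echo "permissive: GPO logon rights are evaluated but a denial is only logged; no GPO-based restriction is applied" ;;
        disabled)   echo "disabled: GPO logon rights are neither evaluated nor enforced" ;;
        *)          echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# triage_gpo_child LOGFILE CONF: summarise the failure and the configured mode.
triage_gpo_child() {
    errno=$(gpo_child_failures < "$1" | gpo_child_errno)
    echo "gpo_child errno: ${errno:-none}"
    describe_gpo_mode "$(gpo_access_mode "$2")"
}
```

Run `triage_gpo_child /var/log/sssd/gpo_child.log /etc/sssd/sssd.conf` on the affected host. An errno of 13 with mode "enforcing" is exactly the combination in the report: the SYSVOL share refused the read, and in enforcing mode that failure denies the login, which is why switching to permissive restores authentication while also dropping the GPO-based restriction.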
