group.of.nepali.translators team mailing list archive
Message #13167
[Bug 1641203] Re: SSSD can't process GPO from Active Directory when it contains lines with no equal sign
Hello Anders, or anyone else affected,
Accepted ding-libs into xenial-proposed. The package will build now and
be available at https://launchpad.net/ubuntu/+source/ding-libs/0.5.0-1ubuntu0.16.04.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed. In either case, details of your testing will help
us make a better decision.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: ding-libs (Ubuntu Xenial)
       Status: In Progress => Fix Committed
** Tags added: verification-needed
** Also affects: sssd (Ubuntu Yakkety)
   Importance: Undecided
       Status: New
** Also affects: ding-libs (Ubuntu Yakkety)
   Importance: Undecided
       Status: New
** Changed in: ding-libs (Ubuntu Yakkety)
       Status: New => Triaged
** Changed in: sssd (Ubuntu Yakkety)
       Status: New => Triaged
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1641203
Title:
SSSD can't process GPO from Active Directory when it contains lines
with no equal sign
Status in ding-libs package in Ubuntu:
Fix Released
Status in sssd package in Ubuntu:
Fix Released
Status in ding-libs source package in Xenial:
Fix Committed
Status in sssd source package in Xenial:
Triaged
Status in ding-libs source package in Yakkety:
Triaged
Status in sssd source package in Yakkety:
Triaged
Bug description:
[Impact]
This bug hits users who are joined to a domain server (probably MS Active Directory) where there is a GPO line that doesn't contain an equal sign (=). See more info in the upstream bug report linked below. This could be rather common in corporate environments and normally nothing you "fix" on the domain controller side to be able to use SSSD clients. This means all clients that upgrade to 16.04 using SSSD with a GPO containing a line without equal sign will be affected.
[Test Case]
Steps to reproduce (you'll need a domain server with GPO containing a line without equal sign!):
- Install:
    apt install krb5-user samba sssd ntp
- Make sure the default realm is set up properly (FQDN in uppercase):
    dpkg-reconfigure krb5-config
- Set up /etc/samba/smb.conf like this: https://paste.ubuntu.com/24407627/
- Set up /etc/sssd/sssd.conf like this: https://paste.ubuntu.com/24407643/
- File permissions:
    sudo chown root:root /etc/sssd/sssd.conf
    sudo chmod 600 /etc/sssd/sssd.conf
- Restart services:
    sudo service ntp restart
    sudo service smbd restart
    sudo service nmbd restart
- Join domain with:
    sudo net ads join -U "administrator@xxxxxxxxxx" "createcomputer=Servers/Virtual" osName=Ubuntu osVer=16.04
- Start SSSD:
    sudo service sssd start
- Verify:
    getent passwd Administrator@xxxxxxxxx
- Add creation of home directories on login (check the unchecked box):
    sudo pam-auth-update
- Now try to log in to the server with a domain user:
    arune@d152:~$ ssh arune@xxxxxxxxxx@server.domain.com
- This should fail and you'll find in the logs:
    grep "ad_gpo_store_policy_settings" /var/log/sssd/*
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
/var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)
[Regression Potential]
The current state of SSSD in Xenial is broken for _some_ users (where the GPO has a line without equal sign); it's _not known_ how many users are affected. A potential regression could mean even more users are affected by a new unknown bug.
Upstream bug report and patch:
https://fedorahosted.org/sssd/ticket/2751
Please backport to xenial.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ding-libs/+bug/1641203/+subscriptions
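An added illustration (not code from the bug report, ding-libs or SSSD) of the failure shown in the log above: a strict key=value parser rejects the whole GptTmpl.inf at the first line without an equal sign, while a tolerant mode skips that line and still reads the remaining settings. The sample template, parse_inf, decode_inf and the ignore_non_kvp parameter are constructed for this example.

```python
import codecs

# Constructed sample in the style of a GptTmpl.inf security template.
# The [Service General Setting] entry is comma-separated and has no '='.
SAMPLE = (
    "[Unicode]\r\n"
    "Unicode=yes\r\n"
    "[Version]\r\n"
    'signature="$CHICAGO$"\r\n'
    "Revision=1\r\n"
    "[Service General Setting]\r\n"
    '"ExampleSvc",2,""\r\n'
    "[Privilege Rights]\r\n"
    "SeInteractiveLogonRight = *S-1-5-32-544\r\n"
).encode("utf-16")  # byte-order mark followed by UTF-16 text


def decode_inf(raw: bytes) -> str:
    """Decode by BOM (UTF-16 or UTF-8); fall back to UTF-8 with replacement."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig", errors="replace")


def parse_inf(raw: bytes, ignore_non_kvp: bool = False):
    """Return (sections, skipped).

    Strict mode (the default) raises on the first line that is neither a
    comment, a section header nor key=value. With ignore_non_kvp=True such
    lines are recorded in `skipped` and parsing continues.
    """
    sections, skipped, current = {}, [], ""
    for lineno, line in enumerate(decode_inf(raw).splitlines(), start=1):
        line = line.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections.setdefault(current, {})[key.strip()] = value.strip()
        elif ignore_non_kvp:
            skipped.append((lineno, line))
        else:
            raise ValueError(f"Error on line {lineno}: Equal sign is missing.")
    return sections, skipped
```

In tolerant mode the `skipped` list gives the line numbers to compare against the "Error (5) on line N" entry in the SSSD domain log.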