Xenial has entered ESM, therefore I am marking this bug as Won't Fix for
it.

** Changed in: sssd (Ubuntu Xenial)
       Status: Triaged => Won't Fix

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1641203

Title:
  SSSD can't process GPO from Active Directory when it contains lines
  with no equal sign

Status in ding-libs package in Ubuntu:
  Fix Released
Status in sssd package in Ubuntu:
  Fix Released
Status in ding-libs source package in Xenial:
  Won't Fix
Status in sssd source package in Xenial:
  Won't Fix
Status in ding-libs source package in Yakkety:
  Won't Fix
Status in sssd source package in Yakkety:
  Won't Fix

Bug description:
  [Impact]
  This bug hits users who are joined to a domain server (probably MS Active
  Directory) where there is a GPO line that doesn't contain an equal sign (=).
  See more info in the upstream bug report linked below. This could be rather
  common in corporate environments and normally nothing you "fix" on the domain
  controller side to be able to use SSSD clients. This means all clients that
  upgrade to 16.04 using SSSD with a GPO containing a line without an equal
  sign will be affected.

  [Test Case]
  Steps to reproduce (you'll need a domain server with a GPO containing a line
  without an equal sign!):
  - Install: 
  apt install krb5-user samba sssd ntp
  - Make sure the default realm is setup properly (FQDN in uppercase): 
  dpkg-reconfigure krb5-config
  - Set up /etc/samba/smb.conf like this: https://paste.ubuntu.com/24407627/
  - Set up /etc/sssd/sssd.conf like this: https://paste.ubuntu.com/24407643/
  - File permissions:
  sudo chown root:root /etc/sssd/sssd.conf
  sudo chmod 600 /etc/sssd/sssd.conf
  - Restart services:
  sudo service ntp restart
  sudo service smbd restart
  sudo service nmbd restart
  - Join domain with:
  sudo net ads join -U "administra...@domain.com" "createcomputer=Servers/Virtual" osName=Ubuntu osVer=16.04
  - Start SSSD:
  sudo service sssd start
  - Verify:
  getent passwd administra...@qrtech.se
  - Add creation of home directories on login (check the unchecked box):
  sudo pam-auth-update

  - Now try to login to the server with a domain user:
  arune@d152:~$ ssh ar...@domain.com@server.domain.com
  - This should fail and you'll find in the logs:
  grep "ad_gpo_store_policy_settings" /var/log/sssd/*
  /var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): [/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]
  /var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error (5) on line 20: Equal sign is missing.
  /var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): Error encountered: 5.
  /var/log/sssd/sssd_DOMAIN.COM.log:(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_cse_done] (0x0040): ad_gpo_store_policy_settings failed: [5](Input/output error)

  [Regression Potential]
  The current state of SSSD in Xenial is broken for _some_ users (where the GPO
  has a line without an equal sign); it's _not known_ how many users are
  affected. A potential regression could mean even more users are affected by a
  new unknown bug.


  Upstream bug report and patch:
  https://fedorahosted.org/sssd/ticket/2751

  Please backport to xenial.
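
An added diagnostic example (not part of the bug report, SSSD or ding-libs): it pulls the failing GPO file and line number out of log lines shaped like those in the test case, and lists the lines of a GptTmpl.inf that have no equal sign. The regular expressions, the ';' and '#' comment markers, the {GUID} placeholder and all sample data are assumptions constructed for illustration.

```python
import re

# Patterns modeled on the ad_gpo_store_policy_settings messages quoted in the report.
TAG = r"\[ad_gpo_store_policy_settings\] \(0x[0-9a-fA-F]+\): "
FILE_RE = re.compile(TAG + r"\[(.+?)\]: ini_config_parse failed")
LINE_RE = re.compile(TAG + r"Error \((\d+)\) on line (\d+): (.+)")

def gpo_parse_failures(log_lines):
    """Group per-line parser errors under the GPO file that failed to parse."""
    failures = []
    for raw in log_lines:
        m = FILE_RE.search(raw)
        if m:
            failures.append({"file": m.group(1), "errors": []})
            continue
        m = LINE_RE.search(raw)
        if m and failures:
            failures[-1]["errors"].append((int(m.group(2)), m.group(3).strip()))
    return failures

def lines_without_equal_sign(text):
    """Return (line_no, line) for entries that are not blank, comments or
    section headers and contain no '=' (an approximation, not ding-libs' parser)."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s[0] in ";#" or (s[0] == "[" and s[-1] == "]"):
            continue
        if "=" not in s:
            hits.append((n, s))
    return hits

# Constructed sample data: log lines shaped like those in the report ({GUID} is a
# placeholder) and a made-up GptTmpl.inf whose [Registry Keys] entry has no '='.
PREFIX = "(Tue Apr 18 15:13:28 2017) [sssd[be[DOMAIN.COM]]] [ad_gpo_store_policy_settings] (0x0020): "
SAMPLE_LOG = [
    PREFIX + "[/var/lib/sss/gpo_cache/DOMAIN.COM/Policies/{GUID}/Machine/Microsoft/"
             "Windows NT/SecEdit/GptTmpl.inf]: ini_config_parse failed [5][Input/output error]",
    PREFIX + "Error (5) on line 9: Equal sign is missing.",
    PREFIX + "Error encountered: 5.",
]
SAMPLE_INF = ("[Unicode]\nUnicode=yes\n[Version]\nsignature=\"$CHICAGO$\"\nRevision=1\n"
              "[Privilege Rights]\nSeInteractiveLogonRight = *S-1-5-32-544\n[Registry Keys]\n"
              "\"MACHINE\\SOFTWARE\\Example\",0,\"D:PAR(A;CI;KA;;;BA)\"\n")

if __name__ == "__main__":
    for failure in gpo_parse_failures(SAMPLE_LOG):
        print(failure["file"], failure["errors"])
    print(lines_without_equal_sign(SAMPLE_INF))
```

On a real system, feed it the lines of /var/log/sssd/sssd_DOMAIN.COM.log and the decoded text of the cached GptTmpl.inf named in the log.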
