Hi, this is https://github.com/SSSD/sssd/issues/4138, fixed via https://github.com/SSSD/sssd/pull/6039. The fix will be released in SSSD 2.7.0.
On Tue, Apr 12, 2022 at 9:58 AM lingyuan zhu <[email protected]> wrote:

> 1. SSSD version:
> sssd-common-1.16.5-10.el7_9.12.x86_64
> sssd-ldap-1.16.5-10.el7_9.12.x86_64
> sssd-ad-1.16.5-10.el7_9.12.x86_64
> sssd-client-1.16.5-10.el7_9.12.x86_64
> python-sssdconfig-1.16.5-10.el7_9.12.noarch
> sssd-krb5-common-1.16.5-10.el7_9.12.x86_64
> sssd-ipa-1.16.5-10.el7_9.12.x86_64
> sssd-krb5-1.16.5-10.el7_9.12.x86_64
> sssd-1.16.5-10.el7_9.12.x86_64
> sssd-common-pac-1.16.5-10.el7_9.12.x86_64
> sssd-proxy-1.16.5-10.el7_9.12.x86_64
>
> 2. SSSD configuration
> [sssd]
> domains = adtest.zly.com
> config_file_version = 2
> services = nss, pam
>
> [domain/adtest.zly.com]
> ad_server = adtest.adtest.zly.com
> ad_domain = adtest.zly.com
> krb5_realm = ADTEST.ZLY.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = true
> use_fully_qualified_names = false
> fallback_homedir = /home/%u
> access_provider = ad
> debug_level=9
> ad_gpo_access_control=enforcing
> #ad_gpo_access_control=permissive
>
> 3. Error log
> Error in /var/log/secure:
> Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
> Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
> Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
> Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_unix(sshd:session): session opened for user njadmin by (uid=0)
> Apr 12 15:28:24 wxvmlinux sshd[3836]: Received disconnect from ::1 port 49040:11: disconnected by user
> Apr 12 15:28:24 wxvmlinux sshd[3836]: Disconnected from ::1 port 49040
> Apr 12 15:28:24 wxvmlinux sshd[3784]: pam_unix(sshd:session): session closed for user njadmin
> Apr 12 15:28:40 wxvmlinux polkitd[547]: Registered Authentication Agent for unix-process:3889:296012 (system bus name :1.57 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
> Apr 12 15:28:41 wxvmlinux polkitd[547]: Unregistered Authentication Agent for unix-process:3889:296012 (system bus name :1.57, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
> Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
> Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
> Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
> Apr 12 15:28:46 wxvmlinux sshd[3925]: fatal: Access denied for user njadmin by PAM account configuration [preauth]
>
> /var/log/sssd/gpo_child.log
> (2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): gpo_child started.
> (2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): context initialized
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x0400): cached_gpt_version: -1
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server length: 27
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server: smb://adtest.adtest.zly.com
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share length: 7
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share: /SysVol
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path length: 63
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
> (2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
> (2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): performing smb operations
> (2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://adtest.adtest.zly.com/SysVol/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
> (2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x4000): smb_buflen: 50
> (2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x4000): smb_path_with_suffix: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
> (2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com
> (2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies
> (2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
> (2022-04-12 15:28:54): [gpo_child[3955]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
> (2022-04-12 15:28:54): [gpo_child[3955]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
> (2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
> (2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
> (2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
> (2022-04-12 15:28:54): [gpo_child[3955]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
> (2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
> (2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): gpo_child failed!
>
> 4. Reproduction method
> 1) Preparation
> AD: Windows Server 2012 Datacenter
> Configure AD domain server, DNS service
> Configure domain: adtest.zly.com
> GPO policy: "computer configuration ==> strategy ==> windows setting ==> security setting ==> local strategy ==> Allow local login", configure some user or group who have local login permission
> Linux client: CentOS 7.9 or RedHat 7.9
> realm join adtest.zly.com
> 2) Reproduction
> Linux client:
> [root@wxvmlinux sssd]# ssh -l wxadmin localhost
> wxadmin@localhost's password:
> Authentication failed.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
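A small triage script for the two GPO access-control events visible in the /var/log/secure excerpt of the report above, added here as an example; it is not part of this thread and not SSSD code. In permissive mode SSSD only logs "user would have been denied GPO-based logon access", so an administrator wants a list of who would be locked out before switching to enforcing; in enforcing mode the report shows "Access denied for user njadmin: 4 (System error)", which is the GPO check itself failing (gpo_child could not parse GPT.INI) rather than the policy rejecting the user. The sample log is the report's own lines embedded inline. Two assumptions are marked in the code: the backend warning does not name the user, so it is attributed to the pam_sss authentication success logged at the same second on the same host (a correlation heuristic, not something SSSD guarantees), and the mapping of PAM status 4 to PAM_SYSTEM_ERR and 6 to PAM_PERM_DENIED comes from Linux-PAM's headers, not from the page.

```python
"""Triage SSSD AD GPO access-control events in /var/log/secure (syslog format).

Added example, not SSSD code. Two things a defender wants from these logs:
  * permissive mode: which users *would* be denied once enforcing is switched on;
  * enforcing mode: whether a denial is a real policy decision or a failed check.
"""
import re

# Constructed sample: the /var/log/secure lines quoted in the report above.
SAMPLE_SECURE_LOG = """\
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
"""

SYSLOG_PREFIX = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "

AUTH_OK_RE = re.compile(
    SYSLOG_PREFIX + r"\S+: pam_sss\((?P<pamsvc>[^:]+):auth\): authentication success;.*\buser=(?P<user>\S+)")
GPO_WARN_RE = re.compile(
    SYSLOG_PREFIX + r"sssd\[be\[(?P<domain>[^\]]+)\]\]: Warning: user would have been denied GPO-based logon access")
ACCT_DENY_RE = re.compile(
    SYSLOG_PREFIX + r"\S+: pam_sss\((?P<pamsvc>[^:]+):account\): Access denied for user (?P<user>\S+): (?P<code>\d+) \((?P<reason>[^)]*)\)")

# PAM status codes as defined in Linux-PAM's _pam_types.h (only 4 appears in the report).
PAM_SYSTEM_ERR = 4
PAM_PERM_DENIED = 6


def classify_pam_code(code):
    """Tell a failed access check apart from a real policy denial."""
    if code == PAM_SYSTEM_ERR:
        return "check-failed"   # GPO evaluation errored; read gpo_child.log, not the policy
    if code == PAM_PERM_DENIED:
        return "policy-denied"  # GPO evaluated and the user is not allowed to log on
    return "other"


def triage(log_text):
    """Return {'would_be_denied': [...], 'denied': [...]} for a block of syslog lines."""
    findings = {"would_be_denied": [], "denied": []}
    last_auth = None  # (ts, host, user) of the most recent pam_sss auth success
    for line in log_text.splitlines():
        m = AUTH_OK_RE.match(line)
        if m:
            last_auth = (m["ts"], m["host"], m["user"])
            continue
        m = GPO_WARN_RE.match(line)
        if m:
            # Assumed correlation: the backend warning carries no user name, so attribute
            # it to the auth success logged at the same second on the same host.
            user = "unknown"
            if last_auth and last_auth[:2] == (m["ts"], m["host"]):
                user = last_auth[2]
            findings["would_be_denied"].append({"ts": m["ts"], "domain": m["domain"], "user": user})
            continue
        m = ACCT_DENY_RE.match(line)
        if m:
            code = int(m["code"])
            findings["denied"].append({"ts": m["ts"], "user": m["user"], "code": code,
                                       "reason": m["reason"], "kind": classify_pam_code(code)})
    return findings


def report(findings):
    """Render the findings as one line per event."""
    lines = []
    for f in findings["would_be_denied"]:
        lines.append(f"{f['ts']} permissive: {f['user']} would be denied by GPO in domain {f['domain']}")
    for f in findings["denied"]:
        lines.append(f"{f['ts']} enforcing: {f['user']} denied, PAM {f['code']} ({f['reason']}) -> {f['kind']}")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SECURE_LOG
    print("\n".join(report(triage(text))))
```

Run it with a path to a real /var/log/secure (or without arguments to use the embedded sample). A "check-failed" finding means the next place to look is /var/log/sssd/gpo_child.log, as in the report, because the GPO cache or parse step broke and SSSD denied the login fail-closed; a "policy-denied" finding is the GPO's own "Allow log on locally" decision and is resolved on the AD side.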
