Authentication fails after upgrading sssd to 2.2.3-3ubuntu0.6
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Server Guide |
Fix Released
|
High
|
Andreas Hasenack | ||
sssd |
New
|
Unknown
|
|||
sssd (Fedora) |
Unknown
|
Unknown
|
|||
sssd (Ubuntu) |
Fix Released
|
High
|
Sergio Durigan Junior | ||
Focal |
Fix Released
|
High
|
Sergio Durigan Junior | ||
Impish |
Won't Fix
|
Undecided
|
Sergio Durigan Junior | ||
Jammy |
Fix Released
|
High
|
Sergio Durigan Junior | ||
Kinetic |
Fix Released
|
High
|
Sergio Durigan Junior |
Bug Description
[ Impact ]
A user running a Samba Active Directory Domain Controller compliant with the MS ADTS specifications in regards to how GPO is handled will experience authentication failures when joining an AD realm using the Ubuntu sssd package on Focal, Impish and Jammy with the "fix-gpo-
Upstream sssd has fixed this problem on version 2.7.0, which will be available in Kinetic soon.
[ Test Plan ]
The test case for this bug is a bit complex, but I will do my best to describe it in detail.
We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.
== Virtual Network setup ==
The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".
Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".
== Samba AD DC VM setup ==
We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.
$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a
Make sure to grab this VM's IP address.
server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind
server# mv /etc/samba/smb.conf /etc/samba/
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1
server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service
We now have to adjust the DNS server settings of the server. We are going to disable systemd-
You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/
server# systemctl disable --now systemd-
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot
This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.
server# samba-tool user create testuser MyUserPassword1
== VM AD client setup ==
Let's configure a VM to act as an AD client.
$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient
Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).
client# systemctl disable --now systemd-
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir
We can now check if our container can detect the AD DC:
client# realm -v discover sambadc.test.lan
* Resolving: _ldap._
* Resolving: sambadc.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
You can also confirm that the "realm -v discover" works on the domain name:
client# realm -v discover test.lan
* Resolving: _ldap._tcp.test.lan
* Performing LDAP DSE lookup on: 192.168.101.142
* Successfully discovered: test.lan
test.lan
type: kerberos
realm-name: TEST.LAN
domain-name: test.lan
configured: no
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
And we can join the realm:
client# realm -v join test.lan
You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:
client# getent passwd <email address hidden>
<email address hidden>
== Reproducing the bug ==
Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.
client# getent passwd <email address hidden>
<email address hidden>
Now, try to login as the user:
client# login <email address hidden>
Password: MyUserPassword1
System error
As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by GPO, the following line can be added to the end of the /etc/sssd/sssd.conf file:
ad_gpo_
After restarting sssd.service and trying to login again, you can confirm that it succeeds.
Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:
client# sssctl cache-remove -o -p -s
[ Where problems could occur ]
The behaviour being introduced by this change goes against the specificiation for Group Policies by Microsoft. It is worth mentioning that Microsoft Windows itself does *not* follow the specification either, so in a way we are bringing sssd to the "de facto" standard. But users can be surprised to see the authentication process successfully finish even if there is no SecEdit\GptTmpl.inf available.
As usual, there is also the small risk of rebuilding a package against newer dependencies in the archive.
[ Original Description ]
Hello,
After upgrade of sssd packages from version 2.2.3-3ubuntu0.4 to version 2.2.3-3ubuntu0.6, I could not authenticate with users from my Samba4 directory.
After enabling debug, I can see in /var/log/
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): gpo_child started.
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): context initialized
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server length: 21
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server: smb://MY_
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share length: 7
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share: /sysvol
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path length: 60
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path: /MY_DOMAIN/
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): performing smb operations
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [perform_
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): perform_
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): gpo_child failed!
(I have replaced real server and domain name by MY_SERVER_FQDN and MY_DOMAIN)
As a workaround, I add new option 'ad_gpo_
here is my sssd.conf:
[sssd]
default_
full_name_format = %1$s
domains = my_domain
config_file_version = 2
services = nss, pam
[domain/my_domain]
debug_level=9
default_shell = /bin/bash
krb5_store_
cache_credentials = True
krb5_realm = MY_DOMAIN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = my_domain
use_fully_
ldap_id_mapping = True
access_provider = ad
After adding 'ad_gpo_
Thanks!
Related branches
- Andreas Hasenack (community): Approve
- git-ubuntu bot: Approve
- Canonical Server Reporter: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server Reporter: Pending requested
- Canonical Server: Pending requested
-
Diff: 448 lines (+372/-6)10 files modifieddebian/changelog (+18/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+169/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch (+22/-0)
debian/patches/series (+3/-0)
debian/python3-libipa-hbac.install (+1/-1)
debian/python3-libsss-nss-idmap.install (+1/-1)
debian/python3-sss.install (+3/-3)
debian/rules (+2/-0)
debian/sssd-tools.install (+1/-1)
- git-ubuntu bot: Approve
- Andreas Hasenack (community): Approve
- Canonical Server packageset reviewers: Pending requested
-
Diff: 362 lines (+334/-0)4 files modifieddebian/changelog (+10/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+170/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/series (+2/-0)
- git-ubuntu bot: Approve
- Andreas Hasenack (community): Approve
- Canonical Server: Pending requested
-
Diff: 309 lines (+234/-3)2 files modifieddebian/changelog (+230/-0)
debian/control (+4/-3)
Changed in sssd (Ubuntu): | |
status: | New → Triaged |
importance: | Undecided → High |
tags: | added: regression-update |
Changed in sssd: | |
status: | Unknown → New |
Changed in sssd (Ubuntu Focal): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Changed in sssd (Ubuntu Impish): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Changed in sssd (Ubuntu Jammy): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
Changed in sssd (Ubuntu Kinetic): | |
assignee: | nobody → Sergio Durigan Junior (sergiodj) |
description: | updated |
Changed in sssd (Ubuntu Jammy): | |
status: | New → In Progress |
Changed in sssd (Ubuntu Focal): | |
status: | New → In Progress |
importance: | Undecided → High |
Changed in sssd (Ubuntu Jammy): | |
importance: | Undecided → High |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
tags: |
added: verification-done removed: verification-needed |
tags: | removed: server-todo |
Thank you for your report and sorry for the issue caused by this SRU.
In focal GPO are enforced by default. But the original version of SSSD was not fully implementing the MS spec and GPO where actually not enforced. This was the case for the default domain policy which defines in particular the security and password policy which where not followed.
This is what this SRU addressed by backporting most the GPO fixes from recent version of SSSD and created this unfortunate side effect.
This problem will occur when users will upgrade from 20.04 to 22.04 anyway.
Adding 'ad_gpo_ access_ control = permissive' to sssd.conf is one way to fix it. Another way is to make sure the default domain policy is properly defined and that the client can access it.
However we will have a look at a Samba4 setup to try to understand if there is a general problem with this setup and how it can be addressed before 22.04 is released.