Ubuntu
sssd package

Bug #1934997
Comment #0

Comment 0 for bug 1934997

Revision history for this message

r0mulux (r-marie) wrote on 2021-07-08:

Hello,

After upgrade of sssd packages from version 2.2.3-3ubuntu0.4 to version 2.2.3-3ubuntu0.6, I could not authenticate with users from my Samba4 directory.

After enabling debug, I can see in /var/log/sssd/gpo_child.log errors:

(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): gpo_child started.
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): context initialized
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server length: 21
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_server: smb://MY_SERVER_FQDN
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share length: 7
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_share: /sysvol
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path length: 60
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_path: /MY_DOMAIN/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0400): performing smb operations
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://MY_SERVER_FQDN/sysvol/MY_DOMAIN/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [perform_smb_operations] (0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): perform_smb_operations failed.[13][Permission denied].
(Mon Jul 5 18:15:20 2021) [gpo_child[9895]] [main] (0x0020): gpo_child failed!

(I have replaced real server and domain name by MY_SERVER_FQDN and MY_DOMAIN)

As a workaround, I add new option 'ad_gpo_access_control = permissive' in sssd.conf and authentication is working again, but I'm wondering why upgrade has broken authentication, and what is the impact of the option ?

here is my sssd.conf:

[sssd]
default_domain_suffix = my_domain
full_name_format = %1$s
domains = my_domain
config_file_version = 2
services = nss, pam

[domain/my_domain]
debug_level=9
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MY_DOMAIN
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%d/%u
ad_domain = my_domain
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

After adding 'ad_gpo_access_control = permissive' at the end of file, authentication with samba4 users works again.

Thanks!