Fix will be released in SSSD 2.7.0
On Tue, Apr 12, 2022 at 9:58 AM lingyuan zhu <lingyuan_zhu(a)126.com> wrote:
1. SSSD version:
sssd-common-1.16.5-10.el7_9.12.x86_64
sssd-ldap-1.16.5-10.el7_9.12.x86_64
sssd-ad-1.16.5-10.el7_9.12.x86_64
sssd-client-1.16.5-10.el7_9.12.x86_64
python-sssdconfig-1.16.5-10.el7_9.12.noarch
sssd-krb5-common-1.16.5-10.el7_9.12.x86_64
sssd-ipa-1.16.5-10.el7_9.12.x86_64
sssd-krb5-1.16.5-10.el7_9.12.x86_64
sssd-1.16.5-10.el7_9.12.x86_64
sssd-common-pac-1.16.5-10.el7_9.12.x86_64
sssd-proxy-1.16.5-10.el7_9.12.x86_64
2. SSSD configuration
[sssd]
domains = adtest.zly.com
config_file_version = 2
services = nss, pam

[domain/adtest.zly.com]
ad_server = adtest.adtest.zly.com
ad_domain = adtest.zly.com
krb5_realm = ADTEST.ZLY.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level=9
ad_gpo_access_control=enforcing
#ad_gpo_access_control=permissive
3. Error log
Error in /var/log/secure:
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_unix(sshd:session): session opened for user njadmin by (uid=0)
Apr 12 15:28:24 wxvmlinux sshd[3836]: Received disconnect from ::1 port 49040:11: disconnected by user
Apr 12 15:28:24 wxvmlinux sshd[3836]: Disconnected from ::1 port 49040
Apr 12 15:28:24 wxvmlinux sshd[3784]: pam_unix(sshd:session): session closed for user njadmin
Apr 12 15:28:40 wxvmlinux polkitd[547]: Registered Authentication Agent for unix-process:3889:296012 (system bus name :1.57 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 12 15:28:41 wxvmlinux polkitd[547]: Unregistered Authentication Agent for unix-process:3889:296012 (system bus name :1.57, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
Apr 12 15:28:46 wxvmlinux sshd[3925]: fatal: Access denied for user njadmin by PAM account configuration [preauth]
/var/log/sssd/gpo_child.log
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): gpo_child started.
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): context initialized
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server length: 27
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server: smb://adtest.adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share length: 7
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share: /SysVol
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path length: 63
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): performing smb operations
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://adtest.adtest.zly.com/SysVol/adtest.zly.com/Policies/{63899852-E3D6-4975-...
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x4000): smb_buflen: 50
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x4000): smb_path_with_suffix: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
(2022-04-12 15:28:54): [gpo_child[3955]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): gpo_child failed!
4. Reproduction method
1) Preparation
AD: Windows Server 2012 Datacenter.
Configure the AD domain server and DNS service.
Configure the domain: adtest.zly.com
GPO policy: "Computer Configuration ==> Policies ==> Windows Settings ==> Security Settings ==> Local Policies ==> Allow local login"; configure some users or groups who have local login permission.
Linux client: CentOS 7.9 or Red Hat 7.9
realm join adtest.zly.com
2) Reproduction
Linux client:
[root@wxvmlinux sssd]# ssh -l wxadmin localhost
wxadmin@localhost's password:
Authentication failed.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
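Added example, not from this thread or from the SSSD project. errno 84 on Linux is EILSEQ, the "Invalid or incomplete multibyte or wide character" in the gpo_child log above; it is what a reader expecting single-byte or UTF-8 input returns when the bytes do not decode. A GPT.INI written in UTF-16 is one way to get there (an assumption of this example; the thread does not establish the cause). The script parses a GPT.INI the encoding-aware way (sniff the BOM, decode, then split the packed Version field into its computer and user halves) next to a naive single-byte reader that reproduces the failure, and then scans /var/log/secure-style lines for the two outcomes the log above shows: permissive mode accepting a login right after the backend said the user would have been denied, and enforcing mode returning PAM_SYSTEM_ERR (4), i.e. a GPO processing error fails closed. The GPT.INI bytes are constructed; the log lines are the thread's own entries, one per line; pairing the backend warning with the next "Accepted" line is a heuristic, since the warning names no user.

```python
"""Added example (not the SSSD project's code): GPT.INI encoding check and
/var/log/secure audit for the gpo_child failure discussed in the thread."""
import codecs
import configparser
import errno
import re

# BOMs to sniff. UTF-32 LE must be tested before UTF-16 LE (both start FF FE).
_BOMS = (
    (codecs.BOM_UTF32_LE, "utf-32-le"),
    (codecs.BOM_UTF32_BE, "utf-32-be"),
    (codecs.BOM_UTF16_LE, "utf-16-le"),
    (codecs.BOM_UTF16_BE, "utf-16-be"),
    (codecs.BOM_UTF8, "utf-8"),
)


def detect_encoding(raw):
    """Return (codec, bytes to skip) from a BOM; default to BOM-less UTF-8."""
    for bom, name in _BOMS:
        if raw.startswith(bom):
            return name, len(bom)
    return "utf-8", 0


def parse_gpt_ini(raw):
    """Decode GPT.INI by its BOM and read [General].

    Version is a packed 32-bit value: low 16 bits = computer policy version,
    high 16 bits = user policy version.
    """
    enc, skip = detect_encoding(raw)
    text = raw[skip:].decode(enc)
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # keep "Version" / "displayName" as written
    cp.read_string(text)
    version = int(cp["General"]["Version"])
    return {
        "encoding": enc,
        "version": version,
        "machine_version": version & 0xFFFF,
        "user_version": version >> 16,
        "displayName": cp["General"].get("displayName", ""),
    }


def single_byte_parse(raw):
    """Naive reader assuming UTF-8/single-byte text. Returns 0 or an errno."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return errno.EILSEQ                   # UTF-16 bytes: "Invalid or incomplete multibyte..."
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(text)                  # a UTF-8 BOM survives as U+FEFF and hides "[General]"
    except configparser.Error:
        return errno.EINVAL
    return 0


def errno_name(code):
    """Symbolic errno name; on Linux 84 is EILSEQ."""
    return "OK" if code == 0 else errno.errorcode.get(code, "UNKNOWN")


_WOULD_DENY = re.compile(r"sssd\[be\[[^\]]+\]\]: Warning: user would have been denied GPO-based logon access")
_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from")
_PAM_SYSTEM_ERR = re.compile(r"pam_sss\(sshd:account\): Access denied for user (?P<user>\S+): 4 \(System error\)")


def audit_secure_log(lines):
    """Flag GPO access outcomes in /var/log/secure lines.

    permissive_fail_open: backend warned the user would have been denied, then
      sshd accepted the login (paired by adjacency; the warning names no user).
    enforcing_gpo_error: pam_sss account phase returned PAM_SYSTEM_ERR (4).
    """
    findings, pending = [], False
    for line in lines:
        if _WOULD_DENY.search(line):
            pending = True
            continue
        m = _ACCEPTED.search(line)
        if m:
            if pending:
                findings.append(("permissive_fail_open", m["user"]))
            pending = False
            continue
        m = _PAM_SYSTEM_ERR.search(line)
        if m:
            findings.append(("enforcing_gpo_error", m["user"]))
    return findings


# Constructed GPT.INI variants. The UTF-16 form is assumed here to be what a
# Windows DC writes when the GPO display name is not plain ASCII.
GPT_ASCII = b"[General]\r\nVersion=65539\r\ndisplayName=Linux logon rights\r\n"
GPT_UTF8_BOM = codecs.BOM_UTF8 + "[General]\r\nVersion=65539\r\ndisplayName=Anmeldung\r\n".encode("utf-8")
GPT_UTF16 = codecs.BOM_UTF16_LE + "[General]\r\nVersion=65539\r\ndisplayName=本地登录\r\n".encode("utf-16-le")

# The thread's /var/log/secure entries, one per line (constructed sample).
SECURE_LOG = [
    "Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin",
    "Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.",
    "Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2",
    "Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin",
    "Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)",
]

if __name__ == "__main__":
    for name, blob in (("ascii", GPT_ASCII), ("utf8-bom", GPT_UTF8_BOM), ("utf16", GPT_UTF16)):
        print(name, "naive:", errno_name(single_byte_parse(blob)), "| BOM-aware:", parse_gpt_ini(blob))
    print(audit_secure_log(SECURE_LOG))
```

To check a real host, read the cached copy that gpo_child left behind (the ini_filename path in the gpo_child log, under /var/lib/sss/gpo_cache/<domain>/Policies/<GUID>/GPT.INI) with open(path, "rb").read() and pass it to both parsers; file(1) on the same path is the quickest way to see whether it is UTF-16. Note the two failure modes the audit distinguishes: permissive mode logs the denial and lets the user in, enforcing mode turns a parse error into a denial for every user, so a broken GPT.INI is a lockout rather than a bypass.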