1. SSSD version:
sssd-common-1.16.5-10.el7_9.12.x86_64
sssd-ldap-1.16.5-10.el7_9.12.x86_64
sssd-ad-1.16.5-10.el7_9.12.x86_64
sssd-client-1.16.5-10.el7_9.12.x86_64
python-sssdconfig-1.16.5-10.el7_9.12.noarch
sssd-krb5-common-1.16.5-10.el7_9.12.x86_64
sssd-ipa-1.16.5-10.el7_9.12.x86_64
sssd-krb5-1.16.5-10.el7_9.12.x86_64
sssd-1.16.5-10.el7_9.12.x86_64
sssd-common-pac-1.16.5-10.el7_9.12.x86_64
sssd-proxy-1.16.5-10.el7_9.12.x86_64

2. SSSD Configuration
[sssd]
domains = adtest.zly.com
config_file_version = 2
services = nss, pam

[domain/adtest.zly.com]
ad_server = adtest.adtest.zly.com
ad_domain = adtest.zly.com
krb5_realm = ADTEST.ZLY.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = true
use_fully_qualified_names = false
fallback_homedir = /home/%u
access_provider = ad
debug_level=9
ad_gpo_access_control=enforcing
#ad_gpo_access_control=permissive

3. error log
Error in /var/log/secure:
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:15 wxvmlinux sssd[be[adtest.zly.com]]: Warning: user would have been denied GPO-based logon access if the ad_gpo_access_control option were set to enforcing mode.
Apr 12 15:28:15 wxvmlinux sshd[3784]: Accepted password for njadmin from ::1 port 49040 ssh2
Apr 12 15:28:15 wxvmlinux sshd[3784]: pam_unix(sshd:session): session opened for user njadmin by (uid=0)
Apr 12 15:28:24 wxvmlinux sshd[3836]: Received disconnect from ::1 port 49040:11: disconnected by user
Apr 12 15:28:24 wxvmlinux sshd[3836]: Disconnected from ::1 port 49040
Apr 12 15:28:24 wxvmlinux sshd[3784]: pam_unix(sshd:session): session closed for user njadmin
Apr 12 15:28:40 wxvmlinux polkitd[547]: Registered Authentication Agent for unix-process:3889:296012 (system bus name :1.57 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Apr 12 15:28:41 wxvmlinux polkitd[547]: Unregistered Authentication Agent for unix-process:3889:296012 (system bus name :1.57, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=njadmin
Apr 12 15:28:46 wxvmlinux sshd[3925]: pam_sss(sshd:account): Access denied for user njadmin: 4 (System error)
Apr 12 15:28:46 wxvmlinux sshd[3925]: Failed password for njadmin from ::1 port 49084 ssh2
Apr 12 15:28:46 wxvmlinux sshd[3925]: fatal: Access denied for user njadmin by PAM account configuration [preauth]

/var/log/sssd/gpo_child.log:
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): gpo_child started.
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): context initialized
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x0400): cached_gpt_version: -1
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server length: 27
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_server: smb://adtest.adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share length: 7
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_share: /SysVol
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path length: 63
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_path: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix length: 49
(2022-04-12 15:28:54): [gpo_child[3955]] [unpack_buffer] (0x4000): smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0400): performing smb operations
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://adtest.adtest.zly.com/SysVol/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [copy_smb_file_to_gpo_cache] (0x4000): smb_buflen: 50
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x4000): smb_path_with_suffix: /adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies
(2022-04-12 15:28:54): [gpo_child[3955]] [prepare_gpo_cache] (0x0400): Storing GPOs in /var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}
(2022-04-12 15:28:54): [gpo_child[3955]] [unique_filename_destructor] (0x2000): Unlinking [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [unlink_dbg] (0x2000): File already removed: [/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INIPUsDAW]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0400): ini_filename:/var/lib/sss/gpo_cache/adtest.zly.com/Policies/{63899852-E3D6-4975-84B6-1B585DE97319}/GPT.INI
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): ini_config_file_open failed [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [ad_gpo_parse_ini_file] (0x0020): Error encountered: 84.
(2022-04-12 15:28:54): [gpo_child[3955]] [perform_smb_operations] (0x0020): Cannot parse ini file: [84][Invalid or incomplete multibyte or wide character]
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): perform_smb_operations failed.[84][Invalid or incomplete multibyte or wide character].
(2022-04-12 15:28:54): [gpo_child[3955]] [main] (0x0020): gpo_child failed!

4. Reproduction method
1) preparation
AD: windows server 2012 datacenter, Configure AD Domain server, DNS Service
Configure domain: adtest.zly.com
Gpo policy: "computer configuration ==> strategy ==> windows setting ==> security setting ==> local strategy ==> Allow local login", configure some user or group who have local login permission
Linux client: centos 7.9 or redhat 7.9
realm join adtest.zly.com
2) reproduction
Linux client:
[root@wxvmlinux sssd]# ssh -l wxadmin localhost
wxadmin@localhost's password:
Authentication failed.
Hi,
this is https://github.com/SSSD/sssd/issues/4138
Fixed via https://github.com/SSSD/sssd/pull/6039
Fix will be released in SSSD 2.7.0.
On Tue, Apr 12, 2022 at 9:58 AM lingyuan zhu lingyuan_zhu@126.com wrote:
Hi,
Thank you for replying to my question. There are some other problems, please help me.
(1) When is SSSD 2.7.0 released?
(2) What are the installation requirements? Can I install it on RedHat version 6.9 or 7.9?
(3) If I have to use the GPO function, can I modify the settings to make them take effect, such as the AD setting or the Linux client setting?
On Wed, Apr 13, 2022 at 2:56 AM lingyuan zhu lingyuan_zhu@126.com wrote:
Hi,
Thank you for replying to my question. There are some other problems, please help me.
(1) When is SSSD 2.7.0 released?
There is no set schedule / no promises, but hopefully this month.
(2) What are the installation requirements? Can I install it on RedHat version 6.9 or 7.9?
An upstream release contains source code; one can't install it on a given platform directly. It has to be built (compiled and linked) first. If you are a Red Hat customer, please work with your support contact to discuss the possibility to ship a fix in RHEL7. There are virtually no chances for this to be fixed in RHEL6.
(3) If I have to use the GPO function, can I modify the settings to make them take effect, such as the AD setting or the Linux client setting?
Perhaps you could try to edit the policy file at the AD side to avoid using non-UTF-8 characters. Or change the locale used by Windows. There is no workaround at the client side.
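To act on that advice an administrator first needs to know which cached policy file carries the bad bytes. The following is an added example, not SSSD's code or anything from this thread; it assumes the cache layout from the gpo_child log above and uses constructed sample file contents:

```python
"""Find GPO cache files that SSSD's ini parser rejects as non-UTF-8.

Added example, not SSSD code. It assumes the cache layout shown in the
gpo_child log (/var/lib/sss/gpo_cache/<domain>/Policies/{GUID}/...) and
that a failing GPT.INI was written in the DC's ANSI code page; it reports
the first offending byte so the administrator knows which GPO to re-save
on the AD side, which is the only fix available according to the reply.
"""
from pathlib import Path

# Constructed samples (not taken from the report). The second one mimics a
# GPT.INI whose displayName was written in GBK instead of UTF-8.
SAMPLE_UTF8 = b"[General]\r\nVersion=65539\r\ndisplayName=Allow local login\r\n"
SAMPLE_GBK = b"[General]\r\nVersion=65539\r\ndisplayName=\xb2\xdf\xc2\xd4\r\n"
SAMPLE_UTF16 = "[Unicode]\r\nUnicode=yes\r\n".encode("utf-16")


def check_bytes(data: bytes) -> dict:
    """Classify one policy file: valid UTF-8, UTF-16 with BOM, or bad bytes."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        # GptTmpl.inf is normally UTF-16; report it separately so it is not
        # mistaken for a code-page file when reading the results.
        return {"status": "utf16-bom", "offset": None, "bytes": ""}
    try:
        data.decode("utf-8")
        return {"status": "ok", "offset": None, "bytes": ""}
    except UnicodeDecodeError as exc:
        # errno 84 (EILSEQ) in the gpo_child log corresponds to this case.
        return {"status": "invalid-utf8", "offset": exc.start,
                "bytes": data[exc.start:exc.start + 4].hex(" ")}


def scan_gpo_cache(root: str) -> list:
    """Walk the cache and return (path, result) for every .ini/.inf file."""
    found = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".ini", ".inf"):
            found.append((str(path), check_bytes(path.read_bytes())))
    return found


def report_lines(results: list) -> list:
    """One human-readable line per file that is not valid UTF-8."""
    return [f"{p}: {r['status']} at offset {r['offset']} ({r['bytes']})"
            for p, r in results if r["status"] == "invalid-utf8"]


if __name__ == "__main__":
    for line in report_lines(scan_gpo_cache("/var/lib/sss/gpo_cache")):
        print(line)
```

Run it as root on the client after a failed logon; the GUID in the reported path identifies the GPO to re-save on the AD side.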