Merge ~sergiodj/ubuntu/+source/sssd:bug1934997-auth-error-gpo-jammy into ubuntu/+source/sssd:ubuntu/jammy-devel
Status: | Merged
---|---
Approved by: | git-ubuntu bot
Approved revision: | not available
Merged at revision: | f3835665f5d103fdf7ee5c72d88c77f3346d67a7
Proposed branch: | ~sergiodj/ubuntu/+source/sssd:bug1934997-auth-error-gpo-jammy
Merge into: | ubuntu/+source/sssd:ubuntu/jammy-devel
Diff against target: | 448 lines (+372/-6), 10 files modified
Files modified:
- debian/changelog (+18/-0)
- debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+169/-0)
- debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
- debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch (+22/-0)
- debian/patches/series (+3/-0)
- debian/python3-libipa-hbac.install (+1/-1)
- debian/python3-libsss-nss-idmap.install (+1/-1)
- debian/python3-sss.install (+3/-3)
- debian/rules (+2/-0)
- debian/sssd-tools.install (+1/-1)
Related bugs:
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Andreas Hasenack | Approve | ||
git-ubuntu bot | Approve | ||
Canonical Server Reporter | Pending | ||
Canonical Server Reporter | Pending | ||
Canonical Server Reporter | Pending | ||
Canonical Server | Pending | ||
Review via email: mp+424996@code.launchpad.net
Description of the change
This MP fixes the problem reported at bug #1934997 on Jammy.
When samba is used as a Domain Controller for an Active Directory realm, it correctly creates GPOs (Group Policy Objects) that list the proper Security Protocol Extension GUID. The problem is that there is no SecEdit/GptTmpl.inf file present in the sysvol.
According to Microsoft's "Group Policy: Security Protocol Extension" document, when such file doesn't exist the GPO client (sssd, in this case) should treat this as an error and stop processing. Quoting the document:
1. Perform an SMB File Open on the file specified by <gpo path>\Machine\
NT\SecEdit\
encountered while opening the file, an error MUST be indicated to the Group Policy system (as
specified in [MS-GPOL] section 2.2.7) on the client machine and processing MUST be stopped.
This is exactly what sssd has been doing in Jammy. The problem is that this causes user authentication to fail, which is not something we want. Apparently even Windows GPO clients don't honour the specification and just continue with the authentication if they can't find the aforementioned file.
Long story short, upstream sssd decided to follow the "de facto" standard and be more lenient when SecEdit/GptTmpl.inf is missing. This allows the user authentication to succeed, which is what users who have just set up a samba AD DC + sssd as its client would expect.
Testing this requires a little bit of effort; there are detailed instructions in the bug. There is a PPA with the proposed change here:
https:/
autopkgtests are still running; I will post their results later.
It's worth mentioning that this bug is still affecting Kinetic, but it should be fixed with the new sssd merge that's up for review. This also means that the changes proposed here won't be uploaded until the Kinetic merge lands.
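The strict-versus-lenient handling discussed in the description, as an added Python example that is not sssd code and not part of this merge proposal: a toy GPO security-settings client that reads each GPO's GptTmpl.inf, parses its [Privilege Rights] section and merges logon rights across GPOs, with a switch between the MS-GPSB behaviour (missing file is an error, processing stops) and the de facto behaviour (missing file contributes no settings). The file location under `Machine` is the standard MS-GPSB path; the GPO directory names, the domain SIDs (everything except the well-known BUILTIN groups) and the decision rule in `evaluate_logon` are assumptions for illustration, not a description of sssd's own logic.

```python
"""Toy GPO security-settings client (added example, not sssd code)."""
from __future__ import annotations

import logging
import tempfile
from enum import Enum
from pathlib import Path

log = logging.getLogger("gpo-example")

# Standard location of the security-settings file inside a GPO (MS-GPSB).
GPTTMPL_REL = Path("Machine") / "Microsoft" / "Windows NT" / "SecEdit" / "GptTmpl.inf"


class MissingPolicy(Enum):
    STRICT = "strict"    # spec behaviour: missing file is an error, stop processing
    LENIENT = "lenient"  # de facto behaviour: missing file contributes no settings


def decode_gpttmpl(raw: bytes) -> str:
    """Real GptTmpl.inf files are normally UTF-16 with a BOM; accept UTF-8 too."""
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        return raw.decode("utf-16")
    return raw.decode("utf-8-sig")


def parse_privilege_rights(text: str) -> dict[str, set[str]]:
    """Return {right name: {SIDs}} from [Privilege Rights]; other sections are ignored.
    Lines look like:  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    """
    rights: dict[str, set[str]] = {}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "privilege rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Each SID carries a leading '*' in the INF format; strip it.
        rights[name.strip()] = {t.strip().lstrip("*") for t in value.split(",") if t.strip()}
    return rights


def load_gpo_rights(gpo_dir: Path, mode: MissingPolicy) -> dict[str, set[str]]:
    """Read one GPO's privilege rights, applying the chosen missing-file policy."""
    path = gpo_dir / GPTTMPL_REL
    try:
        raw = path.read_bytes()
    except FileNotFoundError:
        if mode is MissingPolicy.STRICT:
            raise  # error indicated to the caller, processing stops
        # Lenient: record the fact (the signal an admin wants in the logs) and carry on.
        log.warning("GPO %s has no GptTmpl.inf; contributing no settings", gpo_dir)
        return {}
    return parse_privilege_rights(decode_gpttmpl(raw))


def evaluate_logon(gpo_dirs, user_sids, mode, right="SeInteractiveLogonRight"):
    """Merge allow/deny lists for `right` across GPOs and decide (assumed rule:
    a deny match wins, a non-empty allow list must match, empty allow = unrestricted)."""
    allow: set[str] = set()
    deny: set[str] = set()
    for gpo_dir in gpo_dirs:
        rights = load_gpo_rights(Path(gpo_dir), mode)
        allow |= rights.get(right, set())
        deny |= rights.get("SeDeny" + right[2:], set())  # e.g. SeDenyInteractiveLogonRight
    user = set(user_sids)
    if user & deny:
        return False, "denied by " + ",".join(sorted(user & deny))
    if allow and not (user & allow):
        return False, "not in allow list"
    return True, "allowed" if allow else "no restriction"


def demo() -> dict[str, bool]:
    """Two constructed GPOs: one with a GptTmpl.inf, one without (as samba provisions it)."""
    root = Path(tempfile.mkdtemp())
    with_policy, no_policy = root / "{CONSTRUCTED-GPO-1}", root / "{CONSTRUCTED-GPO-2}"
    (with_policy / GPTTMPL_REL).parent.mkdir(parents=True)
    (no_policy / "Machine").mkdir(parents=True)
    sample = (  # constructed sample; domain SIDs are made up
        "[Unicode]\r\nUnicode=yes\r\n[Version]\r\nsignature=\"$CHICAGO$\"\r\nRevision=1\r\n"
        "[Privilege Rights]\r\nSeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545\r\n"
        "SeDenyInteractiveLogonRight = *S-1-5-21-1111-2222-3333-1105\r\n"
    )
    (with_policy / GPTTMPL_REL).write_bytes(sample.encode("utf-16"))
    admin = ["S-1-5-21-1111-2222-3333-500", "S-1-5-32-544"]
    blocked = ["S-1-5-21-1111-2222-3333-1105", "S-1-5-32-545"]
    outsider = ["S-1-5-21-9999-8888-7777-1001"]
    both = [with_policy, no_policy]
    results = {
        "admin_lenient": evaluate_logon(both, admin, MissingPolicy.LENIENT)[0],
        "blocked_lenient": evaluate_logon(both, blocked, MissingPolicy.LENIENT)[0],
        "outsider_lenient": evaluate_logon(both, outsider, MissingPolicy.LENIENT)[0],
        "outsider_no_policy_only": evaluate_logon([no_policy], outsider, MissingPolicy.LENIENT)[0],
    }
    try:
        evaluate_logon(both, admin, MissingPolicy.STRICT)
        results["strict_stops_processing"] = False
    except FileNotFoundError:
        results["strict_stops_processing"] = True
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

In strict mode the samba-style GPO with no GptTmpl.inf aborts the whole evaluation, which is the authentication failure the bug describes; in lenient mode that GPO simply adds nothing, the other GPO's allow and deny lists still apply, and the missing file is logged at warning level so the condition stays visible to an administrator rather than being silently ignored.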
Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-sergiodj-sssd-bugfix/?format=plain:
sssd @ amd64:
18.06.22 06:51:24 Log ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
sssd @ arm64:
18.06.22 05:17:23 Log ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
sssd @ armhf:
18.06.22 05:28:07 Log ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
sssd @ ppc64el:
18.06.22 05:13:09 Log ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
sssd @ s390x:
18.06.22 05:18:24 Log ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
autopkgtest is OK.