Merge ~sergiodj/ubuntu/+source/sssd:bug1934997-auth-error-gpo-jammy into ubuntu/+source/sssd:ubuntu/jammy-devel

Proposed by Sergio Durigan Junior
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: f3835665f5d103fdf7ee5c72d88c77f3346d67a7
Proposed branch: ~sergiodj/ubuntu/+source/sssd:bug1934997-auth-error-gpo-jammy
Merge into: ubuntu/+source/sssd:ubuntu/jammy-devel
Diff against target: 448 lines (+372/-6)
10 files modified
debian/changelog (+18/-0)
debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch (+169/-0)
debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch (+152/-0)
debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch (+22/-0)
debian/patches/series (+3/-0)
debian/python3-libipa-hbac.install (+1/-1)
debian/python3-libsss-nss-idmap.install (+1/-1)
debian/python3-sss.install (+3/-3)
debian/rules (+2/-0)
debian/sssd-tools.install (+1/-1)
Reviewer Review Type Date Requested Status
Andreas Hasenack Approve
git-ubuntu bot Approve
Canonical Server Reporter Pending
Canonical Server Reporter Pending
Canonical Server Reporter Pending
Canonical Server Pending
Review via email: mp+424996@code.launchpad.net

Description of the change

This MP fixes the problem reported at bug #1934997 on Jammy.

When samba is used as a Domain Controller for an Active Directory realm, it correctly creates GPOs (Group Policy Objects) that list the proper Security Protocol Extension GUID. The problem is that there is no SecEdit/GptTmpl.inf file present in the sysvol.

According to Microsoft's "Group Policy: Security Protocol Extension" document, when such file doesn't exist the GPO client (sssd, in this case) should treat this as an error and stop processing. Quoting the document:

1. Perform an SMB File Open on the file specified by <gpo path>\Machine\Microsoft\Windows
NT\SecEdit\GptTmpl.inf (where <gpo path> is the GPO path in the GPO). If an error is
encountered while opening the file, an error MUST be indicated to the Group Policy system (as
specified in [MS-GPOL] section 2.2.7) on the client machine and processing MUST be stopped.

This is exactly what sssd has been doing in Jammy. The problem is that this causes user authentication to fail, which is not something we want. Apparently even Windows GPO clients don't honour the specification and just continue with the authentication if they can't find the file aforementioned.

Long story short, upstream sssd decided to follow the "de facto" standard and be more lenient when SecEdit/GptTmpl.inf is missing. This allows the user authentication to succeed, which is what users who have just set up a samba AD DC + sssd as its client would expect.

Testing this requires a little bit of effort; there are detailed instructions in the bug. There is a PPA with the proposed change here:

https://launchpad.net/~sergiodj/+archive/ubuntu/sssd-bugfix/+packages

autopkgtests are still running; I will post their results later.

It's worth mentioning that this bug is still affecting Kinetic, but it should be fixed with the new sssd merge that's up for review. This also means that the changes proposed here won't be uploaded until the Kinetic merge lands.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Results from https://autopkgtest.ubuntu.com/results/autopkgtest-jammy-sergiodj-sssd-bugfix/?format=plain:
  sssd @ amd64:
    18.06.22 06:51:24 Log 🗒️ ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
  sssd @ arm64:
    18.06.22 05:17:23 Log 🗒️ ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
  sssd @ armhf:
    18.06.22 05:28:07 Log 🗒️ ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
  sssd @ ppc64el:
    18.06.22 05:13:09 Log 🗒️ ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']
  sssd @ s390x:
    18.06.22 05:18:24 Log 🗒️ ✅ Triggers: ['sssd/2.6.3-1ubuntu3.1~ppa1']

autopkgtest is OK.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Grabbing this one

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

https://github.com/SSSD/sssd/pull/6039/commits/f5b2d4c25eff1472772ee52edbacff4d4506e422 hints that an older commit in that PR was dropped because of a new PR that landed, that being https://github.com/SSSD/sssd/pull/6039

Do you think we need the second patch? It's to fix a different issue ("SSSD cant parse GPO if AD server have Russain language"), but I was a bit worried about some of the decisions made in the first PR being conditional on this other PR having landed.

review: Needs Information
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, June 20 2022, Andreas Hasenack wrote:

> https://github.com/SSSD/sssd/pull/6039/commits/f5b2d4c25eff1472772ee52edbacff4d4506e422
> hints that an older commit in that PR was dropped because of a new PR
> that landed, that being https://github.com/SSSD/sssd/pull/6039

I think that maybe you meant to link
https://github.com/SSSD/sssd/pull/6051#issuecomment-1064342858 here.

> Do you think we need the second patch? It's to fix a different issue
> ("SSSD cant parse GPO if AD server have Russain language"), but I was
> a bit worried about some of the decisions made in the first PR being
> conditional on this other PR having landed.

Hm, that's a good question (and good catch). Thanks for bringing this
up.

I looked at the patch from PR 6039, and it's not entirely trivial. I do
agree with you, though: the fact that a commit was removed from PR 6051
because PR 6039 was accepted makes the two patches conditional on each
other.

I think the correct thing to do here would be to create another bug and
perform the two SRUs in the same upload. Unless you think it's OK to
add this second patch as part of the fix for bug 1934997.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

I'm thinking about the testing for the second case. We will need a gpo file with some non-ascii characters in it. It will have to be a second test case, doesn't matter if we have it in a separate bug or not. Maybe a second bug is best indeed.

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Monday, June 20 2022, Andreas Hasenack wrote:

> I'm thinking about the testing for the second case. We will need a gpo
> file with some non-ascii characters in it. It will have to be a second
> test case, doesn't matter if we have it in a separate bug or
> not. Maybe a second bug is best indeed.

Yes, that's why I thought about a second bug: we will need a second test
case.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Ok, so this worked, but we need to simplify the setup a bit, and streamline it.

On the server, we just need "samba" and "winbind", then provision as advertised. Drop systemd-resolved from both the server and client, and get the client to use samba as its dns.

On the samba server, the provisioning tool adds a dns forwarder to smb.conf, but it points at 127.0.0.53. Change that to whatever is the "real" upstream dns, i.e., on a libvirt network, it will be the IP ending in .1.

With the above setup, on the client all we need to give to the realm tool is the domain (test.lan), it should find the IP of the samba server on its own. If it doesn't, that's a sign the setup has something wrong.

Also for testing, we should be mindful of client-side caching. This drove us nuts while troubleshooting. The hammer approach is "sssctl cache-remove -o -p -s"

And the test case for the second bug (about invalid non-ascii characters in GPT.INI) can be triggered via "echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI"

(the first \n might not be needed, ymmv)
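As an added example (not code from the sssd patches or from this thread), the following stand-alone C program models the GPT.INI sanitisation that the lp1979350 backport adds and runs it over constructed CP850-encoded input like the `echo ... | iconv` trigger above produces. The function names, the minimal `Version=` reader and the sample bytes are this example's own; only the masking rule mirrors the patch.

```c
/* Added example, not part of the sssd patch: a stand-alone model of the
 * GPT.INI sanitisation the lp1979350 backport adds, run on constructed
 * CP850-encoded input like the "displayName=crásher" test trigger above. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same rule as gpo_sanitize_buffer_content(): a byte >= 0x80 inside a value
 * (right of the first '=' on its line) becomes '?', since sssd only reads
 * "Version=" and the code page is unknown; a byte >= 0x80 in a key or
 * [section] name makes the file unusable, so the whole file is rejected. */
static int sanitize_gpt_ini(uint8_t *buf, size_t buflen)
{
    size_t line_start = 0, equal_pos = 0;  /* last '=' seen on any line */
    for (size_t i = 0; i < buflen; ++i) {
        if (buf[i] == '\n') { line_start = i + 1; continue; }
        if (buf[i] == '=')  { equal_pos = i;      continue; }
        if (buf[i] < 0x80)  continue;            /* ASCII, incl. '\r' */
        /* A stale equal_pos from an earlier line is < line_start, so this
         * also means "no '=' on this line yet": we are in a key/section. */
        if (equal_pos <= line_start)
            return EINVAL;
        buf[i] = '?';
    }
    return 0;
}

/* Minimal stand-in for the one value sssd needs from GPT.INI: the integer
 * after "Version=", or -1 if no such line. buf must be NUL-terminated. */
static int gpt_version(const uint8_t *buf, size_t buflen)
{
    static const char key[] = "Version=";
    const size_t klen = sizeof(key) - 1;
    for (size_t i = 0; i < buflen;) {
        size_t end = i;
        while (end < buflen && buf[end] != '\n')
            end++;
        if (end - i > klen && memcmp(buf + i, key, klen) == 0)
            return (int)strtol((const char *)buf + i + klen, NULL, 10);
        i = end + 1;
    }
    return -1;
}

/* Constructed samples: samba's sysvol GPT.INI after the test trigger, in
 * CP850 (0xA0 = 'á'), and a variant with the non-ASCII byte (0xA2 = 'ó')
 * in the key rather than the value. */
static const uint8_t SAMPLE_INI[] =
    "[General]\r\nVersion=65539\r\ndisplayName=cr" "\xA0" "sher\r\n";
static const uint8_t BAD_KEY_INI[] = "[General]\r\nVersi" "\xA2" "n=65539\r\n";

/* Scratch copy so the samples stay intact; sanitize_gpt_ini() edits in place,
 * exactly as the patch does with the buffer read from the GPO cache file. */
static uint8_t scratch[128];

/* Copy src into scratch, sanitize it and return the parsed Version:
 * 65539 for SAMPLE_INI, -EINVAL when the sanitizer rejects the file,
 * -1 when no Version= line survives. */
int version_of(const uint8_t *src, size_t len)
{
    if (len >= sizeof(scratch))
        return -EFBIG;                   /* samples are tiny; keep it simple */
    memcpy(scratch, src, len);
    scratch[len] = '\0';
    int rc = sanitize_gpt_ini(scratch, len);
    return rc != 0 ? -rc : gpt_version(scratch, len);
}

/* 1 if, after version_of(SAMPLE_INI), the value now reads "cr?sher". */
int sample_value_masked(void)
{
    return version_of(SAMPLE_INI, sizeof(SAMPLE_INI) - 1) == 65539
        && strstr((const char *)scratch, "displayName=cr?sher") != NULL;
}

int main(void)
{
    printf("SAMPLE_INI: Version %d, value masked %d\n",
           version_of(SAMPLE_INI, sizeof(SAMPLE_INI) - 1), sample_value_masked());
    printf("BAD_KEY_INI: %d (expect -EINVAL)\n", version_of(BAD_KEY_INI, sizeof(BAD_KEY_INI) - 1));
    return 0;
}
```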

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

FWIW, this MP has been updated to also address bug #1979350.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

+1

review: Approve
Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: sergiodj, ahasenack
Uploaders: sergiodj, ahasenack
MP auto-approved

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, June 22 2022, Andreas Hasenack wrote:

> +1

Thanks, Andreas.

I am working on backporting the fix to bug #1979453 and including it in
this MP as well. Just a heads up that you will have to review an extra
fix here.

Thanks,

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Pasting here the "Impact" section of the new bug this MP is fixing.

sssd users who try to invoke the "sssctl analyze" command on Ubuntu Jammy will experience the following error:

/usr/bin/env: ‘python’: No such file or directory

This happens because "sssctl analyze" will call /usr/libexec/sssd/sss_analyze, which uses "#!/usr/bin/env python" as its shebang. This is incorrect, as it should be using "python3" instead.

When this bug is fixed, another one pops up:

Traceback (most recent call last):
  File "/usr/libexec/sssd/sss_analyze", line 3, in <module>
    from sssd import sss_analyze
ModuleNotFoundError: No module named 'sssd'

This bug is happening because sssd-tools currently installs its Python files inside /usr/lib/python3.10/site-packages/sssd/, but the right path to install these files is /usr/lib/python3/dist-packages/sssd.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

There are other python files, apparently only used in some test, that have the incorrect shebang line for the ubuntu case. I took a quick look and they seem fine, as they are all called with a shell wrapper for python2 (if enabled) and python3.

+1

review: Approve
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, June 22 2022, Andreas Hasenack wrote:

> Review: Approve
>
> There are other python files, apparently only used in some test, that
> have the incorrect shebang line for the ubuntu case. I took a quick
> look and they seem fine, as they are all called with a shell wrapper
> for python2 (if enabled) and python3.
>
> +1

Thanks, Andreas.

I'm waiting for sssd 2.7.2-3 to be consumed by Launchpad, which should
happen tonight or tomorrow morning. Then, I will merge it and get it
into Kinetic before I upload these changes to Jammy.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

On Wednesday, June 22 2022, Sergio Durigan Junior wrote:

> On Wednesday, June 22 2022, Andreas Hasenack wrote:
>
>> Review: Approve
>>
>> There are other python files, apparently only used in some test, that
>> have the incorrect shebang line for the ubuntu case. I took a quick
>> look and they seem fine, as they are all called with a shell wrapper
>> for python2 (if enabled) and python3.
>>
>> +1
>
> Thanks, Andreas.
>
> I'm waiting for sssd 2.7.2-3 to be consumed by Launchpad, which should
> happen tonight or tomorrow morning. Then, I will merge it and get it
> into Kinetic before I upload these changes to Jammy.

sssd-2.7.2-3ubuntu1 was uploaded a few hours ago.

Uploaded:

$ dput sssd_2.6.3-1ubuntu3.1_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/sssd/sssd_2.6.3-1ubuntu3.1_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/sssd/sssd_2.6.3-1ubuntu3.1.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading sssd_2.6.3-1ubuntu3.1.dsc: done.
  Uploading sssd_2.6.3-1ubuntu3.1.debian.tar.xz: done.
  Uploading sssd_2.6.3-1ubuntu3.1_source.buildinfo: done.
  Uploading sssd_2.6.3-1ubuntu3.1_source.changes: done.
Successfully uploaded packages.

--
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0 EB2F 106D A1C8 C3CB BF14

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 4a92b68..055bfbf 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,21 @@
6+sssd (2.6.3-1ubuntu3.1) jammy; urgency=medium
7+
8+ * d/p/lp1934997-authentication-fails-gpo-non-existent.patch:
9+ Fix authentication failure when GPO is enabled and
10+ SecEdit/GptTmpl.inf is missing (LP: #1934997).
11+ * d/p/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch:
12+ Ignore non-ASCII characters in GPT.INI. (LP: #1979350)
13+ * Fix "sssctl analyze" (LP: #1979453)
14+ [ Timo Aaltonen ]
15+ - d/{python3-libipa-hbac.install,python3-sss.install,
16+ sssd-tools.install,rules}: Fix Python installation directory
17+ path.
18+ [ Sergio Durigan Junior ]
19+ - d/p/lp1979453-fix-shebang-on-sss_analyze.patch: Fix shebang on
20+ sss_analyze.
21+
22+ -- Sergio Durigan Junior <sergio.durigan@canonical.com> Wed, 22 Jun 2022 12:31:22 -0400
23+
24 sssd (2.6.3-1ubuntu3) jammy; urgency=medium
25
26 * No-change rebuild with new samba 4.15.5
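Review bot: the `[ Timo Aaltonen ]` sub-entry lists `d/{python3-libipa-hbac.install,python3-sss.install,sssd-tools.install,rules}` but the proposal also changes `debian/python3-libsss-nss-idmap.install` (the same site-packages to dist-packages switch, for `pysss_nss_idmap.so`); add it so the changelog matches the diff. The three bullets also end inconsistently (`(LP: #1934997).`, `GPT.INI. (LP: #1979350)`, `(LP: #1979453)` with no period); pick one form.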
27diff --git a/debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch b/debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch
28new file mode 100644
29index 0000000..5c2ce4a
30--- /dev/null
31+++ b/debian/patches/lp1934997-authentication-fails-gpo-non-existent.patch
32@@ -0,0 +1,169 @@
33+From: Alexey Sheplyakov <asheplyakov@altlinux.org>
34+Date: Thu, 2 Aug 2018 16:16:44 +0000
35+Subject: ad: gpo: ignore GPO if SecEdit/GptTmpl.inf is missing
36+MIME-Version: 1.0
37+Content-Type: text/plain; charset="utf-8"
38+Content-Transfer-Encoding: 8bit
39+
40+This makes it possible to use sssd's group policy based access control with
41+samba4 domain controllers `out of the box`. The problem is caused by
42+
43+1) group policy based control denies access (to all users) if
44+ `${GPO_GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf`
45+ file is missing.
46+2) The `Default Domain Policy` and the `Default Domain Controller Policy`
47+ GPOs created by samba4 list the Security Protocol Extension CSE GUID
48+ {827D319E-6EAC-11D2-A4EA-00C04F79F83A} in their `gPCMachineExtensionNames`,
49+ however there are no .../SecEdit/GptTmpl.inf files in the sysvol.
50+
51+According to the section 3.2.5 of [MS-GPSM] current sssd's behavior is
52+correct. However Windows GPO client (at least the one in Windows 2008 r2)
53+just skips such broken GPOs. This patch makes sssd behave in the same way,
54+and makes setting up samba4 based AD domain less painful.
55+
56+Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
57+Reviewed-by: Pavel Březina <pbrezina@redhat.com>
58+
59+Origin: upstream, https://github.com/SSSD/sssd/commit/81d67a592315740d13e48b9a29e29baa8cc35638
60+Bug: https://github.com/SSSD/sssd/issues/5716
61+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1934997
62+Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1839805
63+Applied-Upstream: 2.7.0
64+---
65+ Makefile.am | 1 +
66+ src/providers/ad/ad_gpo.c | 2 +-
67+ src/providers/ad/ad_gpo_child.c | 63 +++++++++++++++++++++++++++++++++++++----
68+ 3 files changed, 59 insertions(+), 7 deletions(-)
69+
70+diff --git a/Makefile.am b/Makefile.am
71+index a82c332..8affc58 100644
72+--- a/Makefile.am
73++++ b/Makefile.am
74+@@ -4589,6 +4589,7 @@ gpo_child_SOURCES = \
75+ src/util/atomic_io.c \
76+ src/util/util.c \
77+ src/util/util_ext.c \
78++ src/util/util_errors.c \
79+ src/util/signal.c \
80+ src/util/sss_chain_id.c
81+ gpo_child_CFLAGS = \
82+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
83+index fa8727d..4b7bbf1 100644
84+--- a/src/providers/ad/ad_gpo.c
85++++ b/src/providers/ad/ad_gpo.c
86+@@ -2766,7 +2766,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
87+ */
88+ ret = ad_gpo_store_policy_settings(state->host_domain,
89+ cse_filtered_gpo->policy_filename);
90+- if (ret != EOK) {
91++ if (ret != EOK && ret != ENOENT) {
92+ DEBUG(SSSDBG_OP_FAILURE,
93+ "ad_gpo_store_policy_settings failed: [%d](%s)\n",
94+ ret, sss_strerror(ret));
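Review bot: tolerating ENOENT here changes a missing GptTmpl.inf from a hard failure into a silently skipped policy, i.e. this path is now fail-open for that GPO: a GPO that advertises the security CSE but whose template cannot be found no longer denies access, and any restrictions that template would have carried are simply not applied. That matches the Windows client behaviour described in the patch header, but nothing in this hunk records the skip at a level an administrator normally sees; consider logging the ENOENT case (GPO name plus policy filename) at SSSDBG_IMPORTANT_INFO or similar before continuing.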
95+diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
96+index f9e9cb0..4c676d6 100644
97+--- a/src/providers/ad/ad_gpo_child.c
98++++ b/src/providers/ad/ad_gpo_child.c
99+@@ -387,6 +387,38 @@ static errno_t gpo_cache_store_file(const char *smb_path,
100+ return ret;
101+ }
102+
103++static errno_t
104++gpo_cache_remove_file(const char *smb_path,
105++ const char *smb_cse_suffix)
106++{
107++ errno_t ret = EOK;
108++ char *filename = NULL;
109++
110++ filename = talloc_asprintf(NULL, GPO_CACHE_PATH"%s%s", smb_path,
111++ smb_cse_suffix);
112++ if (filename == NULL) {
113++ DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n");
114++ ret = ENOMEM;
115++ goto done;
116++ }
117++
118++ ret = unlink(filename);
119++ if (ret != 0) {
120++ if (errno != ENOENT) {
121++ ret = errno;
122++ DEBUG(SSSDBG_CRIT_FAILURE, "failed to unlink %s [%d]: %s\n",
123++ filename, ret, sss_strerror(ret));
124++ goto done;
125++ }
126++ }
127++
128++ ret = EOK;
129++
130++done:
131++ talloc_free(filename);
132++ return ret;
133++}
134++
135+ static errno_t
136+ parse_ini_file_with_libini(struct ini_cfgobj *ini_config,
137+ int *_gpt_version)
138+@@ -528,7 +560,8 @@ copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx,
139+ const char *smb_server,
140+ const char *smb_share,
141+ const char *smb_path,
142+- const char *smb_cse_suffix)
143++ const char *smb_cse_suffix,
144++ bool optional)
145+ {
146+ char *smb_uri = NULL;
147+ char *gpt_main_folder = NULL;
148+@@ -588,8 +621,25 @@ copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx,
149+
150+ if (file == NULL) {
151+ ret = errno;
152+- DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionOpen failed [%d][%s]\n",
153+- ret, strerror(ret));
154++ if (optional && ret == ENOENT) {
155++ DEBUG(SSSDBG_TRACE_FUNC,
156++ "%s does not exist in sysvol, purging cached copy\n",
157++ smb_uri);
158++ /* It looks like Windows clients treat missing GPO files as
159++ * empty. To make sure we do not use old and now invalid
160++ * content an potentially exising old file will be removed. */
161++ ret = gpo_cache_remove_file(smb_path, smb_cse_suffix);
162++ if (ret != EOK && ret != ENOENT) {
163++ DEBUG(SSSDBG_CRIT_FAILURE,
164++ "failed to purge stale cached %s\n", smb_uri);
165++ goto done;
166++ }
167++ ret = EOK;
168++ } else {
169++ DEBUG(SSSDBG_CRIT_FAILURE,
170++ "smbc_getFunctionOpen failed [%d][%s]\n",
171++ ret, strerror(ret));
172++ }
173+ goto done;
174+ }
175+ }
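Review bot: the purge of a previously cached policy file is logged at SSSDBG_TRACE_FUNC only; since removing a cached GptTmpl.inf changes the access decisions sssd will make for that GPO, it deserves a higher level (at least SSSDBG_MINOR_FAILURE, or the same level as the "smbc_getFunctionOpen failed" message in the else branch). Note also that after `ret = EOK;` control falls into the shared `goto done;`, so an absent optional file is reported to the caller as plain success rather than ENOENT. The new comment's wording ("an potentially exising old file") is an upstream typo; fine to leave in a verbatim cherry-pick, but worth fixing upstream.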
176+@@ -683,7 +733,7 @@ perform_smb_operations(int cached_gpt_version,
177+
178+ /* download ini file */
179+ ret = copy_smb_file_to_gpo_cache(smbc_ctx, smb_server, smb_share, smb_path,
180+- GPT_INI);
181++ GPT_INI, false);
182+ if (ret != EOK) {
183+ DEBUG(SSSDBG_CRIT_FAILURE,
184+ "copy_smb_file_to_gpo_cache failed [%d][%s]\n",
185+@@ -703,13 +753,14 @@ perform_smb_operations(int cached_gpt_version,
186+ if (sysvol_gpt_version > cached_gpt_version) {
187+ /* download policy file */
188+ ret = copy_smb_file_to_gpo_cache(smbc_ctx, smb_server, smb_share,
189+- smb_path, smb_cse_suffix);
190+- if (ret != EOK) {
191++ smb_path, smb_cse_suffix, true);
192++ if (ret != EOK && ret != ENOENT) {
193+ DEBUG(SSSDBG_CRIT_FAILURE,
194+ "copy_smb_file_to_gpo_cache failed [%d][%s]\n",
195+ ret, strerror(ret));
196+ goto done;
197+ }
198++ ret = EOK;
199+ }
200+
201+ *_sysvol_gpt_version = sysvol_gpt_version;
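Review bot: as far as the visible lines show, the `ret != ENOENT` added to this check cannot fire: in the `optional` branch of copy_smb_file_to_gpo_cache above, a missing file ends with `ret = EOK` before the shared `goto done`, and gpo_cache_remove_file maps its own ENOENT to EOK, so ENOENT never reaches this caller. The ENOENT that actually matters is re-derived later, when ad_gpo_store_policy_settings fails to open the purged cache file (tolerated in the ad_gpo.c hunk). Either drop the redundant test or have the child return ENOENT explicitly so both call sites share one convention. Also `*_sysvol_gpt_version` is still advanced when the policy file was absent, so a later run will not retry the download until the GPO version changes on the DC; that is consistent with treating the file as empty, but worth a comment.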
202diff --git a/debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch b/debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch
203new file mode 100644
204index 0000000..1b503e8
205--- /dev/null
206+++ b/debian/patches/lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch
207@@ -0,0 +1,152 @@
208+From: Alexey Tikhonov <atikhono@redhat.com>
209+Date: Mon, 7 Mar 2022 22:53:24 +0100
210+Subject: GPO: ignore non-ascii symbols in values in GPT.INI
211+
212+Windows uses ANSI (extended-ASCII) to encode the GPT.INI file.
213+See https://lists.samba.org/archive/cifs-protocol/2019-March/003228.html
214+for details.
215+
216+There is no trivial way to figure out actual code page used. But from
217+practical point of view, it seems the only key whose value might be
218+non-ascii is "DisplayName", and SSSD doesn't use it anyway.
219+
220+This patch replaces non-ascii symbols in values of GPT.INI with '?'
221+character to make content compatible with libini_config parser.
222+
223+Resolves: https://github.com/SSSD/sssd/issues/4138
224+
225+Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
226+Reviewed-by: Sumit Bose <sbose@redhat.com>
227+
228+Origin: upstream, https://github.com/SSSD/sssd/commit/d241b55291419753ce3e961a1b201d62f7851513
229+Bug: https://github.com/SSSD/sssd/issues/4138
230+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1979350
231+Applied-Upstream: 2.7.0
232+---
233+ src/providers/ad/ad_gpo_child.c | 90 ++++++++++++++++++++++++++++++++++++++++-
234+ 1 file changed, 88 insertions(+), 2 deletions(-)
235+
236+diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c
237+index 4c676d6..98bc747 100644
238+--- a/src/providers/ad/ad_gpo_child.c
239++++ b/src/providers/ad/ad_gpo_child.c
240+@@ -269,6 +269,48 @@ done:
241+ return ret;
242+ }
243+
244++static errno_t gpo_sanitize_buffer_content(uint8_t *buf, int buflen)
245++{
246++ int i;
247++ int line_start = 0;
248++ int equal_pos = 0;
249++
250++ if (!buf) {
251++ return EINVAL;
252++ }
253++
254++ for (i = 0; i < buflen; ++i) {
255++ if (buf[i] == '\n') {
256++ line_start = i + 1;
257++ continue;
258++ }
259++ if (buf[i] == '=') {
260++ equal_pos = i;
261++ continue;
262++ }
263++ if (isascii(buf[i])) {
264++ continue;
265++ }
266++
267++ /* non-ascii */
268++ if (equal_pos <= line_start) { /* key */
269++ DEBUG(SSSDBG_OP_FAILURE,
270++ "Key or section starting at position %d ('%.*s...') contains"
271++ " non-ascii symbol. File is unusable!\n",
272++ line_start, i - line_start, buf + line_start);
273++ return EINVAL;
274++ }
275++
276++ buf[i] = '?';
277++ DEBUG(SSSDBG_IMPORTANT_INFO,
278++ "Value for key '%.*s' contains non-ascii symbol."
279++ " Replacing with '?'\n",
280++ equal_pos - line_start, buf + line_start);
281++ }
282++
283++ return EOK;
284++}
285++
286+ /*
287+ * This function stores the input buf to a local file, whose file path
288+ * is constructed by concatenating:
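Review bot: `buflen` is declared `int` while the caller passes `st.st_size` (an `off_t`), an implicit narrowing; `size_t` for `buflen` and the index would avoid it. The per-line state is subtle: `equal_pos` is never reset at a new line and relies on `equal_pos <= line_start` to treat a stale value as "no '=' on this line yet"; it is correct, but resetting `equal_pos = line_start` in the `'\n'` branch would make the intent obvious to the next reader. Rejecting a non-ASCII key or section name with EINVAL (a hard failure for that GPO) rather than masking it is the right fail-closed choice, since the bytes come from the DC's sysvol share and a masked key could silently change which setting is parsed.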
289+@@ -472,6 +514,9 @@ ad_gpo_parse_ini_file(const char *smb_path,
290+ int ret;
291+ int gpt_version = -1;
292+ TALLOC_CTX *tmp_ctx = NULL;
293++ struct stat st;
294++ int fd = -1;
295++ uint8_t *buf = NULL;
296+
297+ tmp_ctx = talloc_new(NULL);
298+ if (tmp_ctx == NULL) {
299+@@ -496,10 +541,50 @@ ad_gpo_parse_ini_file(const char *smb_path,
300+ goto done;
301+ }
302+
303+- ret = ini_config_file_open(ini_filename, 0, &file_ctx);
304++ fd = open(ini_filename, O_RDONLY);
305++ if (fd == -1) {
306++ ret = errno;
307++ DEBUG(SSSDBG_CRIT_FAILURE,
308++ "open() failed [%d][%s]\n", ret, strerror(ret));
309++ ret = EIO;
310++ goto done;
311++ }
312++ ret = fstat(fd, &st);
313++ if (ret != 0) {
314++ ret = errno;
315++ DEBUG(SSSDBG_CRIT_FAILURE,
316++ "stat() failed [%d][%s]\n", ret, strerror(ret));
317++ ret = EIO;
318++ goto done;
319++ }
320++ buf = talloc_size(tmp_ctx, st.st_size);
321++ if (buf == NULL) {
322++ ret = ENOMEM;
323++ goto done;
324++ }
325++ if (sss_atomic_read_s(fd, buf, st.st_size) != st.st_size) {
326++ ret = EIO;
327++ DEBUG(SSSDBG_CRIT_FAILURE,
328++ "sss_atomic_read_s() failed\n");
329++ goto done;
330++ }
331++
332++ /* Windows uses ANSI (extended-ASCII) to encode the GPT.INI file.
333++ * Practically this might mean any code page, including uncompatible
334++ * with UTF. Since the only value read by SSSD from GPT.INI is
335++ * 'Version=...', just get rid of any non-ascii characters to make
336++ * content compatible with lib_iniconfig.
337++ */
338++ ret = gpo_sanitize_buffer_content(buf, st.st_size);
339++ if (ret != EOK) {
340++ DEBUG(SSSDBG_CRIT_FAILURE, "gpo_sanitize_buffer_content() failed\n");
341++ goto done;
342++ }
343++
344++ ret = ini_config_file_from_mem(buf, st.st_size, &file_ctx);
345+ if (ret != 0) {
346+ DEBUG(SSSDBG_CRIT_FAILURE,
347+- "ini_config_file_open failed [%d][%s]\n", ret, strerror(ret));
348++ "ini_config_file_from_mem() failed [%d][%s]\n", ret, strerror(ret));
349+ goto done;
350+ }
351+
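Review bot: the new read path allocates `st.st_size` bytes with no upper bound and then passes that `off_t` into the `int buflen` of gpo_sanitize_buffer_content() and the length argument of `ini_config_file_from_mem()`. GPT.INI is normally a few dozen bytes, but the file is fetched from the domain's sysvol share into the cache, so a sanity cap before `talloc_size` (reject anything above a few KiB with a clear error) would keep a corrupt or oversized file from costing a large allocation in the child and remove the silent narrowing. A zero-length file currently yields a zero-size `talloc_size` and an empty buffer for the INI parser; checking `st.st_size == 0` explicitly and returning the same error as a missing Version key would make that case deliberate.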
352+@@ -547,6 +632,7 @@ ad_gpo_parse_ini_file(const char *smb_path,
353+
354+ ini_config_file_destroy(file_ctx);
355+ ini_config_destroy(ini_config);
356++ if (fd != -1) close(fd);
357+ talloc_free(tmp_ctx);
358+ return ret;
359+ }
360diff --git a/debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch b/debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch
361new file mode 100644
362index 0000000..9eadaf2
363--- /dev/null
364+++ b/debian/patches/lp1979453-fix-shebang-on-sss_analyze.patch
365@@ -0,0 +1,22 @@
366+From: Sergio Durigan Junior <sergiodj@debian.org>
367+Date: Wed, 22 Jun 2022 10:56:45 -0400
368+Subject: Fix shebang on sss_analyze
369+
370+s/python/python3/
371+
372+Forwarded: not-needed
373+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1979453
374+---
375+ src/tools/analyzer/sss_analyze | 2 +-
376+ 1 file changed, 1 insertion(+), 1 deletion(-)
377+
378+diff --git a/src/tools/analyzer/sss_analyze b/src/tools/analyzer/sss_analyze
379+index 3f1beaf..6d4b5b3 100755
380+--- a/src/tools/analyzer/sss_analyze
381++++ b/src/tools/analyzer/sss_analyze
382+@@ -1,4 +1,4 @@
383+-#!/usr/bin/env python
384++#!/usr/bin/env python3
385+
386+ from sssd import sss_analyze
387+
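Review bot: `Forwarded: not-needed` reads oddly here: the line being changed, `#!/usr/bin/env python` in `src/tools/analyzer/sss_analyze`, is upstream's own file, so either upstream has already moved to `python3` (then cite that commit in `Origin:`/`Applied-Upstream:` as the other two patches do) or the header should be `Forwarded: no` with an upstream report. A short `Description:` would also help; `s/python/python3/` alone does not record why (no `python` binary on a default Jammy install, as the `/usr/bin/env: 'python': No such file or directory` error in the discussion shows).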
388diff --git a/debian/patches/series b/debian/patches/series
389index d83fab8..a400929 100644
390--- a/debian/patches/series
391+++ b/debian/patches/series
392@@ -1,2 +1,5 @@
393 fix-whitespace-test.diff
394 default-to-socket-activated-services.diff
395+lp1934997-authentication-fails-gpo-non-existent.patch
396+lp1979350-GPO-ignore-non-ascii-symbols-in-GPT.INI.patch
397+lp1979453-fix-shebang-on-sss_analyze.patch
398diff --git a/debian/python3-libipa-hbac.install b/debian/python3-libipa-hbac.install
399index 7d3cf99..923e03d 100644
400--- a/debian/python3-libipa-hbac.install
401+++ b/debian/python3-libipa-hbac.install
402@@ -1 +1 @@
403-usr/lib/python3*/site-packages/pyhbac.so
404+usr/lib/python3/dist-packages/pyhbac.so
405diff --git a/debian/python3-libsss-nss-idmap.install b/debian/python3-libsss-nss-idmap.install
406index b2339ca..a7667d1 100644
407--- a/debian/python3-libsss-nss-idmap.install
408+++ b/debian/python3-libsss-nss-idmap.install
409@@ -1 +1 @@
410-usr/lib/python3*/site-packages/pysss_nss_idmap.so
411+usr/lib/python3/dist-packages/pysss_nss_idmap.so
412diff --git a/debian/python3-sss.install b/debian/python3-sss.install
413index f9b99df..1f75e8c 100644
414--- a/debian/python3-sss.install
415+++ b/debian/python3-sss.install
416@@ -1,3 +1,3 @@
417-usr/lib/python3*/dist-packages/SSSDConfig/*.py
418-usr/lib/python3*/site-packages/pysss.so
419-usr/lib/python3*/site-packages/pysss_murmur.so
420+usr/lib/python3/dist-packages/SSSDConfig/*.py
421+usr/lib/python3/dist-packages/pysss.so
422+usr/lib/python3/dist-packages/pysss_murmur.so
423diff --git a/debian/rules b/debian/rules
424index c2251b3..dc7004b 100755
425--- a/debian/rules
426+++ b/debian/rules
427@@ -12,6 +12,8 @@ CFLAGS = $(shell dpkg-buildflags --get CFLAGS)
428 CFLAGS += -I/usr/include/samba-4.0
429
430 export CK_DEFAULT_TIMEOUT=30
431+export am_cv_python_pythondir=/usr/lib/python3/dist-packages
432+export am_cv_python_pyexecdir=/usr/lib/python3/dist-packages
433
434 DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
435
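Review bot: overriding `am_cv_python_pythondir`/`am_cv_python_pyexecdir` pins the install location that the `.install` files now spell out literally (`usr/lib/python3/dist-packages/...` instead of the `python3*/site-packages` glob), which is what fixes the `ModuleNotFoundError` quoted in the discussion. The two halves must stay in sync: if a future configure stops honouring these cache variables, dh_install will fail on the missing paths, which is preferable to a silent miss, but a one-line comment above the exports saying why they exist (LP: #1979453) would save the next maintainer the archaeology.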
436diff --git a/debian/sssd-tools.install b/debian/sssd-tools.install
437index e2e2601..d6baf09 100644
438--- a/debian/sssd-tools.install
439+++ b/debian/sssd-tools.install
440@@ -4,7 +4,7 @@ usr/sbin/sss_obfuscate
441 usr/sbin/sss_override
442 usr/sbin/sss_seed
443 usr/sbin/sssctl
444-usr/lib/python3*/site-packages/sssd/
445+usr/lib/python3/dist-packages/sssd/
446 usr/libexec/sssd/sss_analyze
447 usr/share/man/man8/sss_cache.8*
448 usr/share/man/man8/sss_debuglevel.8*
