Issue #2713: GPO: pam system error returned in enforcing mode with no gpo applied - sssd

SSSD / sssd

#2713 GPO: pam system error returned in enforcing mode with no gpo applied

Closed: Duplicate None Opened 8 years ago by lslebodn.

It is related to dns sites. (as you can see in following part of log file)

[ad_gpo_get_som_attrs_done] (0x4000): gpoptions attr not found or has no value; defaults to 0
[ad_gpo_populate_gplink_list] (0x0400): som_dn: cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=sssdad2012,DC=com
[ad_gpo_process_gpo_send] (0x0040): no gpos found
[sdap_id_op_done] (0x4000): releasing operation connection
[ad_gpo_process_gpo_done] (0x0040): Unable to get GPO list: [2](No such file or directory)
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad2012.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad2012.com]

It is a blocker because we would like to enable gpo enforcing mode by default in fedora 22.

lslebodn commented 8 years ago

file with SRV recods
srv_records

lslebodn commented 8 years ago

sssd domain log file with fulll debug level
sssd_sssdad2012.com.log

lslebodn commented 8 years ago

ldap_child.log
ldap_child.log

lslebodn commented 8 years ago

krb5_child.log
krb5_child.log

sgallagh commented 8 years ago

This isn't actually related to DNS sites. It's related to the internal LDAP representation of sites. GPO processing has to look for GPOs in the domain, OU and site for the machine.

It should be ignoring any of the three that has no GPO specified.

cc: => sgallagh

jhrozek commented 8 years ago

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13.1

sgallagh commented 8 years ago

This is a duplicate of ticket #2691. They both stem from the fact that the GPO code wasn't properly handling the case where no GPO applied to the machine. Ticket #2691 is a super-set of this case (it also revealed that if a GPO used to be applied and then none are, there's another bug related to removal of the cache).

Both of these tickets are solved by the patch to #2691.

resolution: => duplicate
status: new => closed

Metadata Update from @lslebodn:
- Issue set to the milestone: SSSD 1.13.1

7 years ago

pbrezina commented 3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3754

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata

Assignee

None

Tags

None

Blocking

None

Depending on

None

Priority

blocker

Milestone

SSSD 1.13.1

type

defect

component

SSSD

version

1.13.0

selected

None

testsupdated

patch

rhbz

None

design_review

review

changelog

None

keywords

None

coverity

None

mark

blocking

None

design

None

sensitive

sgallagh

blockedby

None

feature_milestone

None

SSSD / sssd

Source Code

Documentation

#2713 GPO: pam system error returned in enforcing mode with no gpo applied Closed: Duplicate None Opened 8 years ago by lslebodn.

Metadata

#2713 GPO: pam system error returned in enforcing mode with no gpo applied

Closed: Duplicate None Opened 8 years ago by lslebodn.