#3347 gpo_child fails when log is enabled in smb

Created 6 months ago by jhrozek
Modified 3 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1431870

Description of problem:
Regression test for BZ1177140 fails with new libsmbclient
It might be a bug in libsmbclient


Version-Release number of selected component (if applicable):
sh$ rpm -q sssd libsmbclient
sssd-1.15.1-1.el7.x86_64
libsmbclient-4.6.0-2.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. join machine to AD domain
2. create /etc/sssd/sssd.conf
    unindent <<<"
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = $AD_DOMAIN1

    [nss]
    filter_groups = root
    filter_users = root
    default_shell = /bin/bash

    [pam]

    [domain/$AD_DOMAIN1]
    ldap_purge_cache_timeout = 0
    krb5_auth_timeout = 12

    debug_level = 0xFFF0
    ad_domain = $AD_DOMAIN1
    krb5_realm = $AD_SERVER1_REALM
    ad_server = $AD_SERVER1
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    ad_gpo_access_control = enforcing
    ad_gpo_map_interactive = +su +sshd

3. create /etc/samba/smb.conf
    [global]
    workgroup = $AD_SERVER_SHORT_REALM
    realm = $AD_SERVER1_REALM
    security = ads
    kerberos method = system keytab
    log level = 10
4. systemctl restart sssd.service smb.service
5. authenticate as user who should be able to authenticate
   allow_u-23737@sssdad.com

Actual results:
authentication fialed

Expected results:
user authenticate without any problem


Additional info:
It fails with rhel7.3 sssd-1.14.0-43.el7_3.11.x86_64 and new
libsmbclient-4.6.0-2.el7.x86_64

sh# cat /var/log/sssd/gpo_child.log
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400):
gpo_child started.
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400): context
initialized
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x0400):
cached_gpt_version: -1
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_server length: 22
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_server: smb://pluto.sssdad.com
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_share length: 7
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_share: /sysvol
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_path length: 59
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_path: /sssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_cse_suffix length: 49
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400):
performing smb operations
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]]
[copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://pluto.sssdad.com/sysvol/s
ssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}/GPT.INI
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]]
[copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed
[13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [perform_smb_operations]
(0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020):
perform_smb_operations failed.[13][Permission denied].
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020):
gpo_child failed!

It might be a bug in libsmbclient or wrong usage of libsmbclient by sssd.
Anyway we need to prepare simpler reproducer if we want to reassign to samba
6 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1431870

6 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1431870

It is possible that bug is in libsmbclient

6 months ago

Metadata Update from @lslebodn:
- Issue assigned to mzidek
- Issue priority set to: 2

The problem was in the test. It was setting the workgroup in smb.conf to an empty value, which is a configuration error. Closing this issue.

3 months ago

Metadata Update from @mzidek:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

Login to comment on this ticket.

https://bugzilla.redhat.com/show_bug.cgi?id=1431870

cancel