#3347 gpo_child fails when log is enabled in smb
Closed: Invalid 6 years ago Opened 7 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1431870

Description of problem:
Regression test for BZ1177140 fails with new libsmbclient
It might be a bug in libsmbclient


Version-Release number of selected component (if applicable):
sh$ rpm -q sssd libsmbclient
sssd-1.15.1-1.el7.x86_64
libsmbclient-4.6.0-2.el7.x86_64

How reproducible:
deterministic

Steps to Reproduce:
1. join machine to AD domain
2. create /etc/sssd/sssd.conf
    unindent <<<"
    [sssd]
    config_file_version = 2
    services = nss, pam
    domains = $AD_DOMAIN1

    [nss]
    filter_groups = root
    filter_users = root
    default_shell = /bin/bash

    [pam]

    [domain/$AD_DOMAIN1]
    ldap_purge_cache_timeout = 0
    krb5_auth_timeout = 12

    debug_level = 0xFFF0
    ad_domain = $AD_DOMAIN1
    krb5_realm = $AD_SERVER1_REALM
    ad_server = $AD_SERVER1
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    use_fully_qualified_names = True
    fallback_homedir = /home/%d/%u
    access_provider = ad
    ad_gpo_access_control = enforcing
    ad_gpo_map_interactive = +su +sshd

3. create /etc/samba/smb.conf
    [global]
    workgroup = $AD_SERVER_SHORT_REALM
    realm = $AD_SERVER1_REALM
    security = ads
    kerberos method = system keytab
    log level = 10
4. systemctl restart sssd.service smb.service
5. authenticate as user who should be able to authenticate
   allow_u-23737@sssdad.com

Actual results:
authentication fialed

Expected results:
user authenticate without any problem


Additional info:
It fails with rhel7.3 sssd-1.14.0-43.el7_3.11.x86_64 and new
libsmbclient-4.6.0-2.el7.x86_64

sh# cat /var/log/sssd/gpo_child.log
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400):
gpo_child started.
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400): context
initialized
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x0400):
cached_gpt_version: -1
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_server length: 22
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_server: smb://pluto.sssdad.com
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_share length: 7
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_share: /sysvol
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_path length: 59
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_path: /sssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_cse_suffix length: 49
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [unpack_buffer] (0x4000):
smb_cse_suffix: /Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]] [main] (0x0400):
performing smb operations
(Mon Mar 13 18:17:43 2017) [[sssd[gpo_child[19195]]]]
[copy_smb_file_to_gpo_cache] (0x0400): smb_uri: smb://pluto.sssdad.com/sysvol/s
ssdad.com/Policies/{892F53E0-E4AA-4D2E-9106-7AA4B9FE8680}/GPT.INI
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]]
[copy_smb_file_to_gpo_cache] (0x0020): smbc_getFunctionOpen failed
[13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [perform_smb_operations]
(0x0020): copy_smb_file_to_gpo_cache failed [13][Permission denied]
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020):
perform_smb_operations failed.[13][Permission denied].
(Mon Mar 13 18:17:44 2017) [[sssd[gpo_child[19195]]]] [main] (0x0020):
gpo_child failed!

It might be a bug in libsmbclient or wrong usage of libsmbclient by sssd.
Anyway we need to prepare simpler reproducer if we want to reassign to samba

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1431870

7 years ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1431870

7 years ago

It is possible that bug is in libsmbclient

Metadata Update from @lslebodn:
- Issue assigned to mzidek
- Issue priority set to: 2

7 years ago

The problem was in the test. It was setting the workgroup in smb.conf to an empty value, which is a configuration error. Closing this issue.

Metadata Update from @mzidek:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

6 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4377

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata