Package: sssd-ad
Version: 2.3.0-2
Followup-For: Bug #965143

I might have a related issue with logins for AD accounts. I fixed ndr_pull_security_ace to again correctly parse GPOs in the AD back end. Without this fix, SSS_PAM_ACCT_MGMT fails for pam_sss, and users can not log in. A symptom of the bug is the following line in the log:

"[ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor"
Patch is attached.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (520, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-9-amd64 (SMP w/8 CPU threads)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sssd-ad depends on:
ii  libc6             2.30-8
ii  libdhash1         0.6.1-2
ii  libini-config5    0.6.1-2
ii  libldap-2.4-2     2.4.50+dfsg-1
ii  libldb2           2:2.1.4-2
ii  libpopt0          1.18-1
ii  libsasl2-2        2.1.27+dfsg-2
ii  libsmbclient      2:4.12.5+dfsg-3
ii  libsss-idmap0     2.3.0-2
ii  libtalloc2        2.3.1-1
ii  libtevent0        0.10.2-1
ii  samba-libs        2:4.12.5+dfsg-3
ii  sssd-ad-common    2.3.0-2
ii  sssd-common       2.3.0-2
ii  sssd-krb5-common  2.3.0-2

sssd-ad recommends no packages.

Versions of packages sssd-ad suggests:
pn  adcli  <none>

-- no debconf information
Author: Joachim Falk <joachim.f...@gmx.de>
Description: In sssd 2.3.0, ndr_pull_security_ace_object_ctr was migrated from
   level = ndr_pull_get_switch_value(ndr, r);
 to
   #ifdef SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH
       NDR_CHECK(ndr_pull_steal_switch_value(ndr, r, &level));
   #else
       level = ndr_pull_steal_switch_value(ndr, r);
   #endif
 In the case of SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH, this will fail if
 ndr_pull_set_switch_value is not previously used to set a switch value.
 However, ndr_pull_security_ace does not do this in the case of NDR_BUFFERS.
 This patch corrects this oversight.
 .
 Without this patch, the sssd AD back end can not correctly parse GPOs. As a
 result, SSS_PAM_ACCT_MGMT fails for pam_sss, and users can not log in. A
 symptom of the bug is the following line in the log:
 "[ad_gpo_parse_sd] (0x0020): Failed to pull security descriptor"

Index: pkg-sssd/src/providers/ad/ad_gpo_ndr.c =================================================================== --- pkg-sssd.orig/src/providers/ad/ad_gpo_ndr.c +++ pkg-sssd/src/providers/ad/ad_gpo_ndr.c @@ -317,6 +317,7 @@ ndr_pull_security_ace(struct ndr_pull *n ndr->offset += pad; } if (ndr_flags & NDR_BUFFERS) { + NDR_CHECK(ndr_pull_set_switch_value(ndr, &r->object, r->type)); NDR_CHECK(ndr_pull_security_ace_object_ctr (ndr, NDR_BUFFERS, &r->object)); }
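
Review bot: the added ndr_pull_set_switch_value call in the NDR_BUFFERS branch of ndr_pull_security_ace carries no comment, so the next reader cannot tell why the switch value has to be set immediately before ndr_pull_security_ace_object_ctr. A one-line comment above it, stating that the steal variant of the lookup fails when no switch value was set for &r->object in this pass, would keep the line from being removed as redundant later. The call is also unconditional, while the description ties the failure to builds with SMB_HAS_NEW_NDR_PULL_STEAL_SWITCH; please confirm that it is equally correct in the #else build, or say so in the description. Since the failure mode is a security descriptor that cannot be parsed and therefore a denied login, a regression test that pulls an ACE with object data through this path would be a useful addition.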