Comments (8)
sumit-bose
commented on September 3, 2024
Hi,
thank you for your report. You have omitted some log lines in your first log snippet, can you send the full snippet?
bye,
Sumit
from sssd.
fdalfa
commented on September 3, 2024
Sure
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] examining dacl candidate_gpo_guid:{A8282E6A-7A7A-4148-B9E5-F2C26FB15950}
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-21-1384148484-2853517914-4044072970-512
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-21-1384148484-2853517914-4044072970-512
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-21-1384148484-2853517914-4044072970-519
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-9
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0080): [RID#7] Could not determine if ACE is applicable; Trustee: S-1-5-18
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_ace_includes_client_sid] (0x0020): [RID#7] sss_idmap_sid_to_smb_sid() failed for group_sid '^A': 6
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_evaluate_dacl] (0x0400): [RID#7] GPO denied (security); Trustee: S-1-5-21-1384148484-2853517914-4044072970-4618
(2024-06-04 15:32:52): [be[a.b.c]] [ad_gpo_filter_gpos_by_dacl] (0x0400): [RID#7] GPO not applicable to target per security filtering: result of DACL evaluation
FYI the SID of machine where the application of GPO fails is S-1-5-21-1384148484-2853517914-4044072970-5108
from sssd.
sumit-bose
commented on September 3, 2024
Hi,
thanks, this looks like there is some invalid data or a binary SID in the list where SID strings were expected. Would it be possible to send the full backend log, the gpo_child.log and the cache file /var/lib/sss/db/cache_YOUR.DOMAIN.NAME.ldb? You can send it by email, if you prefer; the user name would be 'sbose' and the email domain is 'redhat.com'.
bye,
Sumit
from sssd.
alexey-tikhonov
commented on September 3, 2024
https://issues.redhat.com/browse/RHEL-40570
from sssd.
fdalfa
commented on September 3, 2024
Ciao,
The fix works! Thanks.
regards,
Fabrizio
from sssd.
alexey-tikhonov
commented on September 3, 2024
The fix works! Thanks
Did you build from sources?
(I'll keep ticket open until fix is merged into the code base)
from sssd.
fdalfa
commented on September 3, 2024
Did you build from sources?
Onestly no; @sumit-bose kindly sent me some prebuilt packages.
(I'll keep ticket open until fix is merged into the code base)
(Y)
regards,
Fabrizio
from sssd.
alexey-tikhonov
commented on September 3, 2024
Pushed PR: #7421
master- b25e510 - ad: use right memory context in GPO code
sssd-2-9- 723a30b - ad: use right memory context in GPO code
from sssd.
Related Issues (20)
- 2FA is being enforced after upgrading 2.9.1->2.9.4 HOT 4
- Dynamic DNS Update Fails with Active Directory HOT 4
- SSSD Search Depth for AltSecIdentities HOT 1
- passkey_child - Active Directory lookup HOT 5
- sssd Passkeys - TGT/SSO Kerberos HOT 2
- regression in certificate configuration/handling from NSS to OpenSSL HOT 7
- sssd cache not working, cant login when connection to AD is disabled HOT 10
- Remove leftovers of old reconnection code
- Pending (chained) DP requests aren't processed if backend restarts (affected sssd-2.10+)
- No way to configure `debug_backtrace_enabled` for 'ldap_/krb_child'
- domain with type application broken by pam_initgroup_scheme=no_session HOT 1
- Large number of unreleased cache files under /var/lib/sss/mc HOT 1
- Ask for `password` first when ipa user added with `User authentication types: password` and having passkey mapping for passkey HOT 1
- /usr/lib/libndr-krb5pac.so.0: version `NDR_KRB5PAC_0.0.1' not found (required by /usr/lib/sssd/sssd/sssd_pac HOT 5
- sss_override does not take precedence over override_shell directive HOT 2
- EL9/CentOS Stream 9 lost offline smart card authentication HOT 17
- Question: Can I use oauth2/idp plugin on macOS? HOT 3
- Prompter interface isn't used for prompting by SSSD HOT 7
- generating uidNumber/gidNumber for non ad setups HOT 1
- Controlling SSH access by AD group in Domain B, with users from Domain A (One Way Forest Trust Domain B -> Domain A) HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from sssd.