sssd can't parse GPT.INI if it contains non-ASCII characters

[ Impact ]

When the Active Directory Domain Controller uses GPO, and if sssd is configured to enforce GPO permissions, and if the GPT.INI file (which is part of the server's GPO policies, and served to the client when an authentication happens) contains non-ASCII characters, then the user can experience a crash on sssd and the authentication will fail.

[ Test Plan ]

The test case for this bug is a bit complex, but I will do my best to describe it in detail.

We need to setup one VM running a Samba Active Directory Domain Controller (AD DC), which will be our main server. This needs only to be configured once. We then need to setup another VM which will join our AD DC realm using realmd and sssd.

== Virtual Network setup ==

The first step is to create a dedicated virtual network for our tests. This is not strictly mandatory, but it will simplify things. The best way to create this network is via virt-manager. Install it if needed, open the program and select the "QEMU/KVM" line. Go to Edit > Connection Details > Virtual Networks, click on the "+" icon (bottom left), give this network a name (I will use "sssdad"), make sure that "Enable IPv4" and "Enable DHCPv4" are selected (under "IPv4 configuration"). Go to "DNS domain name" and select "Custom". For the domain name, type "test.lan". Click on "Finish".

Take note of the "Device" name that shows up after you create the network. We will use it when creating the VMs. For this test plan, let's assume the device name is "virbr1".

== Samba AD DC VM setup ==

We need to setup a Samba AD DC server. It doesn't matter which Ubuntu release we use for it. Note that we have to use "-n virbr1" when creating the VM, otherwise it won't use our virtual network.

$ lxc launch ubuntu-daily:jammy sambadc -n virbr1 --vm
$ lxc shell sambadc
server# apt update
server# ip a

Make sure to grab this VM's IP address.

server# cat >> /etc/hosts << _EOF_
IP_ADDRESS_HERE sambadc sambadc.test.lan
_EOF_
server# reboot
$ lxc shell sambadc
server# apt install -y samba winbind

server# mv /etc/samba/smb.conf /etc/samba/smb.conf.bkp
server# samba-tool domain provision --use-rfc2307 --realm TEST.LAN --domain TEST --server-role dc --dns-backend SAMBA_INTERNAL --adminpass MyPassword1

server# systemctl mask smbd.service nmbd.service winbind.service
server# systemctl disable --now smbd.service nmbd.service winbind.service
server# systemctl unmask samba-ad-dc.service
server# systemctl enable --now samba-ad-dc.service

We now have to adjust the DNS server settings of the server. We are going to disable systemd-resolved.service and use samba as our DNS service.

You will notice that the samba-tool command issued above has added 127.0.0.53 as the "dns forwarder" in /etc/samba/smb.conf. Edit the file and set the forwarder to be the virtual network's DNS resolver -- it should be the same as IP_ADDRESS_HERE, but ending in .1.

server# systemctl disable --now systemd-resolved.service
server# unlink /etc/resolv.conf
server# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_
server# reboot

This should be enough to configure Samba as an AD DC. While at it, create a test user that will later be used to trigger the bug.

server# samba-tool user create testuser MyUserPassword1

We also need to insert non-ASCII characters into the GPT.INI file, and make sure that we also create a GptTmpl.inf file that will allow us to login as the user.

server# cd /var/lib/samba/sysvol/test.lan/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}/
server# echo -n -e "\ndisplayName=crásher\n" | iconv -f UTF-8 -t CP850 >> GPT.INI
server# mkdir -p MACHINE/Microsoft/Windows\ NT/SecEdit/
server# cat > MACHINE/Microsoft/Windows\ NT/SecEdit/GptTmpl.inf << _EOF_
[Unicode]
Unicode=yes
[Version]
signature="\$CHICAGO\$"
Revision=1
_EOF_

== VM AD client setup ==

Let's configure a VM to act as an AD client.

$ lxc launch ubuntu-daily:jammy sssdclient -n virbr1 --vm
$ lxc shell sssdclient

Before anything else, let's configure this VM to use the Samba AD DC VM as its DNS resolver. In the excerpt below, IP_ADDRESS_HERE refers to the IP address of the Samba AD DC VM (configured in the last section).

client# systemctl disable --now systemd-resolved.service
client# unlink /etc/resolv.conf
client# cat > /etc/resolv.conf << _EOF_
nameserver IP_ADDRESS_HERE
search test.lan
_EOF_

client# apt update
client# apt install -y sssd-ad sssd-tools realmd adcli sssd-dbus
client# pam-auth-update --enable mkhomedir

We can now check if our container can detect the AD DC:

client# realm -v discover sambadc.test.lan
 * Resolving: _ldap._tcp.sambadc.test.lan
 * Resolving: sambadc.test.lan
 * Performing LDAP DSE lookup on: 192.168.101.142
 * Successfully discovered: test.lan
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

You can also confirm that the "realm -v discover" works on the domain name:

client# realm -v discover test.lan
 * Resolving: _ldap._tcp.test.lan
 * Performing LDAP DSE lookup on: 192.168.101.142
 * Successfully discovered: test.lan
test.lan
  type: kerberos
  realm-name: TEST.LAN
  domain-name: test.lan
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: sssd-tools
  required-package: sssd
  required-package: libnss-sss
  required-package: libpam-sss
  required-package: adcli
  required-package: samba-common-bin

And we can join the realm:

client# realm -v join test.lan

You will be prompted the password for the Administrator user. It is MyPassword1. If everything worked OK, you should now be able to list the information from the Administrator user:

client# getent passwd <email address hidden>
<email address hidden>:*:1522000500:1522000513:Administrator:/<email address hidden>:/bin/bash

== Reproducing the bug ==

Make sure you can obtain the passwd information for the test user we've created in the Samba AD DC server.

client# getent passwd <email address hidden>
<email address hidden>:*:1522001104:1522000513:testuser:/<email address hidden>:/bin/bash

Now, try to login as the user:

client# login <email address hidden>
Password: MyUserPassword1

System error

As can be seen, the user will get a system error when trying to login in a default AD DC setup. In order to confirm that the problem is indeed caused by the non-ASCII characters present in the GPT.INI file, you can inspect the /var/log/sssd/gpo_child.log file. You should find the messages saying "Invalid or incomplete multibyte or wide character". If you would like to check that the login works without the non-ASCII characters, simply edit the GPT.INI (on the server side) and remove its last line (starting with "displayName=").

Once you upgrade the sssd package to the fixed version, you should be able to confirm that the login works even when GPT.INI contains non-ASCII characters. Upon inspecting /var/log/sssd/gpo_child.log, this time you will see a message like this:

(2022-06-22 14:14:12): [gpo_child[9778]] [gpo_sanitize_buffer_content] (0x1f7c0): [RID#7] Value for key 'displayName' contains non-ascii symbol. Replacing with '?'

If you're testing this on Focal, you will also need to edit /etc/sssd/sssd.conf and, inside the "[domain...]" section, add the following line:

debug = 2

Otherwise the /var/log/sssd/gpo_child.log file will be empty.

Be aware of the client-side caching when testing sssd. Sometimes the authentication can work when it's not expected to, or vice-versa. It's recommended to completely remove sssd's cache before testing a new scenario:

client# sssctl cache-remove -o -p -s

[ Where problems could occur ]

Although the problem seems somewhat simple to overcome, the patch is not entirely trivial. It involves parsing the GPT.INI file, determining the location of the non-ASCII characters, and finally ignoring them. It is not likely, but also not impossible that this new parser doesn't handle some obscure corner case very well, and we end up discarding more than we'd like from GPT.INI.