SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

Can't login if fetching GPT.INI fails #7342

Open pjb1008 opened 4 months ago

pjb1008 commented 4 months ago

Hi,

This issue affects computers that are using GPOs for access control, with AD servers online, but one AD server not functioning properly, specifically by not servicing SMB requests.

During group policy processing, each policy's GPT.INI is fetched from the AD server in order to read the version number. If the connection fails, for example if copy_smb_file_to_gpo_cache gets 'Connection refused', this is treated as a critical failure and the child exits immediately instead of sending a response through the pipefd.

In the parent process, ad_gpo_parse_gpo_child_response calls SAFEALIGN_COPY_UINT32_CHECK to extract the response from the pipefd, but gets EOF due to the child exiting early. This condition is turned into EINVAL, which results in the message "Broken GPO data received from AD. Check AD child logs for more information."

GPO stops and ad_gpo_cse_done reports "Unable to retrieve policy data", followed by ad_gpo_access_done reporting "GPO-based access control failed."

This results in a login failure, with PAM reporting "Access denied for user xxxxx: 4 (System error)".

The system does not fail over to the next AD server, nor does it use the cached copy of the GPO.
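The failure mode above comes down to how the parent interprets a short read on the pipe. As an added illustration (this is not SSSD's code; the wire format, the `struct dc` stand-ins for DC behaviour, and every function name here are assumptions made for the example, and SSSD's real routines such as ad_gpo_parse_gpo_child_response and SAFEALIGN_COPY_UINT32_CHECK are not reproduced), the block below models the parent/child pipe protocol the report describes: a child that dies before answering produces EOF, which the parent keeps distinct from a malformed payload so it can move on to the next DC and finally to the cached version, instead of turning EOF into "broken data" and denying the login.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical fixed-size child response (this example's own wire format):
 * a status word followed by the GPT.INI version. Host byte order is fine
 * because both ends of the pipe run on the same machine. */
struct gpo_resp {
    uint32_t status;   /* 0 = success, 1 = child-side fetch failure */
    uint32_t version;  /* Version= value read from GPT.INI when status == 0 */
};

enum gpo_parse_result {
    GPO_PARSE_OK = 0,
    GPO_PARSE_CHILD_FAILED,  /* EOF before a full response, or status == 1 */
    GPO_PARSE_BROKEN,        /* full response read but contents are invalid */
    GPO_PARSE_IO_ERROR       /* read(2) itself failed */
};

/* Read exactly len bytes: 1 = success, 0 = EOF before len bytes, -1 = error. */
static int read_exact(int fd, void *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0) return 0;   /* writer closed: a dead child, not garbage */
        got += (size_t)n;
    }
    return 1;
}

/* Parent-side parser. A short read (child exited without answering) is a
 * distinct outcome from a malformed payload, so the caller can fail over
 * rather than report "broken data" and deny access. */
enum gpo_parse_result parse_child_response(int fd, uint32_t *version_out)
{
    struct gpo_resp resp;
    int rc = read_exact(fd, &resp, sizeof(resp));
    if (rc < 0) return GPO_PARSE_IO_ERROR;
    if (rc == 0) return GPO_PARSE_CHILD_FAILED;
    if (resp.status == 1) return GPO_PARSE_CHILD_FAILED;
    if (resp.status != 0) return GPO_PARSE_BROKEN;   /* unknown status word */
    *version_out = resp.version;
    return GPO_PARSE_OK;
}

/* Constructed stand-ins for what a DC does to the child's SMB fetch. */
enum dc_outcome { DC_OK, DC_SMB_REFUSED, DC_GARBAGE };
struct dc { const char *name; enum dc_outcome outcome; uint32_t version; };

/* Simulates the child's side of the pipe. DC_SMB_REFUSED models the reported
 * behaviour: the child exits without writing anything, so the parent sees EOF. */
static void simulate_child(int wfd, const struct dc *dc)
{
    struct gpo_resp r = { 0, dc->version };
    if (dc->outcome == DC_GARBAGE) r.status = 0xdeadbeef;
    if (dc->outcome != DC_SMB_REFUSED &&
        write(wfd, &r, sizeof(r)) != (ssize_t)sizeof(r))
        perror("write");
    close(wfd);
}

/* Try each DC in turn; if none yields a version, use the cached one.
 * Returns 0 and sets *version_out/*source on success, -1 if nothing is usable. */
int fetch_gpt_version(const struct dc *dcs, size_t ndcs,
                      int have_cache, uint32_t cached_version,
                      uint32_t *version_out, const char **source)
{
    for (size_t i = 0; i < ndcs; i++) {
        int fds[2];
        if (pipe(fds) != 0) return -1;
        simulate_child(fds[1], &dcs[i]);
        enum gpo_parse_result r = parse_child_response(fds[0], version_out);
        close(fds[0]);
        if (r == GPO_PARSE_OK) { *source = dcs[i].name; return 0; }
        fprintf(stderr, "%s: child result %d, trying next DC\n", dcs[i].name, (int)r);
    }
    if (have_cache) { *version_out = cached_version; *source = "cache"; return 0; }
    return -1;
}

/* Scenario helpers over constructed inputs: each returns the version obtained,
 * or -1 when no GPO data at all could be found. */
int demo_failover(void)          /* dc1 refuses SMB, dc2 answers version 7 */
{
    const struct dc dcs[] = { { "dc1", DC_SMB_REFUSED, 0 }, { "dc2", DC_OK, 7 } };
    uint32_t v = 0; const char *src = NULL;
    return fetch_gpt_version(dcs, 2, 1, 5, &v, &src) == 0 ? (int)v : -1;
}
int demo_cache_fallback(void)    /* dc1 refuses, dc2 sends garbage, cache holds 5 */
{
    const struct dc dcs[] = { { "dc1", DC_SMB_REFUSED, 0 }, { "dc2", DC_GARBAGE, 0 } };
    uint32_t v = 0; const char *src = NULL;
    return fetch_gpt_version(dcs, 2, 1, 5, &v, &src) == 0 ? (int)v : -1;
}
int demo_no_data(void)           /* every DC refuses and there is no cache */
{
    const struct dc dcs[] = { { "dc1", DC_SMB_REFUSED, 0 } };
    uint32_t v = 0; const char *src = NULL;
    return fetch_gpt_version(dcs, 1, 0, 0, &v, &src) == 0 ? (int)v : -1;
}

int main(void)
{
    printf("failover: %d, cache fallback: %d, no data: %d\n",
           demo_failover(), demo_cache_fallback(), demo_no_data());
    return 0;
}
```

The example deliberately never folds EOF into the "broken data" path: only a fully read response with an unknown status word counts as malformed, while a closed pipe or an explicit failure status both mean "this DC could not be used, try the next one". Whether the final no-data case should deny or allow access is a policy decision the example leaves to the caller by returning -1.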

sumit-bose commented 4 months ago

Hi,

thank you for the report. I agree that it would be good to handle this case more gracefully, i.e., try to fall back to other AD DCs and switch to offline operation.

bye, Sumit