Adsys fails to fetch Policies when logged in through pubkey auth (Public Key stored in AD attribute) #588

Open
snussbaumermpreis opened this issue Jan 24, 2023 · 0 comments

@snussbaumermpreis

Please do not report security vulnerabilities here
Use launchpad ADSys private bugs which is monitored by our security team. On Ubuntu machines, it’s best to use ubuntu-bug adsys to collect relevant information.

Thank you in advance for helping us to improve ADSys!
Please read through the template below and answer all relevant questions. Your additional work here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use Ubuntu Discourse. Finally, to avoid duplicates, please search existing Issues before submitting one here.

By submitting an Issue to this repository, you agree to the terms within the Ubuntu Code of Conduct.

Description

Provide a clear and concise description of the issue, including what you expected to happen.

Hello, I don't know if you are aware of this, and if there is a possible solution to this issue. I just want to inform you, if you don't already know:

We have enabled Public Key Auth on a domain-joined Ubuntu Server with adsys. The key is stored in an Active Directory attribute. When logging in with the key and running adsysctl update I get the following error:

ERROR Error from server: error while updating policy: can't get policies for "[email protected]": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc01.example.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')

When logging in with password it works.

Obviously the Key is not available for authenticating to the Active Directory. Therefore I don't know if there is a way to fix this behaviour.

As I think the issue is clear, I won't post the bug reports below; if you need them I can post them later.

Reproduction

Detail the steps taken to reproduce this error, what was expected, and whether this issue can be reproduced consistently or if it is intermittent.

As stated above: logging in through the key -> adsysctl update -> error
Logging in with password -> adsysctl update -> success

Any password caching in sssd is disabled for security reasons.

Where applicable, please include:

  • Code sample to reproduce the issue
  • Log files (redact/remove sensitive information)
  • Application settings (redact/remove sensitive information)
    sssd.conf:

[sssd]
domains = example.com
config_file_version = 2
services = nss, pam
default_domain_suffix = EXAMPLE.COM

[domain/EXAMPLE.COM]
default_shell = /bin/bash
krb5_store_password_if_offline = False
cache_credentials = False
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
ldap_sasl_authid = host$
fallback_homedir = /home/%u@%d
ad_domain = example.com
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
cache_credentials = False
account_cache_expiration = 1
ad_gpo_access_control = enforcing
ad_gpo_cache_timeout = 30
ad_gpo_ignore_unreadable = True
ad_hostname = host.EXAMPLE.COM
dyndns_refresh_interval = 86400
dyndns_update = true
dyndns_update_ptr = true
ldap_user_ssh_public_key = altSecurityIdentities
ldap_user_extra_attrs = altSecurityIdentities

  • Screenshots

Environment

Please provide the following:

For Ubuntu users, please run and copy the following

  1. ubuntu-bug adsys --save=/tmp/report
  2. Copy paste below /tmp/report content:
COPY REPORT CONTENT HERE.

Relevant AD information

If AD authentication works but adsys fails to fetch GPOs (e.g. you see can't get policies errors on login), please perform the following steps:

  1. Add the following to /etc/samba/smb.conf:
log level = 10
  2. Run sudo login user@domain in a terminal, replacing with your AD credentials
  3. Paste the output in the bug report

Installed versions

  • OS: (/etc/os-release)
    Ubuntu 22.04.1 LTS
  • ADSys version: (adsysctl version output)
    0.9.2

Additional context

Add any other context about the problem here.
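The following is an added example, not code from the issue above or from the ADSys project. It shows the failure mode the report describes from an operator's side: an SSH public-key login authenticates with the key only, so the session never obtains a Kerberos TGT the way a password login through SSSD does, and the GPO lookup against the domain controller has nothing to bind with. The script classifies the error text quoted in the issue and runs a pre-flight check for a ticket before calling adsysctl update. The function names and the category strings are this example's own; the realm EXAMPLE.COM is taken from the sssd.conf in the report, and the error sample is a copy of the output quoted above.

```shell
#!/bin/sh
# Added example, not part of the issue or of the ADSys project: a pre-flight
# check for `adsysctl update` on an AD-joined host. It (1) classifies the
# adsys error text quoted in the issue and (2) checks for a Kerberos TGT,
# the credential a password login obtains via SSSD but an SSH public-key
# login does not. Function and category names are this example's own.

# Constructed sample: the error output quoted in the issue (hostnames as given there).
SAMPLE_ERROR=$(cat <<'EOF'
ERROR Error from server: error while updating policy: can't get policies for "[email protected]": failed to retrieve the list of GPO (exited with 1): exit status 1
Failed to bind - LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to connect to 'ldap://dc01.example.com' with backend 'ldap': LDAP client internal error: NT_STATUS_INVALID_PARAMETER
Failed to open session: (1, 'LDAP client internal error: NT_STATUS_INVALID_PARAMETER')
EOF
)

# classify_adsys_error reads adsysctl output from stdin and prints one category:
#   ldap-bind-no-credentials  - the LDAP bind itself failed (the pattern in the issue)
#   policy-fetch-failed       - GPO retrieval failed for some other reason
#   other-error               - any other ERROR line
#   ok                        - no error seen
classify_adsys_error() {
    text=$(cat)
    case "$text" in
        *"Failed to bind"*"NT_STATUS_INVALID_PARAMETER"*) echo "ldap-bind-no-credentials" ;;
        *"can't get policies"*) echo "policy-fetch-failed" ;;
        *"ERROR"*) echo "other-error" ;;
        *) echo "ok" ;;
    esac
}

# has_kerberos_ticket succeeds when the default credential cache holds a
# valid, unexpired ticket. `klist -s` is MIT Kerberos' silent check; a
# missing klist binary counts as "no ticket".
has_kerberos_ticket() {
    command -v klist >/dev/null 2>&1 || return 1
    klist -s 2>/dev/null
}

# explain_missing_ticket prints what to do when no ticket is present and
# returns 2. The default realm is the one from the issue's sssd.conf.
explain_missing_ticket() {
    realm=${1:-EXAMPLE.COM}
    echo "No Kerberos ticket in this session."
    echo "An SSH public-key login authenticates with the key only and does not obtain a TGT,"
    echo "so the GPO lookup against the domain controller cannot bind."
    echo "Obtain one and retry:  kinit <user>@${realm} && adsysctl update"
    return 2
}

# preflight_adsys_update runs adsysctl update only when a ticket is available;
# otherwise it prints the explanation and exits non-zero.
preflight_adsys_update() {
    if has_kerberos_ticket; then
        adsysctl update
    else
        explain_missing_ticket "$@"
    fi
}
```

Usage: source the file and call `preflight_adsys_update` instead of `adsysctl update`, or pipe captured adsysctl output into `classify_adsys_error` when triaging logs from several hosts. The classifier matches the bind failure before the generic "can't get policies" text because, as in the quoted output, both appear together and the bind failure is the more specific cause.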
