New issue
Advanced search Search tips

Issue 680921 link

Starred by 3 users
Status: Verified
Owner:
ljusten@chromium.org
Closed: Jan 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug
V1



Sign in to add a comment

authpolicy: Fix policy download failure on Intel CAP machines

Project Member Reported by ljusten@chromium.org, Jan 13 2017 
In a test, a default GPO was marked as version_user = 1, but has no Registry.pol file. Authpolicy always expects a .pol file if the version is > 0. On Windows this seems to be a valid assumption. Even if the GPO is empty, Windows still writes an (empty) .pol file. Thus, we need to find out who creates the default GPOs (Samba server or CAP software) and figure out why there is no .pol file.

Two options:
- Fix missing Registry.pol file upstream (i.e. on server); preferred
- Handle case of missing Registry.pol files; this is dangerous since it might mask real problems with downloading GPO.

Comment 1 by ljusten@chromium.org, Jan 16 2017 

We're seeing the same on Windows 2008 R2. Logs:

2017-01-13T14:39:12.279799-08:00 INFO authpolicy_parser[6672]: Found 2 GPOs.
2017-01-13T14:39:12.279805-08:00 INFO authpolicy_parser[6672]: 1)
2017-01-13T14:39:12.279812-08:00 INFO authpolicy_parser[6672]:   Name:            {31B2F340-016D-11D2-945F-00C04FB984F9}
2017-01-13T14:39:12.279819-08:00 INFO authpolicy_parser[6672]:   Filesyspath:     \\crosdev2.biz\sysvol\crosdev2.biz\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
2017-01-13T14:39:12.279826-08:00 INFO authpolicy_parser[6672]:   Version-User:    0
2017-01-13T14:39:12.279832-08:00 INFO authpolicy_parser[6672]:   Version-Machine: 1
2017-01-13T14:39:12.279842-08:00 INFO authpolicy_parser[6672]: 2)
2017-01-13T14:39:12.279852-08:00 INFO authpolicy_parser[6672]:   Name:            {56AC298D-8DC8-4B9A-ADD0-16DFD649947D}
2017-01-13T14:39:12.279861-08:00 INFO authpolicy_parser[6672]:   Filesyspath:     \\crosdev2.biz\SysVol\crosdev2.biz\Policies\{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}
2017-01-13T14:39:12.279871-08:00 INFO authpolicy_parser[6672]:   Version-User:    6
2017-01-13T14:39:12.279879-08:00 INFO authpolicy_parser[6672]:   Version-Machine: 37
2017-01-13T14:39:12.280134-08:00 INFO authpolicyd[4033]: Stdout: #012{#012&{31B2F340-016D-11D2-945F-00C04FB984F9}#022#023crosdev2.biz/sysvol#032<crosdev2.biz\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}#012{#012&{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}#022#023crosdev2.biz/SysVol#032<crosdev2.biz\Policies\{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}
2017-01-13T14:39:12.280144-08:00 INFO authpolicyd[4033]: Stderr: 
2017-01-13T14:39:12.280151-08:00 INFO authpolicyd[4033]: Exit code: 0
2017-01-13T14:39:12.280686-08:00 INFO authpolicyd[4033]: Executing /usr/bin/smbclient '//adfs-cros-te.crosdev2.biz/sysvol' '-s' '/tmp/authpolicyd/smb.conf' '-c' 'prompt OFF;cd \crosdev2.biz\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine;lcd /tmp/authpolicyd/samba/cache/gpo_cache/crosdev2.biz/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/Machine;mget Registry.pol;cd \crosdev2.biz\Policies\{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}\Machine;lcd /tmp/authpolicyd/samba/cache/gpo_cache/crosdev2.biz/Policies/{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}/Machine;mget Registry.pol;' '-k'
2017-01-13T14:39:14.045038-08:00 INFO authpolicyd[4033]: Stdout: NT_STATUS_NO_SUCH_FILE listing \crosdev2.biz\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\Machine\Registry.pol#012
2017-01-13T14:39:14.045051-08:00 INFO authpolicyd[4033]: Stderr: getting file \crosdev2.biz\Policies\{56AC298D-8DC8-4B9A-ADD0-16DFD649947D}\Machine\Registry.pol of size 3592 as Registry.pol (19.8 KiloBytes/sec) (average 19.8 KiloBytes/sec)#012

Comment 2 by ljusten@chromium.org, Jan 16 2017

Status: Started (was: Assigned)

Comment 3 by ljusten@chromium.org, Jan 16 2017 

{31B2F340-016D-11D2-945F-00C04FB984F9} is a fixed GUID for the default device policy.

Comment 4 by ljusten@chromium.org, Jan 16 2017 

*default policy* (Windows policies can be device&user)

Comment 5 by tnagel@chromium.org, Jan 16 2017

Labels: -Pri-3 Pri-2
Project Member

Comment 6 by bugdroid1@chromium.org, Jan 17 2017 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/platform2/+/6a9cb35cdcf95e641762c3fb62614925d6a6c46a

commit 6a9cb35cdcf95e641762c3fb62614925d6a6c46a
Author: Lutz Justen <ljusten@chromium.org>
Date: Tue Jan 17 10:25:30 2017

authpolicy: Ignore missing GPO files

Testing with two independent servers (Intel CAP and a Windows 2008 R2)
revealed that there can be GPOs with user/machine version > 0, but no
Registry.pol file. This CL handles this case gracefully and ignores
missing GPOs. Note that other error cases (failure to download existing
file, network error etc.) still result in an error.

BUG= chromium:680921 
TEST=Manually wiped a Registry.pol file and verified it works.

Change-Id: I30edc2ffc690b25eddc7603b341e0cef1e9acca8
Reviewed-on: https://chromium-review.googlesource.com/427707
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Thiemo Nagel <tnagel@chromium.org>

[modify] https://crrev.com/6a9cb35cdcf95e641762c3fb62614925d6a6c46a/authpolicy/process_executor.h
[modify] https://crrev.com/6a9cb35cdcf95e641762c3fb62614925d6a6c46a/authpolicy/samba_interface.cc

Comment 7 by ljusten@chromium.org, Jan 18 2017

Status: Fixed (was: Started)

Comment 8 by kathrelk...@chromium.org, Jul 6 2017

Status: Verified (was: Fixed)
bulk Verify of Chromad V1 bugs

Sign in to add a comment