User policy is not updated for ephemeral users
Issue description

What steps will reproduce the problem?
(1) Enroll device into active directory mode
(2) Enable ephemeral users for device
(3) Login

What is the expected result?
User policy should apply

What happens instead?
2018-05-03T13:50:27.167156+02:00 ERR authpolicyd[1328]: Failed to call method: org.chromium.SessionManagerInterface.StoreUnsignedPolicyEx: object_path= /org/chromium/SessionManager: org.chromium.SessionManagerInterface.kGetServiceFail: Cannot get policy service for account type 1

I also had a user from a different domain than the device, if it matters.
May 4 2018
May 11 2018
Actually, I can't enroll at all as an ephemeral user.
May 22 2018
Fixed?
May 23 2018
Ephemeral user login is fixed AFAICT as of version 10698. Policy comes down as well.
May 23 2018
Unable to verify this due to https://bugs.chromium.org/p/chromium/issues/detail?id=845829
Chrome OS: 10709.0.0
Chrome: 68.0.3437.0
Device: Robo360
Debug logs attached.
Jun 6 2018
Verified, user policies are updating correctly for ephemeral users.
Chrome OS: 10757.0.0
Chrome: 69.0.3451.0
Device: Santa
Aug 13
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/d853c8cfe3ecd5a3777909290cecc996c2438799

commit d853c8cfe3ecd5a3777909290cecc996c2438799
Author: Lutz Justen <ljusten@chromium.org>
Date: Mon Aug 13 07:54:06 2018

Return consistent CryptohomeId for Active Directory accounts

During signin, the cryptohome migration flag is automatically set for Active Directory user accounts, which makes their cryptohome id switch from email to account id key.

This is problematic for tests that populate policy before signin by sending policy to Session Manager since the policy is 'addressed' using the cryptohome id, see e.g.
https://chromium-review.googlesource.com/c/chromium/src/+/1145319/2/chrome/browser/chromeos/policy/affiliation_test_helper.cc#122

In a nutshell, policy is stored using the email address, but later loaded using the account id key.

To resolve this, ACTIVE_DIRECTORY now always uses the account id key as cryptohome id. This fixes the issue and should make the code more robust.

BUG= chromium:839352
TEST=Verified that the hack in the CL above isn't necessary anymore.

Change-Id: I3ecb378aac08fc8dc5374e7bc170a9eb2c96741d
Reviewed-on: https://chromium-review.googlesource.com/1055509
Reviewed-by: Alexander Alekseev <alemate@chromium.org>
Reviewed-by: Roman Sorokin <rsorokin@chromium.org>
Commit-Queue: Lutz Justen <ljusten@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582525}

[modify] https://crrev.com/d853c8cfe3ecd5a3777909290cecc996c2438799/chromeos/cryptohome/cryptohome_parameters.cc
[modify] https://crrev.com/d853c8cfe3ecd5a3777909290cecc996c2438799/chromeos/login/auth/cryptohome_authenticator.cc
Aug 13
Aug 17
Hi Lutz, Does this bug require any special verification other than c#7? If yes, could you please provide some steps? Thanks, Ivan
Aug 20
No, this is fine. The CL was in review for a long time. In the meantime, the issue was addressed by a different CL, but we figured we'd do this change anyway, to make things more robust.
Aug 20
Thanks, Lutz! Marking this as "Verified" since no problem with policy update for ephemeral AD users.
Chrome Version: 70.0.3524.2
Chrome OS Version: 10984.0.0
Chrome OS Platform: Robo
Comment 1 by rsorokin@chromium.org, May 3 2018