URL: https://github.com/SSSD/sssd/pull/120
Author: mzidek-rh
Title: #120: GPO: Skip GPOs without gPCFunctionalityVersion
Action: opened

PR body:
"""
We falsely stopped GPO processing when Group Policy Container
in AD did not contain gPCFunctionalityVersion. Such GPOs
should be ignored by SSSD.

Resolves:
https://fedorahosted.org/sssd/ticket/3269
"""

To pull the PR as a Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/120/head:pr120
git checkout pr120
From db79699467597a98b7f225def39d4aebfe018f4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com>
Date: Thu, 15 Dec 2016 15:16:51 +0100
Subject: [PATCH] GPO: Skip GPOs without gPCFunctionalityVersion

We falsely stopped GPO processing when Group Policy Container
in AD did not contain gPCFunctionalityVersion. Such GPOs
should be ignored by SSSD.

Resolves:
https://fedorahosted.org/sssd/ticket/3269
---
 src/providers/ad/ad_gpo.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 2b06a0e..8371245 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -864,8 +864,6 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
 
         access_allowed = false;
         candidate_gpo = candidate_gpos[i];
-        sd = candidate_gpo->gpo_sd;
-        dacl = candidate_gpo->gpo_sd->dacl;
 
         DEBUG(SSSDBG_TRACE_ALL, "examining dacl candidate_gpo_guid:%s\n",
                                 candidate_gpo->gpo_guid);
@@ -873,10 +871,13 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
         /* gpo_func_version must be set to version 2 */
         if (candidate_gpo->gpo_func_version != 2) {
             DEBUG(SSSDBG_TRACE_ALL,
-                  "GPO not applicable to target per security filtering\n");
+                  AD_AT_FUNC_VERSION" of this GPO is not 2. Skipping.\n");
             continue;
         }
 
+        sd = candidate_gpo->gpo_sd;
+        dacl = candidate_gpo->gpo_sd->dacl;
+
         /* gpo_flags value of 2 means that GPO's computer portion is disabled */
         if (candidate_gpo->gpo_flags == 2) {
             DEBUG(SSSDBG_TRACE_ALL,
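Review bot: The relocated `dacl = candidate_gpo->gpo_sd->dacl;` still dereferences gpo_sd without a NULL check, and nothing in the hunk says why the two assignments had to move below the gpo_func_version test. If the reason is that a GPO skipped for a missing attribute may have no security descriptor, add a one-line comment saying so and guard with an explicit `if (candidate_gpo->gpo_sd == NULL)` skip, so that safety does not depend on gpo_func_version happening to differ from 2. Separately, `AD_AT_FUNC_VERSION" of this GPO is not 2. Skipping.\n"` needs a space between the macro and the string literal, matching the `AD_AT_FUNC_VERSION " and will be skipped.\n"` form used in the ad_gpo_sd_process_attrs change.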
@@ -3849,7 +3850,13 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
     /* retrieve AD_AT_FUNC_VERSION */
     ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION,
                                   &gp_gpo->gpo_func_version);
-    if (ret != EOK) {
+    if (ret == ENOENT) {
+        DEBUG(SSSDBG_IMPORTANT_INFO, "GPO with GUID %s is missing attribute "
+              AD_AT_FUNC_VERSION " and will be skipped.\n", gp_gpo->gpo_guid);
+        state->gpo_index++;
+        ret = ad_gpo_get_gpo_attrs_step(req);
+        goto done;
+    } else if (ret != EOK) {
         DEBUG(SSSDBG_OP_FAILURE,
               "sysdb_attrs_get_int32_t failed: [%d](%s)\n",
               ret, sss_strerror(ret));
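Review bot: In the new ENOENT branch gp_gpo->gpo_func_version is never assigned, and the branch does not remove the entry from the candidate list, so the later filter in ad_gpo_filter_gpos_by_dacl skips it only if the field happens to hold something other than 2. Assign it explicitly in this branch (for example to 0) before `state->gpo_index++`, or add a comment stating what value the field holds after sysdb_attrs_get_int32_t returns ENOENT. The `goto done` is also taken with the return value of ad_gpo_get_gpo_attrs_step(req); the done label is outside the visible context, so a short comment on how a successful step result is handled there would help readers confirm the request is not completed early.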