URL: https://github.com/SSSD/sssd/pull/120 Author: mzidek-rh Title: #120: GPO: Skip GPOs without gPCFunctionalityVersion Action: opened
PR body: """ We falsely stopped GPO processing when Group Policy Container in AD did not contain gPCFunctionalityVersion. Such GPOs should be ignored by SSSD. Resolves: https://fedorahosted.org/sssd/ticket/3269 """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/120/head:pr120 git checkout pr120
From db79699467597a98b7f225def39d4aebfe018f4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Thu, 15 Dec 2016 15:16:51 +0100 Subject: [PATCH] GPO: Skip GPOs without gPCFunctionalityVersion We falsely stopped GPO processing when Group Policy Container in AD did not contain gPCFunctionalityVersion. Such GPOs should be ignored by SSSD. Resolves: https://fedorahosted.org/sssd/ticket/3269 --- src/providers/ad/ad_gpo.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 2b06a0e..8371245 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -864,8 +864,6 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, access_allowed = false; candidate_gpo = candidate_gpos[i]; - sd = candidate_gpo->gpo_sd; - dacl = candidate_gpo->gpo_sd->dacl; DEBUG(SSSDBG_TRACE_ALL, "examining dacl candidate_gpo_guid:%s\n", candidate_gpo->gpo_guid); @@ -873,10 +871,13 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, /* gpo_func_version must be set to version 2 */ if (candidate_gpo->gpo_func_version != 2) { DEBUG(SSSDBG_TRACE_ALL, - "GPO not applicable to target per security filtering\n"); + AD_AT_FUNC_VERSION" of this GPO is not 2. Skipping.\n"); continue; } + sd = candidate_gpo->gpo_sd; + dacl = candidate_gpo->gpo_sd->dacl; + /* gpo_flags value of 2 means that GPO's computer portion is disabled */ if (candidate_gpo->gpo_flags == 2) { DEBUG(SSSDBG_TRACE_ALL, @@ -3849,7 +3850,13 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, /* retrieve AD_AT_FUNC_VERSION */ ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION, &gp_gpo->gpo_func_version); - if (ret != EOK) { + if (ret == ENOENT) { + DEBUG(SSSDBG_IMPORTANT_INFO, "GPO with GUID %s is missing attribute " + AD_AT_FUNC_VERSION " and will be skipped.\n", gp_gpo->gpo_guid); + state->gpo_index++; + ret = ad_gpo_get_gpo_attrs_step(req); + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed: [%d](%s)\n", ret, sss_strerror(ret));
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org