ehlo,

If there is a problem with the GPO configuration on AD, then the function
ad_gpo_access_done sets an error on the request and authentication is rejected
with a PAM system error. It should not happen in permissive mode.

The patch is attached. I can modify the debug messages or add some logging to the
syslog. Any suggestions are welcome.

LS
From 3b826a239b5cdd7d368edd9f40876a6e0b1eeb89 Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lsleb...@redhat.com>
Date: Mon, 1 Sep 2014 13:29:14 +0200
Subject: [PATCH] AD: Ignore all errors if gpo is in permissive mode.

This patch prevents problems with user authentication
if gpo is misconfigured.

[ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target.
[sdap_id_op_destroy] (0x4000): releasing operation connection
[ad_gpo_access_done] (0x0040): GPO-based access control failed.
[be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or
                                    directory) [Internal Error (System error)]
[be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com]
[be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com]
---
 src/providers/ad/ad_access.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index 74077ec1022c84b6930b423f706c9f1f2131e601..f008a66c4ef163ed02b5bc04e174b3a320dfd136 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -415,9 +415,13 @@ static void
 ad_gpo_access_done(struct tevent_req *subreq)
 {
     struct tevent_req *req;
+    struct ad_access_state *state;
     errno_t ret;
+    enum gpo_access_control_mode mode;
 
     req = tevent_req_callback_data(subreq, struct tevent_req);
+    state = tevent_req_data(req, struct ad_access_state);
+    mode = state->ctx->gpo_access_control_mode;
 
     ret = ad_gpo_access_recv(subreq);
     talloc_zfree(subreq);
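Review bot: `state` and `mode` are fetched on entry but are only consulted in the failure path of the next hunk, so the success path carries two unused locals; reading `state->ctx->gpo_access_control_mode` directly in the `else` branch (or moving the two lookups there) keeps the lookup next to the one place the mode matters. Not a correctness problem, only a style point.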
@@ -427,7 +431,15 @@ ad_gpo_access_done(struct tevent_req *subreq)
         tevent_req_done(req);
     } else {
         DEBUG(SSSDBG_OP_FAILURE, "GPO-based access control failed.\n");
-        tevent_req_error(req, ret);
+        if (mode == GPO_ACCESS_CONTROL_ENFORCING) {
+            tevent_req_error(req, ret);
+        } else {
+            DEBUG(SSSDBG_OP_FAILURE,
+                  "Ignoring error:%s[%d]; GPO-based access control failed,"
+                  " but GPO is not in enforcing mode.\n",
+                  sss_strerror(ret), ret);
+            tevent_req_done(req);
+        }
     }
 }
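Review bot: in the non-enforcing branch one failure now emits two SSSDBG_OP_FAILURE messages, the unconditional "GPO-based access control failed." above the `if` and the "Ignoring error:%s[%d]; ..." line below it; move the first DEBUG into the enforcing branch or fold it into the second message. The more important point for operators: this branch is the only trace that a login was allowed without GPO evaluation, and since the subject says all errors are ignored, a transient LDAP failure and a genuinely broken policy now look identical and both disappear at debug level 0x0040. The cover letter offers to add syslog output; this is the place for it, or at least raise the permissive-mode message to SSSDBG_CRIT_FAILURE so a default log level shows that permissive mode masked an error. Nit: "Ignoring error:%s[%d];" wants a space after the colon.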
 
-- 
2.1.0

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
