----- Original Message -----
> ehlo,
>
> If there is a problem with GPO configuration on AD, then function
> ad_gpo_access_done set error to the request and authentication was rejected
> with pam system error. It should not happen in permissive mode.
>
> Patch is attached. I can modify debug messages or add some logging to the
> syslog. Any suggestion is welcomed.
>
> LS
>
Good catch. I would suggest two changes:

* display ret before sss_strerror(ret) in the DEBUG message
* add the syslog message we use in other places in which we would have
  failed had the mode been "enforcing"

In other words:

    if (mode == GPO_ACCESS_CONTROL_ENFORCING) {
        /* enforcing: the GPO error fails the request */
        tevent_req_error(req, ret);
    } else {
        /* not enforcing: log the error and let the request complete */
        DEBUG(SSSDBG_OP_FAILURE,
              "Ignoring error:[%d](%s); GPO-based access control failed,"
              " but GPO is not in enforcing mode.\n",
              ret, sss_strerror(ret));
        sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \
                    "have been denied GPO-based logon access if the " \
                    "ad_gpo_access_control option were set to enforcing " \
                    "mode.");
        tevent_req_done(req);
    }

Regards,
Yassir.