It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error.

We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration). We also need to delete the result object from the cache to ensure that offline operation will also grant access.

Resolves: https://fedorahosted.org/sssd/ticket/2691
From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher <sgall...@redhat.com> Date: Mon, 20 Jul 2015 09:29:19 -0400 Subject: [PATCH] AD: Handle cases where no GPOs apply It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2691 --- src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c 
@@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) talloc_zfree(subreq); ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); - if (ret != EOK) { + if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get GPO list: [%d](%s)\n", ret, sss_strerror(ret)); - ret = ENOENT; + goto done; + } else if (ret == ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "No GPOs found that apply to this system.\n"); + /* + * Delete the result object list, since there are no + * GPOs to include in it. + */ + ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain); + if (ret != EOK) { + switch (ret) { + case ENOENT: + DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n"); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not delete GPO Result from cache: [%s]\n", + sss_strerror(ret)); + goto done; + } + } + + ret = EOK; goto done; } ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain, state->opts->idmap_ctx->map, @@ -1971,10 +1993,29 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) if (state->dacl_filtered_gpos[0] == NULL) { /* since no applicable gpos were found, there is nothing to enforce */ DEBUG(SSSDBG_TRACE_FUNC, "no applicable gpos found after dacl filtering\n"); + + /* + * Delete the result object list, since there are no + * GPOs to include in it. + */ + ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain); + if (ret != EOK) { + switch (ret) { + case ENOENT: + DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n"); + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, + "Could not delete GPO Result from cache: [%s]\n", + sss_strerror(ret)); + goto done; + } + } + ret = EOK; goto done; } for (i = 0; i < state->num_dacl_filtered_gpos; i++) { 
@@ -3420,11 +3461,10 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx, if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve GPO List: [%d](%s)\n", ret, sss_strerror(ret)); - ret = ENOENT; goto immediately; } if (state->candidate_gpos == NULL) { DEBUG(SSSDBG_OP_FAILURE, "no gpos found\n"); -- 2.4.3
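Review bot: in the first hunk of ad_gpo_process_gpo_done (@@ -1947), the new `else if (ret == ENOENT)` branch logs "No GPOs found that apply to this system." at SSSDBG_OP_FAILURE, but the same branch then sets `ret = EOK`, and the commit message says this is now the intended allow case; the parallel branch further down in the same function logs "no applicable gpos found after dacl filtering" at SSSDBG_TRACE_FUNC. Please use one level for both (TRACE_FUNC, or at most a minor-failure level) so an admin scanning the log for OP_FAILURE does not see a granted access reported as a failure. It would also help to extend the block comment ("Delete the result object list, since there are no GPOs to include in it.") with one sentence saying that access is being granted here: the `ret = EOK` is the security-relevant line of the hunk and is easy to miss underneath the cache-cleanup code.

Review bot: the second hunk of ad_gpo_process_gpo_done (@@ -1971) pastes the `sysdb_gpo_delete_gpo_result_object` call and its `switch (ret)` on ENOENT verbatim from the first hunk. Factoring the two copies into a small static helper (something like a hypothetical `ad_gpo_clear_result_object(state, state->host_domain)`; the name is a suggestion, not an existing function) keeps the two allow paths from drifting apart, since both are now part of the access decision. One behaviour worth a comment in that helper: on any delete error other than ENOENT the code does `goto done` with the error still in `ret`, so a cache write failure results in a denial rather than a grant. That is the fail-closed choice, but it should be stated as intentional.

Review bot: removing `ret = ENOENT;` after "Unable to retrieve GPO List" in ad_gpo_process_gpo_send (@@ -3420) is the half of this patch that keeps it from being a security regression: now that ad_gpo_process_gpo_done treats ENOENT as "no GPOs apply, grant access", an LDAP lookup failure that was previously collapsed into ENOENT would otherwise have turned into a grant. The visible context stops at `if (state->candidate_gpos == NULL) { DEBUG(SSSDBG_OP_FAILURE, "no gpos found\n");`, so please confirm that this branch is the only path that makes ENOENT reach the callback (and that nothing in sdap_id_op_done remaps a connection or timeout error to ENOENT), and add a "GPO list retrieval fails" case next to the "no GPOs" test cases referenced in the commit message so the distinction between "no policy" and "could not read the policy" is pinned down by a test.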
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel