On 07/23/2015 09:46 AM, Lukas Slebodnik wrote:
On (20/07/15 10:41), Stephen Gallagher wrote:
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2691
From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: [PATCH] AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2691
---
This patch fixes ticket #2713.
I need to better test #2691, because it works sometimes and sometimes doesn't
work. I assume there can be a bug in as tests (some leftovers from a previous
execution).
src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
talloc_zfree(subreq);
ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to get GPO list: [%d](%s)\n",
ret, sss_strerror(ret));
- ret = ENOENT;
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No GPOs found that apply to this system.\n");
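Review bot: the new `else if (ret == ENOENT)` branch turns an ENOENT returned through `sdap_id_op_done()` into an allow, so it is worth confirming that ENOENT can only mean an empty GPO list at this point and never a failed lookup; until this patch the send function's own failure path collapsed every error into ENOENT (the `- ret = ENOENT;` removed in the `ad_gpo_process_gpo_send` hunk of the full patch), so any path still relying on that mapping would now grant access on error. Separately, `SSSDBG_OP_FAILURE` on a condition that is expected whenever a host simply has no GPOs will log on every login once the default level is raised; `SSSDBG_TRACE_FUNC`, as used for the "no applicable gpos found" message further down in the same function, fits better.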
I'm not sure about this debug level.
There is a plan to increase default debug level to SSSDBG_OP_FAILURE.
And if the user does not have any GPOs on AD server then
this message will be printed after each login.
LS
Hi Lukas,
I am sending Stephen's patch updated according to
your request.
I have not tested the patch however.
Michal
--
Senior Principal Intern
From 027a680b4bb6c35c757e26c8db6a4e2995cfb1cb Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgall...@redhat.com>
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: [PATCH] AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2713
---
src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 974fd04..ffd8ac5 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1949,11 +1949,33 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to get GPO list: [%d](%s)\n",
ret, sss_strerror(ret));
- ret = ENOENT;
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No GPOs found that apply to this system.\n");
+ /*
+ * Delete the result object list, since there are no
+ * GPOs to include in it.
+ */
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+ if (ret != EOK) {
+ switch (ret) {
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not delete GPO Result from cache: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
+ ret = EOK;
goto done;
}
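Review bot: the "Delete the result object list" block added under `} else if (ret == ENOENT) {` is repeated verbatim in the next hunk of this function after the DACL-filtering message; moving it into a small static helper that takes `state` would keep the two copies from drifting apart. The `switch (ret)` with a single `case ENOENT:` also reads more directly as `if (ret == ENOENT) { ... } else { ... }`. Note the effect of the failure arm: a cache delete error other than ENOENT leaves `ret` non-EOK and jumps to `done`, so a cache problem now denies a login that the policy evaluation would have allowed. Failing closed is the safer direction, but it should be a deliberate choice and the comment should say so.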
@@ -1973,6 +1995,25 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
/* since no applicable gpos were found, there is nothing to enforce */
DEBUG(SSSDBG_TRACE_FUNC,
"no applicable gpos found after dacl filtering\n");
+
+ /*
+ * Delete the result object list, since there are no
+ * GPOs to include in it.
+ */
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+ if (ret != EOK) {
+ switch (ret) {
+ case ENOENT:
+ DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+ break;
+ default:
+ DEBUG(SSSDBG_FATAL_FAILURE,
+ "Could not delete GPO Result from cache: [%s]\n",
+ sss_strerror(ret));
+ goto done;
+ }
+ }
+
ret = EOK;
goto done;
}
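Review bot: the `"Could not delete GPO Result from cache: [%s]\n"` message logs only `sss_strerror(ret)`, whereas the other error messages in this function use `[%d](%s)` with `ret, sss_strerror(ret)`; matching that format keeps the numeric code available when grepping logs. The `SSSDBG_FATAL_FAILURE` level is also high for a cache-only problem on a path that is the normal outcome for many hosts (no GPOs survive DACL filtering); `SSSDBG_OP_FAILURE`, already used for the "Unable to get GPO list" failure above, is more in keeping with the rest of the function.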
@@ -3422,7 +3463,6 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
DEBUG(SSSDBG_OP_FAILURE,
"Unable to retrieve GPO List: [%d](%s)\n",
ret, sss_strerror(ret));
- ret = ENOENT;
goto immediately;
}
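Review bot: dropping `ret = ENOENT;` here means `ad_gpo_process_gpo_send` now propagates the underlying error code instead of collapsing every failure to ENOENT, which is what lets `ad_gpo_process_gpo_done` treat ENOENT as "no GPOs apply" rather than "lookup failed". The `goto immediately` path and the matching recv function should be checked so that no other caller still tests for ENOENT to detect this failure, since such a caller would now receive the raw code and skip its error handling.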
--
2.1.0
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel