> On 24 Jul 2015, at 18:41, Michal Židek <mzi...@redhat.com> wrote: > > On 07/23/2015 09:46 AM, Lukas Slebodnik wrote: >> On (20/07/15 10:41), Stephen Gallagher wrote: >>> It is possible to have a machine where none of the GPOs associated with >>> it include access-control rules. Currently, this results in a >>> denial-by-system-error. >>> >>> We need to treat this case as allowing the user (see the test cases in >>> https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegra >>> tion >>> >>> We also need to delete the result object from the cache to ensure that >>> offline operation will also grant access. >>> >>> Resolves: >>> https://fedorahosted.org/sssd/ticket/2691 >> >>> From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001 >>> From: Stephen Gallagher <sgall...@redhat.com> >>> Date: Mon, 20 Jul 2015 09:29:19 -0400 >>> Subject: [PATCH] AD: Handle cases where no GPOs apply >>> >>> It is possible to have a machine where none of the GPOs associated with >>> it include access-control rules. Currently, this results in a >>> denial-by-system-error. >>> >>> We need to treat this case as allowing the user (see the test cases in >>> https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration >>> >>> We also need to delete the result object from the cache to ensure that >>> offline operation will also grant access. >>> >>> Resolves: >>> https://fedorahosted.org/sssd/ticket/2691 >>> --- >> This patch fixes ticket #2713. >> >> I need to better test #2691. because it works sometimes and sometime doesn't >> work. I assume there can be bug in as tests. (some leftovers from previous >> execution) >> >>> src/providers/ad/ad_gpo.c | 46 >>> +++++++++++++++++++++++++++++++++++++++++++--- >>> 1 file changed, 43 insertions(+), 3 deletions(-) >>> >>> diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c >>> index >>> 974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a >>> 100644 
>>> --- a/src/providers/ad/ad_gpo.c >>> +++ b/src/providers/ad/ad_gpo.c >>> @@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) >>> >>> talloc_zfree(subreq); >>> >>> ret = sdap_id_op_done(state->sdap_op, ret, &dp_error); >>> >>> - if (ret != EOK) { >>> + if (ret != EOK && ret != ENOENT) { >>> DEBUG(SSSDBG_OP_FAILURE, >>> "Unable to get GPO list: [%d](%s)\n", >>> ret, sss_strerror(ret)); >>> - ret = ENOENT; >>> + goto done; >>> + } else if (ret == ENOENT) { >>> + DEBUG(SSSDBG_OP_FAILURE, >>> + "No GPOs found that apply to this system.\n"); >> I'm not sure about this debug level. >> >> There is a plan to increase default debug level to SSSDBG_OP_FAILURE. >> An if the user does not have any GPOs on AD server then >> this message will be printed after each login. >> >> LS > > Hi Lukas, > > I am sending Stephen's patch updated according to > your request. > > I have not tested the patch however.
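Review bot: in the new `else if (ret == ENOENT)` branch of ad_gpo_process_gpo_done(), ENOENT becomes the outcome that grants access according to the commit message, yet the visible lines only test `ret` as returned by sdap_id_op_done() and never consult `dp_error`. Please confirm, and say so in a code comment above the branch, that ENOENT at this point can only mean "no GPO with access-control rules applies" and cannot also come from an offline or failed lookup, since any other source of ENOENT would turn an error into an allow. As Lukas notes, SSSDBG_OP_FAILURE is also the wrong level for "No GPOs found that apply to this system.": the branch is not a failure, so a trace level such as SSSDBG_TRACE_FUNC fits better and avoids a log line on every login. Replacing `ret = ENOENT;` with `goto done;` in the first branch is the right direction, because the real error code is no longer overwritten with the value that now means allow.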
Me neither, but if the debug level was the only complaint, then I vote for pushing the patch.

>
> Michal
>
> --
> Senior Principal Intern
> <0001-AD-Handle-cases-where-no-GPOs-apply.patch>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel