URL: https://github.com/SSSD/sssd/pull/552 Author: rdratlos Title: #552: GPO: Store security CSE settings of all applicable GPOs Action: opened
PR body: """ When two or more GPO rules were defined on the server and one of them contained no SIDs (no users or groups were specified), then SSSD failed to store such rule and users were denied access (system error). Access control settings for users and groups (e.g. allow/deny interactive login) may be split on more than one GPO. Current SSSD implementation overwrites settings of previously analyzed GPOs with the settings of subsequently analyzed GPOs. Check if allowed or denied SIDs retrieved from previous GPOs are stored in the group policy result object within the GPO cache and append missing SIDs, that have been retrieved from subsequent GPOs in the GPO list. Resolves: https://pagure.io/SSSD/sssd/issue/3680 Signed-off-by: Thomas Reim <rei...@gmail.com> """ To pull the PR as Git branch: git remote add ghsssd https://github.com/SSSD/sssd git fetch ghsssd pull/552/head:pr552 git checkout pr552
From 1a614ac3a8340b122e7da12ae4aaaf06e76d3762 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzi...@redhat.com> Date: Wed, 11 Apr 2018 18:56:53 +0200 Subject: [PATCH] GPO: Fix bug with empty GPO rules When two or more GPO rules were defined on the server and one of them contained no SIDs (no users or groups were specified), then SSSD failed to store such rule and users were denied access (system error). Access control settings for users and groups (e.g. allow/deny interactive login) may be split on more than one GPO. Current SSSD implementation overwrites settings of previously analyzed GPOs with the settings of subsequently analyzed GPOs. Check if allowed or denied SIDs retrieved from previous GPOs are stored in the group policy result object within the GPO cache and append missing SIDs, that have been retrieved from subsequent GPOs in the GPO list. Resolves: https://pagure.io/SSSD/sssd/issue/3680 Signed-off-by: Thomas Reim <rei...@gmail.com> --- src/db/sysdb.h | 36 ++++--- src/db/sysdb_gpo.c | 86 +++++++++-------- src/providers/ad/ad_gpo.c | 234 +++++++++++++++++++++++++++++++--------------- 3 files changed, 226 insertions(+), 130 deletions(-) diff --git a/src/db/sysdb.h b/src/db/sysdb.h index 2660314a7..27e78bb28 100644 --- a/src/db/sysdb.h +++ b/src/db/sysdb.h @@ -1346,6 +1346,7 @@ errno_t sysdb_remove_mapped_data(struct sss_domain_info *domain, /* === Functions related to GPOs === */ #define SYSDB_GPO_CONTAINER "cn=gpos,cn=ad,cn=custom" +#define SYSDB_GP_RESULT_CONTAINER "cn=gp_results,"SYSDB_GPO_CONTAINER /* === Functions related to GPO entries === */ @@ -1381,25 +1382,32 @@ errno_t sysdb_gpo_get_gpos(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, struct ldb_result **_result); -/* === Functions related to GPO Result object === */ +/* === Functions related to CSE entries === */ -#define SYSDB_GPO_RESULT_OC "gpo_result" -#define SYSDB_GPO_RESULT_FILTER "(objectClass="SYSDB_GPO_RESULT_OC")" +#define SYSDB_CSE_GUID_ATTR "cseGUID" -#define SYSDB_TMPL_GPO_RESULT_BASE SYSDB_GPO_CONTAINER","SYSDB_DOM_BASE -#define SYSDB_TMPL_GPO_RESULT "cn=%s,"SYSDB_TMPL_GPO_RESULT_BASE +/* === Functions related to GP Result object === */ -errno_t sysdb_gpo_delete_gpo_result_object(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain); +#define SYSDB_GP_RESULT_OC "gp_result" +#define SYSDB_GP_RESULT_FILTER "(objectClass="SYSDB_GP_RESULT_OC")" -errno_t sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, - const char *policy_setting_key, - const char *policy_setting_value); +#define SYSDB_TMPL_GP_RESULT_BASE SYSDB_GP_RESULT_CONTAINER","SYSDB_DOM_BASE +#define SYSDB_TMPL_GP_RESULT SYSDB_CSE_GUID_ATTR"=%s,"SYSDB_TMPL_GP_RESULT_BASE -errno_t sysdb_gpo_get_gpo_result_setting(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - const char *policy_setting_key, - const char **policy_setting_value); +errno_t sysdb_gpo_delete_gp_result_object(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid); + +errno_t sysdb_gpo_store_gp_result_setting(struct sss_domain_info *domain, + const char *cse_guid, + const char *policy_setting_key, + const char *policy_setting_value); + +errno_t sysdb_gpo_get_gp_result_setting(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid, + const char *policy_setting_key, + const char **policy_setting_value); errno_t sysdb_get_sids_of_members(TALLOC_CTX *mem_ctx, struct sss_domain_info *dom, diff --git a/src/db/sysdb_gpo.c b/src/db/sysdb_gpo.c index e5af91bd8..7f779d596 100644 --- a/src/db/sysdb_gpo.c +++ b/src/db/sysdb_gpo.c @@ -353,36 +353,37 @@ sysdb_gpo_get_gpos(TALLOC_CTX *mem_ctx, return ret; } -/* GPO Result */ +/* Group Policy (GP) Result */ static struct ldb_dn * -sysdb_gpo_result_dn(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - const char *result_name) +sysdb_gpo_gp_result_dn(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid) { errno_t ret; - char *clean_result_name; + char *clean_cse_guid; struct ldb_dn *dn; - ret = sysdb_dn_sanitize(NULL, result_name, &clean_result_name); + ret = sysdb_dn_sanitize(NULL, cse_guid, &clean_cse_guid); if (ret != EOK) { return NULL; } - DEBUG(SSSDBG_TRACE_ALL, SYSDB_TMPL_GPO_RESULT"\n", - clean_result_name, domain->name); + DEBUG(SSSDBG_TRACE_ALL, SYSDB_TMPL_GP_RESULT"\n", + clean_cse_guid, domain->name); - dn = ldb_dn_new_fmt(mem_ctx, domain->sysdb->ldb, SYSDB_TMPL_GPO_RESULT, - clean_result_name, domain->name); - talloc_free(clean_result_name); + dn = ldb_dn_new_fmt(mem_ctx, domain->sysdb->ldb, SYSDB_TMPL_GP_RESULT, + clean_cse_guid, domain->name); + talloc_free(clean_cse_guid); return dn; } errno_t -sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, - const char *ini_key, - const char *ini_value) +sysdb_gpo_store_gp_result_setting(struct sss_domain_info *domain, + const char *cse_guid, + const char *ini_key, + const char *ini_value) { errno_t ret, sret; int lret; @@ -401,7 +402,7 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, goto done; } - update_msg->dn = sysdb_gpo_result_dn(update_msg, domain, "gpo_result"); + update_msg->dn = sysdb_gpo_gp_result_dn(update_msg, domain, cse_guid); if (!update_msg->dn) { ret = ENOMEM; goto done; @@ -415,12 +416,12 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, in_transaction = true; - /* Check for an existing GPO Result object */ + /* Check for an existing GP Result object */ ret = sysdb_search_entry(tmp_ctx, domain->sysdb, update_msg->dn, LDB_SCOPE_BASE, NULL, NULL, &count, &msgs); if (ret == ENOENT) { - /* Create new GPO Result object */ + /* Create new GP Result object */ DEBUG(SSSDBG_TRACE_FUNC, "Storing setting: key [%s] value [%s]\n", ini_key, ini_value); @@ -434,7 +435,7 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, } lret = ldb_msg_add_string(update_msg, SYSDB_OBJECTCLASS, - SYSDB_GPO_RESULT_OC); + SYSDB_GP_RESULT_OC); if (lret != LDB_SUCCESS) { ret = sysdb_error_to_errno(lret); goto done; @@ -460,13 +461,13 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, lret = ldb_add(domain->sysdb->ldb, update_msg); if (lret != LDB_SUCCESS) { DEBUG(SSSDBG_MINOR_FAILURE, - "Failed to add GPO Result: [%s]\n", + "Failed to add GP Result: [%s]\n", ldb_strerror(lret)); ret = sysdb_error_to_errno(lret); goto done; } } else if (ret == EOK && count == 1) { - /* Update existing GPO Result object*/ + /* Update existing GP Result object*/ if (ini_value) { DEBUG(SSSDBG_TRACE_FUNC, "Updating setting: key [%s] value [%s]\n", ini_key, ini_value); @@ -501,7 +502,7 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, lret = ldb_modify(domain->sysdb->ldb, update_msg); if (lret != LDB_SUCCESS) { DEBUG(SSSDBG_MINOR_FAILURE, - "Failed to modify GPO Result: [%s](%d)[%s]\n", + "Failed to modify GP Result: [%s](%d)[%s]\n", ldb_strerror(lret), lret, ldb_errstring(domain->sysdb->ldb)); ret = sysdb_error_to_errno(lret); goto done; @@ -531,10 +532,11 @@ sysdb_gpo_store_gpo_result_setting(struct sss_domain_info *domain, } static errno_t -sysdb_gpo_get_gpo_result_object(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - const char **attrs, - struct ldb_result **_result) +sysdb_gpo_get_gp_result_object(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid, + const char **attrs, + struct ldb_result **_result) { errno_t ret; int lret; @@ -545,21 +547,21 @@ sysdb_gpo_get_gpo_result_object(TALLOC_CTX *mem_ctx, tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; - DEBUG(SSSDBG_TRACE_ALL, SYSDB_TMPL_GPO_RESULT_BASE"\n", domain->name); + DEBUG(SSSDBG_TRACE_ALL, SYSDB_TMPL_GP_RESULT"\n", cse_guid, domain->name); base_dn = ldb_dn_new_fmt(tmp_ctx, domain->sysdb->ldb, - SYSDB_TMPL_GPO_RESULT_BASE, - domain->name); + SYSDB_TMPL_GP_RESULT, + cse_guid, domain->name); if (!base_dn) { ret = ENOMEM; goto done; } lret = ldb_search(domain->sysdb->ldb, tmp_ctx, &res, base_dn, - LDB_SCOPE_SUBTREE, attrs, SYSDB_GPO_RESULT_FILTER); + LDB_SCOPE_SUBTREE, attrs, SYSDB_GP_RESULT_FILTER); if (lret) { DEBUG(SSSDBG_MINOR_FAILURE, - "Could not locate GPO Result object: [%s]\n", + "Could not locate GP Result object: [%s]\n", ldb_strerror(lret)); ret = sysdb_error_to_errno(lret); goto done; @@ -576,7 +578,7 @@ sysdb_gpo_get_gpo_result_object(TALLOC_CTX *mem_ctx, done: if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_ALL, "No GPO Result object.\n"); + DEBUG(SSSDBG_TRACE_ALL, "No GP Result object in cache.\n"); } else if (ret) { DEBUG(SSSDBG_OP_FAILURE, "Error: %d (%s)\n", ret, strerror(ret)); } @@ -587,8 +589,9 @@ sysdb_gpo_get_gpo_result_object(TALLOC_CTX *mem_ctx, errno_t -sysdb_gpo_get_gpo_result_setting(TALLOC_CTX *mem_ctx, +sysdb_gpo_get_gp_result_setting(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain, + const char *cse_guid, const char *ini_key, const char **_ini_value) { @@ -602,7 +605,11 @@ sysdb_gpo_get_gpo_result_setting(TALLOC_CTX *mem_ctx, tmp_ctx = talloc_new(NULL); if (!tmp_ctx) return ENOMEM; - ret = sysdb_gpo_get_gpo_result_object(tmp_ctx, domain, attrs, &res); + ret = sysdb_gpo_get_gp_result_object(tmp_ctx, + domain, + cse_guid, + attrs, + &res); if (ret != EOK) { goto done; } @@ -634,8 +641,9 @@ sysdb_gpo_get_gpo_result_setting(TALLOC_CTX *mem_ctx, } -errno_t sysdb_gpo_delete_gpo_result_object(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain) +errno_t sysdb_gpo_delete_gp_result_object(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid) { struct ldb_result *res; errno_t ret, sret; @@ -649,18 +657,18 @@ errno_t sysdb_gpo_delete_gpo_result_object(TALLOC_CTX *mem_ctx, in_transaction = true; - ret = sysdb_gpo_get_gpo_result_object(mem_ctx, domain, NULL, &res); + ret = sysdb_gpo_get_gp_result_object(mem_ctx, domain, cse_guid, NULL, &res); if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, - "Could not delete GPO result object: %d\n", ret); + "Could not delete GP result object: %d\n", ret); goto done; } else if (ret != ENOENT) { - DEBUG(SSSDBG_TRACE_FUNC, "Deleting GPO Result object\n"); + DEBUG(SSSDBG_TRACE_FUNC, "Deleting GP Result object\n"); ret = sysdb_delete_entry(domain->sysdb, res->msgs[0]->dn, true); if (ret != EOK) { DEBUG(SSSDBG_MINOR_FAILURE, - "Could not delete GPO Result cache entry\n"); + "Could not delete GP Result cache entry\n"); goto done; } } diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index a48f264c7..3bbe09160 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -76,6 +76,8 @@ #define SMB_STANDARD_URI "smb://" #define BUFSIZE 65536 +/* == cse-security constants =============================================== */ + #define RIGHTS_SECTION "Privilege Rights" #define ALLOW_LOGON_INTERACTIVE "SeInteractiveLogonRight" #define DENY_LOGON_INTERACTIVE "SeDenyInteractiveLogonRight" @@ -1117,6 +1119,68 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, return ret; } +/* + * This function retrieves the raw policy_setting_value for the input key from + * the GP result object in the sysdb cache. It then parses the raw value and + * uses the results to populate the output parameters with the sids_list and + * the size of the sids_list. + */ +errno_t +parse_policy_setting_value(TALLOC_CTX *mem_ctx, + struct sss_domain_info *domain, + const char *cse_guid, + const char *key, + char ***_sids_list, + int *_sids_list_size) +{ + int ret; + int i; + const char *value; + int sids_list_size; + char **sids_list = NULL; + + ret = sysdb_gpo_get_gp_result_setting(mem_ctx, + domain, cse_guid, + key, &value); + if (ret == ENOENT) { + DEBUG(SSSDBG_TRACE_FUNC, "No previous GP result\n"); + value = NULL; + } else if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot retrieve settings from sysdb for key: '%s' [%d][%s].\n", + key, ret, sss_strerror(ret)); + goto done; + } + + if (value == NULL) { + DEBUG(SSSDBG_TRACE_FUNC, + "No value for key [%s] found in gpo result\n", key); + sids_list_size = 0; + } else { + ret = split_on_separator(mem_ctx, value, ',', true, true, + &sids_list, &sids_list_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "Cannot parse list of sids %s: %d\n", value, ret); + ret = EINVAL; + goto done; + } + + for (i = 0; i < sids_list_size; i++) { + /* remove the asterisk prefix found on sids */ + sids_list[i]++; + } + } + + *_sids_list = talloc_steal(mem_ctx, sids_list); + *_sids_list_size = sids_list_size; + + ret = EOK; + + done: + return ret; +} + /* * This function parses the cse-specific (GP_EXT_GUID_SECURITY) filename, * and stores the allow_key and deny_key of all of the gpo_map_types present @@ -1124,16 +1188,19 @@ ad_gpo_extract_policy_setting(TALLOC_CTX *mem_ctx, */ static errno_t ad_gpo_store_policy_settings(struct sss_domain_info *domain, + const char *cse_guid, const char *filename) { struct ini_cfgfile *file_ctx = NULL; struct ini_cfgobj *ini_config = NULL; int ret; - int i; + int i, j; char *allow_value = NULL; char *deny_value = NULL; const char *allow_key = NULL; const char *deny_key = NULL; + char **sids_list; + int sids_list_size; TALLOC_CTX *tmp_ctx = NULL; tmp_ctx = talloc_new(NULL); @@ -1252,9 +1319,38 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, allow_key, ret, sss_strerror(ret)); goto done; } else if (ret != ENOENT) { - ret = sysdb_gpo_store_gpo_result_setting(domain, - allow_key, - allow_value); + /* SIDs might already have been stored from other GPOs */ + ret = parse_policy_setting_value(tmp_ctx, + domain, + cse_guid, + allow_key, + &sids_list, + &sids_list_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "parse_policy_setting_value failed for key %s: [%d](%s)\n", + allow_key, ret, sss_strerror(ret)); + ret = EINVAL; + goto done; + } + + if (sids_list != NULL) { + for (j = 0; j < sids_list_size; j++) { + if (strstr(allow_value, sids_list[j]) == NULL) { + /* SID not in allowed SIDs list */ + allow_value = talloc_asprintf_append(allow_value, + ",*%s", + sids_list[j]); + } + } + talloc_free(sids_list); + } + /* Store updated GP result object including allowed SIDs from + this GPO */ + ret = sysdb_gpo_store_gp_result_setting(domain, + cse_guid, + allow_key, + allow_value); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_gpo_store_gpo_result_setting failed for key:" @@ -1278,9 +1374,37 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain, deny_key, ret, sss_strerror(ret)); goto done; } else if (ret != ENOENT) { - ret = sysdb_gpo_store_gpo_result_setting(domain, - deny_key, - deny_value); + /* SIDs might already have been stored from other GPOs */ + ret = parse_policy_setting_value(tmp_ctx, + domain, + cse_guid, + deny_key, + &sids_list, + &sids_list_size); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "parse_policy_setting_value failed for key %s: [%d](%s)\n", + deny_key, ret, sss_strerror(ret)); + ret = EINVAL; + goto done; + } + + if (sids_list != NULL) { + for (j = 0; j < sids_list_size; j++) { + if (strstr(deny_value, sids_list[j]) == NULL) { + /* SID not in denied SIDs list */ + deny_value = talloc_asprintf_append(deny_value, + ",*%s", + sids_list[j]); + } + } + } + /* Store updated GP result object including denied SIDs from + this GPO */ + ret = sysdb_gpo_store_gp_result_setting(domain, + cse_guid, + deny_key, + deny_value); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "sysdb_gpo_store_gpo_result_setting failed for key:" @@ -1427,65 +1551,6 @@ static errno_t gpo_child_init(void) return child_debug_init(GPO_CHILD_LOG_FILE, &gpo_child_debug_fd); } -/* - * This function retrieves the raw policy_setting_value for the input key from - * the GPO_Result object in the sysdb cache. It then parses the raw value and - * uses the results to populate the output parameters with the sids_list and - * the size of the sids_list. - */ -errno_t -parse_policy_setting_value(TALLOC_CTX *mem_ctx, - struct sss_domain_info *domain, - const char *key, - char ***_sids_list, - int *_sids_list_size) -{ - int ret; - int i; - const char *value; - int sids_list_size; - char **sids_list = NULL; - - ret = sysdb_gpo_get_gpo_result_setting(mem_ctx, domain, key, &value); - if (ret == ENOENT) { - DEBUG(SSSDBG_TRACE_FUNC, "No previous GPO result\n"); - value = NULL; - } else if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Cannot retrieve settings from sysdb for key: '%s' [%d][%s].\n", - key, ret, sss_strerror(ret)); - goto done; - } - - if (value == NULL) { - DEBUG(SSSDBG_TRACE_FUNC, - "No value for key [%s] found in gpo result\n", key); - sids_list_size = 0; - } else { - ret = split_on_separator(mem_ctx, value, ',', true, true, - &sids_list, &sids_list_size); - if (ret != EOK) { - DEBUG(SSSDBG_OP_FAILURE, - "Cannot parse list of sids %s: %d\n", value, ret); - ret = EINVAL; - goto done; - } - - for (i = 0; i < sids_list_size; i++) { - /* remove the asterisk prefix found on sids */ - sids_list[i]++; - } - } - - *_sids_list = talloc_steal(mem_ctx, sids_list); - *_sids_list_size = sids_list_size; - - ret = EOK; - - done: - return ret; -} - /* * This cse-specific function (GP_EXT_GUID_SECURITY) performs HBAC policy * processing and determines whether logon access is granted or denied for @@ -1494,13 +1559,14 @@ parse_policy_setting_value(TALLOC_CTX *mem_ctx, * access is denied. * * Internally, this function retrieves the allow_value and deny_value for the - * input gpo_map_type from the GPO Result object in the sysdb cache, parses + * input gpo_map_type from the GP result object in the sysdb cache, parses * the values into allow_sids and deny_sids, and executes the access control * algorithm which compares the allow_sids and deny_sids against the user_sid * and group_sids for the input user. */ static errno_t ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, + const char *cse_guid, enum gpo_access_control_mode gpo_mode, enum gpo_map_type gpo_map_type, const char *user, @@ -1520,8 +1586,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, deny_key = gpo_map_option_entries[gpo_map_type].deny_key; DEBUG(SSSDBG_TRACE_ALL, "deny_key: %s\n", deny_key); - ret = parse_policy_setting_value(mem_ctx, host_domain, allow_key, - &allow_sids, &allow_size); + ret = parse_policy_setting_value(mem_ctx, host_domain, cse_guid, + allow_key, &allow_sids, &allow_size); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "parse_policy_setting_value failed for key %s: [%d](%s)\n", @@ -1530,8 +1596,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx, goto done; } - ret = parse_policy_setting_value(mem_ctx, host_domain, deny_key, - &deny_sids, &deny_size); + ret = parse_policy_setting_value(mem_ctx, host_domain, cse_guid, + deny_key, &deny_sids, &deny_size); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "parse_policy_setting_value failed for key %s: [%d](%s)\n", @@ -1572,6 +1638,7 @@ struct ad_gpo_access_state { struct sss_domain_info *user_domain; struct sss_domain_info *host_domain; const char *user; + const char *cse_guid; int gpo_timeout_option; const char *ad_hostname; const char *target_dn; @@ -1670,6 +1737,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, state->host_domain = get_domains_head(domain); state->gpo_map_type = gpo_map_type; + state->cse_guid = GP_EXT_GUID_SECURITY; state->dacl_filtered_gpos = NULL; state->num_dacl_filtered_gpos = 0; state->cse_filtered_gpos = NULL; @@ -1717,6 +1785,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, static errno_t process_offline_gpos(TALLOC_CTX *mem_ctx, + const char *cse_guid, const char *user, enum gpo_access_control_mode gpo_mode, struct sss_domain_info *user_domain, @@ -1727,6 +1796,7 @@ process_offline_gpos(TALLOC_CTX *mem_ctx, errno_t ret; ret = ad_gpo_perform_hbac_processing(mem_ctx, + cse_guid, gpo_mode, gpo_map_type, user, @@ -1775,6 +1845,7 @@ ad_gpo_connect_done(struct tevent_req *subreq) } else { DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); ret = process_offline_gpos(state, + state->cse_guid, state->user, state->gpo_mode, state->user_domain, @@ -1897,6 +1968,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq) if (ret == EAGAIN && dp_error == DP_ERR_OFFLINE) { DEBUG(SSSDBG_TRACE_FUNC, "Preparing for offline operation.\n"); ret = process_offline_gpos(state, + state->cse_guid, state->user, state->gpo_mode, state->user_domain, @@ -2087,7 +2159,9 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) * Delete the result object list, since there are no * GPOs to include in it. */ - ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain); + ret = sysdb_gpo_delete_gp_result_object(state, + state->host_domain, + state->cse_guid); if (ret != EOK) { switch (ret) { case ENOENT: @@ -2126,7 +2200,9 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) * Delete the result object list, since there are no * GPOs to include in it. */ - ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain); + ret = sysdb_gpo_delete_gp_result_object(state, + state->host_domain, + state->cse_guid); if (ret != EOK) { switch (ret) { case ENOENT: @@ -2150,7 +2226,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) } ret = ad_gpo_filter_gpos_by_cse_guid(state, - GP_EXT_GUID_SECURITY, + state->cse_guid, state->dacl_filtered_gpos, state->num_dacl_filtered_gpos, &state->cse_filtered_gpos, @@ -2199,7 +2275,9 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq) * subsequent functions will add the GPO Result object (and populate it * with resultant policy settings) for this policy application */ - ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain); + ret = sysdb_gpo_delete_gp_result_object(state, + state->host_domain, + state->cse_guid); if (ret != EOK) { switch (ret) { case ENOENT: @@ -2361,11 +2439,12 @@ ad_gpo_cse_done(struct tevent_req *subreq) } /* - * now that the policy file for this gpo have been downloaded to the + * now that the policy file for this cse has been downloaded to the * GPO CACHE, we store all of the supported keys present in the file - * (as part of the GPO Result object in the sysdb cache). + * (as part of the GP Result object in the sysdb cache). */ ret = ad_gpo_store_policy_settings(state->host_domain, + state->cse_guid, cse_filtered_gpo->policy_filename); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, @@ -2380,6 +2459,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) if (ret == EOK) { /* ret is EOK only after all GPO policy files have been downloaded */ ret = ad_gpo_perform_hbac_processing(state, + state->cse_guid, state->gpo_mode, state->gpo_map_type, state->user,
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
