authorStephen Gallagher <sgallagh@redhat.com>2015-07-20 09:29:19 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-07-26 20:33:07 +0200
commit7c18b65dbdeb584a946c055f2db3814544b17232 (patch)
tree573c92f4ba51963f5c5d4acf3b56403e15392998
parenteabc1732ef91548616a699b7e9f8d30e5e7b8dd3 (diff)
AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error. We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration). We also need to delete the result object from the cache to ensure that offline operation will also grant access. Resolves: https://fedorahosted.org/sssd/ticket/2713 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r--src/providers/ad/ad_gpo.c46
1 files changed, 43 insertions, 3 deletions
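--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1949,11 +1949,33 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
-if (ret != EOK) {
+if (ret != EOK && ret != ENOENT) {
 DEBUG(SSSDBG_OP_FAILURE,
 "Unable to get GPO list: [%d](%s)\n",
 ret, sss_strerror(ret));
-ret = ENOENT;
+goto done;
+} else if (ret == ENOENT) {
+DEBUG(SSSDBG_TRACE_FUNC,
+"No GPOs found that apply to this system.\n");
+/*
+* Delete the result object list, since there are no
+* GPOs to include in it.
+*/
+ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+if (ret != EOK) {
+switch (ret) {
+case ENOENT:
+DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+break;
+default:
+DEBUG(SSSDBG_FATAL_FAILURE,
+"Could not delete GPO Result from cache: [%s]\n",
+sss_strerror(ret));
+goto done;
+}
+}
+
+ret = EOK;
 goto done;
 }
@@ -1973,6 +1995,25 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 /* since no applicable gpos were found, there is nothing to enforce */
 DEBUG(SSSDBG_TRACE_FUNC,
 "no applicable gpos found after dacl filtering\n");
+
+/*
+* Delete the result object list, since there are no
+* GPOs to include in it.
+*/
+ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+if (ret != EOK) {
+switch (ret) {
+case ENOENT:
+DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+break;
+default:
+DEBUG(SSSDBG_FATAL_FAILURE,
+"Could not delete GPO Result from cache: [%s]\n",
+sss_strerror(ret));
+goto done;
+}
+}
+
 ret = EOK;
 goto done;
 }
@@ -3422,7 +3463,6 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
 DEBUG(SSSDBG_OP_FAILURE,
 "Unable to retrieve GPO List: [%d](%s)\n",
 ret, sss_strerror(ret));
-ret = ENOENT;
 goto immediately;
 }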
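Review bot: The new `else if (ret == ENOENT)` branch in the first hunk of ad_gpo_process_gpo_done converts an empty GPO list into `ret = EOK`, i.e. access is granted, but nothing at that spot records that this is the intended "no GPOs apply" semantics and that it relies on ENOENT never standing in for a lookup or transport failure (the third hunk removes exactly such a `ret = ENOENT;` collapse in ad_gpo_process_gpo_send; any other path still doing that would now grant access rather than deny). A comment above the branch such as `/* ENOENT means the GPO search legitimately found nothing; GPO semantics allow access in that case, so ENOENT must never be used to mask lookup failures. */` would make that contract visible to the next maintainer. The cache-deletion block (delete result object, tolerate ENOENT, fail on anything else) is also duplicated verbatim between the first and second hunk; a small static helper, sketched below, removes the duplication and keeps the two paths from drifting. The `done:` label both branches jump to lies outside the hunks.
```c
/* Drop any cached GPO result so that offline evaluation, like online,
 * grants access when no GPOs apply. A missing result object is not an error. */
static errno_t
ad_gpo_delete_cached_result(TALLOC_CTX *mem_ctx,
                            struct sss_domain_info *domain)
{
    errno_t ret;

    ret = sysdb_gpo_delete_gpo_result_object(mem_ctx, domain);
    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
        return EOK;
    } else if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not delete GPO Result from cache: [%s]\n",
              sss_strerror(ret));
    }

    return ret;
}

/* … in ad_gpo_process_gpo_done, replacing each of the two inline blocks … */
ret = ad_gpo_delete_cached_result(state, state->host_domain);
goto done;
```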