authorStephen Gallagher <sgallagh@redhat.com>2015-04-10 16:34:37 -0400
committerJakub Hrozek <jhrozek@redhat.com>2015-04-15 17:43:13 +0200
commit1d12fff68def0d6e15c6579e4f69c79a99622385 (patch)
tree2168da8fffb88fddf6a1fce1766795cbfca59723
parentb800d07991839c1047f10398f979e01e5543d0a7 (diff)
AD GPO: Always look up GPOs from machine domain
When dealing with users from a child domain, SSSD was attempting to use the subdomain for lookups. However, all GPOs applicable to this machine are stored in the primary domain (the domain the host directly joined). This patch has the GPO processing use the primary domain instead of the user domain. Resolves: https://fedorahosted.org/sssd/ticket/2606 Reviewed-by: Jakub Hrozek <jhrozek@redhat.com> (cherry picked from commit 475d986b534c5e0dfdb8e2348ab89b13fd4874aa) (cherry picked from commit b025f8a22cab47ac1f705a872917e3da0799fdd9)
-rw-r--r--src/providers/ad/ad_gpo.c54
1 files changed, 33 insertions, 21 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index bd1244ae4..d9385a958 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1401,7 +1401,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
enum gpo_access_control_mode gpo_mode,
enum gpo_map_type gpo_map_type,
const char *user,
- struct sss_domain_info *domain)
+ struct sss_domain_info *user_domain,
+ struct sss_domain_info *host_domain)
{
int ret;
const char *allow_key = NULL;
@@ -1416,7 +1417,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
deny_key = gpo_map_option_entries[gpo_map_type].deny_key;
DEBUG(SSSDBG_TRACE_ALL, "deny_key: %s\n", deny_key);
- ret = parse_policy_setting_value(mem_ctx, domain, allow_key,
+ ret = parse_policy_setting_value(mem_ctx, host_domain, allow_key,
&allow_sids, &allow_size);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1426,7 +1427,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
goto done;
}
- ret = parse_policy_setting_value(mem_ctx, domain, deny_key,
+ ret = parse_policy_setting_value(mem_ctx, host_domain, deny_key,
&deny_sids, &deny_size);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1437,8 +1438,9 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
}
/* perform access check with the final resultant allow_sids and deny_sids */
- ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user, domain,
- allow_sids, allow_size, deny_sids, deny_size);
+ ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
+ user_domain, allow_sids, allow_size, deny_sids,
+ deny_size);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
@@ -1463,7 +1465,8 @@ struct ad_gpo_access_state {
char *server_hostname;
struct sdap_options *opts;
int timeout;
- struct sss_domain_info *domain;
+ struct sss_domain_info *user_domain;
+ struct sss_domain_info *host_domain;
const char *user;
int gpo_timeout_option;
const char *ad_hostname;
@@ -1556,8 +1559,13 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
}
}
+ /* GPO Operations all happen against the enrolled domain,
+ * not the user's domain (which may be a trusted realm)
+ */
+ state->user_domain = domain;
+ state->host_domain = get_domains_head(domain);
+
state->gpo_map_type = gpo_map_type;
- state->domain = domain;
state->dacl_filtered_gpos = NULL;
state->num_dacl_filtered_gpos = 0;
state->cse_filtered_gpos = NULL;
@@ -1565,13 +1573,13 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
state->cse_gpo_index = 0;
state->ev = ev;
state->user = user;
- state->ldb_ctx = sysdb_ctx_get_ldb(domain->sysdb);
+ state->ldb_ctx = sysdb_ctx_get_ldb(state->host_domain->sysdb);
state->gpo_mode = ctx->gpo_access_control_mode;
state->gpo_timeout_option = ctx->gpo_cache_timeout;
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
- state->conn = ad_get_dom_ldap_conn(ctx->ad_id_ctx, domain);
+ state->conn = ad_get_dom_ldap_conn(ctx->ad_id_ctx, state->host_domain);
state->sdap_op = sdap_id_op_create(state, state->conn->conn_cache);
if (state->sdap_op == NULL) {
DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
@@ -1606,7 +1614,8 @@ static errno_t
process_offline_gpos(TALLOC_CTX *mem_ctx,
const char *user,
enum gpo_access_control_mode gpo_mode,
- struct sss_domain_info *domain,
+ struct sss_domain_info *user_domain,
+ struct sss_domain_info *host_domain,
enum gpo_map_type gpo_map_type)
{
@@ -1616,7 +1625,8 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
gpo_mode,
gpo_map_type,
user,
- domain);
+ user_domain,
+ host_domain);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
ret, sss_strerror(ret));
@@ -1662,7 +1672,8 @@ ad_gpo_connect_done(struct tevent_req *subreq)
ret = process_offline_gpos(state,
state->user,
state->gpo_mode,
- state->domain,
+ state->user_domain,
+ state->host_domain,
state->gpo_map_type);
if (ret == EOK) {
@@ -1714,11 +1725,11 @@ ad_gpo_connect_done(struct tevent_req *subreq)
DEBUG(SSSDBG_TRACE_FUNC, "sam_account_name is %s\n", sam_account_name);
/* Convert the domain name into domain DN */
- ret = domain_to_basedn(state, state->domain->name, &domain_dn);
+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE,
"Cannot convert domain name [%s] to base DN [%d]: %s\n",
- state->domain->name, ret, sss_strerror(ret));
+ state->host_domain->name, ret, sss_strerror(ret));
goto done;
}
@@ -1837,7 +1848,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
state->opts,
state->timeout,
state->target_dn,
- state->domain->name);
+ state->host_domain->name);
if (subreq == NULL) {
ret = ENOMEM;
goto done;
@@ -1939,7 +1950,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
goto done;
}
- ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->domain,
+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain,
state->opts->idmap_ctx->map,
candidate_gpos, num_candidate_gpos,
&state->dacl_filtered_gpos,
@@ -2014,7 +2025,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
* subsequent functions will add the GPO Result object (and populate it
* with resultant policy settings) for this policy application
*/
- ret = sysdb_gpo_delete_gpo_result_object(state, state->domain);
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
if (ret != EOK) {
switch (ret) {
case ENOENT:
@@ -2085,7 +2096,7 @@ ad_gpo_cse_step(struct tevent_req *req)
DEBUG(SSSDBG_TRACE_FUNC, "retrieving GPO from cache [%s]\n",
cse_filtered_gpo->gpo_guid);
ret = sysdb_gpo_get_gpo_by_guid(state,
- state->domain,
+ state->host_domain,
cse_filtered_gpo->gpo_guid,
&res);
if (ret == EOK) {
@@ -2127,7 +2138,7 @@ ad_gpo_cse_step(struct tevent_req *req)
subreq = ad_gpo_process_cse_send(state,
state->ev,
send_to_child,
- state->domain,
+ state->host_domain,
cse_filtered_gpo->gpo_guid,
cse_filtered_gpo->smb_server,
cse_filtered_gpo->smb_share,
@@ -2180,7 +2191,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
* GPO CACHE, we store all of the supported keys present in the file
* (as part of the GPO Result object in the sysdb cache).
*/
- ret = ad_gpo_store_policy_settings(state->domain,
+ ret = ad_gpo_store_policy_settings(state->host_domain,
cse_filtered_gpo->policy_filename);
state->cse_gpo_index++;
@@ -2192,7 +2203,8 @@ ad_gpo_cse_done(struct tevent_req *subreq)
state->gpo_mode,
state->gpo_map_type,
state->user,
- state->domain);
+ state->user_domain,
+ state->host_domain);
if (ret != EOK) {
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
ret, sss_strerror(ret));
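Review bot: The new comment in ad_gpo_access_send ("GPO Operations all happen against the enrolled domain, not the user's domain") overstates what the rest of the patch does: the DACL filtering in ad_gpo_process_gpo_done and the ad_gpo_access_check call in ad_gpo_perform_hbac_processing still deliberately take `state->user_domain`, so a maintainer reading only that comment could "fix" those call sites to host_domain and break SID/group resolution for trusted-domain users. I would make the comment state the split explicitly, e.g. `/* GPO discovery, the LDAP connection and the GPO cache use the enrolled (head) domain; the user's own domain is still passed where the user's SID and group memberships are resolved (DACL filter, access check). */`. The patch also relies on get_domains_head() returning the domain the host joined and on that domain having a non-NULL sysdb before `state->host_domain->sysdb` is dereferenced; that appears to hold for the AD provider's domain list, but it is an assumption worth naming in the same comment since the old code dereferenced the caller-supplied domain directly. The enclosing functions of the first and last hunks (ad_gpo_perform_hbac_processing and ad_gpo_cse_done) begin and end outside the shown hunks.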