GPO: error out instead of leaving array element uninitialized

In general every object created by the AD provider should have a SID
attribute. Since SIDs and GPOs are used for access control a missing SID
should be treated as error for now until it is known if there is a valid
reason why the SID is missing.

Resolves https://fedorahosted.org/sssd/ticket/2608

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 4cfab2330323834574c179f774a0c6b1fff4936e)

1 files changed, 4 insertions, 1 deletions

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index c45b7963e..69ff6daaa 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -581,7 +581,10 @@ ad_gpo_get_sids(TALLOC_CTX *mem_ctx,
         group_sid = ldb_msg_find_attr_as_string(res->msgs[i+1],
                                                 SYSDB_SID_STR, NULL);
         if (group_sid == NULL) {
-            continue;
+            DEBUG(SSSDBG_CRIT_FAILURE, "Missing SID for cache entry [%s].\n",
+                  ldb_dn_get_linearized(res->msgs[i+1]->dn));
+            ret = EINVAL;
+            goto done;
         }
 
         group_sids[i] = talloc_steal(group_sids, group_sid);