authorLukas Slebodnik <lslebodn@redhat.com>2014-09-01 13:29:14 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-09-02 14:42:11 +0200
commitf929e9e5a6daa71a22176b08eb7983fb4b708180 (patch)
treea96e21bc441ccd058794a43068568d428fbcf3c2
parent261af6792759e510f698b9e37d14a6232e4714ed (diff)
AD: Ignore all errors if gpo is in permissive mode.
This patch prevents problems with user authentication if gpo is misconfigured. [ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target. [sdap_id_op_destroy] (0x4000): releasing operation connection [ad_gpo_access_done] (0x0040): GPO-based access control failed. [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)] [be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com] [be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com] Reviewed-by: Yassir Elley <yelley@redhat.com>
-rw-r--r--src/providers/ad/ad_access.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index 74077ec10..5b1792223 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -21,6 +21,8 @@
*/
#include <security/pam_modules.h>
+#include <syslog.h>
+
#include "src/util/util.h"
#include "src/providers/data_provider.h"
#include "src/providers/dp_backend.h"
@@ -415,9 +417,13 @@ static void
ad_gpo_access_done(struct tevent_req *subreq)
{
struct tevent_req *req;
+ struct ad_access_state *state;
errno_t ret;
+ enum gpo_access_control_mode mode;
req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_access_state);
+ mode = state->ctx->gpo_access_control_mode;
ret = ad_gpo_access_recv(subreq);
talloc_zfree(subreq);
@@ -427,7 +433,18 @@ ad_gpo_access_done(struct tevent_req *subreq)
tevent_req_done(req);
} else {
DEBUG(SSSDBG_OP_FAILURE, "GPO-based access control failed.\n");
- tevent_req_error(req, ret);
+ if (mode == GPO_ACCESS_CONTROL_ENFORCING) {
+ tevent_req_error(req, ret);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Ignoring error: [%d](%s); GPO-based access control failed, "
+ "but GPO is not in enforcing mode.\n",
+ ret, sss_strerror(ret));
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would "
+ "have been denied GPO-based logon access if the "
+ "ad_gpo_access_control option were set to enforcing mode.");
+ tevent_req_done(req);
+ }
}
}
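Review bot: The new else branch after `GPO-based access control failed.` turns every errno from ad_gpo_access_recv() into a "would have been denied" audit record, but an evaluation failure (no DN retrieved as in the commit message, an unreachable LDAP server, ENOMEM) is not a policy decision, so the LOG_AUTHPRIV warning can misreport an infrastructure outage as a denied logon and it drops the errno that the preceding DEBUG line already has. Consider wording it `"Warning: GPO-based access control could not be evaluated [%d](%s); logon would have been denied in enforcing mode.", ret, sss_strerror(ret)` if sss_log_ext() takes format arguments as sss_log() does, so an operator reviewing authpriv can tell a broken GPO lookup from a real denial. Both the permissive and disabled values of ad_gpo_access_control fall into this else branch; it is worth confirming that the disabled case never reaches this callback, or naming the actual mode in the message. ad_gpo_access_done() starts in the previous hunk and its leading `if (ret == EOK)` check is outside this one.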