author | Stephen Gallagher <sgallagh@redhat.com> | 2015-07-20 09:29:19 -0400 |
---|---|---|
committer | Pavel Březina <pbrezina@redhat.com> | 2015-07-27 17:25:20 +0200 |
commit | 7f3499336a14026fd4c9d472c0431664921041fe (patch) | |
tree | 514e7efa79390134039762ab29d20d66f6c0b364 | |
parent | 473623463da3f5fcb5ae5fbd657b21d2e9698b3b (diff) | |
download | sssd-7f3499336a14026fd4c9d472c0431664921041fe.tar.gz sssd-7f3499336a14026fd4c9d472c0431664921041fe.tar.xz sssd-7f3499336a14026fd4c9d472c0431664921041fe.zip |
AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration).
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2713
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
-rw-r--r-- | src/providers/ad/ad_gpo.c | 46 |
1 files changed, 43 insertions, 3 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 974fd04b9..ffd8ac5dd 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1949,11 +1949,33 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
     ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
-    if (ret != EOK) {
+    if (ret != EOK && ret != ENOENT) {
         DEBUG(SSSDBG_OP_FAILURE, "Unable to get GPO list: [%d](%s)\n", ret, sss_strerror(ret));
-        ret = ENOENT;
+        goto done;
+    } else if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "No GPOs found that apply to this system.\n");
+        /*
+         * Delete the result object list, since there are no
+         * GPOs to include in it.
+         */
+        ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+        if (ret != EOK) {
+            switch (ret) {
+            case ENOENT:
+                DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+                break;
+            default:
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      "Could not delete GPO Result from cache: [%s]\n",
+                      sss_strerror(ret));
+                goto done;
+            }
+        }
+
+        ret = EOK;
         goto done;
     }
@@ -1973,6 +1995,25 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
         /* since no applicable gpos were found, there is nothing to enforce */
         DEBUG(SSSDBG_TRACE_FUNC, "no applicable gpos found after dacl filtering\n");
+
+        /*
+         * Delete the result object list, since there are no
+         * GPOs to include in it.
+         */
+        ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+        if (ret != EOK) {
+            switch (ret) {
+            case ENOENT:
+                DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+                break;
+            default:
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      "Could not delete GPO Result from cache: [%s]\n",
+                      sss_strerror(ret));
+                goto done;
+            }
+        }
+        ret = EOK;
         goto done;
     }
@@ -3422,7 +3463,6 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
         DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve GPO List: [%d](%s)\n", ret, sss_strerror(ret));
-        ret = ENOENT;
         goto immediately;
     }
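Review bot: The new `else if (ret == ENOENT)` branch in the first hunk turns a not-found result into an allow decision, so ad_gpo_process_gpo_done now relies on every callee in the GPO lookup chain reserving ENOENT for "no GPOs are linked to this host"; any other lookup that reports a missing entry as ENOENT would be granted access rather than denied, and nothing in the hunk states that invariant. Add a comment above the branch, e.g. `/* ENOENT must only mean "no GPOs apply to this host"; any other not-found condition reaching here would grant access. */`, and note in it that the third hunk, which stops mapping a failed GPO-list retrieval to ENOENT, is presumably what keeps real failures out of this path. The delete-result-object block is then pasted verbatim in the first and second hunks; a static helper that treats ENOENT as success and logs anything else, as sketched below, keeps the two "no GPOs" paths from drifting. Both hunks sit inside ad_gpo_process_gpo_done, whose start and end lie outside the diff.
```c
/* Drop the cached GPO result so an offline evaluation also sees "no GPOs apply".
 * A missing cache entry (ENOENT) is not an error here. */
static errno_t
ad_gpo_clear_gpo_result(TALLOC_CTX *mem_ctx, struct sss_domain_info *domain)
{
    errno_t ret = sysdb_gpo_delete_gpo_result_object(mem_ctx, domain);
    if (ret == ENOENT) {
        DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
        return EOK;
    }
    if (ret != EOK) {
        DEBUG(SSSDBG_FATAL_FAILURE,
              "Could not delete GPO Result from cache: [%s]\n",
              sss_strerror(ret));
    }
    return ret;
}

/* … unchanged: ad_gpo_process_gpo_done up to each "no GPOs" path … */
        ret = ad_gpo_clear_gpo_result(state, state->host_domain);
        goto done;
```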