summaryrefslogtreecommitdiffstats
path: root/src/providers/ad
diff options
context:
space:
mode:
authorLukas Slebodnik <lslebodn@redhat.com>2014-09-01 13:29:14 +0200
committerJakub Hrozek <jhrozek@redhat.com>2014-09-02 14:42:11 +0200
commitf929e9e5a6daa71a22176b08eb7983fb4b708180 (patch)
treea96e21bc441ccd058794a43068568d428fbcf3c2 /src/providers/ad
parent261af6792759e510f698b9e37d14a6232e4714ed (diff)
downloadsssd-f929e9e5a6daa71a22176b08eb7983fb4b708180.tar.gz
sssd-f929e9e5a6daa71a22176b08eb7983fb4b708180.tar.xz
sssd-f929e9e5a6daa71a22176b08eb7983fb4b708180.zip
AD: Ignore all errors if gpo is in permissive mode.
This patch prevents problems with user authentication if gpo is misconfigurated. [ad_gpo_target_dn_retrieval_done] (0x0040): No DN retrieved for policy target. [sdap_id_op_destroy] (0x4000): releasing operation connection [ad_gpo_access_done] (0x0040): GPO-based access control failed. [be_pam_handler_callback] (0x0100): Backend returned: (3, 4, No such file or directory) [Internal Error (System error)] [be_pam_handler_callback] (0x0100): Sending result [4][sssdad.com] [be_pam_handler_callback] (0x0100): Sent result [4][sssdad.com] Reviewed-by: Yassir Elley <yelley@redhat.com>
Diffstat (limited to 'src/providers/ad')
-rw-r--r--src/providers/ad/ad_access.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index 74077ec10..5b1792223 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -21,6 +21,8 @@
*/
#include <security/pam_modules.h>
+#include <syslog.h>
+
#include "src/util/util.h"
#include "src/providers/data_provider.h"
#include "src/providers/dp_backend.h"
@@ -415,9 +417,13 @@ static void
ad_gpo_access_done(struct tevent_req *subreq)
{
struct tevent_req *req;
+ struct ad_access_state *state;
errno_t ret;
+ enum gpo_access_control_mode mode;
req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_access_state);
+ mode = state->ctx->gpo_access_control_mode;
ret = ad_gpo_access_recv(subreq);
talloc_zfree(subreq);
@@ -427,7 +433,18 @@ ad_gpo_access_done(struct tevent_req *subreq)
tevent_req_done(req);
} else {
DEBUG(SSSDBG_OP_FAILURE, "GPO-based access control failed.\n");
- tevent_req_error(req, ret);
+ if (mode == GPO_ACCESS_CONTROL_ENFORCING) {
+ tevent_req_error(req, ret);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Ignoring error: [%d](%s); GPO-based access control failed, "
+ "but GPO is not in enforcing mode.\n",
+ ret, sss_strerror(ret));
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would "
+ "have been denied GPO-based logon access if the "
+ "ad_gpo_access_control option were set to enforcing mode.");
+ tevent_req_done(req);
+ }
}
}