AD GPO: Fix incorrect return of EACCES

In the access providers, we expect to receive ERR_ACCESS_DENIED when
access is denied, but we were returning EACCES here. The effect was the
same, except that it presented ultimately as a system error instead of
a proper denial.

Related:
https://fedorahosted.org/sssd/ticket/2437

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 4e31a4832..7cb9619ca 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1123,7 +1123,7 @@ ad_gpo_access_check(TALLOC_CTX *mem_ctx,
     } else {
         switch (gpo_mode) {
         case GPO_ACCESS_CONTROL_ENFORCING:
-            return EACCES;
+            return ERR_ACCESS_DENIED;
         case GPO_ACCESS_CONTROL_PERMISSIVE:
             DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");
             sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would " \
@@ -1271,7 +1271,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
     if (gpo_map_type == GPO_MAP_DENY) {
         switch (ctx->gpo_access_control_mode) {
         case GPO_ACCESS_CONTROL_ENFORCING:
-            ret = EACCES;
+            ret = ERR_ACCESS_DENIED;
             goto immediately;
         case GPO_ACCESS_CONTROL_PERMISSIVE:
             DEBUG(SSSDBG_TRACE_FUNC, "access denied: permissive mode\n");