summaryrefslogtreecommitdiffstats
path: root/src/providers/ad
diff options
context:
space:
mode:
Diffstat (limited to 'src/providers/ad')
-rw-r--r--src/providers/ad/ad_access.c19
1 files changed, 18 insertions, 1 deletions
diff --git a/src/providers/ad/ad_access.c b/src/providers/ad/ad_access.c
index 74077ec10..5b1792223 100644
--- a/src/providers/ad/ad_access.c
+++ b/src/providers/ad/ad_access.c
@@ -21,6 +21,8 @@
*/
#include <security/pam_modules.h>
+#include <syslog.h>
+
#include "src/util/util.h"
#include "src/providers/data_provider.h"
#include "src/providers/dp_backend.h"
@@ -415,9 +417,13 @@ static void
ad_gpo_access_done(struct tevent_req *subreq)
{
struct tevent_req *req;
+ struct ad_access_state *state;
errno_t ret;
+ enum gpo_access_control_mode mode;
req = tevent_req_callback_data(subreq, struct tevent_req);
+ state = tevent_req_data(req, struct ad_access_state);
+ mode = state->ctx->gpo_access_control_mode;
ret = ad_gpo_access_recv(subreq);
talloc_zfree(subreq);
@@ -427,7 +433,18 @@ ad_gpo_access_done(struct tevent_req *subreq)
tevent_req_done(req);
} else {
DEBUG(SSSDBG_OP_FAILURE, "GPO-based access control failed.\n");
- tevent_req_error(req, ret);
+ if (mode == GPO_ACCESS_CONTROL_ENFORCING) {
+ tevent_req_error(req, ret);
+ } else {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "Ignoring error: [%d](%s); GPO-based access control failed, "
+ "but GPO is not in enforcing mode.\n",
+ ret, sss_strerror(ret));
+ sss_log_ext(SSS_LOG_WARNING, LOG_AUTHPRIV, "Warning: user would "
+ "have been denied GPO-based logon access if the "
+ "ad_gpo_access_control option were set to enforcing mode.");
+ tevent_req_done(req);
+ }
}
}
generated by cgit (git 2.34.1) at 2024-06-04 21:07:29 +0000