From 7c18b65dbdeb584a946c055f2db3814544b17232 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: AD: Handle cases where no GPOs apply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.

We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration

We also need to delete the result object from the cache to ensure that
offline operation will also grant access.

Resolves:
https://fedorahosted.org/sssd/ticket/2713

Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 43 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 974fd04b9..ffd8ac5dd 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1949,11 +1949,33 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 
     ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
 
-    if (ret != EOK) {
+    if (ret != EOK && ret != ENOENT) {
         DEBUG(SSSDBG_OP_FAILURE,
               "Unable to get GPO list: [%d](%s)\n",
               ret, sss_strerror(ret));
-        ret = ENOENT;
+        goto done;
+    } else if (ret == ENOENT) {
+        DEBUG(SSSDBG_TRACE_FUNC,
+              "No GPOs found that apply to this system.\n");
+        /*
+         * Delete the result object list, since there are no
+         * GPOs to include in it.
+         */
+        ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+        if (ret != EOK) {
+            switch (ret) {
+            case ENOENT:
+                DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+                break;
+            default:
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      "Could not delete GPO Result from cache: [%s]\n",
+                      sss_strerror(ret));
+                goto done;
+            }
+        }
+
+        ret = EOK;
         goto done;
     }
 
@@ -1973,6 +1995,25 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
         /* since no applicable gpos were found, there is nothing to enforce */
         DEBUG(SSSDBG_TRACE_FUNC,
               "no applicable gpos found after dacl filtering\n");
+
+        /*
+         * Delete the result object list, since there are no
+         * GPOs to include in it.
+         */
+        ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
+        if (ret != EOK) {
+            switch (ret) {
+            case ENOENT:
+                DEBUG(SSSDBG_TRACE_FUNC, "No GPO Result available in cache\n");
+                break;
+            default:
+                DEBUG(SSSDBG_FATAL_FAILURE,
+                      "Could not delete GPO Result from cache: [%s]\n",
+                      sss_strerror(ret));
+                goto done;
+            }
+        }
+
         ret = EOK;
         goto done;
     }
@@ -3422,7 +3463,6 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
         DEBUG(SSSDBG_OP_FAILURE,
               "Unable to retrieve GPO List: [%d](%s)\n",
               ret, sss_strerror(ret));
-        ret = ENOENT;
         goto immediately;
     }
 
-- 
cgit