author: Michal Židek <mzidek@redhat.com> 2016-07-29 16:09:16 +0200
committer: Jakub Hrozek <jhrozek@redhat.com> 2016-08-11 10:30:45 +0200
commit: b1a8b4a1291529367b46c79eb02448eced3bf8d2 (patch)
tree: dac274706a06fed35ecb9bb74176cc99eb8f7c18 /src
parent: 95de2cd9ea8083115f3bbbf0867aaf6b218cb624 (diff)
gpo: gPCMachineExtensionNames with just whitespaces
Resolves:
https://fedorahosted.org/sssd/ticket/3114

We failed GPO processing if the gPCMachineExtensionNames attribute contained just whitespaces. This caused failures in some server settings.

Comment from Alexander Bokovoy quoting:

You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when processing gPCMachineExtensionNames, "Group Policy processing terminates at the first <CSE GUIDn> out of sequence." Since ' ' (space only) does not fall into defined syntax for gPCMachineExtensionNames, this Group Policy processing is stopped and its CSE GUIDs are set to 'empty list'.

Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
------------------------------------------------------------------------
The Group Policy client MUST evaluate the subset of the abstract element Filtered GPO list separately for each Group Policy extension by including in the subset only those GPOs whose gPCUserExtensionNames (for user policy mode) or gPCMachineExtensionNames (for computer policy mode) attributes contain CSE GUID that correspond to the Group Policy extension. If the CSE GUID corresponding to the Group Policy extension is present in Extension List, it is invoked using the Implementation Identifier field. Applicability is determined as specified in section 3.2.1.5. The Group Policy Registry Extension MUST always execute first. All other applicable Group Policy extensions in the Extension List MUST be loaded and executed in Extension List order. A failure in any Group Policy extension sequence MUST NOT affect the execution of other Group Policy extensions.
-------------------------------------------------------------------------
I think we can practically treat wrong content of gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the GPO to pass through the Filtered GPO list. Thus, the GPO would be ignored.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
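As an added example (not SSSD code and not part of this commit), the following C parser shows the rule the commit message takes from MS-GPOL 2.2.4: gPCMachineExtensionNames is a sequence of bracketed groups, each a CSE GUID followed by its tool-extension GUIDs, with the CSE GUIDs in ascending order. A blank, malformed or out-of-sequence value yields an empty CSE list, which is the "GPO ignored" outcome the message argues for, and the blank check casts to `unsigned char` before calling `isspace()`. Function names, the fixed-size buffers and the sample value are assumptions of the example; the two CSE GUIDs are the well-known Windows registry and security extension GUIDs.

```c
/* Parser for the gPCMachineExtensionNames syntax cited from MS-GPOL 2.2.4:
 * "[{CSE GUID}{Tool GUID}...][{CSE GUID}{Tool GUID}...]" with CSE GUIDs in
 * ascending order. Added example, not SSSD code; names, the buffer size and
 * the sample value are assumptions of the example. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>
#include <strings.h>

#define GUID_LEN 38       /* "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" */
#define MAX_CSE_GUIDS 32  /* assumed upper bound for this example */
/* Well-known Windows CSE GUIDs of the registry and security extensions. */
#define REGISTRY_CSE_GUID "{35378EAC-683F-11D2-A89A-00C04FBBCFA2}"
#define SECURITY_CSE_GUID "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}"
/* Constructed sample value: two groups, each a CSE GUID plus one tool GUID. */
#define SAMPLE_VALID \
    "[" REGISTRY_CSE_GUID "{D02B1F72-3407-48AE-BA88-E8213C6761F1}]" \
    "[" SECURITY_CSE_GUID "{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]"

/* True for NULL, empty or whitespace-only values (the case this commit fixes).
 * The unsigned char cast keeps isspace() defined for bytes >= 0x80. */
static bool ext_names_is_blank(const char *value)
{
    if (value == NULL) {
        return true;
    }
    for (const unsigned char *p = (const unsigned char *) value; *p; p++) {
        if (!isspace(*p)) {
            return false;
        }
    }
    return true;
}

/* True when p starts with "{8-4-4-4-12}" hex in braces; stops at the first NUL. */
static bool is_braced_guid(const char *p)
{
    static const char layout[] = "{hhhhhhhh-hhhh-hhhh-hhhh-hhhhhhhhhhhh}";
    for (size_t i = 0; i < GUID_LEN; i++) {
        unsigned char c = (unsigned char) p[i];
        bool ok = (layout[i] == 'h') ? isxdigit(c) != 0 : c == (unsigned char) layout[i];
        if (c == '\0' || !ok) {
            return false;
        }
    }
    return true;
}

/* Copies the CSE GUIDs of value into out and returns how many were found; 0 for
 * a blank, malformed or out-of-sequence value, which the commit treats as a GPO
 * that fails the Filtered GPO list and is ignored. */
static size_t parse_cse_guids(const char *value, char out[][GUID_LEN + 1], size_t max)
{
    size_t count = 0;
    const char *p = value;

    if (ext_names_is_blank(value)) {
        return 0;
    }
    while (*p != '\0') {
        if (*p++ != '[' || !is_braced_guid(p) || count == max) {
            return 0;                 /* each group must open with "[{CSE GUID}" */
        }
        if (count > 0 && strncasecmp(out[count - 1], p, GUID_LEN) >= 0) {
            return 0;                 /* CSE GUID out of sequence */
        }
        memcpy(out[count], p, GUID_LEN);
        out[count][GUID_LEN] = '\0';
        count++;
        p += GUID_LEN;
        while (is_braced_guid(p)) {   /* tool extension GUIDs are skipped */
            p += GUID_LEN;
        }
        if (*p++ != ']') {
            return 0;                 /* each group must close with ']' */
        }
    }
    return count;
}

/* Number of CSE GUIDs in value; 0 means no extension applies and the GPO is ignored. */
static size_t count_cse_guids(const char *value)
{
    char guids[MAX_CSE_GUIDS][GUID_LEN + 1];
    return parse_cse_guids(value, guids, MAX_CSE_GUIDS);
}

/* True when value lists cse_guid, i.e. that extension applies to the GPO. */
static bool has_cse_guid(const char *value, const char *cse_guid)
{
    char guids[MAX_CSE_GUIDS][GUID_LEN + 1];
    size_t n = parse_cse_guids(value, guids, MAX_CSE_GUIDS);
    for (size_t i = 0; i < n; i++) {
        if (strcasecmp(guids[i], cse_guid) == 0) {
            return true;
        }
    }
    return false;
}
```

Calling `count_cse_guids(" ")` returns 0 and `has_cse_guid(SAMPLE_VALID, SECURITY_CSE_GUID)` returns true from any main that links this file. Because an out-of-sequence value also returns 0, a GUID that is physically present in such a value is still reported as not applying, which is exactly the "treat wrong content as failing the Filtered GPO list" reading the message proposes.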
Diffstat (limited to 'src')
-rw-r--r-- src/providers/ad/ad_gpo.c | 21
1 files changed, 20 insertions, 1 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index f609d2813..63c68ce35 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3765,6 +3765,24 @@ done:
}
}
+static bool machine_ext_names_is_blank(char *attr_value)
+{
+ char *ptr;
+
+ if (attr_value == NULL) {
+ return true;
+ }
+
+ ptr = attr_value;
+ for (; *ptr != '\0'; ptr++) {
+ if (!isspace(*ptr)) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
static errno_t
ad_gpo_sd_process_attrs(struct tevent_req *req,
char *smb_host,
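Review bot: `isspace(*ptr)` in the new `machine_ext_names_is_blank()` is handed a plain `char`; where `char` is signed, any byte >= 0x80 in the attribute value becomes a negative argument, which the ctype functions do not define. Cast first, `if (!isspace((unsigned char) *ptr))`, and since the function only reads through the pointer, `const char *attr_value` would document that. The hunk does not add an include, so please confirm `<ctype.h>` is already pulled in by ad_gpo.c.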
@@ -3880,7 +3898,8 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
goto done;
}
- if ((ret == ENOENT) || (el->num_values == 0)) {
+ if ((ret == ENOENT) || (el->num_values == 0)
+ || machine_ext_names_is_blank((char *) el[0].values[0].data)) {
/*
* if gpo has no machine_ext_names (which is perfectly valid: it could
* have only user_ext_names, for example), we continue to next gpo
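Review bot: the new condition `machine_ext_names_is_blank((char *) el[0].values[0].data)` scans until `'\0'`, so it relies on the value being NUL-terminated, while an `ldb_val` carries an explicit `length`; if the sysdb guarantees the trailing NUL for these values, a short comment here would record that, otherwise bound the scan by `el->values[0].length`. The comment that follows (`if gpo has no machine_ext_names ...`) should also mention that a whitespace-only value is now treated the same way, and `el[0].values[0]` reads more consistently with the surrounding `el->num_values` as `el->values[0]`.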