>From a1a9b7492224cba34068aa55cc088db4b2c4db1c Mon Sep 17 00:00:00 2001
From: Lukas Slebodnik <lslebodn@redhat.com>
Date: Wed, 29 Apr 2015 09:17:18 +0200
Subject: [PATCH] GPO: Do not ignore missing attrs for GPOs

We don't want to skip over a GPO that might properly be denying
users.

[sssd[be[a.foo.com]]] [sdap_sd_search_send] (0x0400):
    Searching entry [cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=foo,DC=com] using SD
[sssd[be[a.foo.com]]] [sdap_get_generic_ext_step] (0x0400):
    calling ldap_search_ext with [(objectclass=*)][cn={2BA15B73-9524-419F-B4B7-185E1F0D3DCF},cn=policies,cn=system,DC=lzb,DC=hq].
[sssd[be[a.foo.com]]] [sdap_process_message] (0x4000):
    Message type: [LDAP_RES_SEARCH_RESULT]
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x0400):
    Search result: Referral(10), 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
        ref 1: 'lzb.hq'
[sssd[be[a.foo.com]]] [sdap_get_generic_op_finished] (0x1000):
    Ref: ldap://foo.com/cn=%7B2BA15B73-9524-419F-B4B7-185E1F0D3DCF%7D,cn=policies,cn=system,DC=foo,DC=com
[sssd[be[a.foo.com]]] [ad_gpo_get_gpo_attrs_done] (0x0040):
    no attrs found for GPO; try next GPO.

Resolves:
https://fedorahosted.org/sssd/ticket/2629
---
 src/providers/ad/ad_gpo.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 23d67bc35ded5d93ee4cb63bf5ea6f5e938257cd..4cfd26800da6c8d77fa4b5ee133a7adab346906c 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3497,9 +3497,15 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq)
     }
 
     if ((num_results < 1) || (results == NULL)) {
-        DEBUG(SSSDBG_OP_FAILURE, "no attrs found for GPO; try next GPO.\n");
-        state->gpo_index++;
-        ret = ad_gpo_get_gpo_attrs_step(req);
+        const char *gpo_dn = state->candidate_gpos[state->gpo_index]->gpo_dn;
+
+        DEBUG(SSSDBG_OP_FAILURE,
+              "BUG: No attrs found for GPO [%s]. This was likely caused by "
+              "the GPO entry being a referred to another domain controller."
+              " SSSD does not yet support this configuration. See upstream "
+              "ticket #2645 for more information.\n",
+              gpo_dn);
+        ret = ERR_INTERNAL;
         goto done;
     }
     else if (num_results > 1) {
-- 
2.3.6