On (20/07/15 10:41), Stephen Gallagher wrote:
> It is possible to have a machine where none of the GPOs associated with
> it include access-control rules. Currently, this results in a
> denial-by-system-error.
>
> We need to treat this case as allowing the user (see the test cases in
>
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegra
> tion
>
> We also need to delete the result object from the cache to ensure that
> offline operation will also grant access.
>
> Resolves:
>
https://fedorahosted.org/sssd/ticket/2691
>From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001
> From: Stephen Gallagher <sgallagh(a)redhat.com>
> Date: Mon, 20 Jul 2015 09:29:19 -0400
> Subject: [PATCH] AD: Handle cases where no GPOs apply
>
> It is possible to have a machine where none of the GPOs associated with
> it include access-control rules. Currently, this results in a
> denial-by-system-error.
>
> We need to treat this case as allowing the user (see the test cases in
>
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
>
> We also need to delete the result object from the cache to ensure that
> offline operation will also grant access.
>
> Resolves:
>
https://fedorahosted.org/sssd/ticket/2691
> ---
This patch fixes ticket #2713.
I need to better test #2691. because it works sometimes and sometime doesn't
work. I assume there can be bug in as tests. (some leftovers from previous
execution)
> src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
> 1 file changed, 43 insertions(+), 3 deletions(-)
>
> diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
> index
974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a 100644
> --- a/src/providers/ad/ad_gpo.c
> +++ b/src/providers/ad/ad_gpo.c
> @@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
>
> talloc_zfree(subreq);
>
> ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
>
> - if (ret != EOK) {
> + if (ret != EOK && ret != ENOENT) {
> DEBUG(SSSDBG_OP_FAILURE,
> "Unable to get GPO list: [%d](%s)\n",
> ret, sss_strerror(ret));
> - ret = ENOENT;
> + goto done;
> + } else if (ret == ENOENT) {
> + DEBUG(SSSDBG_OP_FAILURE,
> + "No GPOs found that apply to this system.\n");
I'm not sure about this debug level.
There is a plan to increase default debug level to SSSDBG_OP_FAILURE.
An if the user does not have any GPOs on AD server then
this message will be printed after each login.
LS
Hi Lukas,
I am sending Stephen's patch updated according to
your request.
I have not tested the patch however.
Michal
--
Senior Principal Intern