On (20/07/15 10:41), Stephen Gallagher wrote:
It is possible to have a machine where none of the GPOs associated
with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegra
tion
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2691
From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00
2001
From: Stephen Gallagher <sgallagh(a)redhat.com>
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: [PATCH] AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with
it include access-control rules. Currently, this results in a
denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in
https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that
offline operation will also grant access.
Resolves:
https://fedorahosted.org/sssd/ticket/2691
---
This patch fixes ticket #2713.
I need to better test #2691. because it works sometimes and sometime doesn't
work. I assume there can be bug in as tests. (some leftovers from previous
execution)
src/providers/ad/ad_gpo.c | 46
+++++++++++++++++++++++++++++++++++++++++++---
1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a
100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
talloc_zfree(subreq);
ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
- if (ret != EOK) {
+ if (ret != EOK && ret != ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
"Unable to get GPO list: [%d](%s)\n",
ret, sss_strerror(ret));
- ret = ENOENT;
+ goto done;
+ } else if (ret == ENOENT) {
+ DEBUG(SSSDBG_OP_FAILURE,
+ "No GPOs found that apply to this system.\n");
I'm not
sure about this debug level.
There is a plan to increase default debug level to SSSDBG_OP_FAILURE.
An if the user does not have any GPOs on AD server then
this message will be printed after each login.
LS