On 24 Jul 2015, at 18:41, Michal Židek <mzidek(a)redhat.com> wrote:
On 07/23/2015 09:46 AM, Lukas Slebodnik wrote:
> On (20/07/15 10:41), Stephen Gallagher wrote:
>> It is possible to have a machine where none of the GPOs associated with
>> it include access-control rules. Currently, this results in a
>> denial-by-system-error.
>>
>> We need to treat this case as allowing the user (see the test cases in
>>
>> https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
>>
>> We also need to delete the result object from the cache to ensure that
>> offline operation will also grant access.
>>
>> Resolves:
>>
>> https://fedorahosted.org/sssd/ticket/2691
>
>> From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001
>> From: Stephen Gallagher <sgallagh(a)redhat.com>
>> Date: Mon, 20 Jul 2015 09:29:19 -0400
>> Subject: [PATCH] AD: Handle cases where no GPOs apply
>>
>> It is possible to have a machine where none of the GPOs associated with
>> it include access-control rules. Currently, this results in a
>> denial-by-system-error.
>>
>> We need to treat this case as allowing the user (see the test cases in
>>
>> https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
>>
>> We also need to delete the result object from the cache to ensure that
>> offline operation will also grant access.
>>
>> Resolves:
>>
>> https://fedorahosted.org/sssd/ticket/2691
>> ---
> This patch fixes ticket #2713.
>
> I need to test #2691 better, because it works sometimes and sometimes doesn't
> work. I assume there can be a bug in as tests (some leftovers from a previous
> execution).
>
>> src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++---
>> 1 file changed, 43 insertions(+), 3 deletions(-)
>>
>> diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
>> index
974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a 100644
>> --- a/src/providers/ad/ad_gpo.c
>> +++ b/src/providers/ad/ad_gpo.c
>> @@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
>>
>> talloc_zfree(subreq);
>>
>> ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
>>
>> - if (ret != EOK) {
>> + if (ret != EOK && ret != ENOENT) {
>> DEBUG(SSSDBG_OP_FAILURE,
>> "Unable to get GPO list: [%d](%s)\n",
>> ret, sss_strerror(ret));
>> - ret = ENOENT;
>> + goto done;
>> + } else if (ret == ENOENT) {
>> + DEBUG(SSSDBG_OP_FAILURE,
>> + "No GPOs found that apply to this system.\n");
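Review bot: with the condition changed to `ret != EOK && ret != ENOENT`, every path through sdap_id_op_done() that surfaces ENOENT now results in access being granted instead of denied, so it is worth confirming that the GPO lookup returns ENOENT only for the genuine "no applicable GPOs" case and not for other missing-object conditions during the LDAP search. The commit message also says the cached result object must be deleted so that offline operation grants access, but that deletion is not in the quoted part of the hunk; please check that the new `else if (ret == ENOENT)` branch removes the stale cached result before it returns. Separately, the new message is logged at SSSDBG_OP_FAILURE for a condition that is no longer a failure; a trace-level message (for example SSSDBG_TRACE_FUNC) would avoid a spurious failure line on every login once the default debug level is raised.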
> I'm not sure about this debug level.
>
> There is a plan to increase the default debug level to SSSDBG_OP_FAILURE.
> And if the user does not have any GPOs on the AD server, then
> this message will be printed after each login.
>
> LS
Hi Lukas,
I am sending Stephen's patch updated according to
your request.
I have not tested the patch however.
Me neither, but if the debug level was the only complaint, then I vote for pushing the
patch.
Michal
--
Senior Principal Intern
<0001-AD-Handle-cases-where-no-GPOs-apply.patch>

_______________________________________________
sssd-devel mailing list
sssd-devel(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel