It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that offline operation will also grant access.
On (20/07/15 10:41), Stephen Gallagher wrote:
It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that offline operation will also grant access.
From 06e58a26fd5b59631b479f2f076e80ecfae425b8 Mon Sep 17 00:00:00 2001
From: Stephen Gallagher sgallagh@redhat.com
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: [PATCH] AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that offline operation will also grant access.
Resolves: https://fedorahosted.org/sssd/ticket/2691
This patch fixes ticket #2713.
I need to test #2691 better, because it works sometimes and sometimes doesn't. I assume there can be a bug in the tests (some leftovers from a previous execution).
src/providers/ad/ad_gpo.c | 46 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 974fd04b99709055f25ed2a3b77821b3caec09ad..0d310b87696feb810b6a096d31adede38c72d16a 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -1947,15 +1947,37 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
talloc_zfree(subreq); ret = sdap_id_op_done(state->sdap_op, ret, &dp_error);
- if (ret != EOK) {
- if (ret != EOK && ret != ENOENT) { DEBUG(SSSDBG_OP_FAILURE, "Unable to get GPO list: [%d](%s)\n", ret, sss_strerror(ret));
ret = ENOENT;
goto done;
- } else if (ret == ENOENT) {
DEBUG(SSSDBG_OP_FAILURE,
"No GPOs found that apply to this system.\n");
I'm not sure about this debug level.
There is a plan to increase the default debug level to SSSDBG_OP_FAILURE. And if the user does not have any GPOs on the AD server, then this message will be printed after each login.
LS
On 07/23/2015 09:46 AM, Lukas Slebodnik wrote:
I'm not sure about this debug level.
There is a plan to increase the default debug level to SSSDBG_OP_FAILURE. And if the user does not have any GPOs on the AD server, then this message will be printed after each login.
LS
Hi Lukas,
I am sending Stephen's patch updated according to your request.
I have not tested the patch however.
Michal
On 24 Jul 2015, at 18:41, Michal Židek mzidek@redhat.com wrote:
Hi Lukas,
I am sending Stephen's patch updated according to your request.
I have not tested the patch however.
Me neither, but if the debug level was the only complaint, then I vote for pushing the patch.
-- Senior Principal Intern
<0001-AD-Handle-cases-where-no-GPOs-apply.patch>
On (24/07/15 18:41), Michal Židek wrote:
Hi Lukas,
I am sending Stephen's patch updated according to your request.
I have not tested the patch however.
But I tested the patch :-)
From 027a680b4bb6c35c757e26c8db6a4e2995cfb1cb Mon Sep 17 00:00:00 2001
From: Stephen Gallagher sgallagh@redhat.com
Date: Mon, 20 Jul 2015 09:29:19 -0400
Subject: [PATCH] AD: Handle cases where no GPOs apply
It is possible to have a machine where none of the GPOs associated with it include access-control rules. Currently, this results in a denial-by-system-error.
We need to treat this case as allowing the user (see the test cases in https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryGPOIntegration
We also need to delete the result object from the cache to ensure that offline operation will also grant access.
Resolves: https://fedorahosted.org/sssd/ticket/2713
ACK
http://sssd-ci.duckdns.org/logs/job/19/18/summary.html
LS
On Fri, Jul 24, 2015 at 09:47:06PM +0200, Lukas Slebodnik wrote:
ACK
master: 7c18b65dbdeb584a946c055f2db3814544b17232