File 0021-GPO-Skip-GPOs-without-gPCFunctionalityVersion.patch of Package sssd.12196
From 6a490b312075d2588ad87bbb8a63466f1ac6a106 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com> Date: Thu, 15 Dec 2016 15:16:51 +0100 Subject: [PATCH] GPO: Skip GPOs without gPCFunctionalityVersion MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit We falsely stopped GPO processing when Group Policy Container in AD did not contain gPCFunctionalityVersion. Such GPOs should be ignored by SSSD according to MS-GPOL: https://msdn.microsoft.com/en-us/library/cc232538.aspx Resolves: https://fedorahosted.org/sssd/ticket/3269 Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com> --- src/providers/ad/ad_gpo.c | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 2b06a0ec8..7f046c8f0 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -864,8 +864,6 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, access_allowed = false; candidate_gpo = candidate_gpos[i]; - sd = candidate_gpo->gpo_sd; - dacl = candidate_gpo->gpo_sd->dacl; DEBUG(SSSDBG_TRACE_ALL, "examining dacl candidate_gpo_guid:%s\n", candidate_gpo->gpo_guid); @@ -877,6 +875,15 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx, continue; } + sd = candidate_gpo->gpo_sd; + if (sd == NULL) { + DEBUG(SSSDBG_TRACE_ALL, "Security descriptor is missing\n"); + ret = EINVAL; + goto done; + } + + dacl = candidate_gpo->gpo_sd->dacl; + /* gpo_flags value of 2 means that GPO's computer portion is disabled */ if (candidate_gpo->gpo_flags == 2) { DEBUG(SSSDBG_TRACE_ALL, 
@@ -3849,7 +3856,16 @@ ad_gpo_sd_process_attrs(struct tevent_req *req, /* retrieve AD_AT_FUNC_VERSION */ ret = sysdb_attrs_get_int32_t(result, AD_AT_FUNC_VERSION, &gp_gpo->gpo_func_version); - if (ret != EOK) { + if (ret == ENOENT) { + /* If this attrbute is missing we can skip the GPO. It will + * be filtered out according to MS-GPOL: + * https://msdn.microsoft.com/en-us/library/cc232538.aspx */ + DEBUG(SSSDBG_TRACE_ALL, "GPO with GUID %s is missing attribute " + AD_AT_FUNC_VERSION " and will be skipped.\n", gp_gpo->gpo_guid); + state->gpo_index++; + ret = ad_gpo_get_gpo_attrs_step(req); + goto done; + } else if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_int32_t failed: [%d](%s)\n", ret, sss_strerror(ret)); -- 2.16.4
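Review bot: In ad_gpo_filter_gpos_by_dacl, the new `sd == NULL` branch logs at SSSDBG_TRACE_ALL and leaves out the GPO GUID, although it sets `ret = EINVAL` and jumps to done, so a condition that ends the loop for all remaining candidates is visible only at the most verbose debug level. Suggest logging it at SSSDBG_OP_FAILURE with candidate_gpo->gpo_guid in the message, and reconsidering whether one GPO without a security descriptor should `continue` like the check directly above it instead of failing the whole filter, given that the commit's stated aim is to stop aborting GPO processing. Minor: once sd has been checked, the following assignment can read `dacl = sd->dacl;` rather than dereferencing candidate_gpo->gpo_sd again.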
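Review bot: In ad_gpo_sd_process_attrs, the ENOENT branch depends on the GPO being "filtered out" later, but nothing in the branch sets gp_gpo->gpo_func_version or otherwise marks the entry as skipped before `state->gpo_index++;`, so the later filter relies on whatever value that field holds after the failed sysdb_attrs_get_int32_t call. Suggest either assigning an explicit value in this branch or naming in the comment the check that drops the GPO, so the dependency between the two functions is documented. The comment also has a typo ("attrbute" for "attribute"), and SSSDBG_TRACE_ALL may be too quiet for a policy object that is being ignored during access evaluation.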