Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
2018-04-27 22:02:36 +02:00 · 2018-04-27 22:02:36 +02:00 · a305fc11b7
parent b6696d97c4
commit a305fc11b7
2 changed files with 80 additions and 0 deletions
--- a/0047-GPO-Fix-bug-with-empty-GPO-rules.patch
+++ b/0047-GPO-Fix-bug-with-empty-GPO-rules.patch
@ -0,0 +1,77 @@
+From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 11 Apr 2018 18:56:53 +0200
+Subject: [PATCH] GPO: Fix bug with empty GPO rules
+
+When two or more GPO rules were defined on the server
+and one of them contained no SIDs (no users or groups
+were specified), then SSSD failed to store such rule
+and users were denied access (system error).
+
+This patch changes the behavior so that in case
+there are no SIDs in the rule a special value is
+stored with the rule to indicate that the rule
+was actually specified, but this value will not
+match any real SID (because the rule should be
+empty).
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3680
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
+---
+ src/providers/ad/ad_gpo.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index a48f264c7..ae3329b90 100644
+--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
+@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+     int i;
+     char *allow_value = NULL;
+     char *deny_value = NULL;
+    const char *empty_val = "NO_SID";
+     const char *allow_key = NULL;
+     const char *deny_key = NULL;
+     TALLOC_CTX *tmp_ctx = NULL;
+@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+     }
+ 
+     for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
+-
+        /* The NO_SID val is used as special SID value for the case when
+         * no SIDs are found in the rule, but we need to store some
+         * value (SID) with the key (rule name) so that it is clear
+         * that the rule is defined on the server. */
+         struct gpo_map_option_entry entry = gpo_map_option_entries[i];
+ 
+         allow_key = entry.allow_key;
+@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                       allow_key, ret, sss_strerror(ret));
+                 goto done;
+             } else if (ret != ENOENT) {
+                const char *value = allow_value ? allow_value : empty_val;
+                 ret = sysdb_gpo_store_gpo_result_setting(domain,
+                                                          allow_key,
+-                                                         allow_value);
+                                                         value);
+                 if (ret != EOK) {
+                     DEBUG(SSSDBG_CRIT_FAILURE,
+                           "sysdb_gpo_store_gpo_result_setting failed for key:"
+@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+                       deny_key, ret, sss_strerror(ret));
+                 goto done;
+             } else if (ret != ENOENT) {
+                const char *value = deny_value ? deny_value : empty_val;
+                 ret = sysdb_gpo_store_gpo_result_setting(domain,
+                                                          deny_key,
+-                                                         deny_value);
+                                                         value);
+                 if (ret != EOK) {
+                     DEBUG(SSSDBG_CRIT_FAILURE,
+                           "sysdb_gpo_store_gpo_result_setting failed for key:"
+-- 
+2.14.3
+
--- a/sssd.spec
+++ b/sssd.spec
@ -88,6 +88,7 @@ Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
 Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
 Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
 Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
+Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch

 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
 Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1310,6 +1311,8 @@ fi
 - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
                            set.
 - Document which principal does the AD provider use
+- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
+                            defined, but contains no SIDs

 * Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
 - Resolves: upstream#3573 - sssd won't show netgroups with blank domain