Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a305fc11b7
)
This commit is contained in:
parent
15af9187cf
commit
e45d803139
77
0047-GPO-Fix-bug-with-empty-GPO-rules.patch
Normal file
77
0047-GPO-Fix-bug-with-empty-GPO-rules.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
|
||||
Date: Wed, 11 Apr 2018 18:56:53 +0200
|
||||
Subject: [PATCH] GPO: Fix bug with empty GPO rules
|
||||
|
||||
When two or more GPO rules were defined on the server
|
||||
and one of them contained no SIDs (no users or groups
|
||||
were specified), then SSSD failed to store such rule
|
||||
and users were denied access (system error).
|
||||
|
||||
This patch changes the behavior so that in case
|
||||
there are no SIDs in the rule a special value is
|
||||
stored with the rule to indicate that the rule
|
||||
was actually specified, but this value will not
|
||||
match any real SID (because the rule should be
|
||||
empty).
|
||||
|
||||
Resolves:
|
||||
https://pagure.io/SSSD/sssd/issue/3680
|
||||
|
||||
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
||||
(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
|
||||
---
|
||||
src/providers/ad/ad_gpo.c | 12 +++++++++---
|
||||
1 file changed, 9 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
||||
index a48f264c7..ae3329b90 100644
|
||||
--- a/src/providers/ad/ad_gpo.c
|
||||
+++ b/src/providers/ad/ad_gpo.c
|
||||
@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
int i;
|
||||
char *allow_value = NULL;
|
||||
char *deny_value = NULL;
|
||||
+ const char *empty_val = "NO_SID";
|
||||
const char *allow_key = NULL;
|
||||
const char *deny_key = NULL;
|
||||
TALLOC_CTX *tmp_ctx = NULL;
|
||||
@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
}
|
||||
|
||||
for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
|
||||
-
|
||||
+ /* The NO_SID val is used as special SID value for the case when
|
||||
+ * no SIDs are found in the rule, but we need to store some
|
||||
+ * value (SID) with the key (rule name) so that it is clear
|
||||
+ * that the rule is defined on the server. */
|
||||
struct gpo_map_option_entry entry = gpo_map_option_entries[i];
|
||||
|
||||
allow_key = entry.allow_key;
|
||||
@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
allow_key, ret, sss_strerror(ret));
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
+ const char *value = allow_value ? allow_value : empty_val;
|
||||
ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
allow_key,
|
||||
- allow_value);
|
||||
+ value);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
|
||||
deny_key, ret, sss_strerror(ret));
|
||||
goto done;
|
||||
} else if (ret != ENOENT) {
|
||||
+ const char *value = deny_value ? deny_value : empty_val;
|
||||
ret = sysdb_gpo_store_gpo_result_setting(domain,
|
||||
deny_key,
|
||||
- deny_value);
|
||||
+ value);
|
||||
if (ret != EOK) {
|
||||
DEBUG(SSSDBG_CRIT_FAILURE,
|
||||
"sysdb_gpo_store_gpo_result_setting failed for key:"
|
||||
--
|
||||
2.14.3
|
||||
|
@ -88,6 +88,7 @@ Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
|
||||
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
|
||||
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
|
||||
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
|
||||
Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
|
||||
|
||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
||||
@ -1310,6 +1311,8 @@ fi
|
||||
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
|
||||
set.
|
||||
- Document which principal does the AD provider use
|
||||
- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
|
||||
defined, but contains no SIDs
|
||||
|
||||
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
|
||||
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
|
||||
|
Loading…
Reference in New Issue
Block a user