Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
(cherry picked from commit a305fc11b7)
Fabiano Fidêncio 2018-04-27 22:02:36 +02:00
parent 15af9187cf
commit e45d803139
2 changed files with 80 additions and 0 deletions

@ -0,0 +1,77 @@
From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 11 Apr 2018 18:56:53 +0200
Subject: [PATCH] GPO: Fix bug with empty GPO rules
When two or more GPO rules were defined on the server
and one of them contained no SIDs (no users or groups
were specified), then SSSD failed to store such rule
and users were denied access (system error).
This patch changes the behavior so that in case
there are no SIDs in the rule a special value is
stored with the rule to indicate that the rule
was actually specified, but this value will not
match any real SID (because the rule should be
empty).
Resolves:
https://pagure.io/SSSD/sssd/issue/3680
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
---
src/providers/ad/ad_gpo.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index a48f264c7..ae3329b90 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
int i;
char *allow_value = NULL;
char *deny_value = NULL;
+ const char *empty_val = "NO_SID";
const char *allow_key = NULL;
const char *deny_key = NULL;
TALLOC_CTX *tmp_ctx = NULL;
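Review bot: `empty_val` is a function-local literal, but the `"NO_SID"` sentinel it introduces becomes part of what is persisted in sysdb and must be recognised by whatever later reads these settings back; defining it once in a shared header (for example `#define GPO_NO_SID_VALUE "NO_SID"`) keeps writer and reader in sync and makes the stored value easy to grep for. The description relies on the literal never colliding with a real SID, which holds because SID strings start with `S-1-`; that assumption is worth a one-line comment at the definition.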
@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
}
for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
-
+ /* The NO_SID val is used as special SID value for the case when
+ * no SIDs are found in the rule, but we need to store some
+ * value (SID) with the key (rule name) so that it is clear
+ * that the rule is defined on the server. */
struct gpo_map_option_entry entry = gpo_map_option_entries[i];
allow_key = entry.allow_key;
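Review bot: the explanatory comment is placed at the top of the loop body, above the `entry` lookup, while the value it describes is only consumed two hunks later in the allow and deny store calls; moving it next to the `empty_val` declaration, or next to the ternary that substitutes it, keeps the comment with the code it explains. Apart from that, the hunk only replaces the blank line that opened the loop body, so it changes no behaviour.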
@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
allow_key, ret, sss_strerror(ret));
goto done;
} else if (ret != ENOENT) {
+ const char *value = allow_value ? allow_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
allow_key,
- allow_value);
+ value);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
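Review bot: the fallback `allow_value ? allow_value : empty_val` assumes `allow_value` is NULL whenever the key was found but carried no SIDs; in the visible lines it is initialised to NULL once at function entry, not at the top of each loop iteration, so confirm the lookup clears it on that path or reset it explicitly before the lookup, otherwise a stale pointer from a previous rule would be stored under the wrong key. A `DEBUG(SSSDBG_TRACE_FUNC, ...)` line reporting that `NO_SID` is being stored for `allow_key` would also make an unexpectedly empty rule visible in the logs without raising the debug level.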
@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
deny_key, ret, sss_strerror(ret));
goto done;
} else if (ret != ENOENT) {
+ const char *value = deny_value ? deny_value : empty_val;
ret = sysdb_gpo_store_gpo_result_setting(domain,
deny_key,
- deny_value);
+ value);
if (ret != EOK) {
DEBUG(SSSDBG_CRIT_FAILURE,
"sysdb_gpo_store_gpo_result_setting failed for key:"
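Review bot: this is the allow-branch substitution duplicated verbatim for `deny_value`; a small static helper, or one local computed per iteration, would stop the two ternaries drifting apart. The commit message should also spell out, and the evaluator be checked for, what a stored `NO_SID` means downstream: the rule now counts as defined with no members, so an empty deny list denies nobody, while an empty allow list (if the evaluator requires an allow match) denies everyone by policy rather than by the previous system error, which is the fail-closed outcome.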
--
2.14.3

@ -88,6 +88,7 @@ Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
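Review bot: `Patch0047` is only declared here; if this spec applies patches through explicit `%patch` directives rather than `%autosetup`, a matching `%patch0047 -p1` line is needed in `%prep`, otherwise the fix is declared but never applied to the build. The number continues the upstream cherry-pick series (0043..0047) and stays clear of the 05xx downstream patches, which is consistent with the existing layout.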
@ -1310,6 +1311,8 @@ fi
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
set.
- Document which principal does the AD provider use
- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
defined, but contains no SIDs
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
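Review bot: the two new changelog lines are appended to an entry whose `*` header lies outside the hunk, and this commit changes no `Release:` tag (the summary shows 80 additions and 0 deletions across the patch file and the spec), so confirm that entry is the still-unreleased one rather than an already-built release. The mid-sentence capital "If" is carried over from the upstream issue title and could be lowercased in the changelog.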