Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is defined, but contains no SIDs
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
parent
b6696d97c4
commit
a305fc11b7
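--- /dev/null
+++ b/0047-GPO-Fix-bug-with-empty-GPO-rules.patch
@@ -0,0 +1,77 @@
+From c83f6c6da3958475ca4782ffcb49fbc41f8c8f17 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
+Date: Wed, 11 Apr 2018 18:56:53 +0200
+Subject: [PATCH] GPO: Fix bug with empty GPO rules
+
+When two or more GPO rules were defined on the server
+and one of them contained no SIDs (no users or groups
+were specified), then SSSD failed to store such rule
+and users were denied access (system error).
+
+This patch changes the behavior so that in case
+there are no SIDs in the rule a special value is
+stored with the rule to indicate that the rule
+was actually specified, but this value will not
+match any real SID (because the rule should be
+empty).
+
+Resolves:
+https://pagure.io/SSSD/sssd/issue/3680
+
+Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
+(cherry picked from commit e6e5fe349aa6ed85eb9acb3273007fa90ee99450)
+---
+src/providers/ad/ad_gpo.c | 12 +++++++++---
+1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
+index a48f264c7..ae3329b90 100644
+--- a/src/providers/ad/ad_gpo.c
++++ b/src/providers/ad/ad_gpo.c
+@@ -1132,6 +1132,7 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+int i;
+char *allow_value = NULL;
+char *deny_value = NULL;
++ const char *empty_val = "NO_SID";
+const char *allow_key = NULL;
+const char *deny_key = NULL;
+TALLOC_CTX *tmp_ctx = NULL;
+@@ -1236,7 +1237,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+}
+
+for (i = 0; i < GPO_MAP_NUM_OPTS; i++) {
+-
++ /* The NO_SID val is used as special SID value for the case when
++ * no SIDs are found in the rule, but we need to store some
++ * value (SID) with the key (rule name) so that it is clear
++ * that the rule is defined on the server. */
+struct gpo_map_option_entry entry = gpo_map_option_entries[i];
+
+allow_key = entry.allow_key;
+@@ -1252,9 +1256,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+allow_key, ret, sss_strerror(ret));
+goto done;
+} else if (ret != ENOENT) {
++ const char *value = allow_value ? allow_value : empty_val;
+ret = sysdb_gpo_store_gpo_result_setting(domain,
+allow_key,
+- allow_value);
++ value);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+"sysdb_gpo_store_gpo_result_setting failed for key:"
+@@ -1278,9 +1283,10 @@ ad_gpo_store_policy_settings(struct sss_domain_info *domain,
+deny_key, ret, sss_strerror(ret));
+goto done;
+} else if (ret != ENOENT) {
++ const char *value = deny_value ? deny_value : empty_val;
+ret = sysdb_gpo_store_gpo_result_setting(domain,
+deny_key,
+- deny_value);
++ value);
+if (ret != EOK) {
+DEBUG(SSSDBG_CRIT_FAILURE,
+"sysdb_gpo_store_gpo_result_setting failed for key:"
+--
+2.14.3
+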
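Review bot: The "NO_SID" sentinel introduced at the top of ad_gpo_store_policy_settings is a bare string literal in a local variable, while the comment that explains it is attached to the `struct gpo_map_option_entry entry` declaration inside the loop rather than to `empty_val` itself, and the allow and deny branches then repeat the same fallback. A single file-scope named constant, defined once beside that comment and reused in both `value = ... : empty_val` lines, would make the contract easy to find, e.g. `static const char *const empty_val = "NO_SID"; /* stored when a rule defines no SIDs; never equals a real SID, which always begins with "S-" */`. The code that later reads these stored settings and compares them against a user's SIDs is outside this patch, so I cannot confirm from here that it treats a rule holding only the sentinel as defined-but-empty (no match for an allow rule, no effect for a deny rule); that invariant is what the sentinel relies on and belongs in the comment. The function's body begins and ends outside the hunks.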
@ -88,6 +88,7 @@ Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
|
|||||||
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
|
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
|
||||||
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
|
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
|
||||||
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
|
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
|
||||||
|
Patch0047: 0047-GPO-Fix-bug-with-empty-GPO-rules.patch
|
||||||
|
|
||||||
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
Patch0502: 0502-SYSTEMD-Use-capabilities.patch
|
||||||
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
|
||||||
@ -1310,6 +1311,8 @@ fi
|
|||||||
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
|
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
|
||||||
set.
|
set.
|
||||||
- Document which principal does the AD provider use
|
- Document which principal does the AD provider use
|
||||||
|
- Resolves: upstream#3680 - GPO: SSSD fails to process GPOs If a rule is
|
||||||
|
defined, but contains no SIDs
|
||||||
|
|
||||||
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
|
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
|
||||||
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
|
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain
|
||||||
|