From b025f8a22cab47ac1f705a872917e3da0799fdd9 Mon Sep 17 00:00:00 2001
|
|
From: Stephen Gallagher <sgallagh@redhat.com>
|
|
Date: Fri, 10 Apr 2015 16:34:37 -0400
|
|
Subject: [PATCH 64/99] AD GPO: Always look up GPOs from machine domain
|
|
|
|
When dealing with users from a child domain, SSSD was attempting to use
|
|
the subdomain for lookups. However, all GPOs applicable to this machine
|
|
are stored in the primary domain (the domain the host directly joined).
|
|
|
|
This patch has the GPO processing use the primary domain instead of the
|
|
user domain.
|
|
|
|
Resolves:
|
|
https://fedorahosted.org/sssd/ticket/2606
|
|
|
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
(cherry picked from commit 475d986b534c5e0dfdb8e2348ab89b13fd4874aa)
|
|
---
|
|
src/providers/ad/ad_gpo.c | 54 +++++++++++++++++++++++++++++------------------
|
|
1 file changed, 33 insertions(+), 21 deletions(-)
|
|
|
|
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
index 54e5545a57b7e697f730431ae35a95ccabbe21db..990acf94ae6d8fbd8f0e512354d22e1d0a71c292 100644
|
|
--- a/src/providers/ad/ad_gpo.c
|
|
+++ b/src/providers/ad/ad_gpo.c
|
|
@@ -1401,7 +1401,8 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
|
enum gpo_access_control_mode gpo_mode,
|
|
enum gpo_map_type gpo_map_type,
|
|
const char *user,
|
|
- struct sss_domain_info *domain)
|
|
+ struct sss_domain_info *user_domain,
|
|
+ struct sss_domain_info *host_domain)
|
|
{
|
|
int ret;
|
|
const char *allow_key = NULL;
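Review bot: The new signature splits the single domain into two parameters without saying which one is used for what, and the later hunks show they serve different roles: host_domain is the domain whose cached policy settings are read (the two parse_policy_setting_value calls in the next hunks), while user_domain is what ad_gpo_access_check receives to evaluate the user against the resultant allow/deny SIDs. If the function has a header comment above this hunk, I would extend it with `@param user_domain  domain the user being authorized belongs to (may be a trusted/child domain)` and `@param host_domain  domain this host is joined to; GPO policy settings are looked up there`. The same applies to process_offline_gpos further down, which gains the same two parameters. The body of ad_gpo_perform_hbac_processing continues outside the hunk.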
|
|
@@ -1416,7 +1417,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
|
deny_key = gpo_map_option_entries[gpo_map_type].deny_key;
|
|
DEBUG(SSSDBG_TRACE_ALL, "deny_key: %s\n", deny_key);
|
|
|
|
- ret = parse_policy_setting_value(mem_ctx, domain, allow_key,
|
|
+ ret = parse_policy_setting_value(mem_ctx, host_domain, allow_key,
|
|
&allow_sids, &allow_size);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
@@ -1426,7 +1427,7 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
|
goto done;
|
|
}
|
|
|
|
- ret = parse_policy_setting_value(mem_ctx, domain, deny_key,
|
|
+ ret = parse_policy_setting_value(mem_ctx, host_domain, deny_key,
|
|
&deny_sids, &deny_size);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
@@ -1437,8 +1438,9 @@ ad_gpo_perform_hbac_processing(TALLOC_CTX *mem_ctx,
|
|
}
|
|
|
|
/* perform access check with the final resultant allow_sids and deny_sids */
|
|
- ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user, domain,
|
|
- allow_sids, allow_size, deny_sids, deny_size);
|
|
+ ret = ad_gpo_access_check(mem_ctx, gpo_mode, gpo_map_type, user,
|
|
+ user_domain, allow_sids, allow_size, deny_sids,
|
|
+ deny_size);
|
|
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
@@ -1463,7 +1465,8 @@ struct ad_gpo_access_state {
|
|
char *server_hostname;
|
|
struct sdap_options *opts;
|
|
int timeout;
|
|
- struct sss_domain_info *domain;
|
|
+ struct sss_domain_info *user_domain;
|
|
+ struct sss_domain_info *host_domain;
|
|
const char *user;
|
|
int gpo_timeout_option;
|
|
const char *ad_hostname;
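Review bot: The two new fields are undocumented, and since the rest of the patch uses them for different purposes (host_domain for every sysdb and LDAP operation, user_domain only for the DACL filtering and the final access check), a one-line comment on each would stop a later change from mixing them up again: `struct sss_domain_info *user_domain; /* domain of the user being checked */` and `struct sss_domain_info *host_domain; /* domain this host is joined to; all GPO lookups use it */`. The struct ad_gpo_access_state definition begins above this hunk.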
|
|
@@ -1556,8 +1559,13 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
|
}
|
|
}
|
|
|
|
+ /* GPO Operations all happen against the enrolled domain,
|
|
+ * not the user's domain (which may be a trusted realm)
|
|
+ */
|
|
+ state->user_domain = domain;
|
|
+ state->host_domain = get_domains_head(domain);
|
|
+
|
|
state->gpo_map_type = gpo_map_type;
|
|
- state->domain = domain;
|
|
state->dacl_filtered_gpos = NULL;
|
|
state->num_dacl_filtered_gpos = 0;
|
|
state->cse_filtered_gpos = NULL;
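Review bot: `state->host_domain = get_domains_head(domain);` encodes the assumption that the head of the domain list is the domain this host is joined to, but the comment above it only says "enrolled domain" and not why the list head is that domain. I would make the comment explicit, e.g. `/* GPO lookups always use the domain this host is joined to, which is the head of the domain list; the caller's domain may be a trusted subdomain of it */`. If get_domains_head can return NULL for a domain object that is not linked into the list, the unconditional `state->host_domain->sysdb` dereference in the following hunk would crash; if it cannot, a short note saying so next to the assignment is enough. ad_gpo_access_send begins above this hunk.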
|
|
@@ -1565,13 +1573,13 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx,
|
|
state->cse_gpo_index = 0;
|
|
state->ev = ev;
|
|
state->user = user;
|
|
- state->ldb_ctx = sysdb_ctx_get_ldb(domain->sysdb);
|
|
+ state->ldb_ctx = sysdb_ctx_get_ldb(state->host_domain->sysdb);
|
|
state->gpo_mode = ctx->gpo_access_control_mode;
|
|
state->gpo_timeout_option = ctx->gpo_cache_timeout;
|
|
state->ad_hostname = dp_opt_get_string(ctx->ad_options, AD_HOSTNAME);
|
|
state->opts = ctx->sdap_access_ctx->id_ctx->opts;
|
|
state->timeout = dp_opt_get_int(state->opts->basic, SDAP_SEARCH_TIMEOUT);
|
|
- state->conn = ad_get_dom_ldap_conn(ctx->ad_id_ctx, domain);
|
|
+ state->conn = ad_get_dom_ldap_conn(ctx->ad_id_ctx, state->host_domain);
|
|
state->sdap_op = sdap_id_op_create(state, state->conn->conn_cache);
|
|
if (state->sdap_op == NULL) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "sdap_id_op_create failed.\n");
|
|
@@ -1606,7 +1614,8 @@ static errno_t
|
|
process_offline_gpos(TALLOC_CTX *mem_ctx,
|
|
const char *user,
|
|
enum gpo_access_control_mode gpo_mode,
|
|
- struct sss_domain_info *domain,
|
|
+ struct sss_domain_info *user_domain,
|
|
+ struct sss_domain_info *host_domain,
|
|
enum gpo_map_type gpo_map_type)
|
|
|
|
{
|
|
@@ -1616,7 +1625,8 @@ process_offline_gpos(TALLOC_CTX *mem_ctx,
|
|
gpo_mode,
|
|
gpo_map_type,
|
|
user,
|
|
- domain);
|
|
+ user_domain,
|
|
+ host_domain);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
|
|
ret, sss_strerror(ret));
|
|
@@ -1662,7 +1672,8 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
|
ret = process_offline_gpos(state,
|
|
state->user,
|
|
state->gpo_mode,
|
|
- state->domain,
|
|
+ state->user_domain,
|
|
+ state->host_domain,
|
|
state->gpo_map_type);
|
|
|
|
if (ret == EOK) {
|
|
@@ -1714,11 +1725,11 @@ ad_gpo_connect_done(struct tevent_req *subreq)
|
|
DEBUG(SSSDBG_TRACE_FUNC, "sam_account_name is %s\n", sam_account_name);
|
|
|
|
/* Convert the domain name into domain DN */
|
|
- ret = domain_to_basedn(state, state->domain->name, &domain_dn);
|
|
+ ret = domain_to_basedn(state, state->host_domain->name, &domain_dn);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
"Cannot convert domain name [%s] to base DN [%d]: %s\n",
|
|
- state->domain->name, ret, sss_strerror(ret));
|
|
+ state->host_domain->name, ret, sss_strerror(ret));
|
|
goto done;
|
|
}
|
|
|
|
@@ -1837,7 +1848,7 @@ ad_gpo_target_dn_retrieval_done(struct tevent_req *subreq)
|
|
state->opts,
|
|
state->timeout,
|
|
state->target_dn,
|
|
- state->domain->name);
|
|
+ state->host_domain->name);
|
|
if (subreq == NULL) {
|
|
ret = ENOMEM;
|
|
goto done;
|
|
@@ -1939,7 +1950,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
|
goto done;
|
|
}
|
|
|
|
- ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->domain,
|
|
+ ret = ad_gpo_filter_gpos_by_dacl(state, state->user, state->user_domain,
|
|
state->opts->idmap_ctx->map,
|
|
candidate_gpos, num_candidate_gpos,
|
|
&state->dacl_filtered_gpos,
|
|
@@ -2014,7 +2025,7 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
|
|
* subsequent functions will add the GPO Result object (and populate it
|
|
* with resultant policy settings) for this policy application
|
|
*/
|
|
- ret = sysdb_gpo_delete_gpo_result_object(state, state->domain);
|
|
+ ret = sysdb_gpo_delete_gpo_result_object(state, state->host_domain);
|
|
if (ret != EOK) {
|
|
switch (ret) {
|
|
case ENOENT:
|
|
@@ -2085,7 +2096,7 @@ ad_gpo_cse_step(struct tevent_req *req)
|
|
DEBUG(SSSDBG_TRACE_FUNC, "retrieving GPO from cache [%s]\n",
|
|
cse_filtered_gpo->gpo_guid);
|
|
ret = sysdb_gpo_get_gpo_by_guid(state,
|
|
- state->domain,
|
|
+ state->host_domain,
|
|
cse_filtered_gpo->gpo_guid,
|
|
&res);
|
|
if (ret == EOK) {
|
|
@@ -2127,7 +2138,7 @@ ad_gpo_cse_step(struct tevent_req *req)
|
|
subreq = ad_gpo_process_cse_send(state,
|
|
state->ev,
|
|
send_to_child,
|
|
- state->domain,
|
|
+ state->host_domain,
|
|
cse_filtered_gpo->gpo_guid,
|
|
cse_filtered_gpo->smb_server,
|
|
cse_filtered_gpo->smb_share,
|
|
@@ -2180,7 +2191,7 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
|
* GPO CACHE, we store all of the supported keys present in the file
|
|
* (as part of the GPO Result object in the sysdb cache).
|
|
*/
|
|
- ret = ad_gpo_store_policy_settings(state->domain,
|
|
+ ret = ad_gpo_store_policy_settings(state->host_domain,
|
|
cse_filtered_gpo->policy_filename);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE,
|
|
@@ -2198,7 +2209,8 @@ ad_gpo_cse_done(struct tevent_req *subreq)
|
|
state->gpo_mode,
|
|
state->gpo_map_type,
|
|
state->user,
|
|
- state->domain);
|
|
+ state->user_domain,
|
|
+ state->host_domain);
|
|
if (ret != EOK) {
|
|
DEBUG(SSSDBG_OP_FAILURE, "HBAC processing failed: [%d](%s}\n",
|
|
ret, sss_strerror(ret));
|
|
--
|
|
2.4.0
|
|
|