From ad058011b6b75b15c674be46a3ae9b3cc5228175 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>
Date: Wed, 17 Oct 2018 16:57:20 +0200
Subject: [PATCH] GPO: Add option ad_gpo_ignore_unreadable
|
Add option to ignore group policy containers in AD
with unreadable or missing attributes. This is
for the case when server contains GPOs that
have very strict permissions on their attributes
in AD but are unrelated to access control.
|
Rather than using this option it is better to
change the permissions on the AD objects but
that may not be always possible (company policy,
not access to server etc.).
|
Resolves:
https://pagure.io/SSSD/sssd/issue/3867
CVE-2018-16838
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit 2f27dd9f05c2d3ed1c190ba387bc97738988efb0)
---
src/config/cfg_rules.ini | 1 +
src/man/sssd-ad.5.xml | 19 ++++++++++
src/providers/ad/ad_common.h | 1 +
src/providers/ad/ad_gpo.c | 67 +++++++++++++++++++++++++++++++++---
src/providers/ad/ad_opts.c | 1 +
5 files changed, 85 insertions(+), 4 deletions(-)
|
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
841ac7 |
index 887428437..603211711 100644
|
|
|
841ac7 |
--- a/src/config/cfg_rules.ini
|
|
|
841ac7 |
+++ b/src/config/cfg_rules.ini
|
|
|
841ac7 |
@@ -439,6 +439,7 @@ option = ad_enabled_domains
|
|
|
841ac7 |
option = ad_enable_gc
|
|
|
841ac7 |
option = ad_gpo_access_control
|
|
|
841ac7 |
option = ad_gpo_implicit_deny
|
|
|
841ac7 |
+option = ad_gpo_ignore_unreadable
|
|
|
841ac7 |
option = ad_gpo_cache_timeout
|
|
|
841ac7 |
option = ad_gpo_default_right
|
|
|
841ac7 |
option = ad_gpo_map_batch
|
|
|
841ac7 |
diff --git a/src/man/sssd-ad.5.xml b/src/man/sssd-ad.5.xml
|
|
|
841ac7 |
index f9b7f7667..b14f07f7f 100644
|
|
|
841ac7 |
--- a/src/man/sssd-ad.5.xml
|
|
|
841ac7 |
+++ b/src/man/sssd-ad.5.xml
|
|
|
841ac7 |
@@ -437,6 +437,25 @@ DOM:dom1:(memberOf:1.2.840.113556.1.4.1941:=cn=nestedgroup,ou=groups,dc=example,
|
|
|
841ac7 |
</listitem>
|
|
|
841ac7 |
</varlistentry>
|
|
|
841ac7 |
|
|
|
841ac7 |
+ <varlistentry>
|
|
|
841ac7 |
+ <term>ad_gpo_ignore_unreadable (boolean)</term>
|
|
|
841ac7 |
+ <listitem>
|
|
|
841ac7 |
+ <para>
|
|
|
841ac7 |
+ Normally when some group policy containers (AD
|
|
|
841ac7 |
+ object) of applicable group policy objects are
|
|
|
841ac7 |
+ not readable by SSSD then users are denied access.
|
|
|
841ac7 |
+ This option allows to ignore group policy
|
|
|
841ac7 |
+ containers and with them associated policies
|
|
|
841ac7 |
+ if their attributes in group policy containers
|
|
|
841ac7 |
+ are not readable for SSSD.
|
|
|
841ac7 |
+ </para>
|
|
|
841ac7 |
+ <para>
|
|
|
841ac7 |
+ Default: False
|
|
|
841ac7 |
+ </para>
|
|
|
841ac7 |
+ </listitem>
|
|
|
841ac7 |
+ </varlistentry>
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+
|
|
|
841ac7 |
|
|
|
841ac7 |
<varlistentry>
|
|
|
841ac7 |
<term>ad_gpo_cache_timeout (integer)</term>
|
|
|
841ac7 |
diff --git a/src/providers/ad/ad_common.h b/src/providers/ad/ad_common.h
|
|
|
841ac7 |
index 2c52c997a..529753a8a 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_common.h
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_common.h
|
|
|
841ac7 |
@@ -53,6 +53,7 @@ enum ad_basic_opt {
|
|
|
841ac7 |
AD_ENABLE_GC,
|
|
|
841ac7 |
AD_GPO_ACCESS_CONTROL,
|
|
|
841ac7 |
AD_GPO_IMPLICIT_DENY,
|
|
|
841ac7 |
+ AD_GPO_IGNORE_UNREADABLE,
|
|
|
841ac7 |
AD_GPO_CACHE_TIMEOUT,
|
|
|
841ac7 |
AD_GPO_MAP_INTERACTIVE,
|
|
|
841ac7 |
AD_GPO_MAP_REMOTE_INTERACTIVE,
|
|
|
841ac7 |
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
|
|
|
841ac7 |
index 3b472e0e9..5f85910a9 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_gpo.c
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_gpo.c
|
|
|
841ac7 |
@@ -3603,6 +3603,7 @@ struct ad_gpo_process_gpo_state {
|
|
|
841ac7 |
struct ad_access_ctx *access_ctx;
|
|
|
841ac7 |
struct tevent_context *ev;
|
|
|
841ac7 |
struct sdap_id_op *sdap_op;
|
|
|
841ac7 |
+ struct dp_option *ad_options;
|
|
|
841ac7 |
struct sdap_options *opts;
|
|
|
841ac7 |
char *server_hostname;
|
|
|
841ac7 |
struct sss_domain_info *host_domain;
|
|
|
841ac7 |
@@ -3647,6 +3648,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx,
|
|
|
841ac7 |
|
|
|
841ac7 |
state->ev = ev;
|
|
|
841ac7 |
state->sdap_op = sdap_op;
|
|
|
841ac7 |
+ state->ad_options = access_ctx->ad_options;
|
|
|
841ac7 |
state->opts = opts;
|
|
|
841ac7 |
state->server_hostname = server_hostname;
|
|
|
841ac7 |
state->host_domain = host_domain;
|
|
|
841ac7 |
@@ -3871,6 +3873,54 @@ static bool machine_ext_names_is_blank(char *attr_value)
|
|
|
841ac7 |
return true;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
|
|
|
841ac7 |
+static errno_t
|
|
|
841ac7 |
+ad_gpo_missing_or_unreadable_attr(struct ad_gpo_process_gpo_state *state,
|
|
|
841ac7 |
+ struct tevent_req *req)
|
|
|
841ac7 |
+{
|
|
|
841ac7 |
+ bool ignore_unreadable = dp_opt_get_bool(state->ad_options,
|
|
|
841ac7 |
+ AD_GPO_IGNORE_UNREADABLE);
|
|
|
841ac7 |
+
|
|
|
841ac7 |
+ if (ignore_unreadable) {
|
|
|
841ac7 |
+ /* If admins decided to skip GPOs with unreadable
|
|
|
841ac7 |
+ * attributes just log the SID of skipped GPO */
|
|
|
841ac7 |
+ DEBUG(SSSDBG_TRACE_FUNC,
|
|
|
841ac7 |
+ "Group Policy Container with DN [%s] has unreadable or missing "
|
|
|
841ac7 |
+ "attributes -> skipping this GPO "
|
|
|
841ac7 |
+ "(ad_gpo_ignore_unreadable = True)\n",
|
|
|
841ac7 |
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
|
|
|
841ac7 |
+ state->gpo_index++;
|
|
|
841ac7 |
+ return ad_gpo_get_gpo_attrs_step(req);
|
|
|
841ac7 |
+ } else {
|
|
|
841ac7 |
+ /* Inform in logs and syslog that this GPO can
|
|
|
841ac7 |
+ * not be processed due to unreadable or missing
|
|
|
841ac7 |
+ * attributes and point to possible server side
|
|
|
841ac7 |
+ * and client side solutions. */
|
|
|
841ac7 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
841ac7 |
+ "Group Policy Container with DN [%s] is unreadable or has "
|
|
|
841ac7 |
+ "unreadable or missing attributes. In order to fix this "
|
|
|
841ac7 |
+ "make sure that this AD object has following attributes "
|
|
|
841ac7 |
+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
|
|
|
841ac7 |
+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
|
|
|
841ac7 |
+ "Alternatively if you do not have access to the server or can "
|
|
|
841ac7 |
+ "not change permissions on this object, you can use option "
|
|
|
841ac7 |
+ "ad_gpo_ignore_unreadable = True which will skip this GPO."
|
|
|
841ac7 |
+ "See 'man ad_gpo_ignore_unreadable for details.'\n",
|
|
|
841ac7 |
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
|
|
|
841ac7 |
+ sss_log(SSSDBG_CRIT_FAILURE,
|
|
|
841ac7 |
+ "Group Policy Container with DN [%s] is unreadable or has "
|
|
|
841ac7 |
+ "unreadable or missing attributes. In order to fix this "
|
|
|
841ac7 |
+ "make sure that this AD object has following attributes "
|
|
|
841ac7 |
+ "readable: nTSecurityDescriptor, cn, gPCFileSysPath, "
|
|
|
841ac7 |
+ "gPCMachineExtensionNames, gPCFunctionalityVersion, flags. "
|
|
|
841ac7 |
+ "Alternatively if you do not have access to the server or can "
|
|
|
841ac7 |
+ "not change permissions on this object, you can use option "
|
|
|
841ac7 |
+ "ad_gpo_ignore_unreadable = True which will skip this GPO."
|
|
|
841ac7 |
+ "See 'man ad_gpo_ignore_unreadable for details.'\n",
|
|
|
841ac7 |
+ state->candidate_gpos[state->gpo_index]->gpo_dn);
|
|
|
841ac7 |
+ return EFAULT;
|
|
|
841ac7 |
+ }
|
|
|
841ac7 |
+}
|
|
|
841ac7 |
+
|
|
|
841ac7 |
static errno_t
|
|
|
841ac7 |
ad_gpo_sd_process_attrs(struct tevent_req *req,
|
|
|
841ac7 |
char *smb_host,
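Review bot: The two operator-facing messages in the `else` branch are mis-assembled: the literals `"... which will skip this GPO."` and `"See 'man ad_gpo_ignore_unreadable for details.'\n"` join as `GPO.See`, and there is no such manual page — the option is documented in sssd-ad(5) — so both copies should end `"ad_gpo_ignore_unreadable = True which will skip this GPO. "` `"See 'man sssd-ad' for details.\n"` (sharing one `#define` between the DEBUG and sss_log calls would also stop the two copies drifting apart). The skip branch logs only at SSSDBG_TRACE_FUNC, yet skipping a container drops whatever deny its policy would have enforced — this is the fail-open behaviour the CVE-2018-16838 fix removed, now re-enabled by configuration — so it should log at a level an administrator sees by default (e.g. SSSDBG_IMPORTANT_INFO) with a header comment stating that `ad_gpo_ignore_unreadable = True` weakens access control, and the comment above it says "log the SID" while the code logs the DN. `return EFAULT;` replaces the `ENOENT` the nt_sec_desc path used to return; if ENOENT carries a distinct meaning for the callers (this looks deliberate), a one-line comment saying so would keep the next maintainer from "correcting" it. Note that the ignore path advances `gpo_index` and re-enters `ad_gpo_get_gpo_attrs_step(req)` itself, so every caller must return its result without touching the current GPO again; `ad_gpo_sd_process_attrs`, whose signature closes this hunk, continues outside it.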
|
|
|
841ac7 |
@@ -3890,7 +3940,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
|
|
|
841ac7 |
|
|
|
841ac7 |
/* retrieve AD_AT_CN */
|
|
|
841ac7 |
ret = sysdb_attrs_get_string(result, AD_AT_CN, &gpo_guid);
|
|
|
841ac7 |
- if (ret != EOK) {
|
|
|
841ac7 |
+ if (ret == ENOENT) {
|
|
|
841ac7 |
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
|
|
|
841ac7 |
+ goto done;
|
|
|
841ac7 |
+ } else if (ret != EOK) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
841ac7 |
"sysdb_attrs_get_string failed: [%d](%s)\n",
|
|
|
841ac7 |
ret, sss_strerror(ret));
|
|
|
841ac7 |
@@ -3911,7 +3964,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
|
|
|
841ac7 |
AD_AT_FILE_SYS_PATH,
|
|
|
841ac7 |
&raw_file_sys_path);
|
|
|
841ac7 |
|
|
|
841ac7 |
- if (ret != EOK) {
|
|
|
841ac7 |
+ if (ret == ENOENT) {
|
|
|
841ac7 |
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
|
|
|
841ac7 |
+ goto done;
|
|
|
841ac7 |
+ } else if (ret != EOK) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
841ac7 |
"sysdb_attrs_get_string failed: [%d](%s)\n",
|
|
|
841ac7 |
ret, sss_strerror(ret));
|
|
|
841ac7 |
@@ -3959,7 +4015,10 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
|
|
|
841ac7 |
/* retrieve AD_AT_FLAGS */
|
|
|
841ac7 |
ret = sysdb_attrs_get_int32_t(result, AD_AT_FLAGS,
|
|
|
841ac7 |
&gp_gpo->gpo_flags);
|
|
|
841ac7 |
- if (ret != EOK) {
|
|
|
841ac7 |
+ if (ret == ENOENT) {
|
|
|
841ac7 |
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
|
|
|
841ac7 |
+ goto done;
|
|
|
841ac7 |
+ } else if (ret != EOK) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
841ac7 |
"sysdb_attrs_get_int32_t failed: [%d](%s)\n",
|
|
|
841ac7 |
ret, sss_strerror(ret));
|
|
|
841ac7 |
@@ -3977,7 +4036,7 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,
|
|
|
841ac7 |
if ((ret == ENOENT) || (el->num_values == 0)) {
|
|
|
841ac7 |
DEBUG(SSSDBG_OP_FAILURE,
|
|
|
841ac7 |
"nt_sec_desc attribute not found or has no value\n");
|
|
|
841ac7 |
- ret = ENOENT;
|
|
|
841ac7 |
+ ret = ad_gpo_missing_or_unreadable_attr(state, req);
|
|
|
841ac7 |
goto done;
|
|
|
841ac7 |
}
|
|
|
841ac7 |
|
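Review bot: The `DEBUG(SSSDBG_OP_FAILURE, "nt_sec_desc attribute not found or has no value\n")` kept above the new call now fires even when `ad_gpo_ignore_unreadable` is enabled, so an administrator who opted into skipping still gets an operation-failure entry for a condition their configuration treats as routine, followed by the helper's own skip or failure message. The three attribute checks this patch changes earlier in the same function call the helper without logging first; for consistency drop this DEBUG, or demote it to SSSDBG_TRACE_FUNC and let `ad_gpo_missing_or_unreadable_attr` be the single place that reports the problem. The branch still exits through `done:`, which lies outside this hunk, so whether the EFAULT or step result reaches the tevent callback unchanged cannot be confirmed from here; `ad_gpo_sd_process_attrs` continues beyond the hunk.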
|
|
841ac7 |
diff --git a/src/providers/ad/ad_opts.c b/src/providers/ad/ad_opts.c
|
|
|
841ac7 |
index b274ba9b3..c408295f3 100644
|
|
|
841ac7 |
--- a/src/providers/ad/ad_opts.c
|
|
|
841ac7 |
+++ b/src/providers/ad/ad_opts.c
|
|
|
841ac7 |
@@ -39,6 +39,7 @@ struct dp_option ad_basic_opts[] = {
|
|
|
841ac7 |
{ "ad_enable_gc", DP_OPT_BOOL, BOOL_TRUE, BOOL_TRUE },
|
|
|
841ac7 |
{ "ad_gpo_access_control", DP_OPT_STRING, { AD_GPO_ACCESS_MODE_DEFAULT }, NULL_STRING },
|
|
|
841ac7 |
{ "ad_gpo_implicit_deny", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
|
841ac7 |
+ { "ad_gpo_ignore_unreadable", DP_OPT_BOOL, BOOL_FALSE, BOOL_FALSE },
|
|
|
841ac7 |
{ "ad_gpo_cache_timeout", DP_OPT_NUMBER, { .number = 5 }, NULL_NUMBER },
|
|
|
841ac7 |
{ "ad_gpo_map_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
841ac7 |
{ "ad_gpo_map_remote_interactive", DP_OPT_STRING, NULL_STRING, NULL_STRING },
|
|
|
841ac7 |
--
|
|
|
841ac7 |
2.19.1