From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?= <ppolawsk@redhat.com>
Date: Thu, 28 May 2020 12:12:58 +0200
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
This fixes bug related to ad_gpo_implicit_deny option set to True.
gpo_implicit_deny was checked only for dacl_filtered_gpos,
but not for cse_filtered_gpos.
Resolves:
https://github.com/SSSD/sssd/issues/5181
Reviewed-by: Sumit Bose <sbose@redhat.com>
---
src/providers/ad/ad_gpo.c | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 53560a754..2c6aa7fa6 100644
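--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
 DEBUG(SSSDBG_TRACE_FUNC,
 "no applicable gpos found after cse_guid filtering\n");
- ret = EOK;
+
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
 goto done;
 }
 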
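Review bot: The implicit-deny decision in the added `if (state->gpo_implicit_deny == true)` branch is now written out a second time, since the commit message says the dacl_filtered_gpos path already carries it, and the bug being fixed was exactly one early exit that lacked it. Only this hunk of ad_gpo_process_gpo_done is visible, so it is worth confirming that no other "no applicable GPOs" exit in the function still sets `ret = EOK` when ad_gpo_implicit_deny is true; routing all such exits through one shared check would keep them from diverging again. The denial itself is logged at `SSSDBG_TRACE_FUNC`, which is only emitted at verbose debug levels. An access decision that locks a user out is better logged at a level an administrator sees without raising verbosity, for example `DEBUG(SSSDBG_MINOR_FAILURE,` on that call, matching whatever level the dacl branch uses if it differs. A short comment above the branch, such as `/* implicit deny: absence of an applicable GPO must not grant access */`, would also record why the default here is deny.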
--
2.21.3