From a06bf788585f5fc14ba16d132665401a7ce7eb35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Po=C5=82awski?=
Date: Thu, 28 May 2020 12:12:58 +0200
Subject: [PATCH] AD: Enforcing GPO rule restriction on user
This fixes bug related to ad_gpo_implicit_deny option set to True. gpo_implict_denay was checked only for dacl_filtered_gpos, but not for cse_filtered_gpos.
Resolves: https://github.com/SSSD/sssd/issues/5181
Reviewed-by: Sumit Bose
---
 src/providers/ad/ad_gpo.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 53560a754..2c6aa7fa6 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -2541,7 +2541,16 @@ ad_gpo_process_gpo_done(struct tevent_req *subreq)
 /* no gpos contain "SecuritySettings" cse_guid, nothing to enforce */
 DEBUG(SSSDBG_TRACE_FUNC,
 "no applicable gpos found after cse_guid filtering\n");
- ret = EOK;
+
+ if (state->gpo_implicit_deny == true) {
+ DEBUG(SSSDBG_TRACE_FUNC,
+ "No applicable GPOs have been found and ad_gpo_implicit_deny"
+ " is set to 'true'. The user will be denied access.\n");
+ ret = ERR_ACCESS_DENIED;
+ } else {
+ ret = EOK;
+ }
+
 goto done;
 }
 
--
2.21.3
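Review bot: The context comment at the top of the hunk still says "nothing to enforce", but with the added branch this path returns ERR_ACCESS_DENIED whenever `state->gpo_implicit_deny` is set, so the comment now contradicts the access decision made directly below it. I would reword it to `/* no gpos contain "SecuritySettings" cse_guid: allow, unless ad_gpo_implicit_deny is set */`. The commit message says the same check already exists on the dacl_filtered_gpos path, which is not visible here; if the two blocks are indeed identical, a small static helper that maps "no applicable GPOs" to EOK or ERR_ACCESS_DENIED would keep the fail-closed decision in one place and stop a future filter stage from missing it the way this one did. The denial itself is logged only at SSSDBG_TRACE_FUNC, which is easy to miss when an administrator is diagnosing why a user was locked out, so a more visible debug level for the deny branch is worth considering. The enclosing function starts and ends outside the hunk.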