From dce025b882db7247571b135e928afb47f069a60f Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Feb 2020 06:54:21 +0100
Subject: [PATCH] GPO: fix link order in a SOM
GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
Resolves: https://github.com/SSSD/sssd/issues/5103
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/providers/ad/ad_gpo.c | 59 +++++++++++++++++++++++++++++----------
1 file changed, 45 insertions(+), 14 deletions(-)
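diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index bbe8d8a1e..1524c4bfc 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3511,14 +3511,19 @@ ad_gpo_process_som_recv(struct tevent_req *req,
 * - GPOs linked to an OU will be applied after GPOs linked to a Domain,
 * which will be applied after GPOs linked to a Site.
 * - multiple GPOs linked to a single SOM are applied in their link order
- * (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc).
+ * (i.e. 1st GPO linked to SOM is applied before 2nd GPO linked to SOM, etc).
 * - enforced GPOs are applied after unenforced GPOs.
 *
 * As such, the _candidate_gpos output's dn fields looks like (in link order):
- * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}]
+ * [unenforced {Site, Domain, OU}; enforced {OU, Domain, Site}]
 *
 * Note that in the case of conflicting policy settings, GPOs appearing later
- * in the list will trump GPOs appearing earlier in the list.
+ * in the list will trump GPOs appearing earlier in the list. Therefore the
+ * enforced GPOs are applied in revers order after the unenforced GPOs to
+ * make sure the enforced setting form the highest level will be applied.
+ *
+ * GPO processing details can be found e.g. at
+ * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
 */
 static errno_t
 ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
@@ -3542,6 +3547,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
 int i = 0;
 int j = 0;
 int ret;
+ size_t som_count = 0;
 
 tmp_ctx = talloc_new(NULL);
 if (tmp_ctx == NULL) {
@@ -3568,6 +3574,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
 }
 i++;
 }
+ som_count = i;
 
 num_candidate_gpos = num_enforced + num_unenforced;
 
@@ -3590,9 +3597,43 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
 goto done;
 }
 
+ i = som_count -1 ;
+ while (i >= 0) {
+ gp_som = som_list[i];
+
+ /* For unenforced_gpo_dns the most specific GPOs with the highest
+ * priority should be the last. We start with the top-level SOM and go
+ * down to the most specific one and add the unenforced following the
+ * gplink_list where the GPO with the highest priority comes last. */
+ j = 0;
+ while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+ gp_gplink = gp_som->gplink_list[j];
+
+ if (!gp_gplink->enforced) {
+ unenforced_gpo_dns[unenforced_idx] =
+ talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
+
+ if (unenforced_gpo_dns[unenforced_idx] == NULL) {
+ ret = ENOMEM;
+ goto done;
+ }
+ unenforced_idx++;
+ }
+ j++;
+ }
+ i--;
+ }
+
 i = 0;
 while (som_list[i]) {
 gp_som = som_list[i];
+
+ /* For enforced GPOs we start processing with the most specific SOM to
+ * make sur enforced GPOs from higher levels override to lower level
+ * ones. According to the 'Group Policy Inheritance' tab in the
+ * Windows 'Goup Policy Management' utility in the same SOM the link
+ * order is still observed and an enforced GPO with a lower link order
+ * value still overrides an enforced GPO with a higher link order. */
 j = 0;
 while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
 gp_gplink = gp_som->gplink_list[j];
@@ -3610,16 +3651,6 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
 goto done;
 }
 enforced_idx++;
- } else {
-
- unenforced_gpo_dns[unenforced_idx] =
- talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
-
- if (unenforced_gpo_dns[unenforced_idx] == NULL) {
- ret = ENOMEM;
- goto done;
- }
- unenforced_idx++;
 }
 j++;
 }
@@ -3638,7 +3669,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
 }
 
 gpo_dn_idx = 0;
- for (i = num_unenforced - 1; i >= 0; i--) {
+ for (i = 0; i < num_unenforced; i++) {
 candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
 if (candidate_gpos[gpo_dn_idx] == NULL) {
 ret = ENOMEM;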
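Review bot: `i = som_count -1 ;` at the top of the new unenforced loop assigns a `size_t` expression to the `int` counter `i`; when `som_count` is 0 the subtraction wraps to SIZE_MAX and narrowing that into `i` is implementation-defined (it yields -1 on the usual two's-complement targets, which is what `while (i >= 0)` silently depends on), and the line trips -Wconversion. Since `som_count` is only ever assigned from `i` (`som_count = i;` in the earlier hunk), declaring it `int som_count = 0;` — or writing `i = (int)som_count - 1;` — makes the bound explicit and drops the odd spacing. The two new comment blocks also carry typos worth fixing while here: `revers order` → `reverse order` and `setting form the highest level` → `setting from the highest level` in the function header, and `make sur` → `make sure`, `Goup Policy Management` → `Group Policy Management` in the enforced-loop comment. ad_gpo_populate_candidate_gpos starts and ends outside the shown hunks.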
--
2.21.3