From 8527ed113aba315061b3d54d8c5c803e290857b4 Mon Sep 17 00:00:00 2001 From: REIM THOMAS Date: Apr 29 2020 12:16:45 +0000 Subject: GPO: Support group policy file main folders with upper case name There are AD domain controller implementations that use upper case names for the main folder on SYSVOL under which group policy files and templates are stored. E. g. 'MACHINE' instead of 'Machine'. gpo_child uses library libsmbclient to copy group policy files from the AD domain controller into a local GPO cache directory. libsmbclient does not allow to request the domain controller to perform case insensitive SMB URI lookups, if SYSVOL is located on a case sensitive file system. If a group policy template is stored under main folder 'MACHINE' gpo_child cannot retrieve the policy data and exits with error code 2 (No such file or directory). GPO based access control fails with error 22 (Invalid argument) and users may not be able to login. GP_EXT_GUID_SECURITY_SUFFIX constant defines a case sensitive main folder name (/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf) for the policy template to retrieve. If the group policy file cannot be retrieved, gpo_child will now also try to retrieve the file using an upper case main folder name, i.e. /MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf. Resolves: https://pagure.io/SSSD/sssd/issue/3324 Signed-off-by: REIM THOMAS Signed-off-by: Thomas Reim Reviewed-by: Pawel Polawski Reviewed-by: Sumit Bose --- diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c index a0bd6e1..789b7fb 100644 --- a/src/providers/ad/ad_gpo_child.c +++ b/src/providers/ad/ad_gpo_child.c @@ -23,6 +23,7 @@ */ #include +#include #include #include #include @@ -529,6 +530,7 @@ copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx, const char *smb_cse_suffix) { char *smb_uri = NULL; + char *gpt_main_folder = NULL; SMBCFILE *file; int ret; uint8_t *buf = NULL; @@ -554,10 +556,41 @@ copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx, errno = 0; file = smbc_getFunctionOpen(smbc_ctx)(smbc_ctx, smb_uri, O_RDONLY, 0755); if (file == NULL) { - ret = errno; - DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionOpen failed [%d][%s]\n", - ret, strerror(ret)); - goto done; + // ENOENT: A directory component in pathname does not exist + if (errno == ENOENT) { + /* + * DCs may use upper case names for the main folder, where GPTs are + * stored. libsmbclient does not allow us to request case insensitive + * file name lookups on DCs with case sensitive file systems. + */ + gpt_main_folder = strstr(smb_uri, "/Machine/"); + if (gpt_main_folder == NULL) { + /* At this moment we do not use any GPO from user settings, + * but it can change in the future so let's keep the following + * line around to make this part of the code 'just work' also + * with the user GPO settings. */ + gpt_main_folder = strstr(smb_uri, "/User/"); + } + if (gpt_main_folder != NULL) { + ++gpt_main_folder; + while (gpt_main_folder != NULL && *gpt_main_folder != '/') { + *gpt_main_folder = toupper(*gpt_main_folder); + ++gpt_main_folder; + } + + DEBUG(SSSDBG_TRACE_FUNC, "smb_uri: %s\n", smb_uri); + + errno = 0; + file = smbc_getFunctionOpen(smbc_ctx)(smbc_ctx, smb_uri, O_RDONLY, 0755); + } + } + + if (file == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionOpen failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } } buf = talloc_array(tmp_ctx, uint8_t, SMB_BUFFER_SIZE);