a8f3d2a gpo: gPCMachineExtensionNames with just whitespaces

1 file Authored by mzidek 7 years ago, Committed by jhrozek 7 years ago,
    gpo: gPCMachineExtensionNames with just whitespaces
    
    Resolves:
    https://fedorahosted.org/sssd/ticket/3114
    
    We failed GPO processing if the gPCMachineExtensionNames
    attribute contained just whitespaces. This caused
    failures in some server settings.
    
    Comment from Alexander Bokovoy quoting:
    
    You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when
    processing gPCMachineExtensionNames, "Group Policy processing terminates
    at the first <CSE GUIDn> out of sequence."
    Since ' ' (space only) does not fall into defined syntax for
    gPCMachineExtensionNames, this Group Policy processing is stopped and
    its CSE GUIDs are set to 'empty list'.
    
    Because of the 3.2.5.1.10 'Extension Protocol Sequences' language
    ------------------------------------------------------------------------
    The Group Policy client MUST evaluate the subset of the abstract element
    Filtered GPO list separately for each Group Policy extension by
    including in the subset only those GPOs whose gPCUserExtensionNames (for
    user policy mode) or gPCMachineExtensionNames (for computer policy mode)
    attributes contain CSE GUID that correspond to the Group Policy
    extension. If the CSE GUID corresponding to the Group Policy extension
    is present in Extension List, it is invoked using the
    Implementation Identifier field. Applicability is determined as
    specified in section 3.2.1.5. The Group Policy Registry Extension MUST
    always execute first. All other applicable Group Policy extensions in
    the Extension List MUST be loaded and executed in Extension List order.
    A failure in any Group Policy extension sequence MUST NOT affect the
    execution of other Group Policy extensions.
    -------------------------------------------------------------------------
    
    I think we can practically treat wrong content of
    gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the
    GPO to pass through the Filtered GPO list. Thus, the GPO would be
    ignored.
    
    Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
    Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
    (cherry picked from commit b1a8b4a1291529367b46c79eb02448eced3bf8d2)
    
        
file modified
+20 -1
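
The behaviour the commit message argues for, as an added example that is not SSSD's code and not part of this commit: a value that does not parse, including one made only of whitespace, yields an empty CSE list so the GPO is skipped instead of failing the whole run. Assumptions: the `[{CSE GUID}{tool GUID}...]` group syntax as I understand it from MS-GPOL, the hypothetical names `is_guid`, `parse_cse_guids` and `MAX_CSE`, and constructed sample GUIDs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define GUID_LEN 38 /* '{' + 36 characters + '}' */
#define MAX_CSE 16  /* hypothetical cap for this sketch */

/* True if p starts with a brace-wrapped GUID. Checks run left to right,
 * so a NUL fails a check before anything past it is read. */
static int is_guid(const char *p)
{
    if (p[0] != '{') return 0;
    for (int i = 1; i < GUID_LEN - 1; i++) {
        int dash = (i == 9 || i == 14 || i == 19 || i == 24);
        if (dash ? p[i] != '-' : !isxdigit((unsigned char)p[i])) return 0;
    }
    return p[GUID_LEN - 1] == '}';
}

/* Returns the number of CSE GUIDs (first GUID of each [...] group) copied
 * to out; 0 means "skip this GPO" (NULL, blank or malformed), not an error. */
int parse_cse_guids(const char *raw, char out[][GUID_LEN + 1], int max)
{
    int n = 0;
    const char *p = raw;
    if (p == NULL) return 0;
    while (isspace((unsigned char)*p)) p++;
    if (*p == '\0') return 0;               /* the whitespace-only case */
    while (*p == '[') {
        p++;
        if (n == max || !is_guid(p)) return 0;
        memcpy(out[n], p, GUID_LEN);
        out[n++][GUID_LEN] = '\0';
        p += GUID_LEN;
        while (is_guid(p)) p += GUID_LEN;   /* tool GUIDs are not needed */
        if (*p++ != ']') return 0;
    }
    while (isspace((unsigned char)*p)) p++; /* tolerate trailing blanks */
    return *p == '\0' ? n : 0;
}

int main(void)
{
    char cse[MAX_CSE][GUID_LEN + 1];
    /* Constructed sample values, not taken from a real directory. */
    printf("%d\n", parse_cse_guids(" ", cse, MAX_CSE));
    printf("%d\n", parse_cse_guids("[{11111111-2222-3333-4444-555555555555}"
           "{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]", cse, MAX_CSE));
    return 0;
}
```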