From 662af3eaefdb11aff02947c0d34d31ba37c7b09c Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Michal=20=C5=BDidek?= <mzidek@redhat.com>

Date: Fri, 29 Jul 2016 16:09:16 +0200

Subject: [PATCH 87/87] gpo: gPCMachineExtensionNames with just whitespaces

Resolves:

https://fedorahosted.org/sssd/ticket/3114

We failed GPO procesing if the gPCMachineExtensionNames

attribute contained just whitespaces. This coused

failures in some server settings.

Comment from Alexander Bokovoy quoting:

You should use MS-GPOL spec. 2.2.4 'GPO Search' section says that when

processing gPCMachineExtensionNames, "Group Policy processing terminates

at the first <CSE GUIDn> out of sequence."

Since ' ' (space only) does not fall into defined syntax for

gPCMachineExtensionNames, this Group Policy processing is stopped and

its CSE GUIDs are set to 'empty list'.

Because of the 3.2.5.1.10 'Extension Protocol Sequences' language

------------------------------------------------------------------------

The Group Policy client MUST evaluate the subset of the abstract element

Filtered GPO list separately for each Group Policy extension by

including in the subset only those GPOs whose gPCUserExtensionNames (for

user policy mode) or gPCMachineExtensionNames (for computer policy mode)

attributes contain CSE GUID that correspond to the Group Policy

extension. If the CSE GUID corresponding to the Group Policy extension

is present in Extension List, it is invoked using the

Implementation Identifier field. Applicability is determined as

specified in section 3.2.1.5. The Group Policy Registry Extension MUST

always execute first. All other applicable Group Policy extensions in

the Extension List MUST be loaded and executed in Extension List order.

A failure in any Group Policy extension sequence MUST NOT affect the

execution of other Group Policy extensions.

-------------------------------------------------------------------------

I think we can practically treat wrong content of

gPCMachineExtensionNames (and gPCUserExtensionNames) as inability of the

GPO to pass through the Filtered GPO list. Thus, the GPO would be

ignored.

Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>

---

 src/providers/ad/ad_gpo.c | 21 ++++++++++++++++++++-

 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c

index f609d28136918adfe6a8d5e95319b27ffcab79c0..63c68ce35922ca0407ae6ea32c0a78100e14504b 100644

--- a/src/providers/ad/ad_gpo.c

+++ b/src/providers/ad/ad_gpo.c

@@ -3765,6 +3765,24 @@ done:

    }

 }

+static bool machine_ext_names_is_blank(char *attr_value)

+{

+    char *ptr;

+

+    if (attr_value == NULL) {

+        return true;

+    }

+

+    ptr = attr_value;

+    for (; *ptr != '\0'; ptr++) {

+        if (!isspace(*ptr)) {

+            return false;

+        }

+    }

+

+    return true;

+}

+

 static errno_t

 ad_gpo_sd_process_attrs(struct tevent_req *req,

                         char *smb_host,

@@ -3880,7 +3898,8 @@ ad_gpo_sd_process_attrs(struct tevent_req *req,

         goto done;

     }

-    if ((ret == ENOENT) || (el->num_values == 0)) {

+    if ((ret == ENOENT) || (el->num_values == 0)

+            || machine_ext_names_is_blank((char *) el[0].values[0].data)) {

         /*

          * if gpo has no machine_ext_names (which is perfectly valid: it could

          * have only user_ext_names, for example), we continue to next gpo

-- 

2.4.11