From 7cf6b86408e53c5c2c5f6da89aef3dec68223c59 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 27 Feb 2020 06:54:21 +0100
Subject: [PATCH] GPO: fix link order in a SOM

GPOs of the same OU were applied in the wrong order. Details about how
GPOs should be processed can be found e.g. at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)

Resolves: https://github.com/SSSD/sssd/issues/5103

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit dce025b882db7247571b135e928afb47f069a60f)
---
 src/providers/ad/ad_gpo.c | 59 +++++++++++++++++++++++++++++----------
 1 file changed, 45 insertions(+), 14 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 5f85910a9..4b991783b 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -3183,14 +3183,19 @@ ad_gpo_process_som_recv(struct tevent_req *req,
  * - GPOs linked to an OU will be applied after GPOs linked to a Domain,
  *   which will be applied after GPOs linked to a Site.
  * - multiple GPOs linked to a single SOM are applied in their link order
- *   (i.e. 1st GPO linked to SOM is applied after 2nd GPO linked to SOM, etc).
+ *   (i.e. 1st GPO linked to SOM is applied before 2nd GPO linked to SOM, etc).
  * - enforced GPOs are applied after unenforced GPOs.
  *
  * As such, the _candidate_gpos output's dn fields looks like (in link order):
- * [unenforced {Site, Domain, OU}; enforced {Site, Domain, OU}]
+ * [unenforced {Site, Domain, OU}; enforced {OU, Domain, Site}]
  *
  * Note that in the case of conflicting policy settings, GPOs appearing later
- * in the list will trump GPOs appearing earlier in the list.
+ * in the list will trump GPOs appearing earlier in the list. Therefore the
+ * enforced GPOs are applied in revers order after the unenforced GPOs to
+ * make sure the enforced setting form the highest level will be applied.
+ *
+ * GPO processing details can be found e.g. at
+ * https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
  */
 static errno_t
 ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
@@ -3214,6 +3219,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
     int i = 0;
     int j = 0;
     int ret;
+    size_t som_count = 0;
 
     tmp_ctx = talloc_new(NULL);
     if (tmp_ctx == NULL) {
@@ -3240,6 +3246,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
         }
         i++;
     }
+    som_count = i;
 
     num_candidate_gpos = num_enforced + num_unenforced;
 
@@ -3262,9 +3269,43 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
         goto done;
     }
 
+    i = som_count -1 ;
+    while (i >= 0) {
+        gp_som = som_list[i];
+
+        /* For unenforced_gpo_dns the most specific GPOs with the highest
+         * priority should be the last. We start with the top-level SOM and go
+         * down to the most specific one and add the unenforced following the
+         * gplink_list where the GPO with the highest priority comes last. */
+        j = 0;
+        while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
+                gp_gplink = gp_som->gplink_list[j];
+
+                if (!gp_gplink->enforced) {
+                    unenforced_gpo_dns[unenforced_idx] =
+                        talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
+
+                    if (unenforced_gpo_dns[unenforced_idx] == NULL) {
+                        ret = ENOMEM;
+                        goto done;
+                    }
+                    unenforced_idx++;
+                }
+                j++;
+        }
+        i--;
+    }
+
     i = 0;
     while (som_list[i]) {
         gp_som = som_list[i];
+
+        /* For enforced GPOs we start processing with the most specific SOM to
+         * make sur enforced GPOs from higher levels override to lower level
+         * ones. According to the 'Group Policy Inheritance' tab in the
+         * Windows 'Goup Policy Management' utility in the same SOM the link
+         * order is still observed and an enforced GPO with a lower link order
+         * value still overrides an enforced GPO with a higher link order. */
         j = 0;
         while (gp_som && gp_som->gplink_list && gp_som->gplink_list[j]) {
             gp_gplink = gp_som->gplink_list[j];
@@ -3282,16 +3323,6 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
                     goto done;
                 }
                 enforced_idx++;
-            } else {
-
-                unenforced_gpo_dns[unenforced_idx] =
-                    talloc_steal(unenforced_gpo_dns, gp_gplink->gpo_dn);
-
-                if (unenforced_gpo_dns[unenforced_idx] == NULL) {
-                    ret = ENOMEM;
-                    goto done;
-                }
-                unenforced_idx++;
             }
             j++;
         }
@@ -3310,7 +3341,7 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx,
     }
 
     gpo_dn_idx = 0;
-    for (i = num_unenforced - 1; i >= 0; i--) {
+    for (i = 0; i < num_unenforced; i++) {
         candidate_gpos[gpo_dn_idx] = talloc_zero(candidate_gpos, struct gp_gpo);
         if (candidate_gpos[gpo_dn_idx] == NULL) {
             ret = ENOMEM;
-- 
2.21.1