authpolicy: Handle GPOs blocking inheritance
Issue description
Blocking GPO inheritance on an OU level does not work as expected. Inheritance blocking is supposed to block GPOs from all parent levels. You can set inheritance blocking by right-clicking on an OU.
Imagine the AD structure is:
Domain
- GPO1
- OU1
+ GPO2
If OU1 does NOT have the 'Block Inheritance' flag set, both GPO1 and GPO2 should apply to OU1. That works as intended.
If OU1 has the 'Block Inheritance' flag set, only GPO2 should apply; GPO1 should be blocked. That does not work. What's actually happening is that GPO1 is applied and GPO2 is blocked.
From looking at libgpo/gpo_ldap.c, ads_get_gpo_list(), it seems like there are two separate issues:
1) (S)ites and (D)omains are handled before (O)rganizational(U)nits. Hence, if GPOPTIONS_BLOCK_INHERITANCE is encountered when parsing an OU, it won't apply to the domain anymore.
2) add_only_forced_gpos is set to true before adding the GPOs of an OU. Thus, GPOs of the same OU get blocked.
May 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b58604f37018d4e44e8cfe11c949707ad9c4b21d

commit b58604f37018d4e44e8cfe11c949707ad9c4b21d
Author: Lutz Justen <ljusten@chromium.org>
Date: Sun May 14 23:24:02 2017

samba: Add patches for net ads gpo list

Adds three patches that fix issues with the gpo list of the net ads tool.

samba-4.5.3-reorder_ads_get_gpo_list.patch: Changes order to match GPO application order. The order of GPOs in a gpo_list generated by ads_get_gpo_list did not match the order of application. Since GPOs are pushed to the FRONT of gpo_list, GPOs have to be pushed in the opposite order of application. (Pushing to front is useful to get inheritance blocking right).

samba-4.5.3-fix_block_inheritance.patch: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE. GP links with the GPOPTIONS_BLOCK_INHERITANCE option set were blocking GPOs from the same link (i.e. an OU with the flag set would block its own GPOs). This CL makes sure the GPOs from the link are added to the list.

samba-4.5.3-list_forced_gpos_last: ads_get_gpo_list: Put enforced GPOs at the end of the list. Enforced GPOs should be applied on top of all non-enforced GPOs, so that they override policies set in non-enforced GPOs.

BUG=chromium:710469, chromium:710434, chromium:708476
TEST=Made sure that GPO order matches application order.

Change-Id: Idf5aaf70d2725b10021ca8f1bc939edd13d1e52a
Reviewed-on: https://chromium-review.googlesource.com/480092
Commit-Ready: Lutz Justen <ljusten@chromium.org>
Tested-by: Lutz Justen <ljusten@chromium.org>
Reviewed-by: Zentaro Kavanagh <zentaro@google.com>

[add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-list_forced_gpos_last.patch
[add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-fix_block_inheritance.patch
[modify] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/samba-4.5.3.ebuild
[rename] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/samba-4.5.3-r7.ebuild
[add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-reorder_ads_get_gpo_list.patch
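The GPO list construction that the issue description (the two ordering/blocking bugs) and the commit message above (walk so that pushing to the front yields application order, add a blocking container's own links before raising the block flag, list enforced GPOs last) both describe, as an added Python model that is not part of the bug report or of Samba's libgpo. `Container`, `GPLink`, `resultant_gpos`, `buggy_resultant_gpos` and the two sample trees are constructed for this illustration; the link order within a container and the rule that an enforced link higher in the hierarchy overrides a lower enforced one are assumptions stated in the comments, not something the page itself spells out.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class GPLink:
    """One entry of a container's gPLink: a GPO plus its 'Enforced' flag."""
    gpo: str
    enforced: bool = False


@dataclass
class Container:
    """A site, domain or OU (hypothetical model). `links` are assumed to be listed
    in application order (within one container the later entry overrides the
    earlier one); `block_inheritance` models the 'Block Inheritance' option
    (GPOPTIONS_BLOCK_INHERITANCE on the OU's gPOptions)."""
    name: str
    parent: Optional["Container"]
    links: List[GPLink] = field(default_factory=list)
    block_inheritance: bool = False


def resultant_gpos(target: Container) -> List[str]:
    """GPOs that apply to `target`, in application order (later entries win).

    Mirrors the fixed behaviour: walk from the target UP to the root and push
    each level's non-enforced GPOs to the FRONT of the list, so the root ends
    up first (site, domain, OU, ...); once a container with 'Block Inheritance'
    has contributed its OWN links, only enforced links from higher levels are
    taken; enforced GPOs are kept aside and appended after all non-enforced
    ones so that they override them.
    """
    non_enforced: List[str] = []
    enforced: List[str] = []
    only_enforced = False
    node: Optional[Container] = target
    while node is not None:
        level: List[str] = []
        for link in node.links:
            if link.enforced:
                # Enforced links cannot be blocked. Walking upward, a parent's
                # enforced link lands later in the list and therefore wins
                # (assumed Windows rule: the higher enforced link takes precedence).
                enforced.append(link.gpo)
            elif not only_enforced:
                level.append(link.gpo)
        non_enforced = level + non_enforced   # push this level to the front
        if node.block_inheritance:
            only_enforced = True              # raised AFTER adding own links
        node = node.parent
    return non_enforced + enforced


def buggy_resultant_gpos(target: Container) -> List[str]:
    """The behaviour the issue reports, for comparison only: containers are
    handled top-down (site/domain before OUs) and the block flag is raised
    BEFORE the blocking container's own links are added, so a blocked OU
    loses its own GPOs while the parent's GPOs slip through."""
    chain: List[Container] = []
    node: Optional[Container] = target
    while node is not None:
        chain.insert(0, node)                 # root first
        node = node.parent
    result: List[str] = []
    only_enforced = False
    for node in chain:
        if node.block_inheritance:
            only_enforced = True              # too early: blocks own links
        for link in node.links:
            if link.enforced or not only_enforced:
                result.append(link.gpo)
    return result


def page_scenario(block_inheritance: bool) -> Container:
    """The tree from the issue description: Domain -> GPO1, OU1 -> GPO2."""
    domain = Container("Domain", None, [GPLink("GPO1")])
    return Container("OU1", domain, [GPLink("GPO2")], block_inheritance)


def nested_scenario() -> Container:
    """Constructed deeper tree (Site > Domain > OU1 (blocked) > OU2) with one
    enforced domain link, showing that enforcement survives the block and is
    applied last."""
    site = Container("Site", None, [GPLink("S1")])
    domain = Container("Domain", site, [GPLink("D1"), GPLink("D2", enforced=True)])
    ou1 = Container("OU1", domain, [GPLink("O1")], block_inheritance=True)
    return Container("OU2", ou1, [GPLink("O2")])


if __name__ == "__main__":
    for blocked in (False, True):
        ou1 = page_scenario(blocked)
        print(f"block={blocked}: fixed={resultant_gpos(ou1)} "
              f"buggy={buggy_resultant_gpos(ou1)}")
    print("nested:", resultant_gpos(nested_scenario()))
```

Running it reproduces the report: with the flag set, the buggy walk yields `['GPO1']` (GPO1 applied, GPO2 blocked) while the fixed walk yields `['GPO2']`; on the nested tree the blocked OU keeps its own and its child's GPOs and the enforced domain GPO `D2` is still applied, at the end of the list.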
May 15 2017
Comment 1 by ljusten@chromium.org, Apr 13 2017