>From 4954d897c916e0c81ee0cf31fe969ee0dd85dc99 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Fri, 25 Jul 2014 17:55:33 +0200
Subject: [PATCH] AD: Check return value of ad_gpo_evaluate_dacl

---
 src/providers/ad/ad_gpo.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c
index 7f86000c8c9be81ab0e0023342ba096fb0e18989..a650fa13867e40bf8275a646885e229fa44bc57b 100644
--- a/src/providers/ad/ad_gpo.c
+++ b/src/providers/ad/ad_gpo.c
@@ -565,8 +565,13 @@ ad_gpo_filter_gpos_by_dacl(TALLOC_CTX *mem_ctx,
             break;
         }
 
-        ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids,
-                             group_size, &access_allowed);
+        ret = ad_gpo_evaluate_dacl(dacl, idmap_ctx, user_sid, group_sids,
+                                   group_size, &access_allowed);
+        if (ret != EOK) {
+            DEBUG(SSSDBG_MINOR_FAILURE, "Could not determine if GPO is applicable\n");
+            continue;
+        }
+
         if (access_allowed) {
             DEBUG(SSSDBG_TRACE_ALL,
                   "GPO applicable to target per security filtering\n");
-- 
1.9.3