2006-02-04 01:19:41 +03:00
/*
* Unix SMB / CIFS implementation .
* Group Policy Object Support
* Copyright ( C ) Guenther Deschner 2005
*
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2006-02-04 01:19:41 +03:00
* ( at your option ) any later version .
*
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
*
* You should have received a copy of the GNU General Public License
* along with this program ; if not , write to the Free Software
* Foundation , Inc . , 675 Mass Ave , Cambridge , MA 0213 9 , USA .
*/
# include "includes.h"
2006-09-22 13:34:25 +04:00
# ifdef HAVE_LDAP
2006-09-29 03:04:17 +04:00
/****************************************************************
parse the raw extension string into a GP_EXT structure
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS ads_parse_gp_ext ( TALLOC_CTX * mem_ctx ,
const char * extension_raw ,
2007-07-09 19:48:17 +04:00
struct GP_EXT * * gp_ext )
2006-02-04 01:19:41 +03:00
{
2007-07-09 19:48:17 +04:00
struct GP_EXT * ext = NULL ;
2006-02-04 01:19:41 +03:00
char * * ext_list ;
2006-10-25 00:12:38 +04:00
char * * ext_strings = NULL ;
2006-02-04 01:19:41 +03:00
int i ;
2007-07-09 19:48:17 +04:00
if ( ! extension_raw ) {
goto parse_error ;
}
2006-02-04 01:19:41 +03:00
DEBUG ( 20 , ( " ads_parse_gp_ext: %s \n " , extension_raw ) ) ;
2007-07-09 19:48:17 +04:00
ext = TALLOC_ZERO_P ( mem_ctx , struct GP_EXT ) ;
if ( ! ext ) {
goto parse_error ;
}
2006-02-04 01:19:41 +03:00
ext_list = str_list_make_talloc ( mem_ctx , extension_raw , " ] " ) ;
if ( ext_list = = NULL ) {
goto parse_error ;
}
for ( i = 0 ; ext_list [ i ] ! = NULL ; i + + ) {
/* no op */
}
2007-07-09 19:48:17 +04:00
ext - > num_exts = i ;
2006-02-04 01:19:41 +03:00
2007-07-09 19:48:17 +04:00
if ( ext - > num_exts ) {
ext - > extensions = TALLOC_ZERO_ARRAY ( mem_ctx , char * , ext - > num_exts ) ;
ext - > extensions_guid = TALLOC_ZERO_ARRAY ( mem_ctx , char * , ext - > num_exts ) ;
ext - > snapins = TALLOC_ZERO_ARRAY ( mem_ctx , char * , ext - > num_exts ) ;
ext - > snapins_guid = TALLOC_ZERO_ARRAY ( mem_ctx , char * , ext - > num_exts ) ;
2007-04-30 06:51:26 +04:00
} else {
2007-07-09 19:48:17 +04:00
ext - > extensions = NULL ;
ext - > extensions_guid = NULL ;
ext - > snapins = NULL ;
ext - > snapins_guid = NULL ;
2007-04-30 06:51:26 +04:00
}
2006-02-04 01:19:41 +03:00
2007-07-09 19:48:17 +04:00
ext - > gp_extension = talloc_strdup ( mem_ctx , extension_raw ) ;
if ( ext - > extensions = = NULL | | ext - > extensions_guid = = NULL | |
ext - > snapins = = NULL | | ext - > snapins_guid = = NULL | |
ext - > gp_extension = = NULL ) {
2006-02-04 01:19:41 +03:00
goto parse_error ;
}
for ( i = 0 ; ext_list [ i ] ! = NULL ; i + + ) {
int k ;
char * p , * q ;
DEBUGADD ( 10 , ( " extension #%d \n " , i ) ) ;
p = ext_list [ i ] ;
if ( p [ 0 ] = = ' [ ' ) {
p + + ;
}
ext_strings = str_list_make_talloc ( mem_ctx , p , " } " ) ;
if ( ext_strings = = NULL ) {
goto parse_error ;
}
for ( k = 0 ; ext_strings [ k ] ! = NULL ; k + + ) {
/* no op */
}
q = ext_strings [ 0 ] ;
if ( q [ 0 ] = = ' { ' ) {
q + + ;
}
2007-07-09 19:48:17 +04:00
ext - > extensions [ i ] = talloc_strdup ( mem_ctx , cse_gpo_guid_string_to_name ( q ) ) ;
ext - > extensions_guid [ i ] = talloc_strdup ( mem_ctx , q ) ;
2006-02-04 01:19:41 +03:00
/* we might have no name for the guid */
2007-07-09 19:48:17 +04:00
if ( ext - > extensions_guid [ i ] = = NULL ) {
2006-02-04 01:19:41 +03:00
goto parse_error ;
}
for ( k = 1 ; ext_strings [ k ] ! = NULL ; k + + ) {
char * m = ext_strings [ k ] ;
if ( m [ 0 ] = = ' { ' ) {
m + + ;
}
/* FIXME: theoretically there could be more than one snapin per extension */
2007-07-09 19:48:17 +04:00
ext - > snapins [ i ] = talloc_strdup ( mem_ctx , cse_snapin_gpo_guid_string_to_name ( m ) ) ;
ext - > snapins_guid [ i ] = talloc_strdup ( mem_ctx , m ) ;
2006-02-04 01:19:41 +03:00
/* we might have no name for the guid */
2007-07-09 19:48:17 +04:00
if ( ext - > snapins_guid [ i ] = = NULL ) {
2006-02-04 01:19:41 +03:00
goto parse_error ;
}
}
}
if ( ext_list ) {
str_list_free_talloc ( mem_ctx , & ext_list ) ;
}
if ( ext_strings ) {
str_list_free_talloc ( mem_ctx , & ext_strings ) ;
}
2007-07-09 19:48:17 +04:00
* gp_ext = ext ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_SUCCESS ) ;
parse_error :
if ( ext_list ) {
str_list_free_talloc ( mem_ctx , & ext_list ) ;
}
if ( ext_strings ) {
str_list_free_talloc ( mem_ctx , & ext_strings ) ;
}
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
parse the raw link string into a GP_LINK structure
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-07-09 19:48:17 +04:00
static ADS_STATUS gpo_parse_gplink ( TALLOC_CTX * mem_ctx ,
const char * gp_link_raw ,
uint32 options ,
struct GP_LINK * gp_link )
2006-02-04 01:19:41 +03:00
{
char * * link_list ;
int i ;
2007-07-09 19:48:17 +04:00
DEBUG ( 10 , ( " gpo_parse_gplink: gPLink: %s \n " , gp_link_raw ) ) ;
2006-02-04 01:19:41 +03:00
link_list = str_list_make_talloc ( mem_ctx , gp_link_raw , " ] " ) ;
if ( link_list = = NULL ) {
goto parse_error ;
}
for ( i = 0 ; link_list [ i ] ! = NULL ; i + + ) {
/* no op */
}
gp_link - > gp_opts = options ;
gp_link - > num_links = i ;
2007-04-30 06:51:26 +04:00
if ( gp_link - > num_links ) {
gp_link - > link_names = TALLOC_ZERO_ARRAY ( mem_ctx , char * , gp_link - > num_links ) ;
gp_link - > link_opts = TALLOC_ZERO_ARRAY ( mem_ctx , uint32 , gp_link - > num_links ) ;
} else {
gp_link - > link_names = NULL ;
gp_link - > link_opts = NULL ;
}
2006-02-04 01:19:41 +03:00
gp_link - > gp_link = talloc_strdup ( mem_ctx , gp_link_raw ) ;
if ( gp_link - > link_names = = NULL | | gp_link - > link_opts = = NULL | | gp_link - > gp_link = = NULL ) {
goto parse_error ;
}
for ( i = 0 ; link_list [ i ] ! = NULL ; i + + ) {
char * p , * q ;
2007-07-09 19:48:17 +04:00
DEBUGADD ( 10 , ( " gpo_parse_gplink: processing link #%d \n " , i ) ) ;
2006-02-04 01:19:41 +03:00
q = link_list [ i ] ;
if ( q [ 0 ] = = ' [ ' ) {
q + + ;
} ;
p = strchr ( q , ' ; ' ) ;
if ( p = = NULL ) {
goto parse_error ;
}
gp_link - > link_names [ i ] = talloc_strdup ( mem_ctx , q ) ;
if ( gp_link - > link_names [ i ] = = NULL ) {
goto parse_error ;
}
gp_link - > link_names [ i ] [ PTR_DIFF ( p , q ) ] = 0 ;
gp_link - > link_opts [ i ] = atoi ( p + 1 ) ;
2007-07-09 19:48:17 +04:00
DEBUGADD ( 10 , ( " gpo_parse_gplink: link: %s \n " , gp_link - > link_names [ i ] ) ) ;
DEBUGADD ( 10 , ( " gpo_parse_gplink: opt: %d \n " , gp_link - > link_opts [ i ] ) ) ;
2006-02-04 01:19:41 +03:00
}
if ( link_list ) {
str_list_free_talloc ( mem_ctx , & link_list ) ;
}
return ADS_ERROR ( LDAP_SUCCESS ) ;
parse_error :
if ( link_list ) {
str_list_free_talloc ( mem_ctx , & link_list ) ;
}
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
helper call to get a GP_LINK structure from a linkdn
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS ads_get_gpo_link ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * link_dn ,
struct GP_LINK * gp_link_struct )
{
ADS_STATUS status ;
const char * attrs [ ] = { " gPLink " , " gPOptions " , NULL } ;
2006-09-22 13:00:59 +04:00
LDAPMessage * res = NULL ;
2006-02-04 01:19:41 +03:00
const char * gp_link ;
uint32 gp_options ;
ZERO_STRUCTP ( gp_link_struct ) ;
status = ads_search_dn ( ads , & res , link_dn , attrs ) ;
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 10 , ( " ads_get_gpo_link: search failed with %s \n " , ads_errstr ( status ) ) ) ;
return status ;
}
if ( ads_count_replies ( ads , res ) ! = 1 ) {
DEBUG ( 10 , ( " ads_get_gpo_link: no result \n " ) ) ;
ads_msgfree ( ads , res ) ;
return ADS_ERROR ( LDAP_NO_SUCH_OBJECT ) ;
}
gp_link = ads_pull_string ( ads , mem_ctx , res , " gPLink " ) ;
if ( gp_link = = NULL ) {
DEBUG ( 10 , ( " ads_get_gpo_link: no 'gPLink' attribute found \n " ) ) ;
ads_msgfree ( ads , res ) ;
return ADS_ERROR ( LDAP_NO_SUCH_ATTRIBUTE ) ;
}
2007-07-09 19:48:17 +04:00
/* perfectly legal to have no options */
2006-02-04 01:19:41 +03:00
if ( ! ads_pull_uint32 ( ads , res , " gPOptions " , & gp_options ) ) {
DEBUG ( 10 , ( " ads_get_gpo_link: no 'gPOptions' attribute found \n " ) ) ;
gp_options = 0 ;
}
ads_msgfree ( ads , res ) ;
2007-07-09 19:48:17 +04:00
return gpo_parse_gplink ( mem_ctx , gp_link , gp_options , gp_link_struct ) ;
2006-02-04 01:19:41 +03:00
}
2006-09-29 03:04:17 +04:00
/****************************************************************
helper call to add a gp link
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS ads_add_gpo_link ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * link_dn ,
const char * gpo_dn ,
uint32 gpo_opt )
{
ADS_STATUS status ;
const char * attrs [ ] = { " gPLink " , NULL } ;
2006-09-22 13:00:59 +04:00
LDAPMessage * res = NULL ;
2006-02-04 01:19:41 +03:00
const char * gp_link , * gp_link_new ;
ADS_MODLIST mods ;
/* although ADS allows to set anything here, we better check here if
* the gpo_dn is sane */
if ( ! strnequal ( gpo_dn , " LDAP://CN={ " , strlen ( " LDAP://CN={ " ) ) ! = 0 ) {
return ADS_ERROR ( LDAP_INVALID_DN_SYNTAX ) ;
}
status = ads_search_dn ( ads , & res , link_dn , attrs ) ;
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 10 , ( " ads_add_gpo_link: search failed with %s \n " , ads_errstr ( status ) ) ) ;
return status ;
}
if ( ads_count_replies ( ads , res ) ! = 1 ) {
DEBUG ( 10 , ( " ads_add_gpo_link: no result \n " ) ) ;
2006-09-26 20:27:18 +04:00
ads_msgfree ( ads , res ) ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_NO_SUCH_OBJECT ) ;
}
gp_link = ads_pull_string ( ads , mem_ctx , res , " gPLink " ) ;
if ( gp_link = = NULL ) {
gp_link_new = talloc_asprintf ( mem_ctx , " [%s;%d] " , gpo_dn , gpo_opt ) ;
} else {
gp_link_new = talloc_asprintf ( mem_ctx , " %s[%s;%d] " , gp_link , gpo_dn , gpo_opt ) ;
}
2006-09-26 20:27:18 +04:00
ads_msgfree ( ads , res ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gp_link_new ) ;
2006-02-04 01:19:41 +03:00
mods = ads_init_mods ( mem_ctx ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( mods ) ;
2006-02-04 01:19:41 +03:00
status = ads_mod_str ( mem_ctx , & mods , " gPLink " , gp_link_new ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
return ads_gen_mod ( ads , link_dn , mods ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
helper call to delete add a gp link
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
/* untested & broken */
ADS_STATUS ads_delete_gpo_link ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * link_dn ,
const char * gpo_dn )
{
ADS_STATUS status ;
const char * attrs [ ] = { " gPLink " , NULL } ;
2006-09-22 13:00:59 +04:00
LDAPMessage * res = NULL ;
2006-02-04 01:19:41 +03:00
const char * gp_link , * gp_link_new = NULL ;
ADS_MODLIST mods ;
/* check for a sane gpo_dn */
if ( gpo_dn [ 0 ] ! = ' [ ' ) {
DEBUG ( 10 , ( " ads_delete_gpo_link: first char not: [ \n " ) ) ;
return ADS_ERROR ( LDAP_INVALID_DN_SYNTAX ) ;
}
if ( gpo_dn [ strlen ( gpo_dn ) ] ! = ' ] ' ) {
DEBUG ( 10 , ( " ads_delete_gpo_link: last char not: ] \n " ) ) ;
return ADS_ERROR ( LDAP_INVALID_DN_SYNTAX ) ;
}
status = ads_search_dn ( ads , & res , link_dn , attrs ) ;
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 10 , ( " ads_delete_gpo_link: search failed with %s \n " , ads_errstr ( status ) ) ) ;
return status ;
}
if ( ads_count_replies ( ads , res ) ! = 1 ) {
DEBUG ( 10 , ( " ads_delete_gpo_link: no result \n " ) ) ;
2006-09-26 20:27:18 +04:00
ads_msgfree ( ads , res ) ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_NO_SUCH_OBJECT ) ;
}
gp_link = ads_pull_string ( ads , mem_ctx , res , " gPLink " ) ;
if ( gp_link = = NULL ) {
return ADS_ERROR ( LDAP_NO_SUCH_ATTRIBUTE ) ;
}
/* find link to delete */
2006-09-26 20:27:18 +04:00
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
2006-02-04 01:19:41 +03:00
2006-09-26 20:27:18 +04:00
ads_msgfree ( ads , res ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gp_link_new ) ;
2006-02-04 01:19:41 +03:00
mods = ads_init_mods ( mem_ctx ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( mods ) ;
2006-02-04 01:19:41 +03:00
status = ads_mod_str ( mem_ctx , & mods , " gPLink " , gp_link_new ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
return ads_gen_mod ( ads , link_dn , mods ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-09-24 07:15:58 +04:00
ADS_STATUS ads_parse_gpo ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
LDAPMessage * res ,
const char * gpo_dn ,
struct GROUP_POLICY_OBJECT * gpo )
2006-02-04 01:19:41 +03:00
{
ZERO_STRUCTP ( gpo ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( res ) ;
2006-02-04 01:19:41 +03:00
if ( gpo_dn ) {
gpo - > ds_path = talloc_strdup ( mem_ctx , gpo_dn ) ;
} else {
gpo - > ds_path = ads_get_dn ( ads , res ) ;
}
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gpo - > ds_path ) ;
2006-02-04 01:19:41 +03:00
if ( ! ads_pull_uint32 ( ads , res , " versionNumber " , & gpo - > version ) ) {
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
/* sure ??? */
if ( ! ads_pull_uint32 ( ads , res , " flags " , & gpo - > options ) ) {
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
gpo - > file_sys_path = ads_pull_string ( ads , mem_ctx , res , " gPCFileSysPath " ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gpo - > file_sys_path ) ;
2006-02-04 01:19:41 +03:00
gpo - > display_name = ads_pull_string ( ads , mem_ctx , res , " displayName " ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gpo - > display_name ) ;
2006-02-04 01:19:41 +03:00
gpo - > name = ads_pull_string ( ads , mem_ctx , res , " name " ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( gpo - > name ) ;
2006-02-04 01:19:41 +03:00
/* ???, this is optional to have and what does it depend on, the 'flags' ?) */
gpo - > machine_extensions = ads_pull_string ( ads , mem_ctx , res , " gPCMachineExtensionNames " ) ;
gpo - > user_extensions = ads_pull_string ( ads , mem_ctx , res , " gPCUserExtensionNames " ) ;
2007-05-11 16:41:11 +04:00
ads_pull_sd ( ads , mem_ctx , res , " ntSecurityDescriptor " , & gpo - > security_descriptor ) ;
ADS_ERROR_HAVE_NO_MEMORY ( gpo - > security_descriptor ) ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_SUCCESS ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
get a GROUP_POLICY_OBJECT structure based on different input paramters
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS ads_get_gpo ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * gpo_dn ,
const char * display_name ,
const char * guid_name ,
struct GROUP_POLICY_OBJECT * gpo )
{
ADS_STATUS status ;
2006-09-22 13:00:59 +04:00
LDAPMessage * res = NULL ;
2006-02-04 01:19:41 +03:00
char * dn ;
const char * filter ;
const char * attrs [ ] = { " cn " , " displayName " , " flags " , " gPCFileSysPath " ,
" gPCFunctionalityVersion " , " gPCMachineExtensionNames " ,
" gPCUserExtensionNames " , " gPCWQLFilter " , " name " ,
2007-05-11 16:41:11 +04:00
" versionNumber " , " ntSecurityDescriptor " , NULL } ;
2007-05-11 16:52:48 +04:00
uint32 sd_flags = DACL_SECURITY_INFORMATION ;
2006-02-04 01:19:41 +03:00
ZERO_STRUCTP ( gpo ) ;
if ( ! gpo_dn & & ! display_name & & ! guid_name ) {
return ADS_ERROR ( LDAP_NO_SUCH_OBJECT ) ;
}
if ( gpo_dn ) {
if ( strnequal ( gpo_dn , " LDAP:// " , strlen ( " LDAP:// " ) ) ! = 0 ) {
gpo_dn = gpo_dn + strlen ( " LDAP:// " ) ;
}
2007-05-11 16:52:48 +04:00
status = ads_search_retry_dn_sd_flags ( ads , & res ,
sd_flags ,
gpo_dn , attrs ) ;
2006-02-04 01:19:41 +03:00
} else if ( display_name | | guid_name ) {
filter = talloc_asprintf ( mem_ctx ,
" (&(objectclass=groupPolicyContainer)(%s=%s)) " ,
display_name ? " displayName " : " name " ,
display_name ? display_name : guid_name ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( filter ) ;
2006-02-04 01:19:41 +03:00
2007-05-11 16:52:48 +04:00
status = ads_do_search_all_sd_flags ( ads , ads - > config . bind_path ,
LDAP_SCOPE_SUBTREE , filter ,
attrs , sd_flags , & res ) ;
2006-02-04 01:19:41 +03:00
}
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 10 , ( " ads_get_gpo: search failed with %s \n " , ads_errstr ( status ) ) ) ;
return status ;
}
if ( ads_count_replies ( ads , res ) ! = 1 ) {
DEBUG ( 10 , ( " ads_get_gpo: no result \n " ) ) ;
2006-09-25 03:44:00 +04:00
ads_msgfree ( ads , res ) ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_NO_SUCH_OBJECT ) ;
}
dn = ads_get_dn ( ads , res ) ;
if ( dn = = NULL ) {
2006-09-25 03:44:00 +04:00
ads_msgfree ( ads , res ) ;
2006-02-04 01:19:41 +03:00
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
status = ads_parse_gpo ( ads , mem_ctx , res , dn , gpo ) ;
2006-09-25 03:44:00 +04:00
ads_msgfree ( ads , res ) ;
2006-02-04 01:19:41 +03:00
ads_memfree ( ads , dn ) ;
return status ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
add a gplink to the GROUP_POLICY_OBJECT linked list
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-07-09 19:48:17 +04:00
static ADS_STATUS add_gplink_to_gpo_list ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
struct GROUP_POLICY_OBJECT * * gpo_list ,
const char * link_dn ,
struct GP_LINK * gp_link ,
enum GPO_LINK_TYPE link_type ,
BOOL only_add_forced_gpos ,
struct GPO_SID_TOKEN * token )
2006-02-04 01:19:41 +03:00
{
ADS_STATUS status ;
int i ;
for ( i = 0 ; i < gp_link - > num_links ; i + + ) {
struct GROUP_POLICY_OBJECT * new_gpo = NULL ;
if ( gp_link - > link_opts [ i ] & GPO_LINK_OPT_DISABLED ) {
DEBUG ( 10 , ( " skipping disabled GPO \n " ) ) ;
continue ;
}
if ( only_add_forced_gpos ) {
if ( ! ( gp_link - > link_opts [ i ] & GPO_LINK_OPT_ENFORCED ) ) {
DEBUG ( 10 , ( " skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set \n " ) ) ;
continue ;
} else {
DEBUG ( 10 , ( " adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set \n " ) ) ;
}
}
2007-05-11 19:08:05 +04:00
new_gpo = TALLOC_ZERO_P ( mem_ctx , struct GROUP_POLICY_OBJECT ) ;
2006-09-29 03:04:17 +04:00
ADS_ERROR_HAVE_NO_MEMORY ( new_gpo ) ;
2006-02-04 01:19:41 +03:00
status = ads_get_gpo ( ads , mem_ctx , gp_link - > link_names [ i ] , NULL , NULL , new_gpo ) ;
if ( ! ADS_ERR_OK ( status ) ) {
2007-05-11 19:08:05 +04:00
DEBUG ( 10 , ( " failed to get gpo: %s \n " , gp_link - > link_names [ i ] ) ) ;
2006-02-04 01:19:41 +03:00
return status ;
}
2007-05-11 19:08:05 +04:00
status = ADS_ERROR_NT ( gpo_apply_security_filtering ( new_gpo , token ) ) ;
if ( ! ADS_ERR_OK ( status ) ) {
DEBUG ( 10 , ( " skipping GPO \" %s \" as object has no access to it \n " ,
new_gpo - > display_name ) ) ;
TALLOC_FREE ( new_gpo ) ;
continue ;
}
2006-02-04 01:19:41 +03:00
new_gpo - > link = link_dn ;
new_gpo - > link_type = link_type ;
DLIST_ADD ( * gpo_list , new_gpo ) ;
DEBUG ( 10 , ( " add_gplink_to_gplist: added GPLINK #%d %s to GPO list \n " ,
i , gp_link - > link_names [ i ] ) ) ;
}
return ADS_ERROR ( LDAP_SUCCESS ) ;
}
2007-05-11 17:33:37 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-07-09 19:48:17 +04:00
static ADS_STATUS ads_get_gpo_sid_token ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * dn ,
struct GPO_SID_TOKEN * * token )
2007-05-11 17:33:37 +04:00
{
ADS_STATUS status ;
DOM_SID object_sid ;
DOM_SID primary_group_sid ;
DOM_SID * ad_token_sids ;
size_t num_ad_token_sids = 0 ;
DOM_SID * token_sids ;
size_t num_token_sids = 0 ;
struct GPO_SID_TOKEN * new_token = NULL ;
int i ;
new_token = TALLOC_ZERO_P ( mem_ctx , struct GPO_SID_TOKEN ) ;
ADS_ERROR_HAVE_NO_MEMORY ( new_token ) ;
status = ads_get_tokensids ( ads , mem_ctx , dn ,
& object_sid , & primary_group_sid ,
& ad_token_sids , & num_ad_token_sids ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
new_token - > object_sid = object_sid ;
new_token - > primary_group_sid = primary_group_sid ;
token_sids = TALLOC_ARRAY ( mem_ctx , DOM_SID , 1 ) ;
ADS_ERROR_HAVE_NO_MEMORY ( token_sids ) ;
for ( i = 0 ; i < num_ad_token_sids ; i + + ) {
if ( sid_check_is_in_builtin ( & ad_token_sids [ i ] ) ) {
continue ;
}
if ( ! add_sid_to_array_unique ( mem_ctx , & ad_token_sids [ i ] ,
& token_sids , & num_token_sids ) ) {
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
}
/* Add S-1-5-11 to token */
if ( ! add_sid_to_array_unique ( mem_ctx , & global_sid_Authenticated_Users ,
& token_sids , & num_token_sids ) ) {
return ADS_ERROR ( LDAP_NO_MEMORY ) ;
}
new_token - > token_sids = token_sids ;
new_token - > num_token_sids = num_token_sids ;
* token = new_token ;
return ADS_ERROR_LDAP ( LDAP_SUCCESS ) ;
}
2006-09-29 03:04:17 +04:00
/****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS ads_get_gpo_list ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
const char * dn ,
uint32 flags ,
struct GROUP_POLICY_OBJECT * * gpo_list )
{
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
ADS_STATUS status ;
struct GP_LINK gp_link ;
2007-05-11 17:37:51 +04:00
struct GPO_SID_TOKEN * token = NULL ;
2006-02-04 01:19:41 +03:00
const char * parent_dn , * site_dn , * tmp_dn ;
BOOL add_only_forced_gpos = False ;
ZERO_STRUCTP ( gpo_list ) ;
DEBUG ( 10 , ( " ads_get_gpo_list: getting GPO list for [%s] \n " , dn ) ) ;
2007-05-11 17:37:51 +04:00
status = ads_get_gpo_sid_token ( ads , mem_ctx , dn , & token ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
2006-02-04 01:19:41 +03:00
/* (L)ocal */
/* not yet... */
/* (S)ite */
/* are site GPOs valid for users as well ??? */
if ( flags & GPO_LIST_FLAG_MACHINE ) {
status = ads_site_dn_for_machine ( ads , mem_ctx , ads - > config . ldap_server_name , & site_dn ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
DEBUG ( 10 , ( " ads_get_gpo_list: query SITE: [%s] for GPOs \n " , site_dn ) ) ;
status = ads_get_gpo_link ( ads , mem_ctx , site_dn , & gp_link ) ;
if ( ADS_ERR_OK ( status ) ) {
2007-07-09 19:48:17 +04:00
2006-02-04 01:19:41 +03:00
if ( DEBUGLEVEL > = 100 ) {
dump_gplink ( ads , mem_ctx , & gp_link ) ;
}
2007-07-09 19:48:17 +04:00
2006-02-04 01:19:41 +03:00
status = add_gplink_to_gpo_list ( ads , mem_ctx , gpo_list ,
site_dn , & gp_link , GP_LINK_SITE ,
2007-05-11 17:37:51 +04:00
add_only_forced_gpos ,
token ) ;
2006-02-04 01:19:41 +03:00
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
2007-07-09 19:48:17 +04:00
2006-02-04 01:19:41 +03:00
if ( flags & GPO_LIST_FLAG_SITEONLY ) {
return ADS_ERROR ( LDAP_SUCCESS ) ;
}
2007-07-09 19:48:17 +04:00
2006-02-04 01:19:41 +03:00
/* inheritance can't be blocked at the site level */
}
}
tmp_dn = dn ;
while ( ( parent_dn = ads_parent_dn ( tmp_dn ) ) & &
( ! strequal ( parent_dn , ads_parent_dn ( ads - > config . bind_path ) ) ) ) {
/* (D)omain */
/* An account can just be a member of one domain */
if ( strncmp ( parent_dn , " DC= " , strlen ( " DC= " ) ) = = 0 ) {
DEBUG ( 10 , ( " ads_get_gpo_list: query DC: [%s] for GPOs \n " , parent_dn ) ) ;
status = ads_get_gpo_link ( ads , mem_ctx , parent_dn , & gp_link ) ;
if ( ADS_ERR_OK ( status ) ) {
if ( DEBUGLEVEL > = 100 ) {
dump_gplink ( ads , mem_ctx , & gp_link ) ;
}
/* block inheritance from now on */
if ( gp_link . gp_opts & GPOPTIONS_BLOCK_INHERITANCE ) {
add_only_forced_gpos = True ;
}
status = add_gplink_to_gpo_list ( ads , mem_ctx ,
gpo_list , parent_dn ,
& gp_link , GP_LINK_DOMAIN ,
2007-05-11 17:37:51 +04:00
add_only_forced_gpos ,
token ) ;
2006-02-04 01:19:41 +03:00
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
}
}
tmp_dn = parent_dn ;
}
/* reset dn again */
tmp_dn = dn ;
while ( ( parent_dn = ads_parent_dn ( tmp_dn ) ) & &
( ! strequal ( parent_dn , ads_parent_dn ( ads - > config . bind_path ) ) ) ) {
/* (O)rganizational(U)nit */
/* An account can be a member of more OUs */
if ( strncmp ( parent_dn , " OU= " , strlen ( " OU= " ) ) = = 0 ) {
DEBUG ( 10 , ( " ads_get_gpo_list: query OU: [%s] for GPOs \n " , parent_dn ) ) ;
status = ads_get_gpo_link ( ads , mem_ctx , parent_dn , & gp_link ) ;
if ( ADS_ERR_OK ( status ) ) {
if ( DEBUGLEVEL > = 100 ) {
dump_gplink ( ads , mem_ctx , & gp_link ) ;
}
/* block inheritance from now on */
if ( gp_link . gp_opts & GPOPTIONS_BLOCK_INHERITANCE ) {
add_only_forced_gpos = True ;
}
status = add_gplink_to_gpo_list ( ads , mem_ctx ,
gpo_list , parent_dn ,
& gp_link , GP_LINK_OU ,
2007-05-11 17:37:51 +04:00
add_only_forced_gpos ,
token ) ;
2006-02-04 01:19:41 +03:00
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
}
}
tmp_dn = parent_dn ;
} ;
return ADS_ERROR ( LDAP_SUCCESS ) ;
}
2006-09-22 13:34:25 +04:00
# endif /* HAVE_LDAP */
