2007-08-14 18:47:08 +04:00
/*
2006-02-04 01:19:41 +03:00
* Unix SMB / CIFS implementation .
* Group Policy Object Support
2008-02-29 22:52:35 +03:00
* Copyright ( C ) Guenther Deschner 2005 - 2008
2007-08-14 18:47:08 +04:00
*
2006-02-04 01:19:41 +03:00
* This program is free software ; you can redistribute it and / or modify
* it under the terms of the GNU General Public License as published by
2007-07-09 23:25:36 +04:00
* the Free Software Foundation ; either version 3 of the License , or
2006-02-04 01:19:41 +03:00
* ( at your option ) any later version .
2007-08-14 18:47:08 +04:00
*
2006-02-04 01:19:41 +03:00
* This program is distributed in the hope that it will be useful ,
* but WITHOUT ANY WARRANTY ; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
* GNU General Public License for more details .
2007-08-14 18:47:08 +04:00
*
2006-02-04 01:19:41 +03:00
* You should have received a copy of the GNU General Public License
2007-07-10 09:23:25 +04:00
* along with this program ; if not , see < http : //www.gnu.org/licenses/>.
2006-02-04 01:19:41 +03:00
*/
2009-03-15 06:40:12 +03:00
# define TALLOC_DEPRECATED 1
2006-02-04 01:19:41 +03:00
# include "includes.h"
2009-03-01 18:25:57 +03:00
# include "librpc/gen_ndr/ndr_misc.h"
2010-05-28 04:19:32 +04:00
# include "../librpc/gen_ndr/ndr_security.h"
2010-05-10 02:07:10 +04:00
# include "../libgpo/gpo.h"
2010-10-12 08:27:50 +04:00
# include "../libcli/security/security.h"
2009-03-01 18:25:57 +03:00
# if _SAMBA_BUILD_ == 4
2009-03-15 06:40:12 +03:00
# include "system/filesys.h"
# include "auth/auth.h"
2010-06-13 21:35:48 +04:00
# include <talloc.h>
2009-03-01 18:25:57 +03:00
# include "source4/libgpo/ads_convenience.h"
# endif
2009-03-01 04:13:21 +03:00
# undef strdup
2006-02-04 01:19:41 +03:00
2009-03-15 06:40:12 +03:00
#if 0
2006-02-04 01:19:41 +03:00
# define DEFAULT_DOMAIN_POLICY "Default Domain Policy"
# define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
2009-03-15 06:40:12 +03:00
# endif
2006-02-04 01:19:41 +03:00
2006-09-22 13:07:31 +04:00
/* should we store a parsed guid ? */
2007-08-14 18:47:08 +04:00
struct gp_table {
2006-02-04 01:19:41 +03:00
const char * name ;
const char * guid_string ;
} ;
2006-09-22 14:09:15 +04:00
#if 0 /* unused */
2007-08-14 18:47:08 +04:00
static struct gp_table gpo_default_policy [ ] = {
{ DEFAULT_DOMAIN_POLICY ,
2006-02-04 01:19:41 +03:00
" 31B2F340-016D-11D2-945F-00C04FB984F9 " } ,
2007-08-14 18:47:08 +04:00
{ DEFAULT_DOMAIN_CONTROLLERS_POLICY ,
2006-02-04 01:19:41 +03:00
" 6AC1786C-016F-11D2-945F-00C04fB984F9 " } ,
{ NULL , NULL }
} ;
2006-09-22 14:09:15 +04:00
# endif
2006-02-04 01:19:41 +03:00
2007-08-14 18:47:08 +04:00
/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
2006-02-04 01:19:41 +03:00
2007-08-14 18:47:08 +04:00
static struct gp_table gpo_cse_extensions [ ] = {
/* used to be "Administrative Templates Extension" */
/* "Registry Settings"
( http : //support.microsoft.com/kb/216357/EN-US/) */
{ " Registry Settings " ,
2007-09-26 01:41:57 +04:00
GP_EXT_GUID_REGISTRY } ,
2007-08-14 18:47:08 +04:00
{ " Microsoft Disc Quota " ,
2006-02-04 01:19:41 +03:00
" 3610EDA5-77EF-11D2-8DC5-00C04FA31A66 " } ,
2007-08-14 18:47:08 +04:00
{ " EFS recovery " ,
2006-02-04 01:19:41 +03:00
" B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A " } ,
2007-08-14 18:47:08 +04:00
{ " Folder Redirection " ,
2006-02-04 01:19:41 +03:00
" 25537BA6-77A8-11D2-9B6C-0000F8080861 " } ,
2007-08-14 18:47:08 +04:00
{ " IP Security " ,
2006-02-04 01:19:41 +03:00
" E437BC1C-AA7D-11D2-A382-00C04F991E27 " } ,
2007-08-14 18:47:08 +04:00
{ " Internet Explorer Branding " ,
2006-02-04 01:19:41 +03:00
" A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B " } ,
2007-08-14 18:47:08 +04:00
{ " QoS Packet Scheduler " ,
2006-02-04 01:19:41 +03:00
" 426031c0-0b47-4852-b0ca-ac3d37bfcb39 " } ,
2007-08-14 18:47:08 +04:00
{ " Scripts " ,
2007-09-26 01:41:57 +04:00
GP_EXT_GUID_SCRIPTS } ,
2007-08-14 18:47:08 +04:00
{ " Security " ,
2007-09-26 01:41:57 +04:00
GP_EXT_GUID_SECURITY } ,
2007-08-14 18:47:08 +04:00
{ " Software Installation " ,
2006-02-04 01:19:41 +03:00
" C6DC5466-785A-11D2-84D0-00C04FB169F7 " } ,
2007-08-14 18:47:08 +04:00
{ " Wireless Group Policy " ,
2006-02-04 01:19:41 +03:00
" 0ACDD40C-75AC-BAA0-BF6DE7E7FE63 " } ,
2007-08-14 18:47:08 +04:00
{ " Application Management " ,
" C6DC5466-785A-11D2-84D0-00C04FB169F7 " } ,
{ " unknown " ,
" 3060E8D0-7020-11D2-842D-00C04FA372D4 " } ,
2006-02-04 01:19:41 +03:00
{ NULL , NULL }
} ;
/* guess work */
2007-08-14 18:47:08 +04:00
static struct gp_table gpo_cse_snapin_extensions [ ] = {
{ " Administrative Templates " ,
" 0F6B957D-509E-11D1-A7CC-0000F87571E3 " } ,
{ " Certificates " ,
" 53D6AB1D-2488-11D1-A28C-00C04FB94F17 " } ,
{ " EFS recovery policy processing " ,
" B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A " } ,
{ " Folder Redirection policy processing " ,
" 25537BA6-77A8-11D2-9B6C-0000F8080861 " } ,
{ " Folder Redirection " ,
" 88E729D6-BDC1-11D1-BD2A-00C04FB9603F " } ,
{ " Registry policy processing " ,
" 35378EAC-683F-11D2-A89A-00C04FBBCFA2 " } ,
{ " Remote Installation Services " ,
" 3060E8CE-7020-11D2-842D-00C04FA372D4 " } ,
{ " Security Settings " ,
" 803E14A0-B4FB-11D0-A0D0-00A0C90F574B " } ,
{ " Security policy processing " ,
" 827D319E-6EAC-11D2-A4EA-00C04F79F83A " } ,
{ " unknown " ,
" 3060E8D0-7020-11D2-842D-00C04FA372D4 " } ,
{ " unknown2 " ,
" 53D6AB1B-2488-11D1-A28C-00C04FB94F17 " } ,
{ NULL , NULL }
2006-02-04 01:19:41 +03:00
} ;
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
static const char * name_to_guid_string ( const char * name ,
struct gp_table * table )
2006-02-04 01:19:41 +03:00
{
int i ;
for ( i = 0 ; table [ i ] . name ; i + + ) {
if ( strequal ( name , table [ i ] . name ) ) {
return table [ i ] . guid_string ;
}
}
2007-08-14 18:47:08 +04:00
2006-02-04 01:19:41 +03:00
return NULL ;
}
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
static const char * guid_string_to_name ( const char * guid_string ,
struct gp_table * table )
2006-02-04 01:19:41 +03:00
{
int i ;
for ( i = 0 ; table [ i ] . guid_string ; i + + ) {
if ( strequal ( guid_string , table [ i ] . guid_string ) ) {
return table [ i ] . name ;
}
}
2007-08-14 18:47:08 +04:00
2006-02-04 01:19:41 +03:00
return NULL ;
}
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
static const char * snapin_guid_string_to_name ( const char * guid_string ,
struct gp_table * table )
2006-09-22 14:09:15 +04:00
{
int i ;
for ( i = 0 ; table [ i ] . guid_string ; i + + ) {
if ( strequal ( guid_string , table [ i ] . guid_string ) ) {
return table [ i ] . name ;
}
}
return NULL ;
}
#if 0 /* unused */
2006-02-04 01:19:41 +03:00
static const char * default_gpo_name_to_guid_string ( const char * name )
{
return name_to_guid_string ( name , gpo_default_policy ) ;
}
static const char * default_gpo_guid_string_to_name ( const char * guid )
{
return guid_string_to_name ( guid , gpo_default_policy ) ;
}
2006-09-22 14:09:15 +04:00
# endif
2006-02-04 01:19:41 +03:00
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
const char * cse_gpo_guid_string_to_name ( const char * guid )
{
return guid_string_to_name ( guid , gpo_cse_extensions ) ;
}
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
const char * cse_gpo_name_to_guid_string ( const char * name )
2006-02-04 01:19:41 +03:00
{
return name_to_guid_string ( name , gpo_cse_extensions ) ;
}
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
const char * cse_snapin_gpo_guid_string_to_name ( const char * guid )
{
2006-09-22 14:09:15 +04:00
return snapin_guid_string_to_name ( guid , gpo_cse_snapin_extensions ) ;
2006-02-04 01:19:41 +03:00
}
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-09-29 21:15:45 +04:00
void dump_gp_ext ( struct GP_EXT * gp_ext , int debuglevel )
2006-02-04 01:19:41 +03:00
{
2006-09-29 21:15:45 +04:00
int lvl = debuglevel ;
2006-02-04 01:19:41 +03:00
int i ;
if ( gp_ext = = NULL ) {
return ;
}
2006-09-29 21:15:45 +04:00
DEBUG ( lvl , ( " \t --------------------- \n \n " ) ) ;
DEBUGADD ( lvl , ( " \t name: \t \t \t %s \n " , gp_ext - > gp_extension ) ) ;
2006-02-04 01:19:41 +03:00
for ( i = 0 ; i < gp_ext - > num_exts ; i + + ) {
2007-08-14 18:47:08 +04:00
DEBUGADD ( lvl , ( " \t extension: \t \t \t %s \n " ,
gp_ext - > extensions_guid [ i ] ) ) ;
DEBUGADD ( lvl , ( " \t extension (name): \t \t \t %s \n " ,
gp_ext - > extensions [ i ] ) ) ;
DEBUGADD ( lvl , ( " \t snapin: \t \t \t %s \n " ,
gp_ext - > snapins_guid [ i ] ) ) ;
DEBUGADD ( lvl , ( " \t snapin (name): \t \t \t %s \n " ,
gp_ext - > snapins [ i ] ) ) ;
2006-02-04 01:19:41 +03:00
}
}
2007-08-20 13:47:13 +04:00
# ifdef HAVE_LDAP
2007-07-14 03:38:19 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
void dump_gpo ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
struct GROUP_POLICY_OBJECT * gpo ,
int debuglevel )
2006-02-04 01:19:41 +03:00
{
2006-09-29 21:15:45 +04:00
int lvl = debuglevel ;
2006-02-04 01:19:41 +03:00
if ( gpo = = NULL ) {
return ;
}
DEBUG ( lvl , ( " --------------------- \n \n " ) ) ;
DEBUGADD ( lvl , ( " name: \t \t \t %s \n " , gpo - > name ) ) ;
DEBUGADD ( lvl , ( " displayname: \t \t %s \n " , gpo - > display_name ) ) ;
DEBUGADD ( lvl , ( " version: \t \t %d (0x%08x) \n " , gpo - > version , gpo - > version ) ) ;
2007-08-14 18:47:08 +04:00
DEBUGADD ( lvl , ( " version_user: \t \t %d (0x%04x) \n " ,
GPO_VERSION_USER ( gpo - > version ) ,
GPO_VERSION_USER ( gpo - > version ) ) ) ;
DEBUGADD ( lvl , ( " version_machine: \t %d (0x%04x) \n " ,
GPO_VERSION_MACHINE ( gpo - > version ) ,
GPO_VERSION_MACHINE ( gpo - > version ) ) ) ;
2006-02-04 01:19:41 +03:00
DEBUGADD ( lvl , ( " filesyspath: \t \t %s \n " , gpo - > file_sys_path ) ) ;
DEBUGADD ( lvl , ( " dspath: \t \t %s \n " , gpo - > ds_path ) ) ;
DEBUGADD ( lvl , ( " options: \t \t %d " , gpo - > options ) ) ;
2007-07-14 03:34:42 +04:00
switch ( gpo - > options ) {
case GPFLAGS_ALL_ENABLED :
DEBUGADD ( lvl , ( " GPFLAGS_ALL_ENABLED \n " ) ) ;
break ;
case GPFLAGS_USER_SETTINGS_DISABLED :
DEBUGADD ( lvl , ( " GPFLAGS_USER_SETTINGS_DISABLED \n " ) ) ;
break ;
case GPFLAGS_MACHINE_SETTINGS_DISABLED :
DEBUGADD ( lvl , ( " GPFLAGS_MACHINE_SETTINGS_DISABLED \n " ) ) ;
break ;
case GPFLAGS_ALL_DISABLED :
DEBUGADD ( lvl , ( " GPFLAGS_ALL_DISABLED \n " ) ) ;
break ;
default :
DEBUGADD ( lvl , ( " unknown option: %d \n " , gpo - > options ) ) ;
break ;
2006-02-04 01:19:41 +03:00
}
DEBUGADD ( lvl , ( " link: \t \t \t %s \n " , gpo - > link ) ) ;
DEBUGADD ( lvl , ( " link_type: \t \t %d " , gpo - > link_type ) ) ;
switch ( gpo - > link_type ) {
2007-07-09 19:48:17 +04:00
case GP_LINK_UNKOWN :
DEBUGADD ( lvl , ( " GP_LINK_UNKOWN \n " ) ) ;
break ;
case GP_LINK_OU :
DEBUGADD ( lvl , ( " GP_LINK_OU \n " ) ) ;
break ;
case GP_LINK_DOMAIN :
DEBUGADD ( lvl , ( " GP_LINK_DOMAIN \n " ) ) ;
break ;
case GP_LINK_SITE :
DEBUGADD ( lvl , ( " GP_LINK_SITE \n " ) ) ;
break ;
case GP_LINK_MACHINE :
DEBUGADD ( lvl , ( " GP_LINK_MACHINE \n " ) ) ;
break ;
default :
break ;
2006-02-04 01:19:41 +03:00
}
2007-07-09 19:48:17 +04:00
DEBUGADD ( lvl , ( " machine_extensions: \t %s \n " , gpo - > machine_extensions ) ) ;
2006-02-04 01:19:41 +03:00
if ( gpo - > machine_extensions ) {
2007-07-09 19:48:17 +04:00
struct GP_EXT * gp_ext = NULL ;
2006-02-04 01:19:41 +03:00
2007-08-14 18:47:08 +04:00
if ( ! ads_parse_gp_ext ( mem_ctx , gpo - > machine_extensions ,
& gp_ext ) ) {
2006-02-04 01:19:41 +03:00
return ;
}
2007-07-09 19:48:17 +04:00
dump_gp_ext ( gp_ext , lvl ) ;
2006-02-04 01:19:41 +03:00
}
2007-08-14 18:47:08 +04:00
2007-07-09 19:48:17 +04:00
DEBUGADD ( lvl , ( " user_extensions: \t %s \n " , gpo - > user_extensions ) ) ;
2006-02-04 01:19:41 +03:00
if ( gpo - > user_extensions ) {
2007-08-14 18:47:08 +04:00
2007-07-09 19:48:17 +04:00
struct GP_EXT * gp_ext = NULL ;
2007-08-14 18:47:08 +04:00
if ( ! ads_parse_gp_ext ( mem_ctx , gpo - > user_extensions ,
& gp_ext ) ) {
2006-02-04 01:19:41 +03:00
return ;
}
2007-07-09 19:48:17 +04:00
dump_gp_ext ( gp_ext , lvl ) ;
2006-02-04 01:19:41 +03:00
}
2009-10-11 02:12:28 +04:00
if ( gpo - > security_descriptor ) {
DEBUGADD ( lvl , ( " security descriptor: \n " ) ) ;
2007-07-14 03:38:19 +04:00
2009-10-11 02:12:28 +04:00
NDR_PRINT_DEBUG ( security_descriptor , gpo - > security_descriptor ) ;
}
2007-01-08 17:16:42 +03:00
}
2006-02-04 01:19:41 +03:00
2007-07-09 19:48:17 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
void dump_gpo_list ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
struct GROUP_POLICY_OBJECT * gpo_list ,
2007-07-09 19:48:17 +04:00
int debuglevel )
{
struct GROUP_POLICY_OBJECT * gpo = NULL ;
for ( gpo = gpo_list ; gpo ; gpo = gpo - > next ) {
2007-07-14 03:38:19 +04:00
dump_gpo ( ads , mem_ctx , gpo , debuglevel ) ;
2007-07-09 19:48:17 +04:00
}
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
void dump_gplink ( ADS_STRUCT * ads , TALLOC_CTX * mem_ctx , struct GP_LINK * gp_link )
{
ADS_STATUS status ;
int i ;
int lvl = 10 ;
if ( gp_link = = NULL ) {
return ;
}
DEBUG ( lvl , ( " --------------------- \n \n " ) ) ;
DEBUGADD ( lvl , ( " gplink: %s \n " , gp_link - > gp_link ) ) ;
DEBUGADD ( lvl , ( " gpopts: %d " , gp_link - > gp_opts ) ) ;
switch ( gp_link - > gp_opts ) {
2007-07-09 19:48:17 +04:00
case GPOPTIONS_INHERIT :
DEBUGADD ( lvl , ( " GPOPTIONS_INHERIT \n " ) ) ;
break ;
case GPOPTIONS_BLOCK_INHERITANCE :
DEBUGADD ( lvl , ( " GPOPTIONS_BLOCK_INHERITANCE \n " ) ) ;
break ;
default :
break ;
2006-02-04 01:19:41 +03:00
}
DEBUGADD ( lvl , ( " num links: %d \n " , gp_link - > num_links ) ) ;
for ( i = 0 ; i < gp_link - > num_links ; i + + ) {
2007-08-14 18:47:08 +04:00
2006-02-04 01:19:41 +03:00
DEBUGADD ( lvl , ( " --------------------- \n \n " ) ) ;
2007-08-14 18:47:08 +04:00
2006-02-04 01:19:41 +03:00
DEBUGADD ( lvl , ( " link: #%d \n " , i + 1 ) ) ;
DEBUGADD ( lvl , ( " name: %s \n " , gp_link - > link_names [ i ] ) ) ;
DEBUGADD ( lvl , ( " opt: %d " , gp_link - > link_opts [ i ] ) ) ;
if ( gp_link - > link_opts [ i ] & GPO_LINK_OPT_ENFORCED ) {
DEBUGADD ( lvl , ( " GPO_LINK_OPT_ENFORCED " ) ) ;
}
if ( gp_link - > link_opts [ i ] & GPO_LINK_OPT_DISABLED ) {
DEBUGADD ( lvl , ( " GPO_LINK_OPT_DISABLED " ) ) ;
}
DEBUGADD ( lvl , ( " \n " ) ) ;
if ( ads ! = NULL & & mem_ctx ! = NULL ) {
struct GROUP_POLICY_OBJECT gpo ;
2007-08-14 18:47:08 +04:00
status = ads_get_gpo ( ads , mem_ctx ,
gp_link - > link_names [ i ] ,
NULL , NULL , & gpo ) ;
2006-02-04 01:19:41 +03:00
if ( ! ADS_ERR_OK ( status ) ) {
2007-08-14 18:47:08 +04:00
DEBUG ( lvl , ( " get gpo for %s failed: %s \n " ,
gp_link - > link_names [ i ] ,
ads_errstr ( status ) ) ) ;
2006-02-04 01:19:41 +03:00
return ;
}
2007-07-14 03:38:19 +04:00
dump_gpo ( ads , mem_ctx , & gpo , lvl ) ;
2006-02-04 01:19:41 +03:00
}
}
}
2007-08-20 13:47:13 +04:00
# endif /* HAVE_LDAP */
2007-07-09 19:48:17 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-03-18 23:30:34 +03:00
static bool gpo_get_gp_ext_from_gpo ( TALLOC_CTX * mem_ctx ,
uint32_t flags ,
struct GROUP_POLICY_OBJECT * gpo ,
struct GP_EXT * * gp_ext )
2006-02-04 01:19:41 +03:00
{
2008-03-18 23:30:34 +03:00
ZERO_STRUCTP ( * gp_ext ) ;
if ( flags & GPO_INFO_FLAG_MACHINE ) {
if ( gpo - > machine_extensions ) {
if ( ! ads_parse_gp_ext ( mem_ctx , gpo - > machine_extensions ,
gp_ext ) ) {
return false ;
}
}
} else {
2006-02-04 01:19:41 +03:00
2008-03-18 23:30:34 +03:00
if ( gpo - > user_extensions ) {
if ( ! ads_parse_gp_ext ( mem_ctx , gpo - > user_extensions ,
gp_ext ) ) {
return false ;
}
}
}
return true ;
2006-02-04 01:19:41 +03:00
}
2007-07-09 19:48:17 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2006-02-04 01:19:41 +03:00
ADS_STATUS gpo_process_a_gpo ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
2010-08-26 16:08:22 +04:00
const struct security_token * token ,
2008-03-18 23:30:34 +03:00
struct registry_key * root_key ,
2006-02-04 01:19:41 +03:00
struct GROUP_POLICY_OBJECT * gpo ,
2007-07-09 19:48:17 +04:00
const char * extension_guid_filter ,
2007-08-14 18:47:08 +04:00
uint32_t flags )
2006-02-04 01:19:41 +03:00
{
2007-07-09 19:48:17 +04:00
struct GP_EXT * gp_ext = NULL ;
2006-02-04 01:19:41 +03:00
int i ;
2007-08-14 18:47:08 +04:00
DEBUG ( 10 , ( " gpo_process_a_gpo: processing gpo %s (%s) \n " ,
gpo - > name , gpo - > display_name ) ) ;
if ( extension_guid_filter ) {
2008-03-18 23:30:34 +03:00
DEBUGADD ( 10 , ( " gpo_process_a_gpo: using filter %s (%s) \n " ,
extension_guid_filter ,
cse_gpo_guid_string_to_name ( extension_guid_filter ) ) ) ;
2007-08-14 18:47:08 +04:00
}
2008-03-18 23:30:34 +03:00
if ( ! gpo_get_gp_ext_from_gpo ( mem_ctx , flags , gpo , & gp_ext ) ) {
return ADS_ERROR_NT ( NT_STATUS_INVALID_PARAMETER ) ;
}
2006-02-04 01:19:41 +03:00
2008-03-18 23:30:34 +03:00
if ( ! gp_ext | | ! gp_ext - > num_exts ) {
if ( flags & GPO_INFO_FLAG_VERBOSE ) {
DEBUG ( 0 , ( " gpo_process_a_gpo: "
" no policies in %s (%s) for this extension \n " ,
gpo - > name , gpo - > display_name ) ) ;
2006-02-04 01:19:41 +03:00
}
2008-03-18 23:30:34 +03:00
return ADS_SUCCESS ;
2006-02-04 01:19:41 +03:00
}
2007-07-09 19:48:17 +04:00
for ( i = 0 ; i < gp_ext - > num_exts ; i + + ) {
2006-02-04 01:19:41 +03:00
2007-08-14 18:47:08 +04:00
NTSTATUS ntstatus ;
if ( extension_guid_filter & &
! strequal ( extension_guid_filter ,
2009-03-01 04:13:21 +03:00
gp_ext - > extensions_guid [ i ] ) ) {
2006-02-04 01:19:41 +03:00
continue ;
}
2008-03-18 23:30:34 +03:00
ntstatus = gpext_process_extension ( ads , mem_ctx ,
flags , token , root_key , gpo ,
gp_ext - > extensions_guid [ i ] ,
gp_ext - > snapins_guid [ i ] ) ;
2007-08-14 18:47:08 +04:00
if ( ! NT_STATUS_IS_OK ( ntstatus ) ) {
ADS_ERROR_NT ( ntstatus ) ;
2006-02-04 01:19:41 +03:00
}
}
2007-05-16 13:42:29 +04:00
return ADS_SUCCESS ;
2006-02-04 01:19:41 +03:00
}
2007-07-09 19:48:17 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-03-18 23:30:34 +03:00
static ADS_STATUS gpo_process_gpo_list_by_ext ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
2010-08-26 16:08:22 +04:00
const struct security_token * token ,
2008-03-18 23:30:34 +03:00
struct registry_key * root_key ,
struct GROUP_POLICY_OBJECT * gpo_list ,
const char * extensions_guid ,
uint32_t flags )
2006-02-04 01:19:41 +03:00
{
ADS_STATUS status ;
2007-07-09 19:48:17 +04:00
struct GROUP_POLICY_OBJECT * gpo ;
2006-02-04 01:19:41 +03:00
2007-07-09 19:48:17 +04:00
for ( gpo = gpo_list ; gpo ; gpo = gpo - > next ) {
2007-08-14 18:47:08 +04:00
2008-03-18 23:30:34 +03:00
if ( gpo - > link_type = = GP_LINK_LOCAL ) {
continue ;
}
/* FIXME: we need to pass down the *list* down to the
* extension , otherwise we cannot store the e . g . the * list * of
* logon - scripts correctly ( for more then one GPO ) */
status = gpo_process_a_gpo ( ads , mem_ctx , token , root_key ,
gpo , extensions_guid , flags ) ;
2007-08-14 18:47:08 +04:00
2006-02-04 01:19:41 +03:00
if ( ! ADS_ERR_OK ( status ) ) {
2008-03-18 23:30:34 +03:00
DEBUG ( 0 , ( " failed to process gpo by ext: %s \n " ,
2007-08-14 18:47:08 +04:00
ads_errstr ( status ) ) ) ;
2006-02-04 01:19:41 +03:00
return status ;
}
}
2007-05-16 13:42:29 +04:00
return ADS_SUCCESS ;
2006-02-04 01:19:41 +03:00
}
2008-03-18 23:30:34 +03:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
ADS_STATUS gpo_process_gpo_list ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
2010-08-26 16:08:22 +04:00
const struct security_token * token ,
2008-03-18 23:30:34 +03:00
struct GROUP_POLICY_OBJECT * gpo_list ,
const char * extensions_guid_filter ,
uint32_t flags )
{
ADS_STATUS status = ADS_SUCCESS ;
struct gp_extension * gp_ext_list = NULL ;
struct gp_extension * gp_ext = NULL ;
struct registry_key * root_key = NULL ;
struct gp_registry_context * reg_ctx = NULL ;
2009-03-15 22:34:59 +03:00
#if 0
2008-03-18 23:30:34 +03:00
WERROR werr ;
2009-03-15 22:34:59 +03:00
# endif
2008-03-18 23:30:34 +03:00
status = ADS_ERROR_NT ( init_gp_extensions ( mem_ctx ) ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
gp_ext_list = get_gp_extension_list ( ) ;
if ( ! gp_ext_list ) {
return ADS_ERROR_NT ( NT_STATUS_DLL_INIT_FAILED ) ;
}
2009-03-01 21:49:42 +03:00
/* FIXME Needs to be replaced with new patchfile_preg calls */
#if 0
2008-03-18 23:30:34 +03:00
/* get the key here */
if ( flags & GPO_LIST_FLAG_MACHINE ) {
werr = gp_init_reg_ctx ( mem_ctx , KEY_HKLM , REG_KEY_WRITE ,
get_system_token ( ) ,
& reg_ctx ) ;
} else {
werr = gp_init_reg_ctx ( mem_ctx , KEY_HKCU , REG_KEY_WRITE ,
token ,
& reg_ctx ) ;
}
if ( ! W_ERROR_IS_OK ( werr ) ) {
2009-03-15 06:40:12 +03:00
talloc_free ( reg_ctx ) ;
2008-03-18 23:30:34 +03:00
return ADS_ERROR_NT ( werror_to_ntstatus ( werr ) ) ;
}
2009-03-15 22:34:59 +03:00
# endif
2008-03-18 23:30:34 +03:00
root_key = reg_ctx - > curr_key ;
for ( gp_ext = gp_ext_list ; gp_ext ; gp_ext = gp_ext - > next ) {
const char * guid_str = NULL ;
guid_str = GUID_string ( mem_ctx , gp_ext - > guid ) ;
if ( ! guid_str ) {
status = ADS_ERROR_NT ( NT_STATUS_NO_MEMORY ) ;
goto done ;
}
if ( extensions_guid_filter & &
( ! strequal ( guid_str , extensions_guid_filter ) ) ) {
continue ;
}
DEBUG ( 0 , ( " ------------------------------------------------- \n " ) ) ;
DEBUG ( 0 , ( " gpo_process_gpo_list: processing ext: %s {%s} \n " ,
gp_ext - > name , guid_str ) ) ;
status = gpo_process_gpo_list_by_ext ( ads , mem_ctx , token ,
root_key , gpo_list ,
guid_str , flags ) ;
if ( ! ADS_ERR_OK ( status ) ) {
goto done ;
}
}
done :
2009-03-15 06:40:12 +03:00
talloc_free ( reg_ctx ) ;
2009-03-01 18:25:57 +03:00
talloc_free ( root_key ) ;
2008-03-18 23:30:34 +03:00
free_gp_extensions ( ) ;
return status ;
}
2006-09-29 05:49:26 +04:00
/****************************************************************
check wether the version number in a GROUP_POLICY_OBJECT match those of the
locally stored version . If not , fetch the required policy via CIFS
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
NTSTATUS check_refresh_gpo ( ADS_STRUCT * ads ,
2006-09-29 05:49:26 +04:00
TALLOC_CTX * mem_ctx ,
2009-03-15 22:34:59 +03:00
const char * cache_dir ,
2009-03-15 06:40:12 +03:00
struct loadparm_context * lp_ctx ,
2007-08-14 18:47:08 +04:00
uint32_t flags ,
2009-03-15 06:40:12 +03:00
struct GROUP_POLICY_OBJECT * gpo )
2006-09-29 05:49:26 +04:00
{
NTSTATUS result ;
2007-07-09 19:48:17 +04:00
char * server = NULL ;
char * share = NULL ;
char * nt_path = NULL ;
char * unix_path = NULL ;
2007-08-14 18:47:08 +04:00
uint32_t sysvol_gpt_version = 0 ;
2007-07-09 19:48:17 +04:00
char * display_name = NULL ;
2006-09-29 05:49:26 +04:00
2009-03-15 22:34:59 +03:00
result = gpo_explode_filesyspath ( mem_ctx , cache_dir , gpo - > file_sys_path ,
2007-07-09 19:48:17 +04:00
& server , & share , & nt_path , & unix_path ) ;
2006-09-29 05:49:26 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
goto out ;
}
2007-08-14 18:47:08 +04:00
result = gpo_get_sysvol_gpt_version ( mem_ctx ,
2007-07-09 19:48:17 +04:00
unix_path ,
& sysvol_gpt_version ,
& display_name ) ;
2007-08-14 18:47:08 +04:00
if ( ! NT_STATUS_IS_OK ( result ) & &
2006-09-29 05:49:26 +04:00
! NT_STATUS_EQUAL ( result , NT_STATUS_NO_SUCH_FILE ) ) {
2007-08-14 18:47:08 +04:00
DEBUG ( 10 , ( " check_refresh_gpo: "
" failed to get local gpt version: %s \n " ,
2006-09-29 05:49:26 +04:00
nt_errstr ( result ) ) ) ;
goto out ;
}
2007-08-14 18:47:08 +04:00
DEBUG ( 10 , ( " check_refresh_gpo: versions gpo %d sysvol %d \n " ,
gpo - > version , sysvol_gpt_version ) ) ;
/* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
2006-09-29 05:49:26 +04:00
while ( gpo - > version > sysvol_gpt_version ) {
DEBUG ( 1 , ( " check_refresh_gpo: need to refresh GPO \n " ) ) ;
2009-03-15 22:34:59 +03:00
result = gpo_fetch_files ( mem_ctx , ads , lp_ctx , cache_dir , gpo ) ;
2006-09-29 05:49:26 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
goto out ;
}
2007-08-14 18:47:08 +04:00
result = gpo_get_sysvol_gpt_version ( mem_ctx ,
unix_path ,
2007-07-09 19:48:17 +04:00
& sysvol_gpt_version ,
2007-08-14 18:47:08 +04:00
& display_name ) ;
2006-09-29 05:49:26 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
2007-08-14 18:47:08 +04:00
DEBUG ( 10 , ( " check_refresh_gpo: "
" failed to get local gpt version: %s \n " ,
2006-09-29 05:49:26 +04:00
nt_errstr ( result ) ) ) ;
goto out ;
}
2007-08-14 18:47:08 +04:00
2006-09-29 05:49:26 +04:00
if ( gpo - > version = = sysvol_gpt_version ) {
break ;
}
2007-08-14 18:47:08 +04:00
}
DEBUG ( 10 , ( " Name: \t \t \t %s (%s) \n " , gpo - > display_name , gpo - > name ) ) ;
DEBUGADD ( 10 , ( " sysvol GPT version: \t %d (user: %d, machine: %d) \n " ,
sysvol_gpt_version ,
GPO_VERSION_USER ( sysvol_gpt_version ) ,
GPO_VERSION_MACHINE ( sysvol_gpt_version ) ) ) ;
DEBUGADD ( 10 , ( " LDAP GPO version: \t %d (user: %d, machine: %d) \n " ,
2006-09-29 05:49:26 +04:00
gpo - > version ,
GPO_VERSION_USER ( gpo - > version ) ,
GPO_VERSION_MACHINE ( gpo - > version ) ) ) ;
2008-03-18 23:30:34 +03:00
DEBUGADD ( 10 , ( " LDAP GPO link: \t \t %s \n " , gpo - > link ) ) ;
2006-09-29 05:49:26 +04:00
result = NT_STATUS_OK ;
out :
return result ;
}
/****************************************************************
check wether the version numbers in the gpo_list match the locally stored , if
not , go and get each required GPO via CIFS
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 18:47:08 +04:00
NTSTATUS check_refresh_gpo_list ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
2009-03-15 22:34:59 +03:00
const char * cache_dir ,
2009-03-15 06:40:12 +03:00
struct loadparm_context * lp_ctx ,
2007-08-14 18:47:08 +04:00
uint32_t flags ,
2006-09-29 05:49:26 +04:00
struct GROUP_POLICY_OBJECT * gpo_list )
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL ;
struct GROUP_POLICY_OBJECT * gpo ;
2007-07-09 19:48:17 +04:00
if ( ! gpo_list ) {
return NT_STATUS_INVALID_PARAMETER ;
}
2006-09-29 05:49:26 +04:00
for ( gpo = gpo_list ; gpo ; gpo = gpo - > next ) {
2009-03-15 22:34:59 +03:00
result = check_refresh_gpo ( ads , mem_ctx , cache_dir , lp_ctx , flags , gpo ) ;
2006-09-29 05:49:26 +04:00
if ( ! NT_STATUS_IS_OK ( result ) ) {
goto out ;
}
}
result = NT_STATUS_OK ;
out :
2009-03-15 06:40:12 +03:00
/* FIXME close cli connection */
2006-09-29 05:49:26 +04:00
return result ;
}
2007-08-14 19:17:50 +04:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2008-02-29 19:06:22 +03:00
NTSTATUS gpo_get_unix_path ( TALLOC_CTX * mem_ctx ,
2009-03-15 22:34:59 +03:00
const char * cache_dir ,
2008-02-29 19:06:22 +03:00
struct GROUP_POLICY_OBJECT * gpo ,
char * * unix_path )
{
char * server , * share , * nt_path ;
2009-03-15 22:34:59 +03:00
return gpo_explode_filesyspath ( mem_ctx , cache_dir , gpo - > file_sys_path ,
2008-02-29 19:06:22 +03:00
& server , & share , & nt_path , unix_path ) ;
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2009-03-15 06:40:12 +03:00
char * gpo_flag_str ( TALLOC_CTX * ctx , uint32_t flags )
2008-02-29 18:03:23 +03:00
{
2009-03-15 06:40:12 +03:00
char * str = NULL ;
2008-02-29 18:03:23 +03:00
if ( flags = = 0 ) {
return NULL ;
}
if ( flags & GPO_INFO_FLAG_SLOWLINK )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_SLOWLINK " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_VERBOSE )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_VERBOSE " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_SAFEMODE_BOOT )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_SAFEMODE_BOOT " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_NOCHANGES )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_NOCHANGES " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_MACHINE )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_MACHINE " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_LOGRSOP_TRANSITION )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_LOGRSOP_TRANSITION " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_LINKTRANSITION )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_LINKTRANSITION " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_FORCED_REFRESH )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_FORCED_REFRESH " ) ;
2008-02-29 18:03:23 +03:00
if ( flags & GPO_INFO_FLAG_BACKGROUND )
2009-03-15 06:40:12 +03:00
str = talloc_append_string ( ctx , str , " GPO_INFO_FLAG_BACKGROUND " ) ;
2008-02-29 18:03:23 +03:00
2009-03-15 06:40:12 +03:00
return str ;
2008-02-29 18:03:23 +03:00
}
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
2007-08-14 19:17:50 +04:00
NTSTATUS gp_find_file ( TALLOC_CTX * mem_ctx ,
uint32_t flags ,
const char * filename ,
const char * suffix ,
const char * * filename_out )
{
const char * tmp = NULL ;
2009-03-01 04:13:21 +03:00
struct stat sbuf ;
2007-08-14 19:17:50 +04:00
const char * path = NULL ;
if ( flags & GPO_LIST_FLAG_MACHINE ) {
path = " Machine " ;
} else {
path = " User " ;
}
tmp = talloc_asprintf ( mem_ctx , " %s/%s/%s " , filename ,
path , suffix ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp ) ;
2009-03-01 04:13:21 +03:00
if ( stat ( tmp , & sbuf ) = = 0 ) {
2007-08-14 19:17:50 +04:00
* filename_out = tmp ;
return NT_STATUS_OK ;
}
2008-03-03 11:43:10 +03:00
path = talloc_strdup_upper ( mem_ctx , path ) ;
NT_STATUS_HAVE_NO_MEMORY ( path ) ;
tmp = talloc_asprintf ( mem_ctx , " %s/%s/%s " , filename ,
path , suffix ) ;
2007-08-14 19:17:50 +04:00
NT_STATUS_HAVE_NO_MEMORY ( tmp ) ;
2009-03-01 18:25:57 +03:00
if ( stat ( tmp , & sbuf ) = = 0 ) {
2007-08-14 19:17:50 +04:00
* filename_out = tmp ;
return NT_STATUS_OK ;
}
return NT_STATUS_NO_SUCH_FILE ;
}
2008-02-29 20:23:53 +03:00
/****************************************************************
* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */
ADS_STATUS gp_get_machine_token ( ADS_STRUCT * ads ,
TALLOC_CTX * mem_ctx ,
2009-03-15 06:40:12 +03:00
struct loadparm_context * lp_ctx ,
2008-02-29 20:23:53 +03:00
const char * dn ,
2010-08-26 16:08:22 +04:00
struct security_token * * token )
2008-02-29 20:23:53 +03:00
{
2010-08-26 16:08:22 +04:00
struct security_token * ad_token = NULL ;
2008-02-29 20:23:53 +03:00
ADS_STATUS status ;
2009-03-15 06:40:12 +03:00
# if _SAMBA_BUILD_ == 4
struct auth_session_info * info ;
# else
2008-02-29 20:23:53 +03:00
NTSTATUS ntstatus ;
2009-03-15 06:40:12 +03:00
# endif
2008-02-29 20:23:53 +03:00
2008-02-29 22:52:35 +03:00
# ifndef HAVE_ADS
return ADS_ERROR_NT ( NT_STATUS_NOT_SUPPORTED ) ;
# endif
2008-02-29 20:23:53 +03:00
status = ads_get_sid_token ( ads , mem_ctx , dn , & ad_token ) ;
if ( ! ADS_ERR_OK ( status ) ) {
return status ;
}
2009-03-15 06:40:12 +03:00
# if _SAMBA_BUILD_ == 4
info = system_session ( mem_ctx , lp_ctx ) ;
* token = info - > security_token ;
# else
2008-02-29 20:23:53 +03:00
ntstatus = merge_nt_token ( mem_ctx , ad_token , get_system_token ( ) ,
token ) ;
if ( ! NT_STATUS_IS_OK ( ntstatus ) ) {
return ADS_ERROR_NT ( ntstatus ) ;
}
2009-03-15 06:40:12 +03:00
# endif
2008-02-29 20:23:53 +03:00
return ADS_SUCCESS ;
}