winbind: Enforce user group policy when enabled

This only enforces user group policy at logon.
We should also enforce this policy every 90 to
120 minutes, but a logoff will need to cancel the
timer and we cannot have multiple timers if there
are multiple sessions for the same user.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184

source3/winbindd/winbindd_gpupdate.c

@@ -119,6 +119,52 @@ void gpupdate_init(void)
 	}
 }
 
+void gpupdate_user_init(const char *user)
+{
+	struct tevent_req *req = NULL;
+	TALLOC_CTX *ctx = talloc_new(global_event_context());
+	struct loadparm_context *lp_ctx =
+		loadparm_init_s3(NULL, loadparm_s3_helpers());
+	const char *const *gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
+	const char *smbconf = lpcfg_configfile(lp_ctx);
+
+	if (ctx == NULL) {
+		DBG_ERR("talloc_new failed\n");
+		return;
+	}
+
+	/*
+	 * Check if gpupdate is enabled for winbind, if not
+	 * return without applying user policy.
+	 */
+	if (!lpcfg_apply_group_policies(lp_ctx)) {
+		return;
+	}
+
+	/*
+	 * Execute gpupdate for the user immediately.
+	 * TODO: This should be scheduled to reapply every 90 to 120 minutes.
+	 * Logoff will need to handle cancelling these events though, and
+	 * multiple timers cannot be run for the same user, even if there are
+	 * multiple active sessions.
+	 */
+	req = samba_runcmd_send(ctx, global_event_context(),
+				timeval_zero(), 2, 0,
+				gpupdate_cmd,
+				"-s",
+				smbconf,
+				"--target=User",
+				"-U",
+				user,
+				NULL);
+	if (req == NULL) {
+		DBG_ERR("Failed to execute the gpupdate command\n");
+		return;
+	}
+
+	tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+}
+
 static void gpupdate_cmd_done(struct tevent_req *subreq)
 {
 	int sys_errno;

source3/winbindd/winbindd_pam.c

@@ -2580,6 +2580,10 @@ done:
 	    local,
 	    result);
 
+	if (NT_STATUS_IS_OK(result)) {
+		gpupdate_user_init(r->in.info->username);
+	}
+
 	return result;
 }
 

source3/winbindd/winbindd_proto.h

@@ -987,6 +987,7 @@ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
 
 /* The following definitions come from winbindd/winbindd_gpupdate.c  */
 void gpupdate_init(void);
+void gpupdate_user_init(const char *user);
 
 /* The following comes from winbindd/winbindd_dual_srv.c */
 bool reset_cm_connection_on_error(struct winbindd_domain *domain,