sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00
Code

r24413: Minor edits for libgpo.

Browse Source 
Guenther
(This used to be commit 5dc791f4cf)
This commit is contained in:
Günther Deschner 2007-08-14 14:47:08 +00:00 committed by Gerald (Jerry) Carter
parent 2da44a2dee
commit 444fd1e848
6 changed files with 474 additions and 633 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
source3/include/gpo.h
View File

@ -1,23 +1,22 @@
/* /*
* Unix SMB/CIFS implementation. * Unix SMB/CIFS implementation.
* Group Policy Object Support * Group Policy Object Support
* Copyright (C) Guenther Deschner 2005 * Copyright (C) Guenther Deschner 2005-2007
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or * the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
enum GPO_LINK_TYPE { enum GPO_LINK_TYPE {
GP_LINK_UNKOWN = 0, GP_LINK_UNKOWN = 0,
GP_LINK_MACHINE = 1, GP_LINK_MACHINE = 1,
@ -38,8 +37,8 @@ enum GPO_LINK_TYPE {
#define GPO_VERSION_MACHINE(x) (x & 0xffff) #define GPO_VERSION_MACHINE(x) (x & 0xffff)
struct GROUP_POLICY_OBJECT { struct GROUP_POLICY_OBJECT {
uint32 options; /* GPFLAGS_* */ uint32_t options; /* GPFLAGS_* */
uint32 version; uint32_t version;
const char *ds_path; const char *ds_path;
const char *file_sys_path; const char *file_sys_path;
const char *display_name; const char *display_name;
@ -76,15 +75,15 @@ enum GPO_INHERIT {
struct GP_LINK { struct GP_LINK {
const char *gp_link; /* raw link name */ const char *gp_link; /* raw link name */
uint32 gp_opts; /* inheritance options GPO_INHERIT */ uint32_t gp_opts; /* inheritance options GPO_INHERIT */
uint32 num_links; /* number of links */ uint32_t num_links; /* number of links */
char **link_names; /* array of parsed link names */ char **link_names; /* array of parsed link names */
uint32 *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */ uint32_t *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
}; };
struct GP_EXT { struct GP_EXT {
const char *gp_extension; /* raw extension name */ const char *gp_extension; /* raw extension name */
uint32 num_exts; uint32_t num_exts;
char **extensions; char **extensions;
char **extensions_guid; char **extensions_guid;
char **snapins; char **snapins;
@ -93,3 +92,7 @@ struct GP_EXT {
#define GPO_CACHE_DIR "gpo_cache" #define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI" #define GPT_INI "GPT.INI"
#define GP_EXT_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
#define GP_EXT_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2"
#define GP_EXT_SCRIPTS "42B5FAAE-6536-11D2-AE5A-0000F87571E3"

378
source3/libgpo/gpo_ldap.c
View File

@ -25,13 +25,13 @@
parse the raw extension string into a GP_EXT structure parse the raw extension string into a GP_EXT structure
****************************************************************/ ****************************************************************/
ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, BOOL ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
const char *extension_raw, const char *extension_raw,
struct GP_EXT **gp_ext) struct GP_EXT **gp_ext)
{ {
ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); BOOL ret = False;
struct GP_EXT *ext = NULL; struct GP_EXT *ext = NULL;
char **ext_list; char **ext_list = NULL;
char **ext_strings = NULL; char **ext_strings = NULL;
int i; int i;
@ -47,7 +47,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
} }
ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]"); ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
if (ext_list == NULL) { if (!ext_list) {
goto parse_error; goto parse_error;
} }
@ -56,24 +56,23 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
} }
ext->num_exts = i; ext->num_exts = i;
if (ext->num_exts) { if (ext->num_exts) {
ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); ext->num_exts);
ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); ext->num_exts);
} else { ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->extensions = NULL; ext->num_exts);
ext->extensions_guid = NULL; ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->snapins = NULL; ext->num_exts);
ext->snapins_guid = NULL;
} }
ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
if (ext->extensions == NULL || ext->extensions_guid == NULL || if (!ext->extensions || !ext->extensions_guid ||
ext->snapins == NULL || ext->snapins_guid == NULL || !ext->snapins || !ext->snapins_guid ||
ext->gp_extension == NULL) { !ext->gp_extension) {
goto parse_error; goto parse_error;
} }
@ -81,7 +80,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
int k; int k;
char *p, *q; char *p, *q;
DEBUGADD(10,("extension #%d\n", i)); DEBUGADD(10,("extension #%d\n", i));
p = ext_list[i]; p = ext_list[i];
@ -105,14 +104,15 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
q++; q++;
} }
ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); ext->extensions[i] = talloc_strdup(mem_ctx,
cse_gpo_guid_string_to_name(q));
ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
/* we might have no name for the guid */ /* we might have no name for the guid */
if (ext->extensions_guid[i] == NULL) { if (ext->extensions_guid[i] == NULL) {
goto parse_error; goto parse_error;
} }
for (k = 1; ext_strings[k] != NULL; k++) { for (k = 1; ext_strings[k] != NULL; k++) {
char *m = ext_strings[k]; char *m = ext_strings[k];
@ -121,8 +121,10 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
m++; m++;
} }
/* FIXME: theoretically there could be more than one snapin per extension */ /* FIXME: theoretically there could be more than one
ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); * snapin per extension */
ext->snapins[i] = talloc_strdup(mem_ctx,
cse_snapin_gpo_guid_string_to_name(m));
ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
/* we might have no name for the guid */ /* we might have no name for the guid */
@ -134,35 +136,38 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
*gp_ext = ext; *gp_ext = ext;
status = ADS_ERROR_NT(NT_STATUS_OK); ret = True;
parse_error: parse_error:
if (ext_list) { if (ext_list) {
str_list_free_talloc(mem_ctx, &ext_list); str_list_free_talloc(mem_ctx, &ext_list);
} }
if (ext_strings) { if (ext_strings) {
str_list_free_talloc(mem_ctx, &ext_strings); str_list_free_talloc(mem_ctx, &ext_strings);
} }
return status; return ret;
} }
/**************************************************************** /****************************************************************
parse the raw link string into a GP_LINK structure parse the raw link string into a GP_LINK structure
****************************************************************/ ****************************************************************/
static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
const char *gp_link_raw, const char *gp_link_raw,
uint32 options, uint32_t options,
struct GP_LINK *gp_link) struct GP_LINK *gp_link)
{ {
ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
char **link_list; char **link_list;
int i; int i;
ZERO_STRUCTP(gp_link);
DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw)); DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]"); link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
if (link_list == NULL) { if (!link_list) {
goto parse_error; goto parse_error;
} }
@ -172,18 +177,17 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->gp_opts = options; gp_link->gp_opts = options;
gp_link->num_links = i; gp_link->num_links = i;
if (gp_link->num_links) { if (gp_link->num_links) {
gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links); gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links); gp_link->num_links);
} else { gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
gp_link->link_names = NULL; gp_link->num_links);
gp_link->link_opts = NULL;
} }
gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) { if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
goto parse_error; goto parse_error;
} }
@ -199,7 +203,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
}; };
p = strchr(q, ';'); p = strchr(q, ';');
if (p == NULL) { if (p == NULL) {
goto parse_error; goto parse_error;
} }
@ -212,23 +216,22 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->link_opts[i] = atoi(p + 1); gp_link->link_opts[i] = atoi(p + 1);
DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i])); DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i])); gp_link->link_names[i]));
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
gp_link->link_opts[i]));
} }
status = ADS_SUCCESS;
parse_error:
if (link_list) { if (link_list) {
str_list_free_talloc(mem_ctx, &link_list); str_list_free_talloc(mem_ctx, &link_list);
} }
return ADS_ERROR(LDAP_SUCCESS); return status;
parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
return ADS_ERROR(LDAP_NO_MEMORY);
} }
/**************************************************************** /****************************************************************
@ -244,13 +247,14 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
const char *attrs[] = {"gPLink", "gPOptions", NULL}; const char *attrs[] = {"gPLink", "gPOptions", NULL};
LDAPMessage *res = NULL; LDAPMessage *res = NULL;
const char *gp_link; const char *gp_link;
uint32 gp_options; uint32_t gp_options;
ZERO_STRUCTP(gp_link_struct); ZERO_STRUCTP(gp_link_struct);
status = ads_search_dn(ads, &res, link_dn, attrs); status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status; return status;
} }
@ -260,33 +264,34 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT); return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
} }
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) { if (gp_link == NULL) {
DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
ads_msgfree(ads, res); ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
} }
/* perfectly legal to have no options */ /* perfectly legal to have no options */
if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n")); DEBUG(10,("ads_get_gpo_link: "
"no 'gPOptions' attribute found\n"));
gp_options = 0; gp_options = 0;
} }
ads_msgfree(ads, res); ads_msgfree(ads, res);
return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
} }
/**************************************************************** /****************************************************************
helper call to add a gp link helper call to add a gp link
****************************************************************/ ****************************************************************/
ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
const char *link_dn, const char *link_dn,
const char *gpo_dn, const char *gpo_dn,
uint32 gpo_opt) uint32_t gpo_opt)
{ {
ADS_STATUS status; ADS_STATUS status;
const char *attrs[] = {"gPLink", NULL}; const char *attrs[] = {"gPLink", NULL};
@ -298,12 +303,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
* the gpo_dn is sane */ * the gpo_dn is sane */
if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
} }
status = ads_search_dn(ads, &res, link_dn, attrs); status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status; return status;
} }
@ -313,11 +319,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT); return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
} }
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) { if (gp_link == NULL) {
gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
gpo_dn, gpo_opt);
} else { } else {
gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
gp_link, gpo_dn, gpo_opt);
} }
ads_msgfree(ads, res); ads_msgfree(ads, res);
@ -331,7 +339,7 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return status; return status;
} }
return ads_gen_mod(ads, link_dn, mods); return ads_gen_mod(ads, link_dn, mods);
} }
/**************************************************************** /****************************************************************
@ -339,9 +347,9 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
****************************************************************/ ****************************************************************/
/* untested & broken */ /* untested & broken */
ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
const char *link_dn, const char *link_dn,
const char *gpo_dn) const char *gpo_dn)
{ {
ADS_STATUS status; ADS_STATUS status;
@ -355,7 +363,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
} }
if (gpo_dn[strlen(gpo_dn)] != ']') { if (gpo_dn[strlen(gpo_dn)] != ']') {
DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
@ -363,7 +371,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
status = ads_search_dn(ads, &res, link_dn, attrs); status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status; return status;
} }
@ -373,13 +382,14 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT); return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
} }
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) { if (gp_link == NULL) {
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
} }
/* find link to delete */ /* find link to delete */
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
gpo_dn, gpo_opt); */
ads_msgfree(ads, res); ads_msgfree(ads, res);
ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
@ -392,7 +402,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return status; return status;
} }
return ads_gen_mod(ads, link_dn, mods); return ads_gen_mod(ads, link_dn, mods);
} }
/**************************************************************** /****************************************************************
@ -425,19 +435,25 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_MEMORY); return ADS_ERROR(LDAP_NO_MEMORY);
} }
gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
"gPCFileSysPath");
ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path); ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); gpo->display_name = ads_pull_string(ads, mem_ctx, res,
"displayName");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); gpo->name = ads_pull_string(ads, mem_ctx, res,
"name");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name); ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); "gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
"gPCUserExtensionNames");
ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor); ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
&gpo->security_descriptor);
ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor); ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
return ADS_ERROR(LDAP_SUCCESS); return ADS_ERROR(LDAP_SUCCESS);
@ -458,11 +474,20 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
LDAPMessage *res = NULL; LDAPMessage *res = NULL;
char *dn; char *dn;
const char *filter; const char *filter;
const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", const char *attrs[] = {
"gPCFunctionalityVersion", "gPCMachineExtensionNames", "cn",
"gPCUserExtensionNames", "gPCWQLFilter", "name", "displayName",
"versionNumber", "ntSecurityDescriptor", NULL}; "flags",
uint32 sd_flags = DACL_SECURITY_INFORMATION; "gPCFileSysPath",
"gPCFunctionalityVersion",
"gPCMachineExtensionNames",
"gPCUserExtensionNames",
"gPCWQLFilter",
"name",
"ntSecurityDescriptor",
"versionNumber",
NULL};
uint32_t sd_flags = DACL_SECURITY_INFORMATION;
ZERO_STRUCTP(gpo); ZERO_STRUCTP(gpo);
@ -471,30 +496,31 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
} }
if (gpo_dn) { if (gpo_dn) {
if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
gpo_dn = gpo_dn + strlen("LDAP://"); gpo_dn = gpo_dn + strlen("LDAP://");
} }
status = ads_search_retry_dn_sd_flags(ads, &res, status = ads_search_retry_dn_sd_flags(ads, &res,
sd_flags, sd_flags,
gpo_dn, attrs); gpo_dn, attrs);
} else if (display_name || guid_name) { } else if (display_name || guid_name) {
filter = talloc_asprintf(mem_ctx, filter = talloc_asprintf(mem_ctx,
"(&(objectclass=groupPolicyContainer)(%s=%s))", "(&(objectclass=groupPolicyContainer)(%s=%s))",
display_name ? "displayName" : "name", display_name ? "displayName" : "name",
display_name ? display_name : guid_name); display_name ? display_name : guid_name);
ADS_ERROR_HAVE_NO_MEMORY(filter); ADS_ERROR_HAVE_NO_MEMORY(filter);
status = ads_do_search_all_sd_flags(ads, ads->config.bind_path, status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
LDAP_SCOPE_SUBTREE, filter, LDAP_SCOPE_SUBTREE, filter,
attrs, sd_flags, &res); attrs, sd_flags, &res);
} }
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); DEBUG(10,("ads_get_gpo: search failed with %s\n",
ads_errstr(status)));
return status; return status;
} }
@ -509,7 +535,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
ads_msgfree(ads, res); ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY); return ADS_ERROR(LDAP_NO_MEMORY);
} }
status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
ads_msgfree(ads, res); ads_msgfree(ads, res);
ads_memfree(ads, dn); ads_memfree(ads, dn);
@ -522,7 +548,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
****************************************************************/ ****************************************************************/
static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list, struct GROUP_POLICY_OBJECT **gpo_list,
const char *link_dn, const char *link_dn,
struct GP_LINK *gp_link, struct GP_LINK *gp_link,
@ -543,39 +569,47 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
} }
if (only_add_forced_gpos) { if (only_add_forced_gpos) {
if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n")); DEBUG(10,("skipping nonenforced GPO link "
"because GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
continue; continue;
} else { } else {
DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n")); DEBUG(10,("adding enforced GPO link although "
"the GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
} }
} }
new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(new_gpo); ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
NULL, NULL, new_gpo);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i])); DEBUG(10,("failed to get gpo: %s\n",
gp_link->link_names[i]));
return status; return status;
} }
status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token)); status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
token));
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(10,("skipping GPO \"%s\" as object has no access to it\n", DEBUG(10,("skipping GPO \"%s\" as object "
"has no access to it\n",
new_gpo->display_name)); new_gpo->display_name));
TALLOC_FREE(new_gpo); TALLOC_FREE(new_gpo);
continue; continue;
} }
new_gpo->link = link_dn; new_gpo->link = link_dn;
new_gpo->link_type = link_type; new_gpo->link_type = link_type;
DLIST_ADD(*gpo_list, new_gpo); DLIST_ADD(*gpo_list, new_gpo);
DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
i, gp_link->link_names[i])); "to GPO list\n", i, gp_link->link_names[i]));
} }
return ADS_ERROR(LDAP_SUCCESS); return ADS_ERROR(LDAP_SUCCESS);
@ -599,7 +633,7 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
struct nt_user_token *new_token = NULL; struct nt_user_token *new_token = NULL;
int i; int i;
status = ads_get_tokensids(ads, mem_ctx, dn, status = ads_get_tokensids(ads, mem_ctx, dn,
&object_sid, &primary_group_sid, &object_sid, &primary_group_sid,
&ad_token_sids, &num_ad_token_sids); &ad_token_sids, &num_ad_token_sids);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
@ -609,24 +643,24 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1); token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
ADS_ERROR_HAVE_NO_MEMORY(token_sids); ADS_ERROR_HAVE_NO_MEMORY(token_sids);
if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
&num_token_sids)) { &num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY); return ADS_ERROR(LDAP_NO_MEMORY);
} }
for (i = 0; i < num_ad_token_sids; i++) { for (i = 0; i < num_ad_token_sids; i++) {
if (sid_check_is_in_builtin(&ad_token_sids[i])) { if (sid_check_is_in_builtin(&ad_token_sids[i])) {
continue; continue;
} }
if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i], if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
&token_sids, &num_token_sids)) { &token_sids, &num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY); return ADS_ERROR(LDAP_NO_MEMORY);
} }
} }
new_token = create_local_nt_token(mem_ctx, &object_sid, False, new_token = create_local_nt_token(mem_ctx, &object_sid, False,
num_token_sids, token_sids); num_token_sids, token_sids);
ADS_ERROR_HAVE_NO_MEMORY(new_token); ADS_ERROR_HAVE_NO_MEMORY(new_token);
@ -637,21 +671,48 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
return ADS_ERROR_LDAP(LDAP_SUCCESS); return ADS_ERROR_LDAP(LDAP_SUCCESS);
} }
/****************************************************************
****************************************************************/
static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list,
enum GPO_LINK_TYPE link_type)
{
struct GROUP_POLICY_OBJECT *gpo = NULL;
ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(gpo);
gpo->name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->link_type = link_type;
DLIST_ADD(*gpo_list, gpo);
return ADS_ERROR_NT(NT_STATUS_OK);
}
/**************************************************************** /****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn get the full list of GROUP_POLICY_OBJECTs for a given dn
****************************************************************/ ****************************************************************/
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
const char *dn, const char *dn,
uint32 flags, uint32_t flags,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT **gpo_list) struct GROUP_POLICY_OBJECT **gpo_list)
{ {
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
ADS_STATUS status; ADS_STATUS status;
struct GP_LINK gp_link; struct GP_LINK gp_link;
struct nt_user_token *token = NULL;
const char *parent_dn, *site_dn, *tmp_dn; const char *parent_dn, *site_dn, *tmp_dn;
BOOL add_only_forced_gpos = False; BOOL add_only_forced_gpos = False;
@ -663,25 +724,27 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
status = ads_get_sid_token(ads, mem_ctx, dn, &token); /* (L)ocal */
status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
GP_LINK_UNKOWN);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
return status; return status;
} }
/* (L)ocal */
/* not yet... */
/* (S)ite */ /* (S)ite */
/* are site GPOs valid for users as well ??? */ /* are site GPOs valid for users as well ??? */
if (flags & GPO_LIST_FLAG_MACHINE) { if (flags & GPO_LIST_FLAG_MACHINE) {
status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); status = ads_site_dn_for_machine(ads, mem_ctx,
ads->config.ldap_server_name,
&site_dn);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
return status; return status;
} }
DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
site_dn));
status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
if (ADS_ERR_OK(status)) { if (ADS_ERR_OK(status)) {
@ -690,8 +753,9 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
dump_gplink(ads, mem_ctx, &gp_link); dump_gplink(ads, mem_ctx, &gp_link);
} }
status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
site_dn, &gp_link, GP_LINK_SITE, site_dn, &gp_link,
GP_LINK_SITE,
add_only_forced_gpos, add_only_forced_gpos,
token); token);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
@ -708,33 +772,39 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
tmp_dn = dn; tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) && while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (D)omain */ /* (D)omain */
/* An account can just be a member of one domain */ /* An account can just be a member of one domain */
if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) { if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) { if (DEBUGLEVEL >= 100) {
dump_gplink(ads, mem_ctx, &gp_link); dump_gplink(ads, mem_ctx, &gp_link);
} }
/* block inheritance from now on */ /* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True; add_only_forced_gpos = True;
} }
status = add_gplink_to_gpo_list(ads, mem_ctx, status = add_gplink_to_gpo_list(ads,
gpo_list, parent_dn, mem_ctx,
&gp_link, GP_LINK_DOMAIN, gpo_list,
add_only_forced_gpos, parent_dn,
token); &gp_link,
GP_LINK_DOMAIN,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
return status; return status;
} }
@ -746,19 +816,21 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
/* reset dn again */ /* reset dn again */
tmp_dn = dn; tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) && while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (O)rganizational(U)nit */ /* (O)rganizational(U)nit */
/* An account can be a member of more OUs */ /* An account can be a member of more OUs */
if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) { if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) { if (DEBUGLEVEL >= 100) {
@ -766,15 +838,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
} }
/* block inheritance from now on */ /* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True; add_only_forced_gpos = True;
} }
status = add_gplink_to_gpo_list(ads, mem_ctx, status = add_gplink_to_gpo_list(ads,
gpo_list, parent_dn, mem_ctx,
&gp_link, GP_LINK_OU, gpo_list,
add_only_forced_gpos, parent_dn,
token); &gp_link,
GP_LINK_OU,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
return status; return status;
} }

222
source3/libgpo/gpo_parse.c
View File

@ -74,225 +74,3 @@ NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx, const char *filename, uint32 *versio
return result; return result;
} }
#if 0 /* not yet */
/****************************************************************
parse the Version section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_VERSION "Version"
#define GPTTMPL_PARAMETER_REVISION "Revision"
#define GPTTMPL_PARAMETER_SIGNATURE "signature"
#define GPTTMPL_CHICAGO "$CHICAGO$" /* whatever this is good for... */
#define GPTTMPL_SECTION_UNICODE "Unicode"
#define GPTTMPL_PARAMETER_UNICODE "Unicode"
static NTSTATUS parse_gpttmpl(dictionary *d, uint32 *version_out)
{
const char *signature = NULL;
uint32 version;
if ((signature = iniparser_getstring(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (!strequal(signature, GPTTMPL_CHICAGO)) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if ((version = iniparser_getint(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (version_out) {
*version_out = version;
}
/* treat that as boolean */
if ((!iniparser_getboolean(d, GPTTMPL_SECTION_UNICODE
":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
return NT_STATUS_OK;
}
/****************************************************************
parse the "System Access" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access"
#define GPTTMPL_PARAMETER_MINPWDAGE "MinimumPasswordAge"
#define GPTTMPL_PARAMETER_MAXPWDAGE "MaximumPasswordAge"
#define GPTTMPL_PARAMETER_MINPWDLEN "MinimumPasswordLength"
#define GPTTMPL_PARAMETER_PWDCOMPLEX "PasswordComplexity"
#define GPTTMPL_PARAMETER_PWDHISTORY "PasswordHistorySize"
#define GPTTMPL_PARAMETER_LOCKOUTCOUNT "LockoutBadCount"
static NTSTATUS parse_gpttmpl_system_access(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 pwd_min_age, pwd_max_age, pwd_min_len, pwd_history;
uint32 lockout_count;
BOOL pwd_complex;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((pwd_min_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_max_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_min_len = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDLEN, Undefined)) == Undefined) {
goto out;
}
if ((pwd_complex = iniparser_getboolean(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDCOMPLEX, Undefined)) == Undefined) {
goto out;
}
if ((pwd_history = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDHISTORY, Undefined)) == Undefined) {
goto out;
}
if ((lockout_count = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_LOCKOUTCOUNT, Undefined)) == Undefined) {
goto out;
}
/* TODO ?
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
*/
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
/****************************************************************
parse the "Kerberos Policy" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy"
#define GPTTMPL_PARAMETER_MAXTKTAGE "MaxTicketAge"
#define GPTTMPL_PARAMETER_MAXRENEWAGE "MaxRenewAge"
#define GPTTMPL_PARAMETER_MAXTGSAGE "MaxServiceAge"
#define GPTTMPL_PARAMETER_MAXCLOCKSKEW "MaxClockSkew"
#define GPTTMPL_PARAMETER_TKTVALIDATECLIENT "TicketValidateClient"
static NTSTATUS parse_gpttmpl_kerberos_policy(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 tkt_max_age, tkt_max_renew, tgs_max_age, max_clock_skew;
BOOL tkt_validate;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((tkt_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTKTAGE, Undefined)) != Undefined) {
goto out;
}
if ((tkt_max_renew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXRENEWAGE, Undefined)) != Undefined) {
goto out;
}
if ((tgs_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTGSAGE, Undefined)) != Undefined) {
goto out;
}
if ((max_clock_skew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXCLOCKSKEW, Undefined)) != Undefined) {
goto out;
}
if ((tkt_validate = iniparser_getboolean(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_TKTVALIDATECLIENT, Undefined)) != Undefined) {
goto out;
}
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
#endif
/*
perfectly parseable with iniparser:
{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
*/

36
source3/libgpo/gpo_sec.c
View File

@ -1,18 +1,18 @@
/* /*
* Unix SMB/CIFS implementation. * Unix SMB/CIFS implementation.
* Group Policy Object Support * Group Policy Object Support
* Copyright (C) Guenther Deschner 2007 * Copyright (C) Guenther Deschner 2007
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or * the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
@ -70,7 +70,7 @@ static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) static BOOL gpo_sd_check_agp_access_bits(uint32_t access_mask)
{ {
return (access_mask & SEC_RIGHTS_EXTENDED); return (access_mask & SEC_RIGHTS_EXTENDED);
} }
@ -79,9 +79,9 @@ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static BOOL gpo_sd_check_read_access_bits(uint32 access_mask) static BOOL gpo_sd_check_read_access_bits(uint32_t access_mask)
{ {
uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS | uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
SEC_RIGHTS_READ_ALL_PROP | SEC_RIGHTS_READ_ALL_PROP |
SEC_RIGHTS_READ_PERMS; SEC_RIGHTS_READ_PERMS;
@ -92,13 +92,14 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
const struct nt_user_token *token) const struct nt_user_token *token)
{ {
if (gpo_sd_check_agp_object(ace) && if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) { nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", DEBUG(10,("gpo_sd_check_ace_denied_object: "
"Access denied as of ace for %s\n",
sid_string_static(&ace->trustee))); sid_string_static(&ace->trustee)));
return NT_STATUS_ACCESS_DENIED; return NT_STATUS_ACCESS_DENIED;
} }
@ -109,13 +110,14 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
const struct nt_user_token *token) const struct nt_user_token *token)
{ {
if (gpo_sd_check_agp_object(ace) && if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) && gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) { nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", DEBUG(10,("gpo_sd_check_ace_allowed_object: "
"Access granted as of ace for %s\n",
sid_string_static(&ace->trustee))); sid_string_static(&ace->trustee)));
return NT_STATUS_OK; return NT_STATUS_OK;
} }
@ -126,8 +128,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
const struct nt_user_token *token) const struct nt_user_token *token)
{ {
switch (ace->type) { switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@ -142,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
const struct nt_user_token *token) const struct nt_user_token *token)
{ {
SEC_DESC *sd = gpo->security_descriptor; SEC_DESC *sd = gpo->security_descriptor;

424
source3/libgpo/gpo_util.c
View File

@ -1,18 +1,18 @@
/* /*
* Unix SMB/CIFS implementation. * Unix SMB/CIFS implementation.
* Group Policy Object Support * Group Policy Object Support
* Copyright (C) Guenther Deschner 2005-2006 * Copyright (C) Guenther Deschner 2005-2007
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by * it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or * the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version. * (at your option) any later version.
* *
* This program is distributed in the hope that it will be useful, * This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details. * GNU General Public License for more details.
* *
* You should have received a copy of the GNU General Public License * You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>. * along with this program; if not, see <http://www.gnu.org/licenses/>.
*/ */
@ -25,88 +25,88 @@
#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" #define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
/* should we store a parsed guid ? */ /* should we store a parsed guid ? */
struct gpo_table { struct gp_table {
const char *name; const char *name;
const char *guid_string; const char *guid_string;
}; };
struct snapin_table {
const char *name;
const char *guid_string;
ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *, const char *);
};
#if 0 /* unused */ #if 0 /* unused */
static struct gpo_table gpo_default_policy[] = { static struct gp_table gpo_default_policy[] = {
{ DEFAULT_DOMAIN_POLICY, { DEFAULT_DOMAIN_POLICY,
"31B2F340-016D-11D2-945F-00C04FB984F9" }, "31B2F340-016D-11D2-945F-00C04FB984F9" },
{ DEFAULT_DOMAIN_CONTROLLERS_POLICY, { DEFAULT_DOMAIN_CONTROLLERS_POLICY,
"6AC1786C-016F-11D2-945F-00C04fB984F9" }, "6AC1786C-016F-11D2-945F-00C04fB984F9" },
{ NULL, NULL } { NULL, NULL }
}; };
#endif #endif
/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */ /* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
static struct gpo_table gpo_cse_extensions[] = { static struct gp_table gpo_cse_extensions[] = {
{ "Administrative Templates Extension", /* used to be "Administrative Templates Extension" */
"35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */ /* "Registry Settings"
{ "Microsoft Disc Quota", (http://support.microsoft.com/kb/216357/EN-US/) */
{ "Registry Settings",
GP_EXT_REGISTRY },
{ "Microsoft Disc Quota",
"3610EDA5-77EF-11D2-8DC5-00C04FA31A66" }, "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
{ "EFS recovery", { "EFS recovery",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Folder Redirection", { "Folder Redirection",
"25537BA6-77A8-11D2-9B6C-0000F8080861" }, "25537BA6-77A8-11D2-9B6C-0000F8080861" },
{ "IP Security", { "IP Security",
"E437BC1C-AA7D-11D2-A382-00C04F991E27" }, "E437BC1C-AA7D-11D2-A382-00C04F991E27" },
{ "Internet Explorer Branding", { "Internet Explorer Branding",
"A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" }, "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
{ "QoS Packet Scheduler", { "QoS Packet Scheduler",
"426031c0-0b47-4852-b0ca-ac3d37bfcb39" }, "426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
{ "Scripts", { "Scripts",
"42B5FAAE-6536-11D2-AE5A-0000F87571E3" }, GP_EXT_SCRIPTS },
{ "Security", { "Security",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, GP_EXT_SECURITY },
{ "Software Installation", { "Software Installation",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" }, "C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "Wireless Group Policy", { "Wireless Group Policy",
"0ACDD40C-75AC-BAA0-BF6DE7E7FE63" }, "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
{ "Application Management",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ NULL, NULL } { NULL, NULL }
}; };
/* guess work */ /* guess work */
static struct snapin_table gpo_cse_snapin_extensions[] = { static struct gp_table gpo_cse_snapin_extensions[] = {
{ "Administrative Templates", { "Administrative Templates",
"0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none }, "0F6B957D-509E-11D1-A7CC-0000F87571E3" },
{ "Certificates", { "Certificates",
"53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, "53D6AB1D-2488-11D1-A28C-00C04FB94F17" },
{ "EFS recovery policy processing", { "EFS recovery policy processing",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none }, "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Folder Redirection policy processing", { "Folder Redirection policy processing",
"25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none }, "25537BA6-77A8-11D2-9B6C-0000F8080861" },
{ "Folder Redirection", { "Folder Redirection",
"88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none }, "88E729D6-BDC1-11D1-BD2A-00C04FB9603F" },
{ "Registry policy processing", { "Registry policy processing",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none }, "35378EAC-683F-11D2-A89A-00C04FBBCFA2" },
{ "Remote Installation Services", { "Remote Installation Services",
"3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, "3060E8CE-7020-11D2-842D-00C04FA372D4" },
{ "Security Settings", { "Security Settings",
"803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings }, "803E14A0-B4FB-11D0-A0D0-00A0C90F574B" },
{ "Security policy processing", { "Security policy processing",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings }, "827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
{ "unknown", { "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, "3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ "unknown2", { "unknown2",
"53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, "53D6AB1B-2488-11D1-A28C-00C04FB94F17" },
{ NULL, NULL, NULL } { NULL, NULL }
}; };
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static const char *name_to_guid_string(const char *name, struct gpo_table *table) static const char *name_to_guid_string(const char *name,
struct gp_table *table)
{ {
int i; int i;
@ -115,14 +115,15 @@ static const char *name_to_guid_string(const char *name, struct gpo_table *table
return table[i].guid_string; return table[i].guid_string;
} }
} }
return NULL; return NULL;
} }
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table) static const char *guid_string_to_name(const char *guid_string,
struct gp_table *table)
{ {
int i; int i;
@ -131,15 +132,15 @@ static const char *guid_string_to_name(const char *guid_string, struct gpo_table
return table[i].name; return table[i].name;
} }
} }
return NULL; return NULL;
} }
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
static const char *snapin_guid_string_to_name(const char *guid_string, static const char *snapin_guid_string_to_name(const char *guid_string,
struct snapin_table *table) struct gp_table *table)
{ {
int i; int i;
for (i = 0; table[i].guid_string; i++) { for (i = 0; table[i].guid_string; i++) {
@ -203,18 +204,25 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
for (i=0; i< gp_ext->num_exts; i++) { for (i=0; i< gp_ext->num_exts; i++) {
DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i])); DEBUGADD(lvl,("\textension:\t\t\t%s\n",
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i])); gp_ext->extensions_guid[i]));
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n",
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i])); gp_ext->extensions[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n",
gp_ext->snapins_guid[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n",
gp_ext->snapins[i]));
} }
} }
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel) void dump_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
int debuglevel)
{ {
int lvl = debuglevel; int lvl = debuglevel;
@ -227,10 +235,12 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name)); DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name)); DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version)); DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version), DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n",
GPO_VERSION_USER(gpo->version))); GPO_VERSION_USER(gpo->version),
DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version), GPO_VERSION_USER(gpo->version)));
GPO_VERSION_MACHINE(gpo->version))); DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n",
GPO_VERSION_MACHINE(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path)); DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path)); DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
@ -280,24 +290,22 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
if (gpo->machine_extensions) { if (gpo->machine_extensions) {
struct GP_EXT *gp_ext = NULL; struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
if (!ADS_ERR_OK(status)) { &gp_ext)) {
return; return;
} }
dump_gp_ext(gp_ext, lvl); dump_gp_ext(gp_ext, lvl);
} }
DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions)); DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
if (gpo->user_extensions) { if (gpo->user_extensions) {
struct GP_EXT *gp_ext = NULL; struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); &gp_ext)) {
if (!ADS_ERR_OK(status)) {
return; return;
} }
dump_gp_ext(gp_ext, lvl); dump_gp_ext(gp_ext, lvl);
@ -311,9 +319,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
void dump_gpo_list(ADS_STRUCT *ads, void dump_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo_list, struct GROUP_POLICY_OBJECT *gpo_list,
int debuglevel) int debuglevel)
{ {
struct GROUP_POLICY_OBJECT *gpo = NULL; struct GROUP_POLICY_OBJECT *gpo = NULL;
@ -354,9 +362,9 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
for (i = 0; i < gp_link->num_links; i++) { for (i = 0; i < gp_link->num_links; i++) {
DEBUGADD(lvl,("---------------------\n\n")); DEBUGADD(lvl,("---------------------\n\n"));
DEBUGADD(lvl,("link: #%d\n", i + 1)); DEBUGADD(lvl,("link: #%d\n", i + 1));
DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
@ -373,9 +381,13 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
struct GROUP_POLICY_OBJECT gpo; struct GROUP_POLICY_OBJECT gpo;
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); status = ads_get_gpo(ads, mem_ctx,
gp_link->link_names[i],
NULL, NULL, &gpo);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); DEBUG(lvl,("get gpo for %s failed: %s\n",
gp_link->link_names[i],
ads_errstr(status)));
return; return;
} }
dump_gpo(ads, mem_ctx, &gpo, lvl); dump_gpo(ads, mem_ctx, &gpo, lvl);
@ -386,27 +398,21 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
/**************************************************************** /****************************************************************
****************************************************************/ ****************************************************************/
ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, NTSTATUS process_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo, uint32_t flags,
const char *extension_guid, const struct nt_user_token *token,
const char *snapin_guid) struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{ {
int i; DEBUG(0,("process_extension: no extension available for:\n"));
DEBUGADD(0,("%s (%s) (snapin: %s)\n",
extension_guid,
cse_gpo_guid_string_to_name(extension_guid),
snapin_guid));
for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) { return NT_STATUS_OK;
if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, gpo,
extension_guid, snapin_guid);
}
}
DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n",
extension_guid, snapin_guid));
return ADS_SUCCESS;
} }
/**************************************************************** /****************************************************************
@ -414,37 +420,42 @@ ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo, struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter, const char *extension_guid_filter,
uint32 flags) uint32_t flags)
{ {
ADS_STATUS status;
struct GP_EXT *gp_ext = NULL; struct GP_EXT *gp_ext = NULL;
int i; int i;
DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n",
gpo->name, gpo->display_name));
if (extension_guid_filter) {
DEBUGADD(10,("gpo_process_a_gpo: using filter %s\n",
extension_guid_filter));
}
if (flags & GPO_LIST_FLAG_MACHINE) { if (flags & GPO_LIST_FLAG_MACHINE) {
if (gpo->machine_extensions) { if (gpo->machine_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
&gp_ext)) {
if (!ADS_ERR_OK(status)) { return ADS_ERROR(LDAP_PARAM_ERROR);
return status;
} }
} else { } else {
/* nothing to apply */ /* nothing to apply */
return ADS_SUCCESS; return ADS_SUCCESS;
} }
} else { } else {
if (gpo->user_extensions) { if (gpo->user_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) { if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
return status; &gp_ext)) {
return ADS_ERROR(LDAP_PARAM_ERROR);
} }
} else { } else {
/* nothing to apply */ /* nothing to apply */
@ -454,15 +465,20 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
for (i=0; i<gp_ext->num_exts; i++) { for (i=0; i<gp_ext->num_exts; i++) {
if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) { NTSTATUS ntstatus;
if (extension_guid_filter &&
!strequal(extension_guid_filter,
gp_ext->extensions_guid[i])) {
continue; continue;
} }
status = process_extension_with_snapin(ads, mem_ctx, gpo, ntstatus = process_extension(ads, mem_ctx,
gp_ext->extensions_guid[i], flags, token, gpo,
gp_ext->snapins_guid[i]); gp_ext->extensions_guid[i],
if (!ADS_ERR_OK(status)) { gp_ext->snapins_guid[i]);
return status; if (!NT_STATUS_IS_OK(ntstatus)) {
ADS_ERROR_NT(ntstatus);
} }
} }
@ -474,19 +490,27 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo_list, struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid, const char *extensions_guid,
uint32 flags) uint32_t flags)
{ {
ADS_STATUS status; ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo; struct GROUP_POLICY_OBJECT *gpo;
/* FIXME: ok, this is wrong, windows does process the extensions and
* hands the list of gpos to each extension and not process each gpo
* with all extensions (this is how the extension can store the list
* gplist in the registry) */
for (gpo = gpo_list; gpo; gpo = gpo->next) { for (gpo = gpo_list; gpo; gpo = gpo->next) {
status = gpo_process_a_gpo(ads, mem_ctx, gpo, status = gpo_process_a_gpo(ads, mem_ctx, token, gpo,
extensions_guid, flags); extensions_guid, flags);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
DEBUG(0,("failed to process gpo: %s\n",
ads_errstr(status)));
return status; return status;
} }
@ -495,80 +519,14 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
return ADS_SUCCESS; return ADS_SUCCESS;
} }
ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_none\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_security_settings\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_12 *lockout_policy)
{
return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
}
/****************************************************************
****************************************************************/
ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_1 *password_policy)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo_list;
const char *dn = NULL;
uint32 uac = 0;
status = ads_find_samaccount(ads, mem_ctx, hostname, &uac, &dn);
if (!ADS_ERR_OK(status)) {
return status;
}
if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
if (!ADS_ERR_OK(status)) {
return status;
}
status = gpo_process_gpo_list(ads, mem_ctx, gpo_list,
cse_gpo_name_to_guid_string("Security"),
GPO_LIST_FLAG_MACHINE);
if (!ADS_ERR_OK(status)) {
return status;
}
return ADS_SUCCESS;
}
/**************************************************************** /****************************************************************
check wether the version number in a GROUP_POLICY_OBJECT match those of the check wether the version number in a GROUP_POLICY_OBJECT match those of the
locally stored version. If not, fetch the required policy via CIFS locally stored version. If not, fetch the required policy via CIFS
****************************************************************/ ****************************************************************/
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo, struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out) struct cli_state **cli_out)
{ {
@ -577,43 +535,54 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
char *share = NULL; char *share = NULL;
char *nt_path = NULL; char *nt_path = NULL;
char *unix_path = NULL; char *unix_path = NULL;
uint32 sysvol_gpt_version = 0; uint32_t sysvol_gpt_version = 0;
char *display_name = NULL; char *display_name = NULL;
struct cli_state *cli = NULL; struct cli_state *cli = NULL;
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
&server, &share, &nt_path, &unix_path); &server, &share, &nt_path, &unix_path);
if (!NT_STATUS_IS_OK(result)) { if (!NT_STATUS_IS_OK(result)) {
goto out; goto out;
} }
result = gpo_get_sysvol_gpt_version(mem_ctx, result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path, unix_path,
&sysvol_gpt_version, &sysvol_gpt_version,
&display_name); &display_name);
if (!NT_STATUS_IS_OK(result) && if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) { !NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n", DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result))); nt_errstr(result)));
goto out; goto out;
} }
DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n",
gpo->version, sysvol_gpt_version));
/* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
while (gpo->version > sysvol_gpt_version) { while (gpo->version > sysvol_gpt_version) {
DEBUG(1,("check_refresh_gpo: need to refresh GPO\n")); DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
if (*cli_out == NULL) { if (*cli_out == NULL) {
result = cli_full_connection(&cli, global_myname(), result = cli_full_connection(&cli,
server, /* ads->config.ldap_server_name, */ global_myname(),
NULL, 0, ads->config.ldap_server_name,
share, "A:", /* server */
ads->auth.user_name, NULL, ads->auth.password, NULL, 0,
CLI_FULL_CONNECTION_USE_KERBEROS, share, "A:",
Undefined, NULL); ads->auth.user_name, NULL,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
if (!NT_STATUS_IS_OK(result)) { if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result))); DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
nt_errstr(result)));
goto out; goto out;
} }
@ -625,27 +594,28 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
goto out; goto out;
} }
result = gpo_get_sysvol_gpt_version(mem_ctx, result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path, unix_path,
&sysvol_gpt_version, &sysvol_gpt_version,
&display_name); &display_name);
if (!NT_STATUS_IS_OK(result)) { if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n", DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result))); nt_errstr(result)));
goto out; goto out;
} }
if (gpo->version == sysvol_gpt_version) { if (gpo->version == sysvol_gpt_version) {
break; break;
} }
} }
DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name)); DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name));
DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n", DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
sysvol_gpt_version, sysvol_gpt_version,
GPO_VERSION_USER(sysvol_gpt_version), GPO_VERSION_USER(sysvol_gpt_version),
GPO_VERSION_MACHINE(sysvol_gpt_version))); GPO_VERSION_MACHINE(sysvol_gpt_version)));
DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n", DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
gpo->version, gpo->version,
GPO_VERSION_USER(gpo->version), GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version))); GPO_VERSION_MACHINE(gpo->version)));
@ -662,8 +632,9 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
not, go and get each required GPO via CIFS not, go and get each required GPO via CIFS
****************************************************************/ ****************************************************************/
NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx, TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo_list) struct GROUP_POLICY_OBJECT *gpo_list)
{ {
NTSTATUS result = NT_STATUS_UNSUCCESSFUL; NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@ -676,7 +647,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
for (gpo = gpo_list; gpo; gpo = gpo->next) { for (gpo = gpo_list; gpo; gpo = gpo->next) {
result = check_refresh_gpo(ads, mem_ctx, gpo, &cli); result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli);
if (!NT_STATUS_IS_OK(result)) { if (!NT_STATUS_IS_OK(result)) {
goto out; goto out;
} }
@ -691,5 +662,4 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
return result; return result;
} }
#endif /* HAVE_LDAP */ #endif /* HAVE_LDAP */

20
source3/utils/net_ads_gpo.c
View File

@ -52,7 +52,8 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
uint32 flags = 0; uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo; struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result; NTSTATUS result;
struct nt_user_token *token = NULL;
if (argc < 1) { if (argc < 1) {
printf("usage: net ads gpo refresh <username|machinename>\n"); printf("usage: net ads gpo refresh <username|machinename>\n");
return -1; return -1;
@ -82,12 +83,17 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn); argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list); status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
goto out; goto out;
} }
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) { status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
printf("failed to refresh GPOs: %s\n", nt_errstr(result)); printf("failed to refresh GPOs: %s\n", nt_errstr(result));
goto out; goto out;
} }
@ -206,6 +212,7 @@ static int net_ads_gpo_list(int argc, const char **argv)
uint32 uac = 0; uint32 uac = 0;
uint32 flags = 0; uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo_list; struct GROUP_POLICY_OBJECT *gpo_list;
struct nt_user_token *token = NULL;
if (argc < 1) { if (argc < 1) {
printf("usage: net ads gpo list <username|machinename>\n"); printf("usage: net ads gpo list <username|machinename>\n");
@ -235,7 +242,12 @@ static int net_ads_gpo_list(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn); argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list); status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) { if (!ADS_ERR_OK(status)) {
goto out; goto out;
} }