1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

r24413: Minor edits for libgpo.

Guenther
(This used to be commit 5dc791f4cf)
This commit is contained in:
Günther Deschner 2007-08-14 14:47:08 +00:00 committed by Gerald (Jerry) Carter
parent 2da44a2dee
commit 444fd1e848
6 changed files with 474 additions and 633 deletions

View File

@ -1,7 +1,7 @@
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2005
* Copyright (C) Guenther Deschner 2005-2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -17,7 +17,6 @@
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
enum GPO_LINK_TYPE {
GP_LINK_UNKOWN = 0,
GP_LINK_MACHINE = 1,
@ -38,8 +37,8 @@ enum GPO_LINK_TYPE {
#define GPO_VERSION_MACHINE(x) (x & 0xffff)
struct GROUP_POLICY_OBJECT {
uint32 options; /* GPFLAGS_* */
uint32 version;
uint32_t options; /* GPFLAGS_* */
uint32_t version;
const char *ds_path;
const char *file_sys_path;
const char *display_name;
@ -76,15 +75,15 @@ enum GPO_INHERIT {
struct GP_LINK {
const char *gp_link; /* raw link name */
uint32 gp_opts; /* inheritance options GPO_INHERIT */
uint32 num_links; /* number of links */
uint32_t gp_opts; /* inheritance options GPO_INHERIT */
uint32_t num_links; /* number of links */
char **link_names; /* array of parsed link names */
uint32 *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
uint32_t *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
};
struct GP_EXT {
const char *gp_extension; /* raw extension name */
uint32 num_exts;
uint32_t num_exts;
char **extensions;
char **extensions_guid;
char **snapins;
@ -93,3 +92,7 @@ struct GP_EXT {
#define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI"
#define GP_EXT_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
#define GP_EXT_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2"
#define GP_EXT_SCRIPTS "42B5FAAE-6536-11D2-AE5A-0000F87571E3"

View File

@ -25,13 +25,13 @@
parse the raw extension string into a GP_EXT structure
****************************************************************/
ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
const char *extension_raw,
struct GP_EXT **gp_ext)
BOOL ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
const char *extension_raw,
struct GP_EXT **gp_ext)
{
ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
BOOL ret = False;
struct GP_EXT *ext = NULL;
char **ext_list;
char **ext_list = NULL;
char **ext_strings = NULL;
int i;
@ -47,7 +47,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
}
ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
if (ext_list == NULL) {
if (!ext_list) {
goto parse_error;
}
@ -58,22 +58,21 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
ext->num_exts = i;
if (ext->num_exts) {
ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
} else {
ext->extensions = NULL;
ext->extensions_guid = NULL;
ext->snapins = NULL;
ext->snapins_guid = NULL;
ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
}
ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
if (ext->extensions == NULL || ext->extensions_guid == NULL ||
ext->snapins == NULL || ext->snapins_guid == NULL ||
ext->gp_extension == NULL) {
if (!ext->extensions || !ext->extensions_guid ||
!ext->snapins || !ext->snapins_guid ||
!ext->gp_extension) {
goto parse_error;
}
@ -105,7 +104,8 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
q++;
}
ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
ext->extensions[i] = talloc_strdup(mem_ctx,
cse_gpo_guid_string_to_name(q));
ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
/* we might have no name for the guid */
@ -121,8 +121,10 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
m++;
}
/* FIXME: theoretically there could be more than one snapin per extension */
ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
/* FIXME: theoretically there could be more than one
* snapin per extension */
ext->snapins[i] = talloc_strdup(mem_ctx,
cse_snapin_gpo_guid_string_to_name(m));
ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
/* we might have no name for the guid */
@ -134,9 +136,9 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
*gp_ext = ext;
status = ADS_ERROR_NT(NT_STATUS_OK);
ret = True;
parse_error:
parse_error:
if (ext_list) {
str_list_free_talloc(mem_ctx, &ext_list);
}
@ -144,7 +146,7 @@ parse_error:
str_list_free_talloc(mem_ctx, &ext_strings);
}
return status;
return ret;
}
/****************************************************************
@ -153,16 +155,19 @@ parse_error:
static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
const char *gp_link_raw,
uint32 options,
uint32_t options,
struct GP_LINK *gp_link)
{
ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
char **link_list;
int i;
ZERO_STRUCTP(gp_link);
DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
if (link_list == NULL) {
if (!link_list) {
goto parse_error;
}
@ -174,16 +179,15 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->num_links = i;
if (gp_link->num_links) {
gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
} else {
gp_link->link_names = NULL;
gp_link->link_opts = NULL;
gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
gp_link->num_links);
gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
gp_link->num_links);
}
gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
goto parse_error;
}
@ -212,23 +216,22 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->link_opts[i] = atoi(p + 1);
DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i]));
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
gp_link->link_names[i]));
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
gp_link->link_opts[i]));
}
status = ADS_SUCCESS;
parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
return ADS_ERROR(LDAP_SUCCESS);
parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
return ADS_ERROR(LDAP_NO_MEMORY);
return status;
}
/****************************************************************
@ -244,13 +247,14 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
const char *attrs[] = {"gPLink", "gPOptions", NULL};
LDAPMessage *res = NULL;
const char *gp_link;
uint32 gp_options;
uint32_t gp_options;
ZERO_STRUCTP(gp_link_struct);
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -269,7 +273,8 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
/* perfectly legal to have no options */
if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
DEBUG(10,("ads_get_gpo_link: "
"no 'gPOptions' attribute found\n"));
gp_options = 0;
}
@ -286,7 +291,7 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *link_dn,
const char *gpo_dn,
uint32 gpo_opt)
uint32_t gpo_opt)
{
ADS_STATUS status;
const char *attrs[] = {"gPLink", NULL};
@ -303,7 +308,8 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -315,9 +321,11 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
gpo_dn, gpo_opt);
} else {
gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
gp_link, gpo_dn, gpo_opt);
}
ads_msgfree(ads, res);
@ -363,7 +371,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -379,7 +388,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
}
/* find link to delete */
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
gpo_dn, gpo_opt); */
ads_msgfree(ads, res);
ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
@ -425,19 +435,25 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_MEMORY);
}
gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
"gPCFileSysPath");
ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
gpo->display_name = ads_pull_string(ads, mem_ctx, res,
"displayName");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
gpo->name = ads_pull_string(ads, mem_ctx, res,
"name");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
"gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
"gPCUserExtensionNames");
ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor);
ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
&gpo->security_descriptor);
ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
return ADS_ERROR(LDAP_SUCCESS);
@ -458,11 +474,20 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
LDAPMessage *res = NULL;
char *dn;
const char *filter;
const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath",
"gPCFunctionalityVersion", "gPCMachineExtensionNames",
"gPCUserExtensionNames", "gPCWQLFilter", "name",
"versionNumber", "ntSecurityDescriptor", NULL};
uint32 sd_flags = DACL_SECURITY_INFORMATION;
const char *attrs[] = {
"cn",
"displayName",
"flags",
"gPCFileSysPath",
"gPCFunctionalityVersion",
"gPCMachineExtensionNames",
"gPCUserExtensionNames",
"gPCWQLFilter",
"name",
"ntSecurityDescriptor",
"versionNumber",
NULL};
uint32_t sd_flags = DACL_SECURITY_INFORMATION;
ZERO_STRUCTP(gpo);
@ -483,9 +508,9 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
} else if (display_name || guid_name) {
filter = talloc_asprintf(mem_ctx,
"(&(objectclass=groupPolicyContainer)(%s=%s))",
display_name ? "displayName" : "name",
display_name ? display_name : guid_name);
"(&(objectclass=groupPolicyContainer)(%s=%s))",
display_name ? "displayName" : "name",
display_name ? display_name : guid_name);
ADS_ERROR_HAVE_NO_MEMORY(filter);
status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
@ -494,7 +519,8 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
}
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_get_gpo: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -544,26 +570,34 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
if (only_add_forced_gpos) {
if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
DEBUG(10,("skipping nonenforced GPO link "
"because GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
continue;
} else {
DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
DEBUG(10,("adding enforced GPO link although "
"the GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
}
}
new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
NULL, NULL, new_gpo);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i]));
DEBUG(10,("failed to get gpo: %s\n",
gp_link->link_names[i]));
return status;
}
status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token));
status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
token));
if (!ADS_ERR_OK(status)) {
DEBUG(10,("skipping GPO \"%s\" as object has no access to it\n",
DEBUG(10,("skipping GPO \"%s\" as object "
"has no access to it\n",
new_gpo->display_name));
TALLOC_FREE(new_gpo);
continue;
@ -574,8 +608,8 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
DLIST_ADD(*gpo_list, new_gpo);
DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n",
i, gp_link->link_names[i]));
DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
"to GPO list\n", i, gp_link->link_names[i]));
}
return ADS_ERROR(LDAP_SUCCESS);
@ -637,6 +671,33 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
return ADS_ERROR_LDAP(LDAP_SUCCESS);
}
/****************************************************************
****************************************************************/
static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list,
enum GPO_LINK_TYPE link_type)
{
struct GROUP_POLICY_OBJECT *gpo = NULL;
ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(gpo);
gpo->name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->link_type = link_type;
DLIST_ADD(*gpo_list, gpo);
return ADS_ERROR_NT(NT_STATUS_OK);
}
/****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn
****************************************************************/
@ -644,14 +705,14 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
uint32 flags,
uint32_t flags,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT **gpo_list)
{
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
ADS_STATUS status;
struct GP_LINK gp_link;
struct nt_user_token *token = NULL;
const char *parent_dn, *site_dn, *tmp_dn;
BOOL add_only_forced_gpos = False;
@ -663,25 +724,27 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
/* (L)ocal */
status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
GP_LINK_UNKOWN);
if (!ADS_ERR_OK(status)) {
return status;
}
/* (L)ocal */
/* not yet... */
/* (S)ite */
/* are site GPOs valid for users as well ??? */
if (flags & GPO_LIST_FLAG_MACHINE) {
status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
status = ads_site_dn_for_machine(ads, mem_ctx,
ads->config.ldap_server_name,
&site_dn);
if (!ADS_ERR_OK(status)) {
return status;
}
DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
site_dn));
status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
if (ADS_ERR_OK(status)) {
@ -691,7 +754,8 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
}
status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
site_dn, &gp_link, GP_LINK_SITE,
site_dn, &gp_link,
GP_LINK_SITE,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
@ -708,17 +772,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (D)omain */
/* An account can just be a member of one domain */
if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) {
@ -726,15 +792,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
}
/* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
status = add_gplink_to_gpo_list(ads, mem_ctx,
gpo_list, parent_dn,
&gp_link, GP_LINK_DOMAIN,
add_only_forced_gpos,
token);
status = add_gplink_to_gpo_list(ads,
mem_ctx,
gpo_list,
parent_dn,
&gp_link,
GP_LINK_DOMAIN,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
return status;
}
@ -747,8 +817,8 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
/* reset dn again */
tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (O)rganizational(U)nit */
@ -756,9 +826,11 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
/* An account can be a member of more OUs */
if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) {
@ -766,15 +838,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
}
/* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
status = add_gplink_to_gpo_list(ads, mem_ctx,
gpo_list, parent_dn,
&gp_link, GP_LINK_OU,
add_only_forced_gpos,
token);
status = add_gplink_to_gpo_list(ads,
mem_ctx,
gpo_list,
parent_dn,
&gp_link,
GP_LINK_OU,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
return status;
}

View File

@ -74,225 +74,3 @@ NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx, const char *filename, uint32 *versio
return result;
}
#if 0 /* not yet */
/****************************************************************
parse the Version section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_VERSION "Version"
#define GPTTMPL_PARAMETER_REVISION "Revision"
#define GPTTMPL_PARAMETER_SIGNATURE "signature"
#define GPTTMPL_CHICAGO "$CHICAGO$" /* whatever this is good for... */
#define GPTTMPL_SECTION_UNICODE "Unicode"
#define GPTTMPL_PARAMETER_UNICODE "Unicode"
static NTSTATUS parse_gpttmpl(dictionary *d, uint32 *version_out)
{
const char *signature = NULL;
uint32 version;
if ((signature = iniparser_getstring(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (!strequal(signature, GPTTMPL_CHICAGO)) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if ((version = iniparser_getint(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (version_out) {
*version_out = version;
}
/* treat that as boolean */
if ((!iniparser_getboolean(d, GPTTMPL_SECTION_UNICODE
":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
return NT_STATUS_OK;
}
/****************************************************************
parse the "System Access" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access"
#define GPTTMPL_PARAMETER_MINPWDAGE "MinimumPasswordAge"
#define GPTTMPL_PARAMETER_MAXPWDAGE "MaximumPasswordAge"
#define GPTTMPL_PARAMETER_MINPWDLEN "MinimumPasswordLength"
#define GPTTMPL_PARAMETER_PWDCOMPLEX "PasswordComplexity"
#define GPTTMPL_PARAMETER_PWDHISTORY "PasswordHistorySize"
#define GPTTMPL_PARAMETER_LOCKOUTCOUNT "LockoutBadCount"
static NTSTATUS parse_gpttmpl_system_access(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 pwd_min_age, pwd_max_age, pwd_min_len, pwd_history;
uint32 lockout_count;
BOOL pwd_complex;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((pwd_min_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_max_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_min_len = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDLEN, Undefined)) == Undefined) {
goto out;
}
if ((pwd_complex = iniparser_getboolean(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDCOMPLEX, Undefined)) == Undefined) {
goto out;
}
if ((pwd_history = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDHISTORY, Undefined)) == Undefined) {
goto out;
}
if ((lockout_count = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_LOCKOUTCOUNT, Undefined)) == Undefined) {
goto out;
}
/* TODO ?
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
*/
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
/****************************************************************
parse the "Kerberos Policy" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy"
#define GPTTMPL_PARAMETER_MAXTKTAGE "MaxTicketAge"
#define GPTTMPL_PARAMETER_MAXRENEWAGE "MaxRenewAge"
#define GPTTMPL_PARAMETER_MAXTGSAGE "MaxServiceAge"
#define GPTTMPL_PARAMETER_MAXCLOCKSKEW "MaxClockSkew"
#define GPTTMPL_PARAMETER_TKTVALIDATECLIENT "TicketValidateClient"
static NTSTATUS parse_gpttmpl_kerberos_policy(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 tkt_max_age, tkt_max_renew, tgs_max_age, max_clock_skew;
BOOL tkt_validate;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((tkt_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTKTAGE, Undefined)) != Undefined) {
goto out;
}
if ((tkt_max_renew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXRENEWAGE, Undefined)) != Undefined) {
goto out;
}
if ((tgs_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTGSAGE, Undefined)) != Undefined) {
goto out;
}
if ((max_clock_skew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXCLOCKSKEW, Undefined)) != Undefined) {
goto out;
}
if ((tkt_validate = iniparser_getboolean(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_TKTVALIDATECLIENT, Undefined)) != Undefined) {
goto out;
}
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
#endif
/*
perfectly parseable with iniparser:
{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
*/

View File

@ -70,7 +70,7 @@ static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
/****************************************************************
****************************************************************/
static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
static BOOL gpo_sd_check_agp_access_bits(uint32_t access_mask)
{
return (access_mask & SEC_RIGHTS_EXTENDED);
}
@ -79,9 +79,9 @@ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
static BOOL gpo_sd_check_read_access_bits(uint32_t access_mask)
{
uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
SEC_RIGHTS_READ_ALL_PROP |
SEC_RIGHTS_READ_PERMS;
@ -98,7 +98,8 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
DEBUG(10,("gpo_sd_check_ace_denied_object: "
"Access denied as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_ACCESS_DENIED;
}
@ -115,7 +116,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
DEBUG(10,("gpo_sd_check_ace_allowed_object: "
"Access granted as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_OK;
}

View File

@ -1,7 +1,7 @@
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2005-2006
* Copyright (C) Guenther Deschner 2005-2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -25,21 +25,13 @@
#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
/* should we store a parsed guid ? */
struct gpo_table {
struct gp_table {
const char *name;
const char *guid_string;
};
struct snapin_table {
const char *name;
const char *guid_string;
ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *, const char *);
};
#if 0 /* unused */
static struct gpo_table gpo_default_policy[] = {
static struct gp_table gpo_default_policy[] = {
{ DEFAULT_DOMAIN_POLICY,
"31B2F340-016D-11D2-945F-00C04FB984F9" },
{ DEFAULT_DOMAIN_CONTROLLERS_POLICY,
@ -48,11 +40,14 @@ static struct gpo_table gpo_default_policy[] = {
};
#endif
/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */
/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
static struct gpo_table gpo_cse_extensions[] = {
{ "Administrative Templates Extension",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */
static struct gp_table gpo_cse_extensions[] = {
/* used to be "Administrative Templates Extension" */
/* "Registry Settings"
(http://support.microsoft.com/kb/216357/EN-US/) */
{ "Registry Settings",
GP_EXT_REGISTRY },
{ "Microsoft Disc Quota",
"3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
{ "EFS recovery",
@ -66,47 +61,52 @@ static struct gpo_table gpo_cse_extensions[] = {
{ "QoS Packet Scheduler",
"426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
{ "Scripts",
"42B5FAAE-6536-11D2-AE5A-0000F87571E3" },
GP_EXT_SCRIPTS },
{ "Security",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
GP_EXT_SECURITY },
{ "Software Installation",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "Wireless Group Policy",
"0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
{ "Application Management",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ NULL, NULL }
};
/* guess work */
static struct snapin_table gpo_cse_snapin_extensions[] = {
static struct gp_table gpo_cse_snapin_extensions[] = {
{ "Administrative Templates",
"0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none },
"0F6B957D-509E-11D1-A7CC-0000F87571E3" },
{ "Certificates",
"53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
"53D6AB1D-2488-11D1-A28C-00C04FB94F17" },
{ "EFS recovery policy processing",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none },
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Folder Redirection policy processing",
"25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none },
"25537BA6-77A8-11D2-9B6C-0000F8080861" },
{ "Folder Redirection",
"88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none },
"88E729D6-BDC1-11D1-BD2A-00C04FB9603F" },
{ "Registry policy processing",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none },
"35378EAC-683F-11D2-A89A-00C04FBBCFA2" },
{ "Remote Installation Services",
"3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
"3060E8CE-7020-11D2-842D-00C04FA372D4" },
{ "Security Settings",
"803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings },
"803E14A0-B4FB-11D0-A0D0-00A0C90F574B" },
{ "Security policy processing",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings },
"827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
"3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ "unknown2",
"53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
{ NULL, NULL, NULL }
"53D6AB1B-2488-11D1-A28C-00C04FB94F17" },
{ NULL, NULL }
};
/****************************************************************
****************************************************************/
static const char *name_to_guid_string(const char *name, struct gpo_table *table)
static const char *name_to_guid_string(const char *name,
struct gp_table *table)
{
int i;
@ -122,7 +122,8 @@ static const char *name_to_guid_string(const char *name, struct gpo_table *table
/****************************************************************
****************************************************************/
static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table)
static const char *guid_string_to_name(const char *guid_string,
struct gp_table *table)
{
int i;
@ -139,7 +140,7 @@ static const char *guid_string_to_name(const char *guid_string, struct gpo_table
****************************************************************/
static const char *snapin_guid_string_to_name(const char *guid_string,
struct snapin_table *table)
struct gp_table *table)
{
int i;
for (i = 0; table[i].guid_string; i++) {
@ -203,18 +204,25 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
for (i=0; i< gp_ext->num_exts; i++) {
DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i]));
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i]));
DEBUGADD(lvl,("\textension:\t\t\t%s\n",
gp_ext->extensions_guid[i]));
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n",
gp_ext->extensions[i]));
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n",
gp_ext->snapins_guid[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n",
gp_ext->snapins[i]));
}
}
/****************************************************************
****************************************************************/
void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel)
void dump_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
int debuglevel)
{
int lvl = debuglevel;
@ -227,10 +235,12 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version),
GPO_VERSION_USER(gpo->version)));
DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n",
GPO_VERSION_USER(gpo->version),
GPO_VERSION_USER(gpo->version)));
DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n",
GPO_VERSION_MACHINE(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
@ -280,10 +290,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
if (gpo->machine_extensions) {
struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
&gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
@ -294,10 +303,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
if (gpo->user_extensions) {
struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
&gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
@ -373,9 +381,13 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
struct GROUP_POLICY_OBJECT gpo;
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo);
status = ads_get_gpo(ads, mem_ctx,
gp_link->link_names[i],
NULL, NULL, &gpo);
if (!ADS_ERR_OK(status)) {
DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status)));
DEBUG(lvl,("get gpo for %s failed: %s\n",
gp_link->link_names[i],
ads_errstr(status)));
return;
}
dump_gpo(ads, mem_ctx, &gpo, lvl);
@ -386,27 +398,21 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
/****************************************************************
****************************************************************/
ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
NTSTATUS process_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
int i;
DEBUG(0,("process_extension: no extension available for:\n"));
DEBUGADD(0,("%s (%s) (snapin: %s)\n",
extension_guid,
cse_gpo_guid_string_to_name(extension_guid),
snapin_guid));
for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) {
if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, gpo,
extension_guid, snapin_guid);
}
}
DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n",
extension_guid, snapin_guid));
return ADS_SUCCESS;
return NT_STATUS_OK;
}
/****************************************************************
@ -414,22 +420,28 @@ ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter,
uint32 flags)
uint32_t flags)
{
ADS_STATUS status;
struct GP_EXT *gp_ext = NULL;
int i;
DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n",
gpo->name, gpo->display_name));
if (extension_guid_filter) {
DEBUGADD(10,("gpo_process_a_gpo: using filter %s\n",
extension_guid_filter));
}
if (flags & GPO_LIST_FLAG_MACHINE) {
if (gpo->machine_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
return status;
if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
&gp_ext)) {
return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
@ -441,10 +453,9 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
if (gpo->user_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
return status;
if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
&gp_ext)) {
return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
/* nothing to apply */
@ -454,15 +465,20 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
for (i=0; i<gp_ext->num_exts; i++) {
if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) {
NTSTATUS ntstatus;
if (extension_guid_filter &&
!strequal(extension_guid_filter,
gp_ext->extensions_guid[i])) {
continue;
}
status = process_extension_with_snapin(ads, mem_ctx, gpo,
gp_ext->extensions_guid[i],
gp_ext->snapins_guid[i]);
if (!ADS_ERR_OK(status)) {
return status;
ntstatus = process_extension(ads, mem_ctx,
flags, token, gpo,
gp_ext->extensions_guid[i],
gp_ext->snapins_guid[i]);
if (!NT_STATUS_IS_OK(ntstatus)) {
ADS_ERROR_NT(ntstatus);
}
}
@ -474,19 +490,27 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid,
uint32 flags)
uint32_t flags)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo;
/* FIXME: ok, this is wrong, windows does process the extensions and
* hands the list of gpos to each extension and not process each gpo
* with all extensions (this is how the extension can store the list
* gplist in the registry) */
for (gpo = gpo_list; gpo; gpo = gpo->next) {
status = gpo_process_a_gpo(ads, mem_ctx, gpo,
status = gpo_process_a_gpo(ads, mem_ctx, token, gpo,
extensions_guid, flags);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("failed to process gpo: %s\n",
ads_errstr(status)));
return status;
}
@ -495,73 +519,6 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
return ADS_SUCCESS;
}
ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_none\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_security_settings\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_12 *lockout_policy)
{
return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
}
/****************************************************************
****************************************************************/
ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_1 *password_policy)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo_list;
const char *dn = NULL;
uint32 uac = 0;
status = ads_find_samaccount(ads, mem_ctx, hostname, &uac, &dn);
if (!ADS_ERR_OK(status)) {
return status;
}
if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
if (!ADS_ERR_OK(status)) {
return status;
}
status = gpo_process_gpo_list(ads, mem_ctx, gpo_list,
cse_gpo_name_to_guid_string("Security"),
GPO_LIST_FLAG_MACHINE);
if (!ADS_ERR_OK(status)) {
return status;
}
return ADS_SUCCESS;
}
/****************************************************************
check wether the version number in a GROUP_POLICY_OBJECT match those of the
locally stored version. If not, fetch the required policy via CIFS
@ -569,6 +526,7 @@ ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out)
{
@ -577,7 +535,7 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
char *share = NULL;
char *nt_path = NULL;
char *unix_path = NULL;
uint32 sysvol_gpt_version = 0;
uint32_t sysvol_gpt_version = 0;
char *display_name = NULL;
struct cli_state *cli = NULL;
@ -594,26 +552,37 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
&display_name);
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n",
gpo->version, sysvol_gpt_version));
/* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
while (gpo->version > sysvol_gpt_version) {
DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
if (*cli_out == NULL) {
result = cli_full_connection(&cli, global_myname(),
server, /* ads->config.ldap_server_name, */
NULL, 0,
share, "A:",
ads->auth.user_name, NULL, ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
result = cli_full_connection(&cli,
global_myname(),
ads->config.ldap_server_name,
/* server */
NULL, 0,
share, "A:",
ads->auth.user_name, NULL,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result)));
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
nt_errstr(result)));
goto out;
}
@ -630,7 +599,8 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
&sysvol_gpt_version,
&display_name);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
@ -640,7 +610,7 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
}
}
DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name));
DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name));
DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
sysvol_gpt_version,
GPO_VERSION_USER(sysvol_gpt_version),
@ -664,6 +634,7 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo_list)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@ -676,7 +647,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
for (gpo = gpo_list; gpo; gpo = gpo->next) {
result = check_refresh_gpo(ads, mem_ctx, gpo, &cli);
result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
@ -691,5 +662,4 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
return result;
}
#endif /* HAVE_LDAP */

View File

@ -52,6 +52,7 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result;
struct nt_user_token *token = NULL;
if (argc < 1) {
printf("usage: net ads gpo refresh <username|machinename>\n");
@ -82,12 +83,17 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
printf("failed to refresh GPOs: %s\n", nt_errstr(result));
goto out;
}
@ -206,6 +212,7 @@ static int net_ads_gpo_list(int argc, const char **argv)
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo_list;
struct nt_user_token *token = NULL;
if (argc < 1) {
printf("usage: net ads gpo list <username|machinename>\n");
@ -235,7 +242,12 @@ static int net_ads_gpo_list(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}