1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

r24413: Minor edits for libgpo.

Guenther
This commit is contained in:
Günther Deschner 2007-08-14 14:47:08 +00:00 committed by Gerald (Jerry) Carter
parent 394987f522
commit 5dc791f4cf
6 changed files with 474 additions and 633 deletions

View File

@ -1,23 +1,22 @@
/*
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2005
*
* Copyright (C) Guenther Deschner 2005-2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
enum GPO_LINK_TYPE {
GP_LINK_UNKOWN = 0,
GP_LINK_MACHINE = 1,
@ -38,8 +37,8 @@ enum GPO_LINK_TYPE {
#define GPO_VERSION_MACHINE(x) (x & 0xffff)
struct GROUP_POLICY_OBJECT {
uint32 options; /* GPFLAGS_* */
uint32 version;
uint32_t options; /* GPFLAGS_* */
uint32_t version;
const char *ds_path;
const char *file_sys_path;
const char *display_name;
@ -76,15 +75,15 @@ enum GPO_INHERIT {
struct GP_LINK {
const char *gp_link; /* raw link name */
uint32 gp_opts; /* inheritance options GPO_INHERIT */
uint32 num_links; /* number of links */
uint32_t gp_opts; /* inheritance options GPO_INHERIT */
uint32_t num_links; /* number of links */
char **link_names; /* array of parsed link names */
uint32 *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
uint32_t *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
};
struct GP_EXT {
const char *gp_extension; /* raw extension name */
uint32 num_exts;
uint32_t num_exts;
char **extensions;
char **extensions_guid;
char **snapins;
@ -93,3 +92,7 @@ struct GP_EXT {
#define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI"
#define GP_EXT_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
#define GP_EXT_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2"
#define GP_EXT_SCRIPTS "42B5FAAE-6536-11D2-AE5A-0000F87571E3"

View File

@ -25,13 +25,13 @@
parse the raw extension string into a GP_EXT structure
****************************************************************/
ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
const char *extension_raw,
struct GP_EXT **gp_ext)
BOOL ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
const char *extension_raw,
struct GP_EXT **gp_ext)
{
ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
BOOL ret = False;
struct GP_EXT *ext = NULL;
char **ext_list;
char **ext_list = NULL;
char **ext_strings = NULL;
int i;
@ -47,7 +47,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
}
ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
if (ext_list == NULL) {
if (!ext_list) {
goto parse_error;
}
@ -56,24 +56,23 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
}
ext->num_exts = i;
if (ext->num_exts) {
ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
} else {
ext->extensions = NULL;
ext->extensions_guid = NULL;
ext->snapins = NULL;
ext->snapins_guid = NULL;
ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
ext->num_exts);
}
ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
if (ext->extensions == NULL || ext->extensions_guid == NULL ||
ext->snapins == NULL || ext->snapins_guid == NULL ||
ext->gp_extension == NULL) {
if (!ext->extensions || !ext->extensions_guid ||
!ext->snapins || !ext->snapins_guid ||
!ext->gp_extension) {
goto parse_error;
}
@ -81,7 +80,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
int k;
char *p, *q;
DEBUGADD(10,("extension #%d\n", i));
p = ext_list[i];
@ -105,14 +104,15 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
q++;
}
ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
ext->extensions[i] = talloc_strdup(mem_ctx,
cse_gpo_guid_string_to_name(q));
ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
/* we might have no name for the guid */
if (ext->extensions_guid[i] == NULL) {
goto parse_error;
}
for (k = 1; ext_strings[k] != NULL; k++) {
char *m = ext_strings[k];
@ -121,8 +121,10 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
m++;
}
/* FIXME: theoretically there could be more than one snapin per extension */
ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
/* FIXME: theoretically there could be more than one
* snapin per extension */
ext->snapins[i] = talloc_strdup(mem_ctx,
cse_snapin_gpo_guid_string_to_name(m));
ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
/* we might have no name for the guid */
@ -134,35 +136,38 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
*gp_ext = ext;
status = ADS_ERROR_NT(NT_STATUS_OK);
ret = True;
parse_error:
parse_error:
if (ext_list) {
str_list_free_talloc(mem_ctx, &ext_list);
str_list_free_talloc(mem_ctx, &ext_list);
}
if (ext_strings) {
str_list_free_talloc(mem_ctx, &ext_strings);
str_list_free_talloc(mem_ctx, &ext_strings);
}
return status;
return ret;
}
/****************************************************************
parse the raw link string into a GP_LINK structure
****************************************************************/
static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
const char *gp_link_raw,
uint32 options,
uint32_t options,
struct GP_LINK *gp_link)
{
ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
char **link_list;
int i;
ZERO_STRUCTP(gp_link);
DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
if (link_list == NULL) {
if (!link_list) {
goto parse_error;
}
@ -172,18 +177,17 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->gp_opts = options;
gp_link->num_links = i;
if (gp_link->num_links) {
gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
} else {
gp_link->link_names = NULL;
gp_link->link_opts = NULL;
gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
gp_link->num_links);
gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
gp_link->num_links);
}
gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
goto parse_error;
}
@ -199,7 +203,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
};
p = strchr(q, ';');
if (p == NULL) {
goto parse_error;
}
@ -212,23 +216,22 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->link_opts[i] = atoi(p + 1);
DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i]));
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
gp_link->link_names[i]));
DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
gp_link->link_opts[i]));
}
status = ADS_SUCCESS;
parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
return ADS_ERROR(LDAP_SUCCESS);
parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
return ADS_ERROR(LDAP_NO_MEMORY);
return status;
}
/****************************************************************
@ -244,13 +247,14 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
const char *attrs[] = {"gPLink", "gPOptions", NULL};
LDAPMessage *res = NULL;
const char *gp_link;
uint32 gp_options;
uint32_t gp_options;
ZERO_STRUCTP(gp_link_struct);
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -260,33 +264,34 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
}
/* perfectly legal to have no options */
if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
DEBUG(10,("ads_get_gpo_link: "
"no 'gPOptions' attribute found\n"));
gp_options = 0;
}
ads_msgfree(ads, res);
return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
}
/****************************************************************
helper call to add a gp link
****************************************************************/
ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *link_dn,
const char *gpo_dn,
uint32 gpo_opt)
ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *link_dn,
const char *gpo_dn,
uint32_t gpo_opt)
{
ADS_STATUS status;
const char *attrs[] = {"gPLink", NULL};
@ -298,12 +303,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
* the gpo_dn is sane */
if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
}
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -313,11 +319,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
gpo_dn, gpo_opt);
} else {
gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
gp_link, gpo_dn, gpo_opt);
}
ads_msgfree(ads, res);
@ -331,7 +339,7 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return status;
}
return ads_gen_mod(ads, link_dn, mods);
return ads_gen_mod(ads, link_dn, mods);
}
/****************************************************************
@ -339,9 +347,9 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
****************************************************************/
/* untested & broken */
ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *link_dn,
ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *link_dn,
const char *gpo_dn)
{
ADS_STATUS status;
@ -355,7 +363,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
}
if (gpo_dn[strlen(gpo_dn)] != ']') {
DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
@ -363,7 +371,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -373,13 +382,14 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
}
/* find link to delete */
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
/* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
gpo_dn, gpo_opt); */
ads_msgfree(ads, res);
ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
@ -392,7 +402,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return status;
}
return ads_gen_mod(ads, link_dn, mods);
return ads_gen_mod(ads, link_dn, mods);
}
/****************************************************************
@ -425,19 +435,25 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_MEMORY);
}
gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
"gPCFileSysPath");
ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
gpo->display_name = ads_pull_string(ads, mem_ctx, res,
"displayName");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
gpo->name = ads_pull_string(ads, mem_ctx, res,
"name");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
"gPCMachineExtensionNames");
gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
"gPCUserExtensionNames");
ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor);
ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
&gpo->security_descriptor);
ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
return ADS_ERROR(LDAP_SUCCESS);
@ -458,11 +474,20 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
LDAPMessage *res = NULL;
char *dn;
const char *filter;
const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath",
"gPCFunctionalityVersion", "gPCMachineExtensionNames",
"gPCUserExtensionNames", "gPCWQLFilter", "name",
"versionNumber", "ntSecurityDescriptor", NULL};
uint32 sd_flags = DACL_SECURITY_INFORMATION;
const char *attrs[] = {
"cn",
"displayName",
"flags",
"gPCFileSysPath",
"gPCFunctionalityVersion",
"gPCMachineExtensionNames",
"gPCUserExtensionNames",
"gPCWQLFilter",
"name",
"ntSecurityDescriptor",
"versionNumber",
NULL};
uint32_t sd_flags = DACL_SECURITY_INFORMATION;
ZERO_STRUCTP(gpo);
@ -471,30 +496,31 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
}
if (gpo_dn) {
if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
gpo_dn = gpo_dn + strlen("LDAP://");
}
status = ads_search_retry_dn_sd_flags(ads, &res,
status = ads_search_retry_dn_sd_flags(ads, &res,
sd_flags,
gpo_dn, attrs);
} else if (display_name || guid_name) {
filter = talloc_asprintf(mem_ctx,
"(&(objectclass=groupPolicyContainer)(%s=%s))",
display_name ? "displayName" : "name",
display_name ? display_name : guid_name);
filter = talloc_asprintf(mem_ctx,
"(&(objectclass=groupPolicyContainer)(%s=%s))",
display_name ? "displayName" : "name",
display_name ? display_name : guid_name);
ADS_ERROR_HAVE_NO_MEMORY(filter);
status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
LDAP_SCOPE_SUBTREE, filter,
LDAP_SCOPE_SUBTREE, filter,
attrs, sd_flags, &res);
}
if (!ADS_ERR_OK(status)) {
DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
DEBUG(10,("ads_get_gpo: search failed with %s\n",
ads_errstr(status)));
return status;
}
@ -509,7 +535,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
ads_msgfree(ads, res);
ads_memfree(ads, dn);
@ -522,7 +548,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
****************************************************************/
static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list,
const char *link_dn,
struct GP_LINK *gp_link,
@ -543,39 +569,47 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
}
if (only_add_forced_gpos) {
if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
DEBUG(10,("skipping nonenforced GPO link "
"because GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
continue;
} else {
DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
DEBUG(10,("adding enforced GPO link although "
"the GPOPTIONS_BLOCK_INHERITANCE "
"has been set\n"));
}
}
new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
NULL, NULL, new_gpo);
if (!ADS_ERR_OK(status)) {
DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i]));
DEBUG(10,("failed to get gpo: %s\n",
gp_link->link_names[i]));
return status;
}
status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token));
status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
token));
if (!ADS_ERR_OK(status)) {
DEBUG(10,("skipping GPO \"%s\" as object has no access to it\n",
DEBUG(10,("skipping GPO \"%s\" as object "
"has no access to it\n",
new_gpo->display_name));
TALLOC_FREE(new_gpo);
continue;
}
new_gpo->link = link_dn;
new_gpo->link_type = link_type;
new_gpo->link_type = link_type;
DLIST_ADD(*gpo_list, new_gpo);
DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n",
i, gp_link->link_names[i]));
DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
"to GPO list\n", i, gp_link->link_names[i]));
}
return ADS_ERROR(LDAP_SUCCESS);
@ -599,7 +633,7 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
struct nt_user_token *new_token = NULL;
int i;
status = ads_get_tokensids(ads, mem_ctx, dn,
status = ads_get_tokensids(ads, mem_ctx, dn,
&object_sid, &primary_group_sid,
&ad_token_sids, &num_ad_token_sids);
if (!ADS_ERR_OK(status)) {
@ -609,24 +643,24 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
&num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
for (i = 0; i < num_ad_token_sids; i++) {
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
continue;
}
if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
&token_sids, &num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
}
new_token = create_local_nt_token(mem_ctx, &object_sid, False,
new_token = create_local_nt_token(mem_ctx, &object_sid, False,
num_token_sids, token_sids);
ADS_ERROR_HAVE_NO_MEMORY(new_token);
@ -637,21 +671,48 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
return ADS_ERROR_LDAP(LDAP_SUCCESS);
}
/****************************************************************
****************************************************************/
static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list,
enum GPO_LINK_TYPE link_type)
{
struct GROUP_POLICY_OBJECT *gpo = NULL;
ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(gpo);
gpo->name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
gpo->link_type = link_type;
DLIST_ADD(*gpo_list, gpo);
return ADS_ERROR_NT(NT_STATUS_OK);
}
/****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn
****************************************************************/
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
uint32 flags,
uint32_t flags,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT **gpo_list)
{
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
ADS_STATUS status;
struct GP_LINK gp_link;
struct nt_user_token *token = NULL;
const char *parent_dn, *site_dn, *tmp_dn;
BOOL add_only_forced_gpos = False;
@ -663,25 +724,27 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
/* (L)ocal */
status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
GP_LINK_UNKOWN);
if (!ADS_ERR_OK(status)) {
return status;
}
/* (L)ocal */
/* not yet... */
/* (S)ite */
/* are site GPOs valid for users as well ??? */
if (flags & GPO_LIST_FLAG_MACHINE) {
status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
status = ads_site_dn_for_machine(ads, mem_ctx,
ads->config.ldap_server_name,
&site_dn);
if (!ADS_ERR_OK(status)) {
return status;
}
DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
site_dn));
status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
if (ADS_ERR_OK(status)) {
@ -690,8 +753,9 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
dump_gplink(ads, mem_ctx, &gp_link);
}
status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
site_dn, &gp_link, GP_LINK_SITE,
status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
site_dn, &gp_link,
GP_LINK_SITE,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
@ -708,33 +772,39 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (D)omain */
/* An account can just be a member of one domain */
if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) {
dump_gplink(ads, mem_ctx, &gp_link);
}
/* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
status = add_gplink_to_gpo_list(ads, mem_ctx,
gpo_list, parent_dn,
&gp_link, GP_LINK_DOMAIN,
add_only_forced_gpos,
token);
status = add_gplink_to_gpo_list(ads,
mem_ctx,
gpo_list,
parent_dn,
&gp_link,
GP_LINK_DOMAIN,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
return status;
}
@ -746,19 +816,21 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
/* reset dn again */
tmp_dn = dn;
while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
while ((parent_dn = ads_parent_dn(tmp_dn)) &&
(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (O)rganizational(U)nit */
/* An account can be a member of more OUs */
if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
parent_dn));
status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
&gp_link);
if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) {
@ -766,15 +838,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
}
/* block inheritance from now on */
if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
if (gp_link.gp_opts &
GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
status = add_gplink_to_gpo_list(ads, mem_ctx,
gpo_list, parent_dn,
&gp_link, GP_LINK_OU,
add_only_forced_gpos,
token);
status = add_gplink_to_gpo_list(ads,
mem_ctx,
gpo_list,
parent_dn,
&gp_link,
GP_LINK_OU,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
return status;
}

View File

@ -74,225 +74,3 @@ NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx, const char *filename, uint32 *versio
return result;
}
#if 0 /* not yet */
/****************************************************************
parse the Version section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_VERSION "Version"
#define GPTTMPL_PARAMETER_REVISION "Revision"
#define GPTTMPL_PARAMETER_SIGNATURE "signature"
#define GPTTMPL_CHICAGO "$CHICAGO$" /* whatever this is good for... */
#define GPTTMPL_SECTION_UNICODE "Unicode"
#define GPTTMPL_PARAMETER_UNICODE "Unicode"
static NTSTATUS parse_gpttmpl(dictionary *d, uint32 *version_out)
{
const char *signature = NULL;
uint32 version;
if ((signature = iniparser_getstring(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (!strequal(signature, GPTTMPL_CHICAGO)) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if ((version = iniparser_getint(d, GPTTMPL_SECTION_VERSION
":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (version_out) {
*version_out = version;
}
/* treat that as boolean */
if ((!iniparser_getboolean(d, GPTTMPL_SECTION_UNICODE
":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) {
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
return NT_STATUS_OK;
}
/****************************************************************
parse the "System Access" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access"
#define GPTTMPL_PARAMETER_MINPWDAGE "MinimumPasswordAge"
#define GPTTMPL_PARAMETER_MAXPWDAGE "MaximumPasswordAge"
#define GPTTMPL_PARAMETER_MINPWDLEN "MinimumPasswordLength"
#define GPTTMPL_PARAMETER_PWDCOMPLEX "PasswordComplexity"
#define GPTTMPL_PARAMETER_PWDHISTORY "PasswordHistorySize"
#define GPTTMPL_PARAMETER_LOCKOUTCOUNT "LockoutBadCount"
static NTSTATUS parse_gpttmpl_system_access(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 pwd_min_age, pwd_max_age, pwd_min_len, pwd_history;
uint32 lockout_count;
BOOL pwd_complex;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((pwd_min_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_max_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
goto out;
}
if ((pwd_min_len = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_MINPWDLEN, Undefined)) == Undefined) {
goto out;
}
if ((pwd_complex = iniparser_getboolean(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDCOMPLEX, Undefined)) == Undefined) {
goto out;
}
if ((pwd_history = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_PWDHISTORY, Undefined)) == Undefined) {
goto out;
}
if ((lockout_count = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
":"GPTTMPL_PARAMETER_LOCKOUTCOUNT, Undefined)) == Undefined) {
goto out;
}
/* TODO ?
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
*/
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
/****************************************************************
parse the "Kerberos Policy" section from gpttmpl file
****************************************************************/
#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy"
#define GPTTMPL_PARAMETER_MAXTKTAGE "MaxTicketAge"
#define GPTTMPL_PARAMETER_MAXRENEWAGE "MaxRenewAge"
#define GPTTMPL_PARAMETER_MAXTGSAGE "MaxServiceAge"
#define GPTTMPL_PARAMETER_MAXCLOCKSKEW "MaxClockSkew"
#define GPTTMPL_PARAMETER_TKTVALIDATECLIENT "TicketValidateClient"
static NTSTATUS parse_gpttmpl_kerberos_policy(const char *filename)
{
NTSTATUS status;
dictionary *d = NULL;
uint32 tkt_max_age, tkt_max_renew, tgs_max_age, max_clock_skew;
BOOL tkt_validate;
uint32 version;
d = iniparser_load(filename);
if (d == NULL) {
return NT_STATUS_NO_SUCH_FILE;
}
status = parse_gpttmpl(d, &version);
if (!NT_STATUS_IS_OK(status)) {
goto out;
}
status = NT_STATUS_INVALID_PARAMETER;
if ((tkt_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTKTAGE, Undefined)) != Undefined) {
goto out;
}
if ((tkt_max_renew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXRENEWAGE, Undefined)) != Undefined) {
goto out;
}
if ((tgs_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXTGSAGE, Undefined)) != Undefined) {
goto out;
}
if ((max_clock_skew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_MAXCLOCKSKEW, Undefined)) != Undefined) {
goto out;
}
if ((tkt_validate = iniparser_getboolean(d, GPTTMPL_SECTION_KERBEROS_POLICY
":"GPTTMPL_PARAMETER_TKTVALIDATECLIENT, Undefined)) != Undefined) {
goto out;
}
status = NT_STATUS_OK;
out:
if (d) {
iniparser_freedict(d);
}
return status;
}
#endif
/*
perfectly parseable with iniparser:
{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
RequireLogonToChangePassword = 0
ForceLogoffWhenHourExpire = 0
ClearTextPassword = 0
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
[Version]
signature="$CHICAGO$"
Revision=1
*/

View File

@ -1,18 +1,18 @@
/*
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2007
*
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
@ -70,7 +70,7 @@ static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
/****************************************************************
****************************************************************/
static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
static BOOL gpo_sd_check_agp_access_bits(uint32_t access_mask)
{
return (access_mask & SEC_RIGHTS_EXTENDED);
}
@ -79,9 +79,9 @@ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
static BOOL gpo_sd_check_read_access_bits(uint32_t access_mask)
{
uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
SEC_RIGHTS_READ_ALL_PROP |
SEC_RIGHTS_READ_PERMS;
@ -92,13 +92,14 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
const struct nt_user_token *token)
static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
DEBUG(10,("gpo_sd_check_ace_denied_object: "
"Access denied as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_ACCESS_DENIED;
}
@ -109,13 +110,14 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
const struct nt_user_token *token)
static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
DEBUG(10,("gpo_sd_check_ace_allowed_object: "
"Access granted as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_OK;
}
@ -126,8 +128,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
const struct nt_user_token *token)
static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
const struct nt_user_token *token)
{
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@ -142,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
const struct nt_user_token *token)
{
SEC_DESC *sd = gpo->security_descriptor;

View File

@ -1,18 +1,18 @@
/*
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2005-2006
*
* Copyright (C) Guenther Deschner 2005-2007
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
@ -25,88 +25,88 @@
#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
/* should we store a parsed guid ? */
struct gpo_table {
struct gp_table {
const char *name;
const char *guid_string;
};
struct snapin_table {
const char *name;
const char *guid_string;
ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *, const char *);
};
#if 0 /* unused */
static struct gpo_table gpo_default_policy[] = {
{ DEFAULT_DOMAIN_POLICY,
static struct gp_table gpo_default_policy[] = {
{ DEFAULT_DOMAIN_POLICY,
"31B2F340-016D-11D2-945F-00C04FB984F9" },
{ DEFAULT_DOMAIN_CONTROLLERS_POLICY,
{ DEFAULT_DOMAIN_CONTROLLERS_POLICY,
"6AC1786C-016F-11D2-945F-00C04fB984F9" },
{ NULL, NULL }
};
#endif
/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */
/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
static struct gpo_table gpo_cse_extensions[] = {
{ "Administrative Templates Extension",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */
{ "Microsoft Disc Quota",
static struct gp_table gpo_cse_extensions[] = {
/* used to be "Administrative Templates Extension" */
/* "Registry Settings"
(http://support.microsoft.com/kb/216357/EN-US/) */
{ "Registry Settings",
GP_EXT_REGISTRY },
{ "Microsoft Disc Quota",
"3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
{ "EFS recovery",
{ "EFS recovery",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Folder Redirection",
{ "Folder Redirection",
"25537BA6-77A8-11D2-9B6C-0000F8080861" },
{ "IP Security",
{ "IP Security",
"E437BC1C-AA7D-11D2-A382-00C04F991E27" },
{ "Internet Explorer Branding",
{ "Internet Explorer Branding",
"A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
{ "QoS Packet Scheduler",
{ "QoS Packet Scheduler",
"426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
{ "Scripts",
"42B5FAAE-6536-11D2-AE5A-0000F87571E3" },
{ "Security",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Software Installation",
{ "Scripts",
GP_EXT_SCRIPTS },
{ "Security",
GP_EXT_SECURITY },
{ "Software Installation",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "Wireless Group Policy",
{ "Wireless Group Policy",
"0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
{ "Application Management",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ NULL, NULL }
};
/* guess work */
static struct snapin_table gpo_cse_snapin_extensions[] = {
{ "Administrative Templates",
"0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none },
{ "Certificates",
"53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
{ "EFS recovery policy processing",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none },
{ "Folder Redirection policy processing",
"25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none },
{ "Folder Redirection",
"88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none },
{ "Registry policy processing",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none },
{ "Remote Installation Services",
"3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
{ "Security Settings",
"803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings },
{ "Security policy processing",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
{ "unknown2",
"53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
{ NULL, NULL, NULL }
static struct gp_table gpo_cse_snapin_extensions[] = {
{ "Administrative Templates",
"0F6B957D-509E-11D1-A7CC-0000F87571E3" },
{ "Certificates",
"53D6AB1D-2488-11D1-A28C-00C04FB94F17" },
{ "EFS recovery policy processing",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
{ "Folder Redirection policy processing",
"25537BA6-77A8-11D2-9B6C-0000F8080861" },
{ "Folder Redirection",
"88E729D6-BDC1-11D1-BD2A-00C04FB9603F" },
{ "Registry policy processing",
"35378EAC-683F-11D2-A89A-00C04FBBCFA2" },
{ "Remote Installation Services",
"3060E8CE-7020-11D2-842D-00C04FA372D4" },
{ "Security Settings",
"803E14A0-B4FB-11D0-A0D0-00A0C90F574B" },
{ "Security policy processing",
"827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
{ "unknown",
"3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ "unknown2",
"53D6AB1B-2488-11D1-A28C-00C04FB94F17" },
{ NULL, NULL }
};
/****************************************************************
****************************************************************/
static const char *name_to_guid_string(const char *name, struct gpo_table *table)
static const char *name_to_guid_string(const char *name,
struct gp_table *table)
{
int i;
@ -115,14 +115,15 @@ static const char *name_to_guid_string(const char *name, struct gpo_table *table
return table[i].guid_string;
}
}
return NULL;
}
/****************************************************************
****************************************************************/
static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table)
static const char *guid_string_to_name(const char *guid_string,
struct gp_table *table)
{
int i;
@ -131,15 +132,15 @@ static const char *guid_string_to_name(const char *guid_string, struct gpo_table
return table[i].name;
}
}
return NULL;
}
/****************************************************************
****************************************************************/
static const char *snapin_guid_string_to_name(const char *guid_string,
struct snapin_table *table)
static const char *snapin_guid_string_to_name(const char *guid_string,
struct gp_table *table)
{
int i;
for (i = 0; table[i].guid_string; i++) {
@ -203,18 +204,25 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
for (i=0; i< gp_ext->num_exts; i++) {
DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i]));
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i]));
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
DEBUGADD(lvl,("\textension:\t\t\t%s\n",
gp_ext->extensions_guid[i]));
DEBUGADD(lvl,("\textension (name):\t\t\t%s\n",
gp_ext->extensions[i]));
DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n",
gp_ext->snapins_guid[i]));
DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n",
gp_ext->snapins[i]));
}
}
/****************************************************************
****************************************************************/
void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel)
void dump_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
int debuglevel)
{
int lvl = debuglevel;
@ -227,10 +235,12 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version),
GPO_VERSION_USER(gpo->version)));
DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n",
GPO_VERSION_USER(gpo->version),
GPO_VERSION_USER(gpo->version)));
DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n",
GPO_VERSION_MACHINE(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
@ -280,24 +290,22 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
if (gpo->machine_extensions) {
struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
&gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
}
DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
if (gpo->user_extensions) {
struct GP_EXT *gp_ext = NULL;
ADS_STATUS status;
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
&gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
@ -311,9 +319,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
/****************************************************************
****************************************************************/
void dump_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo_list,
void dump_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo_list,
int debuglevel)
{
struct GROUP_POLICY_OBJECT *gpo = NULL;
@ -354,9 +362,9 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
for (i = 0; i < gp_link->num_links; i++) {
DEBUGADD(lvl,("---------------------\n\n"));
DEBUGADD(lvl,("link: #%d\n", i + 1));
DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
@ -373,9 +381,13 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
struct GROUP_POLICY_OBJECT gpo;
status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo);
status = ads_get_gpo(ads, mem_ctx,
gp_link->link_names[i],
NULL, NULL, &gpo);
if (!ADS_ERR_OK(status)) {
DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status)));
DEBUG(lvl,("get gpo for %s failed: %s\n",
gp_link->link_names[i],
ads_errstr(status)));
return;
}
dump_gpo(ads, mem_ctx, &gpo, lvl);
@ -386,27 +398,21 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
/****************************************************************
****************************************************************/
ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
NTSTATUS process_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
int i;
DEBUG(0,("process_extension: no extension available for:\n"));
DEBUGADD(0,("%s (%s) (snapin: %s)\n",
extension_guid,
cse_gpo_guid_string_to_name(extension_guid),
snapin_guid));
for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) {
if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, gpo,
extension_guid, snapin_guid);
}
}
DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n",
extension_guid, snapin_guid));
return ADS_SUCCESS;
return NT_STATUS_OK;
}
/****************************************************************
@ -414,37 +420,42 @@ ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter,
uint32 flags)
uint32_t flags)
{
ADS_STATUS status;
struct GP_EXT *gp_ext = NULL;
int i;
DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n",
gpo->name, gpo->display_name));
if (extension_guid_filter) {
DEBUGADD(10,("gpo_process_a_gpo: using filter %s\n",
extension_guid_filter));
}
if (flags & GPO_LIST_FLAG_MACHINE) {
if (gpo->machine_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
return status;
if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
&gp_ext)) {
return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
/* nothing to apply */
return ADS_SUCCESS;
}
} else {
if (gpo->user_extensions) {
status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
if (!ADS_ERR_OK(status)) {
return status;
if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
&gp_ext)) {
return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
/* nothing to apply */
@ -454,15 +465,20 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
for (i=0; i<gp_ext->num_exts; i++) {
if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) {
NTSTATUS ntstatus;
if (extension_guid_filter &&
!strequal(extension_guid_filter,
gp_ext->extensions_guid[i])) {
continue;
}
status = process_extension_with_snapin(ads, mem_ctx, gpo,
gp_ext->extensions_guid[i],
gp_ext->snapins_guid[i]);
if (!ADS_ERR_OK(status)) {
return status;
ntstatus = process_extension(ads, mem_ctx,
flags, token, gpo,
gp_ext->extensions_guid[i],
gp_ext->snapins_guid[i]);
if (!NT_STATUS_IS_OK(ntstatus)) {
ADS_ERROR_NT(ntstatus);
}
}
@ -474,19 +490,27 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid,
uint32 flags)
uint32_t flags)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo;
/* FIXME: ok, this is wrong, windows does process the extensions and
* hands the list of gpos to each extension and not process each gpo
* with all extensions (this is how the extension can store the list
* gplist in the registry) */
for (gpo = gpo_list; gpo; gpo = gpo->next) {
status = gpo_process_a_gpo(ads, mem_ctx, gpo,
status = gpo_process_a_gpo(ads, mem_ctx, token, gpo,
extensions_guid, flags);
if (!ADS_ERR_OK(status)) {
DEBUG(0,("failed to process gpo: %s\n",
ads_errstr(status)));
return status;
}
@ -495,80 +519,14 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
return ADS_SUCCESS;
}
ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_none\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid)
{
DEBUG(10,("gpo_snapin_handler_security_settings\n"));
return ADS_SUCCESS;
}
ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_12 *lockout_policy)
{
return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
}
/****************************************************************
****************************************************************/
ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *hostname,
SAM_UNK_INFO_1 *password_policy)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo_list;
const char *dn = NULL;
uint32 uac = 0;
status = ads_find_samaccount(ads, mem_ctx, hostname, &uac, &dn);
if (!ADS_ERR_OK(status)) {
return status;
}
if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
if (!ADS_ERR_OK(status)) {
return status;
}
status = gpo_process_gpo_list(ads, mem_ctx, gpo_list,
cse_gpo_name_to_guid_string("Security"),
GPO_LIST_FLAG_MACHINE);
if (!ADS_ERR_OK(status)) {
return status;
}
return ADS_SUCCESS;
}
/****************************************************************
check wether the version number in a GROUP_POLICY_OBJECT match those of the
locally stored version. If not, fetch the required policy via CIFS
****************************************************************/
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out)
{
@ -577,43 +535,54 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
char *share = NULL;
char *nt_path = NULL;
char *unix_path = NULL;
uint32 sysvol_gpt_version = 0;
uint32_t sysvol_gpt_version = 0;
char *display_name = NULL;
struct cli_state *cli = NULL;
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
&server, &share, &nt_path, &unix_path);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
result = gpo_get_sysvol_gpt_version(mem_ctx,
result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path,
&sysvol_gpt_version,
&display_name);
if (!NT_STATUS_IS_OK(result) &&
if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n",
gpo->version, sysvol_gpt_version));
/* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
while (gpo->version > sysvol_gpt_version) {
DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
if (*cli_out == NULL) {
result = cli_full_connection(&cli, global_myname(),
server, /* ads->config.ldap_server_name, */
NULL, 0,
share, "A:",
ads->auth.user_name, NULL, ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
result = cli_full_connection(&cli,
global_myname(),
ads->config.ldap_server_name,
/* server */
NULL, 0,
share, "A:",
ads->auth.user_name, NULL,
ads->auth.password,
CLI_FULL_CONNECTION_USE_KERBEROS,
Undefined, NULL);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result)));
DEBUG(10,("check_refresh_gpo: "
"failed to connect: %s\n",
nt_errstr(result)));
goto out;
}
@ -625,27 +594,28 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
goto out;
}
result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path,
result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path,
&sysvol_gpt_version,
&display_name);
&display_name);
if (!NT_STATUS_IS_OK(result)) {
DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
DEBUG(10,("check_refresh_gpo: "
"failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
if (gpo->version == sysvol_gpt_version) {
break;
}
}
}
DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name));
DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
sysvol_gpt_version,
GPO_VERSION_USER(sysvol_gpt_version),
GPO_VERSION_MACHINE(sysvol_gpt_version)));
DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name));
DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
sysvol_gpt_version,
GPO_VERSION_USER(sysvol_gpt_version),
GPO_VERSION_MACHINE(sysvol_gpt_version)));
DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
gpo->version,
GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
@ -662,8 +632,9 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
not, go and get each required GPO via CIFS
****************************************************************/
NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo_list)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@ -676,7 +647,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
for (gpo = gpo_list; gpo; gpo = gpo->next) {
result = check_refresh_gpo(ads, mem_ctx, gpo, &cli);
result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
@ -691,5 +662,4 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
return result;
}
#endif /* HAVE_LDAP */

View File

@ -52,7 +52,8 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result;
struct nt_user_token *token = NULL;
if (argc < 1) {
printf("usage: net ads gpo refresh <username|machinename>\n");
return -1;
@ -82,12 +83,17 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
printf("failed to refresh GPOs: %s\n", nt_errstr(result));
goto out;
}
@ -206,6 +212,7 @@ static int net_ads_gpo_list(int argc, const char **argv)
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo_list;
struct nt_user_token *token = NULL;
if (argc < 1) {
printf("usage: net ads gpo list <username|machinename>\n");
@ -235,7 +242,12 @@ static int net_ads_gpo_list(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}