authorGünther Deschner <gd@samba.org>2006-09-29 01:49:26 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 12:14:54 -0500
commit21bdd5833efff11324c2c736283a2272f5a46e90 (patch)
tree6fb3c701a1e7c7eb17707c611d28eb31cbd5a091
parent7a5d2f5c1a2be36366667921450eef6ecdd435d5 (diff)
r18988: Check and refresh expired GPOs.
Guenther (This used to be commit e0e44bfadbf9bce8a5d3fe969c0f6da59a0cc29e)
-rw-r--r--source3/libgpo/gpo_util.c125
-rw-r--r--source3/utils/net_ads_gpo.c5
2 files changed, 129 insertions, 1 deletions
diff --git a/source3/libgpo/gpo_util.c b/source3/libgpo/gpo_util.c
index 37d3bb2ba8..4c74d10031 100644
--- a/source3/libgpo/gpo_util.c
+++ b/source3/libgpo/gpo_util.c
@@ -1,7 +1,7 @@
/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
- * Copyright (C) Guenther Deschner 2005
+ * Copyright (C) Guenther Deschner 2005-2006
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -522,4 +522,127 @@ ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_SUCCESS);
}
+/****************************************************************
+ check wether the version number in a GROUP_POLICY_OBJECT match those of the
+ locally stored version. If not, fetch the required policy via CIFS
+****************************************************************/
+
+NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo,
+ struct cli_state **cli_out)
+{
+ NTSTATUS result;
+ char *server, *share, *nt_path, *unix_path;
+ uint32 sysvol_gpt_version = 0;
+ char *display_name;
+ struct cli_state *cli = NULL;
+
+ result = ads_gpo_explode_filesyspath(ads, mem_ctx, gpo->file_sys_path,
+ &server, &share, &nt_path, &unix_path);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ result = ads_gpo_get_sysvol_gpt_version(ads, mem_ctx,
+ unix_path,
+ &sysvol_gpt_version,
+ &display_name);
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
+ DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ while (gpo->version > sysvol_gpt_version) {
+
+ DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
+
+ if (*cli_out == NULL) {
+
+ result = cli_full_connection(&cli, global_myname(),
+ server, /* ads->config.ldap_server_name, */
+ NULL, 0,
+ share, "A:",
+ ads->auth.user_name, NULL, ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS,
+ Undefined, NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result)));
+ goto out;
+ }
+
+ *cli_out = cli;
+ }
+
+ result = ads_fetch_gpo_files(ads, mem_ctx, *cli_out, gpo);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ result = ads_gpo_get_sysvol_gpt_version(ads, mem_ctx,
+ unix_path,
+ &sysvol_gpt_version,
+ &display_name);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ if (gpo->version == sysvol_gpt_version) {
+ break;
+ }
+ }
+
+ DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name));
+ DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
+ sysvol_gpt_version,
+ GPO_VERSION_USER(sysvol_gpt_version),
+ GPO_VERSION_MACHINE(sysvol_gpt_version)));
+ DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
+ gpo->version,
+ GPO_VERSION_USER(gpo->version),
+ GPO_VERSION_MACHINE(gpo->version)));
+
+ result = NT_STATUS_OK;
+
+ out:
+ return result;
+
+}
+
+/****************************************************************
+ check wether the version numbers in the gpo_list match the locally stored, if
+ not, go and get each required GPO via CIFS
+ ****************************************************************/
+
+NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo_list)
+{
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct cli_state *cli = NULL;
+ struct GROUP_POLICY_OBJECT *gpo;
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+
+ result = check_refresh_gpo(ads, mem_ctx, gpo, &cli);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+ }
+
+ result = NT_STATUS_OK;
+
+ out:
+ if (cli) {
+ cli_shutdown(cli);
+ }
+
+ return result;
+}
+
#endif /* HAVE_LDAP */
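Review bot: The `while (gpo->version > sysvol_gpt_version)` loop in check_refresh_gpo has no retry bound, so if the locally stored GPT version read back after `ads_fetch_gpo_files` stays below the LDAP version (for instance because the share still serves an older copy), the client re-downloads the policy forever. A single fetch followed by a hard failure is safer: change the `while` to `if` and replace the inner `break` test with `if (gpo->version > sysvol_gpt_version) { result = NT_STATUS_UNSUCCESSFUL; goto out; }`. Separately, the `cli_full_connection` call passes `Undefined` in what appears to be the signing-state position, and `server` is derived from `gpo->file_sys_path`. Because the fetched files are policy that is later acted on, the connection should require SMB signing so content altered in transit is rejected; confirm the argument's meaning against the function's prototype, which is not visible in this hunk.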
diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c
index be018ad78f..0a9e0fb62a 100644
--- a/source3/utils/net_ads_gpo.c
+++ b/source3/utils/net_ads_gpo.c
@@ -111,6 +111,11 @@ static int net_ads_gpo_effective(int argc, const char **argv)
goto out;
}
+ if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
+ printf("failed to refresh GPOs: %s\n", nt_errstr(result));
+ goto out;
+ }
+
for (gpo = gpo_list; gpo; gpo = gpo->next) {
char *server, *share, *nt_path, *unix_path;