diff options
author | Günther Deschner <gd@samba.org> | 2006-09-28 21:33:54 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:14:53 -0500 |
commit | 73f4ac012aaebfe4f778f6971ce59049c242be7b (patch) | |
tree | 953ae713a4ddaacf367c4ee8ae87753bc7e1d5b6 /source3/libads | |
parent | 18d417663395febe60b23f376b2e92c9869e1126 (diff) | |
download | samba-73f4ac012aaebfe4f778f6971ce59049c242be7b.tar.gz samba-73f4ac012aaebfe4f778f6971ce59049c242be7b.tar.bz2 samba-73f4ac012aaebfe4f778f6971ce59049c242be7b.zip |
r18982: Move the gpo related functions to "libgpo".
Guenther
(This used to be commit 1308a842716bc3bd1a9853b9b206dc7308a8c1dd)
Diffstat (limited to 'source3/libads')
-rw-r--r-- | source3/libads/gpo.c | 682 | ||||
-rw-r--r-- | source3/libads/gpo_util.c | 523 |
2 files changed, 0 insertions, 1205 deletions
diff --git a/source3/libads/gpo.c b/source3/libads/gpo.c deleted file mode 100644 index 4a121e9f6a..0000000000 --- a/source3/libads/gpo.c +++ /dev/null @@ -1,682 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -#ifdef HAVE_LDAP - -ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, - const char *extension_raw, - struct GP_EXT *gp_ext) -{ - char **ext_list; - char **ext_strings; - int i; - - DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw)); - - ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]"); - if (ext_list == NULL) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - /* no op */ - } - - gp_ext->num_exts = i; - - gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - - gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); - - if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL || - gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL || - gp_ext->gp_extension == NULL) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - - int k; - char *p, *q; - - DEBUGADD(10,("extension #%d\n", i)); - - p = ext_list[i]; - - if (p[0] == '[') { - p++; - } - - ext_strings = str_list_make_talloc(mem_ctx, p, "}"); - if (ext_strings == NULL) { - goto parse_error; - } - - for (k = 0; ext_strings[k] != NULL; k++) { - /* no op */ - } - - q = ext_strings[0]; - - if (q[0] == '{') { - q++; - } - - gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); - gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); - - /* we might have no name for the guid */ - if (gp_ext->extensions_guid[i] == NULL) { - goto parse_error; - } - - for (k = 1; ext_strings[k] != NULL; k++) { - - char *m = ext_strings[k]; - - if (m[0] == '{') { - m++; - } - - /* FIXME: theoretically there could be more than one snapin per extension */ - gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); - gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); - - /* we might have no name for the guid */ - if (gp_ext->snapins_guid[i] == NULL) { - goto parse_error; - } - } - } - - if (ext_list) { - str_list_free_talloc(mem_ctx, &ext_list); - } - if (ext_strings) { - str_list_free_talloc(mem_ctx, &ext_strings); - } - - return ADS_ERROR(LDAP_SUCCESS); - -parse_error: - if (ext_list) { - str_list_free_talloc(mem_ctx, &ext_list); - } - if (ext_strings) { - str_list_free_talloc(mem_ctx, &ext_strings); - } - - return ADS_ERROR(LDAP_NO_MEMORY); -} - -ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx, - const char *gp_link_raw, - uint32 options, - struct GP_LINK *gp_link) -{ - char **link_list; - int i; - - DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw)); - - link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]"); - if (link_list == NULL) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - /* no op */ - } - - gp_link->gp_opts = options; - gp_link->num_links = i; - - gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links); - gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links); - - gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); - - if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - - char *p, *q; - - DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i)); - - q = link_list[i]; - if (q[0] == '[') { - q++; - }; - - p = strchr(q, ';'); - - if (p == NULL) { - goto parse_error; - } - - gp_link->link_names[i] = talloc_strdup(mem_ctx, q); - if (gp_link->link_names[i] == NULL) { - goto parse_error; - } - gp_link->link_names[i][PTR_DIFF(p, q)] = 0; - - gp_link->link_opts[i] = atoi(p + 1); - - DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i])); - DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i])); - - } - - if (link_list) { - str_list_free_talloc(mem_ctx, &link_list); - } - - return ADS_ERROR(LDAP_SUCCESS); - -parse_error: - if (link_list) { - str_list_free_talloc(mem_ctx, &link_list); - } - - return ADS_ERROR(LDAP_NO_MEMORY); -} - -ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - struct GP_LINK *gp_link_struct) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", "gPOptions", NULL}; - LDAPMessage *res = NULL; - const char *gp_link; - uint32 gp_options; - - ZERO_STRUCTP(gp_link_struct); - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { - DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n")); - gp_options = 0; - } - - ads_msgfree(ads, res); - - return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); -} - -ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn, - uint32 gpo_opt) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new; - ADS_MODLIST mods; - - - /* although ADS allows to set anything here, we better check here if - * the gpo_dn is sane */ - - if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_add_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); - } else { - gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); - } - - ads_msgfree(ads, res); - if (gp_link_new == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - mods = ads_init_mods(mem_ctx); - if (mods == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - -/* untested & broken */ -ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new = NULL; - ADS_MODLIST mods; - - /* check for a sane gpo_dn */ - if (gpo_dn[0] != '[') { - DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - if (gpo_dn[strlen(gpo_dn)] != ']') { - DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_delete_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - /* find link to delete */ - /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ - - ads_msgfree(ads, res); - if (gp_link_new == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - mods = ads_init_mods(mem_ctx); - if (mods == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - - ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - LDAPMessage *res, - const char *gpo_dn, - struct GROUP_POLICY_OBJECT *gpo) -{ - ZERO_STRUCTP(gpo); - - if (res == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (gpo_dn) { - gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn); - } else { - gpo->ds_path = ads_get_dn(ads, res); - } - if (gpo->ds_path == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - /* split here for convenience */ - gpo->version_user = GPO_VERSION_USER(gpo->version); - gpo->version_machine = GPO_VERSION_MACHINE(gpo->version); - - /* sure ??? */ - if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); - if (gpo->file_sys_path == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); - if (gpo->display_name == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); - if (gpo->name == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - /* ???, this is optional to have and what does it depend on, the 'flags' ?) */ - gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); - gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *gpo_dn, - const char *display_name, - const char *guid_name, - struct GROUP_POLICY_OBJECT *gpo) -{ - ADS_STATUS status; - LDAPMessage *res = NULL; - char *dn; - const char *filter; - const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", - "gPCFunctionalityVersion", "gPCMachineExtensionNames", - "gPCUserExtensionNames", "gPCWQLFilter", "name", - "versionNumber", NULL}; - - ZERO_STRUCTP(gpo); - - if (!gpo_dn && !display_name && !guid_name) { - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - if (gpo_dn) { - - if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { - gpo_dn = gpo_dn + strlen("LDAP://"); - } - - status = ads_search_dn(ads, &res, gpo_dn, attrs); - - } else if (display_name || guid_name) { - - filter = talloc_asprintf(mem_ctx, - "(&(objectclass=groupPolicyContainer)(%s=%s))", - display_name ? "displayName" : "name", - display_name ? display_name : guid_name); - if (filter == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_do_search_all(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, filter, - attrs, &res); - } - - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - dn = ads_get_dn(ads, res); - if (dn == NULL) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); - ads_msgfree(ads, res); - ads_memfree(ads, dn); - - return status; -} - -ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT **gpo_list, - const char *link_dn, - struct GP_LINK *gp_link, - enum GPO_LINK_TYPE link_type, - BOOL only_add_forced_gpos) -{ - ADS_STATUS status; - int i; - - for (i = 0; i < gp_link->num_links; i++) { - - struct GROUP_POLICY_OBJECT *new_gpo = NULL; - - if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { - DEBUG(10,("skipping disabled GPO\n")); - continue; - } - - if (only_add_forced_gpos) { - - if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { - DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n")); - continue; - } else { - DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n")); - } - } - - new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT); - if (new_gpo == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - ZERO_STRUCTP(new_gpo); - - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); - if (!ADS_ERR_OK(status)) { - return status; - } - - new_gpo->link = link_dn; - new_gpo->link_type = link_type; - - DLIST_ADD(*gpo_list, new_gpo); - - DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", - i, gp_link->link_names[i])); - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *dn, - uint32 flags, - struct GROUP_POLICY_OBJECT **gpo_list) -{ - /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ - - ADS_STATUS status; - struct GP_LINK gp_link; - const char *parent_dn, *site_dn, *tmp_dn; - BOOL add_only_forced_gpos = False; - - ZERO_STRUCTP(gpo_list); - - DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); - - /* (L)ocal */ - /* not yet... */ - - /* (S)ite */ - - /* are site GPOs valid for users as well ??? */ - if (flags & GPO_LIST_FLAG_MACHINE) { - - status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); - if (!ADS_ERR_OK(status)) { - return status; - } - - DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, - site_dn, &gp_link, GP_LINK_SITE, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - - if (flags & GPO_LIST_FLAG_SITEONLY) { - return ADS_ERROR(LDAP_SUCCESS); - } - - /* inheritance can't be blocked at the site level */ - } - } - - tmp_dn = dn; - - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { - - /* (D)omain */ - - /* An account can just be a member of one domain */ - if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = True; - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_DOMAIN, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - } - - /* reset dn again */ - tmp_dn = dn; - - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { - - - /* (O)rganizational(U)nit */ - - /* An account can be a member of more OUs */ - if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = True; - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_OU, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - - }; - - return ADS_ERROR(LDAP_SUCCESS); -} - -#endif /* HAVE_LDAP */ diff --git a/source3/libads/gpo_util.c b/source3/libads/gpo_util.c deleted file mode 100644 index a30df6e9eb..0000000000 --- a/source3/libads/gpo_util.c +++ /dev/null @@ -1,523 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -#ifdef HAVE_LDAP - -#define DEFAULT_DOMAIN_POLICY "Default Domain Policy" -#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" - -/* should we store a parsed guid ? */ -struct gpo_table { - const char *name; - const char *guid_string; -}; - -struct snapin_table { - const char *name; - const char *guid_string; - ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, const char *, const char *); -}; - -#if 0 /* unused */ -static struct gpo_table gpo_default_policy[] = { - { DEFAULT_DOMAIN_POLICY, - "31B2F340-016D-11D2-945F-00C04FB984F9" }, - { DEFAULT_DOMAIN_CONTROLLERS_POLICY, - "6AC1786C-016F-11D2-945F-00C04fB984F9" }, - { NULL, NULL } -}; -#endif - -/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */ - -static struct gpo_table gpo_cse_extensions[] = { - { "Administrative Templates Extension", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */ - { "Microsoft Disc Quota", - "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" }, - { "EFS recovery", - "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Folder Redirection", - "25537BA6-77A8-11D2-9B6C-0000F8080861" }, - { "IP Security", - "E437BC1C-AA7D-11D2-A382-00C04F991E27" }, - { "Internet Explorer Branding", - "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" }, - { "QoS Packet Scheduler", - "426031c0-0b47-4852-b0ca-ac3d37bfcb39" }, - { "Scripts", - "42B5FAAE-6536-11D2-AE5A-0000F87571E3" }, - { "Security", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Software Installation", - "C6DC5466-785A-11D2-84D0-00C04FB169F7" }, - { "Wireless Group Policy", - "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" }, - { NULL, NULL } -}; - -/* guess work */ -static struct snapin_table gpo_cse_snapin_extensions[] = { - { "Administrative Templates", - "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none }, - { "Certificates", - "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { "EFS recovery policy processing", - "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none }, - { "Folder Redirection policy processing", - "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none }, - { "Folder Redirection", - "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none }, - { "Registry policy processing", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none }, - { "Remote Installation Services", - "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "Security Settings", - "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings }, - { "Security policy processing", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings }, - { "unknown", - "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "unknown2", - "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { NULL, NULL, NULL } -}; - -static const char *name_to_guid_string(const char *name, struct gpo_table *table) -{ - int i; - - for (i = 0; table[i].name; i++) { - if (strequal(name, table[i].name)) { - return table[i].guid_string; - } - } - - return NULL; -} - -static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table) -{ - int i; - - for (i = 0; table[i].guid_string; i++) { - if (strequal(guid_string, table[i].guid_string)) { - return table[i].name; - } - } - - return NULL; -} - -static const char *snapin_guid_string_to_name(const char *guid_string, - struct snapin_table *table) -{ - int i; - for (i = 0; table[i].guid_string; i++) { - if (strequal(guid_string, table[i].guid_string)) { - return table[i].name; - } - } - return NULL; -} - -#if 0 /* unused */ -static const char *default_gpo_name_to_guid_string(const char *name) -{ - return name_to_guid_string(name, gpo_default_policy); -} - -static const char *default_gpo_guid_string_to_name(const char *guid) -{ - return guid_string_to_name(guid, gpo_default_policy); -} -#endif - -const char *cse_gpo_guid_string_to_name(const char *guid) -{ - return guid_string_to_name(guid, gpo_cse_extensions); -} - -static const char *cse_gpo_name_to_guid_string(const char *name) -{ - return name_to_guid_string(name, gpo_cse_extensions); -} - -const char *cse_snapin_gpo_guid_string_to_name(const char *guid) -{ - return snapin_guid_string_to_name(guid, gpo_cse_snapin_extensions); -} - -void dump_gp_ext(struct GP_EXT *gp_ext) -{ - int lvl = 10; - int i; - - if (gp_ext == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - DEBUGADD(lvl,("name:\t\t\t%s\n", gp_ext->gp_extension)); - - for (i=0; i< gp_ext->num_exts; i++) { - - DEBUGADD(lvl,("extension:\t\t\t%s\n", gp_ext->extensions_guid[i])); - DEBUGADD(lvl,("extension (name):\t\t\t%s\n", gp_ext->extensions[i])); - - DEBUGADD(lvl,("snapin:\t\t\t%s\n", gp_ext->snapins_guid[i])); - DEBUGADD(lvl,("snapin (name):\t\t\t%s\n", gp_ext->snapins[i])); - } -} - -void dump_gpo(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo) -{ - int lvl = 1; - - if (gpo == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name)); - DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name)); - DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version)); - DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", gpo->version_user, gpo->version_user)); - DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", gpo->version_machine, gpo->version_machine)); - DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path)); - DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path)); - - DEBUGADD(lvl,("options:\t\t%d ", gpo->options)); - if (gpo->options & GPFLAGS_USER_SETTINGS_DISABLED) { - DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED ")); - } - if (gpo->options & GPFLAGS_MACHINE_SETTINGS_DISABLED) { - DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED")); - } - DEBUGADD(lvl,("\n")); - - DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link)); - DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type)); - switch (gpo->link_type) { - case GP_LINK_UNKOWN: - DEBUGADD(lvl,("GP_LINK_UNKOWN\n")); - break; - case GP_LINK_OU: - DEBUGADD(lvl,("GP_LINK_OU\n")); - break; - case GP_LINK_DOMAIN: - DEBUGADD(lvl,("GP_LINK_DOMAIN\n")); - break; - case GP_LINK_SITE: - DEBUGADD(lvl,("GP_LINK_SITE\n")); - break; - case GP_LINK_MACHINE: - DEBUGADD(lvl,("GP_LINK_MACHINE\n")); - break; - default: - break; - } - - if (gpo->machine_extensions) { - - struct GP_EXT gp_ext; - ADS_STATUS status; - - DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions)); - - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { - return; - } - dump_gp_ext(&gp_ext); - } - - if (gpo->user_extensions) { - - struct GP_EXT gp_ext; - ADS_STATUS status; - - DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions)); - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { - return; - } - dump_gp_ext(&gp_ext); - } -}; - -void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) -{ - ADS_STATUS status; - int i; - int lvl = 10; - - if (gp_link == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link)); - DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts)); - switch (gp_link->gp_opts) { - case GPOPTIONS_INHERIT: - DEBUGADD(lvl,("GPOPTIONS_INHERIT\n")); - break; - case GPOPTIONS_BLOCK_INHERITANCE: - DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n")); - break; - default: - break; - } - - DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); - - for (i = 0; i < gp_link->num_links; i++) { - - DEBUGADD(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("link: #%d\n", i + 1)); - DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); - - DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i])); - if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) { - DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED ")); - } - if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { - DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED")); - } - DEBUGADD(lvl,("\n")); - - if (ads != NULL && mem_ctx != NULL) { - - struct GROUP_POLICY_OBJECT gpo; - - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); - if (!ADS_ERR_OK(status)) { - DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); - return; - } - dump_gpo(mem_ctx, &gpo); - } - } -} - -ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - int i; - - for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) { - - if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) { - - return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, - extension_guid, snapin_guid); - } - } - - DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n", - extension_guid, snapin_guid)); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid, - uint32 flags) -{ - ADS_STATUS status; - struct GP_EXT gp_ext; - int i; - - if (flags & GPO_LIST_FLAG_MACHINE) { - - if (gpo->machine_extensions) { - - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - - if (!ADS_ERR_OK(status)) { - return status; - } - - } else { - /* nothing to apply */ - return ADS_ERROR(LDAP_SUCCESS); - } - - } else { - - if (gpo->user_extensions) { - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - - if (!ADS_ERR_OK(status)) { - return status; - } - } else { - /* nothing to apply */ - return ADS_ERROR(LDAP_SUCCESS); - } - } - - for (i=0; i<gp_ext.num_exts; i++) { - - if (extension_guid && !strequal(extension_guid, gp_ext.extensions_guid[i])) { - continue; - } - - status = process_extension_with_snapin(ads, mem_ctx, gp_ext.extensions_guid[i], - gp_ext.snapins_guid[i]); - if (!ADS_ERR_OK(status)) { - return status; - } - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT **gpo_list, - const char *extensions_guid, - uint32 flags) -{ - ADS_STATUS status; - struct GROUP_POLICY_OBJECT *gpo = *gpo_list; - - for (gpo = *gpo_list; gpo; gpo = gpo->next) { - - status = gpo_process_a_gpo(ads, mem_ctx, gpo, - extensions_guid, flags); - - if (!ADS_ERR_OK(status)) { - return status; - } - - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_none\n")); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_security_settings\n")); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_12 *lockout_policy) -{ - return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); -} - -ADS_STATUS gpo_password_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_1 *password_policy) -{ - ADS_STATUS status; - struct GROUP_POLICY_OBJECT *gpo_list; - const char *attrs[] = {"distinguishedName", "userAccountControl", NULL}; - char *filter, *dn; - LDAPMessage *res = NULL; - uint32 uac; - - filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", hostname); - if (filter == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_do_search_all(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, - filter, attrs, &res); - - if (!ADS_ERR_OK(status)) { - return status; - } - - if (ads_count_replies(ads, res) != 1) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - dn = ads_get_dn(ads, res); - if (dn == NULL) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) { - ads_msgfree(ads, res); - ads_memfree(ads, dn); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - ads_msgfree(ads, res); - - if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) { - ads_memfree(ads, dn); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list); - if (!ADS_ERR_OK(status)) { - ads_memfree(ads, dn); - return status; - } - - ads_memfree(ads, dn); - - status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, - cse_gpo_name_to_guid_string("Security"), - GPO_LIST_FLAG_MACHINE); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -#endif /* HAVE_LDAP */ |