diff options
author | Günther Deschner <gd@samba.org> | 2007-08-14 14:47:08 +0000 |
---|---|---|
committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 12:29:42 -0500 |
commit | 444fd1e8481ae4ec971c4cac5996e47a751b8a17 (patch) | |
tree | 5363603744f98dc1945c215bec5ecd99483526cf /source3/libgpo | |
parent | 2da44a2dee1ad425a25f9a188896ce031356630c (diff) | |
download | samba-444fd1e8481ae4ec971c4cac5996e47a751b8a17.tar.gz samba-444fd1e8481ae4ec971c4cac5996e47a751b8a17.tar.bz2 samba-444fd1e8481ae4ec971c4cac5996e47a751b8a17.zip |
r24413: Minor edits for libgpo.
Guenther
(This used to be commit 5dc791f4cfdee2bc350c1e65aeed5705c1745356)
Diffstat (limited to 'source3/libgpo')
-rw-r--r-- | source3/libgpo/gpo_ldap.c | 374 | ||||
-rw-r--r-- | source3/libgpo/gpo_parse.c | 222 | ||||
-rw-r--r-- | source3/libgpo/gpo_sec.c | 36 | ||||
-rw-r--r-- | source3/libgpo/gpo_util.c | 426 |
4 files changed, 442 insertions, 616 deletions
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c index e32522ab5c..856bcd4e68 100644 --- a/source3/libgpo/gpo_ldap.c +++ b/source3/libgpo/gpo_ldap.c @@ -25,13 +25,13 @@ parse the raw extension string into a GP_EXT structure ****************************************************************/ -ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, - const char *extension_raw, - struct GP_EXT **gp_ext) +BOOL ads_parse_gp_ext(TALLOC_CTX *mem_ctx, + const char *extension_raw, + struct GP_EXT **gp_ext) { - ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); + BOOL ret = False; struct GP_EXT *ext = NULL; - char **ext_list; + char **ext_list = NULL; char **ext_strings = NULL; int i; @@ -47,7 +47,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, } ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]"); - if (ext_list == NULL) { + if (!ext_list) { goto parse_error; } @@ -56,24 +56,23 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, } ext->num_exts = i; - + if (ext->num_exts) { - ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); - ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); - ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); - ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts); - } else { - ext->extensions = NULL; - ext->extensions_guid = NULL; - ext->snapins = NULL; - ext->snapins_guid = NULL; + ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, + ext->num_exts); + ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, + ext->num_exts); + ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, + ext->num_exts); + ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, + ext->num_exts); } ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); - if (ext->extensions == NULL || ext->extensions_guid == NULL || - ext->snapins == NULL || ext->snapins_guid == NULL || - ext->gp_extension == NULL) { + if (!ext->extensions || !ext->extensions_guid || + !ext->snapins || !ext->snapins_guid || + !ext->gp_extension) { goto parse_error; } @@ -81,7 +80,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, int k; char *p, *q; - + DEBUGADD(10,("extension #%d\n", i)); p = ext_list[i]; @@ -105,14 +104,15 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, q++; } - ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); + ext->extensions[i] = talloc_strdup(mem_ctx, + cse_gpo_guid_string_to_name(q)); ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); /* we might have no name for the guid */ if (ext->extensions_guid[i] == NULL) { goto parse_error; } - + for (k = 1; ext_strings[k] != NULL; k++) { char *m = ext_strings[k]; @@ -121,8 +121,10 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, m++; } - /* FIXME: theoretically there could be more than one snapin per extension */ - ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); + /* FIXME: theoretically there could be more than one + * snapin per extension */ + ext->snapins[i] = talloc_strdup(mem_ctx, + cse_snapin_gpo_guid_string_to_name(m)); ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); /* we might have no name for the guid */ @@ -134,35 +136,38 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, *gp_ext = ext; - status = ADS_ERROR_NT(NT_STATUS_OK); + ret = True; -parse_error: + parse_error: if (ext_list) { - str_list_free_talloc(mem_ctx, &ext_list); + str_list_free_talloc(mem_ctx, &ext_list); } if (ext_strings) { - str_list_free_talloc(mem_ctx, &ext_strings); + str_list_free_talloc(mem_ctx, &ext_strings); } - return status; + return ret; } /**************************************************************** parse the raw link string into a GP_LINK structure ****************************************************************/ -static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, +static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, const char *gp_link_raw, - uint32 options, + uint32_t options, struct GP_LINK *gp_link) { + ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY); char **link_list; int i; - + + ZERO_STRUCTP(gp_link); + DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw)); link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]"); - if (link_list == NULL) { + if (!link_list) { goto parse_error; } @@ -172,18 +177,17 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, gp_link->gp_opts = options; gp_link->num_links = i; - + if (gp_link->num_links) { - gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links); - gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links); - } else { - gp_link->link_names = NULL; - gp_link->link_opts = NULL; + gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, + gp_link->num_links); + gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t, + gp_link->num_links); } - + gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); - if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) { + if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) { goto parse_error; } @@ -199,7 +203,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, }; p = strchr(q, ';'); - + if (p == NULL) { goto parse_error; } @@ -212,23 +216,22 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, gp_link->link_opts[i] = atoi(p + 1); - DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i])); - DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i])); + DEBUGADD(10,("gpo_parse_gplink: link: %s\n", + gp_link->link_names[i])); + DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", + gp_link->link_opts[i])); } - if (link_list) { - str_list_free_talloc(mem_ctx, &link_list); - } + status = ADS_SUCCESS; - return ADS_ERROR(LDAP_SUCCESS); + parse_error: -parse_error: if (link_list) { str_list_free_talloc(mem_ctx, &link_list); } - return ADS_ERROR(LDAP_NO_MEMORY); + return status; } /**************************************************************** @@ -244,13 +247,14 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, const char *attrs[] = {"gPLink", "gPOptions", NULL}; LDAPMessage *res = NULL; const char *gp_link; - uint32 gp_options; + uint32_t gp_options; ZERO_STRUCTP(gp_link_struct); status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); + DEBUG(10,("ads_get_gpo_link: search failed with %s\n", + ads_errstr(status))); return status; } @@ -260,33 +264,34 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); + return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); } /* perfectly legal to have no options */ if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { - DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n")); + DEBUG(10,("ads_get_gpo_link: " + "no 'gPOptions' attribute found\n")); gp_options = 0; } ads_msgfree(ads, res); - return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); + return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); } /**************************************************************** helper call to add a gp link ****************************************************************/ -ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn, - uint32 gpo_opt) +ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *link_dn, + const char *gpo_dn, + uint32_t gpo_opt) { ADS_STATUS status; const char *attrs[] = {"gPLink", NULL}; @@ -298,12 +303,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, * the gpo_dn is sane */ if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); + return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); } status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); + DEBUG(10,("ads_add_gpo_link: search failed with %s\n", + ads_errstr(status))); return status; } @@ -313,11 +319,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { - gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); + gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", + gpo_dn, gpo_opt); } else { - gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); + gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", + gp_link, gpo_dn, gpo_opt); } ads_msgfree(ads, res); @@ -331,7 +339,7 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, return status; } - return ads_gen_mod(ads, link_dn, mods); + return ads_gen_mod(ads, link_dn, mods); } /**************************************************************** @@ -339,9 +347,9 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, ****************************************************************/ /* untested & broken */ -ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, +ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *link_dn, const char *gpo_dn) { ADS_STATUS status; @@ -355,7 +363,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); } - + if (gpo_dn[strlen(gpo_dn)] != ']') { DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); @@ -363,7 +371,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); + DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", + ads_errstr(status))); return status; } @@ -373,13 +382,14 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); } /* find link to delete */ - /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ + /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, + gpo_dn, gpo_opt); */ ads_msgfree(ads, res); ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); @@ -392,7 +402,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, return status; } - return ads_gen_mod(ads, link_dn, mods); + return ads_gen_mod(ads, link_dn, mods); } /**************************************************************** @@ -425,19 +435,25 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, return ADS_ERROR(LDAP_NO_MEMORY); } - gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); + gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, + "gPCFileSysPath"); ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path); - gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); + gpo->display_name = ads_pull_string(ads, mem_ctx, res, + "displayName"); ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); - gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); + gpo->name = ads_pull_string(ads, mem_ctx, res, + "name"); ADS_ERROR_HAVE_NO_MEMORY(gpo->name); - gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); - gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); + gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, + "gPCMachineExtensionNames"); + gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, + "gPCUserExtensionNames"); - ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor); + ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", + &gpo->security_descriptor); ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor); return ADS_ERROR(LDAP_SUCCESS); @@ -458,11 +474,20 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, LDAPMessage *res = NULL; char *dn; const char *filter; - const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", - "gPCFunctionalityVersion", "gPCMachineExtensionNames", - "gPCUserExtensionNames", "gPCWQLFilter", "name", - "versionNumber", "ntSecurityDescriptor", NULL}; - uint32 sd_flags = DACL_SECURITY_INFORMATION; + const char *attrs[] = { + "cn", + "displayName", + "flags", + "gPCFileSysPath", + "gPCFunctionalityVersion", + "gPCMachineExtensionNames", + "gPCUserExtensionNames", + "gPCWQLFilter", + "name", + "ntSecurityDescriptor", + "versionNumber", + NULL}; + uint32_t sd_flags = DACL_SECURITY_INFORMATION; ZERO_STRUCTP(gpo); @@ -471,30 +496,31 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, } if (gpo_dn) { - + if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { gpo_dn = gpo_dn + strlen("LDAP://"); } - status = ads_search_retry_dn_sd_flags(ads, &res, + status = ads_search_retry_dn_sd_flags(ads, &res, sd_flags, gpo_dn, attrs); - + } else if (display_name || guid_name) { - filter = talloc_asprintf(mem_ctx, - "(&(objectclass=groupPolicyContainer)(%s=%s))", - display_name ? "displayName" : "name", - display_name ? display_name : guid_name); + filter = talloc_asprintf(mem_ctx, + "(&(objectclass=groupPolicyContainer)(%s=%s))", + display_name ? "displayName" : "name", + display_name ? display_name : guid_name); ADS_ERROR_HAVE_NO_MEMORY(filter); status = ads_do_search_all_sd_flags(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, filter, + LDAP_SCOPE_SUBTREE, filter, attrs, sd_flags, &res); } if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); + DEBUG(10,("ads_get_gpo: search failed with %s\n", + ads_errstr(status))); return status; } @@ -509,7 +535,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_MEMORY); } - + status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); ads_msgfree(ads, res); ads_memfree(ads, dn); @@ -522,7 +548,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, ****************************************************************/ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, + TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT **gpo_list, const char *link_dn, struct GP_LINK *gp_link, @@ -543,39 +569,47 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, } if (only_add_forced_gpos) { - - if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { - DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n")); + + if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { + DEBUG(10,("skipping nonenforced GPO link " + "because GPOPTIONS_BLOCK_INHERITANCE " + "has been set\n")); continue; } else { - DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n")); + DEBUG(10,("adding enforced GPO link although " + "the GPOPTIONS_BLOCK_INHERITANCE " + "has been set\n")); } } new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); ADS_ERROR_HAVE_NO_MEMORY(new_gpo); - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); + status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], + NULL, NULL, new_gpo); if (!ADS_ERR_OK(status)) { - DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i])); + DEBUG(10,("failed to get gpo: %s\n", + gp_link->link_names[i])); return status; } - status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token)); + status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, + token)); if (!ADS_ERR_OK(status)) { - DEBUG(10,("skipping GPO \"%s\" as object has no access to it\n", + DEBUG(10,("skipping GPO \"%s\" as object " + "has no access to it\n", new_gpo->display_name)); TALLOC_FREE(new_gpo); continue; } new_gpo->link = link_dn; - new_gpo->link_type = link_type; + new_gpo->link_type = link_type; DLIST_ADD(*gpo_list, new_gpo); - DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", - i, gp_link->link_names[i])); + DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s " + "to GPO list\n", i, gp_link->link_names[i])); } return ADS_ERROR(LDAP_SUCCESS); @@ -599,7 +633,7 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, struct nt_user_token *new_token = NULL; int i; - status = ads_get_tokensids(ads, mem_ctx, dn, + status = ads_get_tokensids(ads, mem_ctx, dn, &object_sid, &primary_group_sid, &ad_token_sids, &num_ad_token_sids); if (!ADS_ERR_OK(status)) { @@ -609,24 +643,24 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1); ADS_ERROR_HAVE_NO_MEMORY(token_sids); - if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, + if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, &num_token_sids)) { return ADS_ERROR(LDAP_NO_MEMORY); } for (i = 0; i < num_ad_token_sids; i++) { - + if (sid_check_is_in_builtin(&ad_token_sids[i])) { continue; } - if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i], + if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i], &token_sids, &num_token_sids)) { return ADS_ERROR(LDAP_NO_MEMORY); } } - new_token = create_local_nt_token(mem_ctx, &object_sid, False, + new_token = create_local_nt_token(mem_ctx, &object_sid, False, num_token_sids, token_sids); ADS_ERROR_HAVE_NO_MEMORY(new_token); @@ -638,20 +672,47 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, } /**************************************************************** +****************************************************************/ + +static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx, + struct GROUP_POLICY_OBJECT **gpo_list, + enum GPO_LINK_TYPE link_type) +{ + struct GROUP_POLICY_OBJECT *gpo = NULL; + + ADS_ERROR_HAVE_NO_MEMORY(gpo_list); + + gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); + ADS_ERROR_HAVE_NO_MEMORY(gpo); + + gpo->name = talloc_strdup(mem_ctx, "Local Policy"); + ADS_ERROR_HAVE_NO_MEMORY(gpo->name); + + gpo->display_name = talloc_strdup(mem_ctx, "Local Policy"); + ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); + + gpo->link_type = link_type; + + DLIST_ADD(*gpo_list, gpo); + + return ADS_ERROR_NT(NT_STATUS_OK); +} + +/**************************************************************** get the full list of GROUP_POLICY_OBJECTs for a given dn ****************************************************************/ -ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, +ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, const char *dn, - uint32 flags, + uint32_t flags, + const struct nt_user_token *token, struct GROUP_POLICY_OBJECT **gpo_list) { /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ - + ADS_STATUS status; struct GP_LINK gp_link; - struct nt_user_token *token = NULL; const char *parent_dn, *site_dn, *tmp_dn; BOOL add_only_forced_gpos = False; @@ -663,25 +724,27 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); - status = ads_get_sid_token(ads, mem_ctx, dn, &token); + /* (L)ocal */ + status = add_local_policy_to_gpo_list(mem_ctx, gpo_list, + GP_LINK_UNKOWN); if (!ADS_ERR_OK(status)) { return status; } - /* (L)ocal */ - /* not yet... */ - /* (S)ite */ /* are site GPOs valid for users as well ??? */ if (flags & GPO_LIST_FLAG_MACHINE) { - status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); + status = ads_site_dn_for_machine(ads, mem_ctx, + ads->config.ldap_server_name, + &site_dn); if (!ADS_ERR_OK(status)) { return status; } - DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); + DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", + site_dn)); status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); if (ADS_ERR_OK(status)) { @@ -690,8 +753,9 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, dump_gplink(ads, mem_ctx, &gp_link); } - status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, - site_dn, &gp_link, GP_LINK_SITE, + status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, + site_dn, &gp_link, + GP_LINK_SITE, add_only_forced_gpos, token); if (!ADS_ERR_OK(status)) { @@ -708,33 +772,39 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, tmp_dn = dn; - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { + while ((parent_dn = ads_parent_dn(tmp_dn)) && + (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { /* (D)omain */ /* An account can just be a member of one domain */ if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { - DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); + DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", + parent_dn)); - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); + status = ads_get_gpo_link(ads, mem_ctx, parent_dn, + &gp_link); if (ADS_ERR_OK(status)) { - + if (DEBUGLEVEL >= 100) { dump_gplink(ads, mem_ctx, &gp_link); } /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { + if (gp_link.gp_opts & + GPOPTIONS_BLOCK_INHERITANCE) { add_only_forced_gpos = True; } - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_DOMAIN, - add_only_forced_gpos, - token); + status = add_gplink_to_gpo_list(ads, + mem_ctx, + gpo_list, + parent_dn, + &gp_link, + GP_LINK_DOMAIN, + add_only_forced_gpos, + token); if (!ADS_ERR_OK(status)) { return status; } @@ -746,19 +816,21 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, /* reset dn again */ tmp_dn = dn; - - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { + + while ((parent_dn = ads_parent_dn(tmp_dn)) && + (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { /* (O)rganizational(U)nit */ /* An account can be a member of more OUs */ if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn)); - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); + DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", + parent_dn)); + + status = ads_get_gpo_link(ads, mem_ctx, parent_dn, + &gp_link); if (ADS_ERR_OK(status)) { if (DEBUGLEVEL >= 100) { @@ -766,15 +838,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, } /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { + if (gp_link.gp_opts & + GPOPTIONS_BLOCK_INHERITANCE) { add_only_forced_gpos = True; } - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_OU, - add_only_forced_gpos, - token); + status = add_gplink_to_gpo_list(ads, + mem_ctx, + gpo_list, + parent_dn, + &gp_link, + GP_LINK_OU, + add_only_forced_gpos, + token); if (!ADS_ERR_OK(status)) { return status; } diff --git a/source3/libgpo/gpo_parse.c b/source3/libgpo/gpo_parse.c index 5430fde01d..8118ed7213 100644 --- a/source3/libgpo/gpo_parse.c +++ b/source3/libgpo/gpo_parse.c @@ -74,225 +74,3 @@ NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx, const char *filename, uint32 *versio return result; } - -#if 0 /* not yet */ - -/**************************************************************** - parse the Version section from gpttmpl file -****************************************************************/ - -#define GPTTMPL_SECTION_VERSION "Version" -#define GPTTMPL_PARAMETER_REVISION "Revision" -#define GPTTMPL_PARAMETER_SIGNATURE "signature" -#define GPTTMPL_CHICAGO "$CHICAGO$" /* whatever this is good for... */ -#define GPTTMPL_SECTION_UNICODE "Unicode" -#define GPTTMPL_PARAMETER_UNICODE "Unicode" - -static NTSTATUS parse_gpttmpl(dictionary *d, uint32 *version_out) -{ - const char *signature = NULL; - uint32 version; - - if ((signature = iniparser_getstring(d, GPTTMPL_SECTION_VERSION - ":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (!strequal(signature, GPTTMPL_CHICAGO)) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if ((version = iniparser_getint(d, GPTTMPL_SECTION_VERSION - ":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (version_out) { - *version_out = version; - } - - /* treat that as boolean */ - if ((!iniparser_getboolean(d, GPTTMPL_SECTION_UNICODE - ":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - return NT_STATUS_OK; -} - -/**************************************************************** - parse the "System Access" section from gpttmpl file -****************************************************************/ - -#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access" -#define GPTTMPL_PARAMETER_MINPWDAGE "MinimumPasswordAge" -#define GPTTMPL_PARAMETER_MAXPWDAGE "MaximumPasswordAge" -#define GPTTMPL_PARAMETER_MINPWDLEN "MinimumPasswordLength" -#define GPTTMPL_PARAMETER_PWDCOMPLEX "PasswordComplexity" -#define GPTTMPL_PARAMETER_PWDHISTORY "PasswordHistorySize" -#define GPTTMPL_PARAMETER_LOCKOUTCOUNT "LockoutBadCount" - -static NTSTATUS parse_gpttmpl_system_access(const char *filename) -{ - NTSTATUS status; - dictionary *d = NULL; - uint32 pwd_min_age, pwd_max_age, pwd_min_len, pwd_history; - uint32 lockout_count; - BOOL pwd_complex; - uint32 version; - - d = iniparser_load(filename); - if (d == NULL) { - return NT_STATUS_NO_SUCH_FILE; - } - - status = parse_gpttmpl(d, &version); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - status = NT_STATUS_INVALID_PARAMETER; - - if ((pwd_min_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) { - goto out; - } - - if ((pwd_max_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) { - goto out; - } - - if ((pwd_min_len = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_MINPWDLEN, Undefined)) == Undefined) { - goto out; - } - - if ((pwd_complex = iniparser_getboolean(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_PWDCOMPLEX, Undefined)) == Undefined) { - goto out; - } - - if ((pwd_history = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_PWDHISTORY, Undefined)) == Undefined) { - goto out; - } - - if ((lockout_count = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS - ":"GPTTMPL_PARAMETER_LOCKOUTCOUNT, Undefined)) == Undefined) { - goto out; - } - - /* TODO ? - RequireLogonToChangePassword = 0 - ForceLogoffWhenHourExpire = 0 - ClearTextPassword = 0 - */ - - status = NT_STATUS_OK; - - out: - if (d) { - iniparser_freedict(d); - } - - return status; -} - -/**************************************************************** - parse the "Kerberos Policy" section from gpttmpl file -****************************************************************/ - -#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy" -#define GPTTMPL_PARAMETER_MAXTKTAGE "MaxTicketAge" -#define GPTTMPL_PARAMETER_MAXRENEWAGE "MaxRenewAge" -#define GPTTMPL_PARAMETER_MAXTGSAGE "MaxServiceAge" -#define GPTTMPL_PARAMETER_MAXCLOCKSKEW "MaxClockSkew" -#define GPTTMPL_PARAMETER_TKTVALIDATECLIENT "TicketValidateClient" - -static NTSTATUS parse_gpttmpl_kerberos_policy(const char *filename) -{ - NTSTATUS status; - dictionary *d = NULL; - uint32 tkt_max_age, tkt_max_renew, tgs_max_age, max_clock_skew; - BOOL tkt_validate; - uint32 version; - - d = iniparser_load(filename); - if (d == NULL) { - return NT_STATUS_NO_SUCH_FILE; - } - - status = parse_gpttmpl(d, &version); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - status = NT_STATUS_INVALID_PARAMETER; - - if ((tkt_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY - ":"GPTTMPL_PARAMETER_MAXTKTAGE, Undefined)) != Undefined) { - goto out; - } - - if ((tkt_max_renew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY - ":"GPTTMPL_PARAMETER_MAXRENEWAGE, Undefined)) != Undefined) { - goto out; - } - - if ((tgs_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY - ":"GPTTMPL_PARAMETER_MAXTGSAGE, Undefined)) != Undefined) { - goto out; - } - - if ((max_clock_skew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY - ":"GPTTMPL_PARAMETER_MAXCLOCKSKEW, Undefined)) != Undefined) { - goto out; - } - - if ((tkt_validate = iniparser_getboolean(d, GPTTMPL_SECTION_KERBEROS_POLICY - ":"GPTTMPL_PARAMETER_TKTVALIDATECLIENT, Undefined)) != Undefined) { - goto out; - } - - status = NT_STATUS_OK; - - out: - if (d) { - iniparser_freedict(d); - } - - return status; -} - -#endif - -/* - -perfectly parseable with iniparser: - -{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf - - -[Unicode] -Unicode=yes -[System Access] -MinimumPasswordAge = 1 -MaximumPasswordAge = 42 -MinimumPasswordLength = 7 -PasswordComplexity = 1 -PasswordHistorySize = 24 -LockoutBadCount = 0 -RequireLogonToChangePassword = 0 -ForceLogoffWhenHourExpire = 0 -ClearTextPassword = 0 -[Kerberos Policy] -MaxTicketAge = 10 -MaxRenewAge = 7 -MaxServiceAge = 600 -MaxClockSkew = 5 -TicketValidateClient = 1 -[Version] -signature="$CHICAGO$" -Revision=1 -*/ diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c index 3f104df299..54811c1123 100644 --- a/source3/libgpo/gpo_sec.c +++ b/source3/libgpo/gpo_sec.c @@ -1,18 +1,18 @@ -/* +/* * Unix SMB/CIFS implementation. * Group Policy Object Support * Copyright (C) Guenther Deschner 2007 - * + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ @@ -70,7 +70,7 @@ static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace) /**************************************************************** ****************************************************************/ -static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) +static BOOL gpo_sd_check_agp_access_bits(uint32_t access_mask) { return (access_mask & SEC_RIGHTS_EXTENDED); } @@ -79,9 +79,9 @@ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask) /**************************************************************** ****************************************************************/ -static BOOL gpo_sd_check_read_access_bits(uint32 access_mask) +static BOOL gpo_sd_check_read_access_bits(uint32_t access_mask) { - uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS | + uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS | SEC_RIGHTS_READ_ALL_PROP | SEC_RIGHTS_READ_PERMS; @@ -92,13 +92,14 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask) /**************************************************************** ****************************************************************/ -static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, - const struct nt_user_token *token) +static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, + const struct nt_user_token *token) { if (gpo_sd_check_agp_object(ace) && gpo_sd_check_agp_access_bits(ace->access_mask) && nt_token_check_sid(&ace->trustee, token)) { - DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n", + DEBUG(10,("gpo_sd_check_ace_denied_object: " + "Access denied as of ace for %s\n", sid_string_static(&ace->trustee))); return NT_STATUS_ACCESS_DENIED; } @@ -109,13 +110,14 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace, /**************************************************************** ****************************************************************/ -static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, - const struct nt_user_token *token) +static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, + const struct nt_user_token *token) { if (gpo_sd_check_agp_object(ace) && - gpo_sd_check_agp_access_bits(ace->access_mask) && + gpo_sd_check_agp_access_bits(ace->access_mask) && nt_token_check_sid(&ace->trustee, token)) { - DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n", + DEBUG(10,("gpo_sd_check_ace_allowed_object: " + "Access granted as of ace for %s\n", sid_string_static(&ace->trustee))); return NT_STATUS_OK; } @@ -126,8 +128,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace, /**************************************************************** ****************************************************************/ -static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, - const struct nt_user_token *token) +static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, + const struct nt_user_token *token) { switch (ace->type) { case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT: @@ -142,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace, /**************************************************************** ****************************************************************/ -NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, +NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo, const struct nt_user_token *token) { SEC_DESC *sd = gpo->security_descriptor; diff --git a/source3/libgpo/gpo_util.c b/source3/libgpo/gpo_util.c index 385d6bd53a..c6e1b71885 100644 --- a/source3/libgpo/gpo_util.c +++ b/source3/libgpo/gpo_util.c @@ -1,18 +1,18 @@ -/* +/* * Unix SMB/CIFS implementation. * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005-2006 - * + * Copyright (C) Guenther Deschner 2005-2007 + * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. - * + * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. - * + * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ @@ -25,88 +25,88 @@ #define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" /* should we store a parsed guid ? */ -struct gpo_table { +struct gp_table { const char *name; const char *guid_string; }; -struct snapin_table { - const char *name; - const char *guid_string; - ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *, const char *); -}; - #if 0 /* unused */ -static struct gpo_table gpo_default_policy[] = { - { DEFAULT_DOMAIN_POLICY, +static struct gp_table gpo_default_policy[] = { + { DEFAULT_DOMAIN_POLICY, "31B2F340-016D-11D2-945F-00C04FB984F9" }, - { DEFAULT_DOMAIN_CONTROLLERS_POLICY, + { DEFAULT_DOMAIN_CONTROLLERS_POLICY, "6AC1786C-016F-11D2-945F-00C04fB984F9" }, { NULL, NULL } }; #endif -/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */ +/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */ -static struct gpo_table gpo_cse_extensions[] = { - { "Administrative Templates Extension", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */ - { "Microsoft Disc Quota", +static struct gp_table gpo_cse_extensions[] = { + /* used to be "Administrative Templates Extension" */ + /* "Registry Settings" + (http://support.microsoft.com/kb/216357/EN-US/) */ + { "Registry Settings", + GP_EXT_REGISTRY }, + { "Microsoft Disc Quota", "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" }, - { "EFS recovery", + { "EFS recovery", "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Folder Redirection", + { "Folder Redirection", "25537BA6-77A8-11D2-9B6C-0000F8080861" }, - { "IP Security", + { "IP Security", "E437BC1C-AA7D-11D2-A382-00C04F991E27" }, - { "Internet Explorer Branding", + { "Internet Explorer Branding", "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" }, - { "QoS Packet Scheduler", + { "QoS Packet Scheduler", "426031c0-0b47-4852-b0ca-ac3d37bfcb39" }, - { "Scripts", - "42B5FAAE-6536-11D2-AE5A-0000F87571E3" }, - { "Security", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Software Installation", + { "Scripts", + GP_EXT_SCRIPTS }, + { "Security", + GP_EXT_SECURITY }, + { "Software Installation", "C6DC5466-785A-11D2-84D0-00C04FB169F7" }, - { "Wireless Group Policy", + { "Wireless Group Policy", "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" }, + { "Application Management", + "C6DC5466-785A-11D2-84D0-00C04FB169F7" }, + { "unknown", + "3060E8D0-7020-11D2-842D-00C04FA372D4" }, { NULL, NULL } }; /* guess work */ -static struct snapin_table gpo_cse_snapin_extensions[] = { - { "Administrative Templates", - "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none }, - { "Certificates", - "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { "EFS recovery policy processing", - "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none }, - { "Folder Redirection policy processing", - "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none }, - { "Folder Redirection", - "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none }, - { "Registry policy processing", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none }, - { "Remote Installation Services", - "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "Security Settings", - "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings }, - { "Security policy processing", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings }, - { "unknown", - "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "unknown2", - "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { NULL, NULL, NULL } +static struct gp_table gpo_cse_snapin_extensions[] = { + { "Administrative Templates", + "0F6B957D-509E-11D1-A7CC-0000F87571E3" }, + { "Certificates", + "53D6AB1D-2488-11D1-A28C-00C04FB94F17" }, + { "EFS recovery policy processing", + "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, + { "Folder Redirection policy processing", + "25537BA6-77A8-11D2-9B6C-0000F8080861" }, + { "Folder Redirection", + "88E729D6-BDC1-11D1-BD2A-00C04FB9603F" }, + { "Registry policy processing", + "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, + { "Remote Installation Services", + "3060E8CE-7020-11D2-842D-00C04FA372D4" }, + { "Security Settings", + "803E14A0-B4FB-11D0-A0D0-00A0C90F574B" }, + { "Security policy processing", + "827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, + { "unknown", + "3060E8D0-7020-11D2-842D-00C04FA372D4" }, + { "unknown2", + "53D6AB1B-2488-11D1-A28C-00C04FB94F17" }, + { NULL, NULL } }; /**************************************************************** ****************************************************************/ -static const char *name_to_guid_string(const char *name, struct gpo_table *table) +static const char *name_to_guid_string(const char *name, + struct gp_table *table) { int i; @@ -115,14 +115,15 @@ static const char *name_to_guid_string(const char *name, struct gpo_table *table return table[i].guid_string; } } - + return NULL; } /**************************************************************** ****************************************************************/ -static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table) +static const char *guid_string_to_name(const char *guid_string, + struct gp_table *table) { int i; @@ -131,15 +132,15 @@ static const char *guid_string_to_name(const char *guid_string, struct gpo_table return table[i].name; } } - + return NULL; } /**************************************************************** ****************************************************************/ -static const char *snapin_guid_string_to_name(const char *guid_string, - struct snapin_table *table) +static const char *snapin_guid_string_to_name(const char *guid_string, + struct gp_table *table) { int i; for (i = 0; table[i].guid_string; i++) { @@ -203,18 +204,25 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel) for (i=0; i< gp_ext->num_exts; i++) { - DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i])); - DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i])); - - DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i])); - DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i])); + DEBUGADD(lvl,("\textension:\t\t\t%s\n", + gp_ext->extensions_guid[i])); + DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", + gp_ext->extensions[i])); + + DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", + gp_ext->snapins_guid[i])); + DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", + gp_ext->snapins[i])); } } /**************************************************************** ****************************************************************/ -void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel) +void dump_gpo(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + struct GROUP_POLICY_OBJECT *gpo, + int debuglevel) { int lvl = debuglevel; @@ -227,10 +235,12 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT * DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name)); DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name)); DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version)); - DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version), - GPO_VERSION_USER(gpo->version))); - DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version), - GPO_VERSION_MACHINE(gpo->version))); + DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", + GPO_VERSION_USER(gpo->version), + GPO_VERSION_USER(gpo->version))); + DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", + GPO_VERSION_MACHINE(gpo->version), + GPO_VERSION_MACHINE(gpo->version))); DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path)); DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path)); @@ -280,24 +290,22 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT * if (gpo->machine_extensions) { struct GP_EXT *gp_ext = NULL; - ADS_STATUS status; - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { + if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, + &gp_ext)) { return; } dump_gp_ext(gp_ext, lvl); } - + DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions)); if (gpo->user_extensions) { - + struct GP_EXT *gp_ext = NULL; - ADS_STATUS status; - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { + + if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions, + &gp_ext)) { return; } dump_gp_ext(gp_ext, lvl); @@ -311,9 +319,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT * /**************************************************************** ****************************************************************/ -void dump_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo_list, +void dump_gpo_list(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + struct GROUP_POLICY_OBJECT *gpo_list, int debuglevel) { struct GROUP_POLICY_OBJECT *gpo = NULL; @@ -354,9 +362,9 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); for (i = 0; i < gp_link->num_links; i++) { - + DEBUGADD(lvl,("---------------------\n\n")); - + DEBUGADD(lvl,("link: #%d\n", i + 1)); DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); @@ -373,9 +381,13 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) struct GROUP_POLICY_OBJECT gpo; - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); + status = ads_get_gpo(ads, mem_ctx, + gp_link->link_names[i], + NULL, NULL, &gpo); if (!ADS_ERR_OK(status)) { - DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); + DEBUG(lvl,("get gpo for %s failed: %s\n", + gp_link->link_names[i], + ads_errstr(status))); return; } dump_gpo(ads, mem_ctx, &gpo, lvl); @@ -386,27 +398,21 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) /**************************************************************** ****************************************************************/ -ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid, - const char *snapin_guid) +NTSTATUS process_extension(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + uint32_t flags, + const struct nt_user_token *token, + struct GROUP_POLICY_OBJECT *gpo, + const char *extension_guid, + const char *snapin_guid) { - int i; - - for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) { - - if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) { - - return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, gpo, - extension_guid, snapin_guid); - } - } - - DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n", - extension_guid, snapin_guid)); + DEBUG(0,("process_extension: no extension available for:\n")); + DEBUGADD(0,("%s (%s) (snapin: %s)\n", + extension_guid, + cse_gpo_guid_string_to_name(extension_guid), + snapin_guid)); - return ADS_SUCCESS; + return NT_STATUS_OK; } /**************************************************************** @@ -414,37 +420,42 @@ ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const struct nt_user_token *token, struct GROUP_POLICY_OBJECT *gpo, const char *extension_guid_filter, - uint32 flags) + uint32_t flags) { - ADS_STATUS status; struct GP_EXT *gp_ext = NULL; int i; - + + DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n", + gpo->name, gpo->display_name)); + if (extension_guid_filter) { + DEBUGADD(10,("gpo_process_a_gpo: using filter %s\n", + extension_guid_filter)); + } + if (flags & GPO_LIST_FLAG_MACHINE) { if (gpo->machine_extensions) { - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - - if (!ADS_ERR_OK(status)) { - return status; + if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, + &gp_ext)) { + return ADS_ERROR(LDAP_PARAM_ERROR); } } else { /* nothing to apply */ return ADS_SUCCESS; } - + } else { if (gpo->user_extensions) { - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { - return status; + if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions, + &gp_ext)) { + return ADS_ERROR(LDAP_PARAM_ERROR); } } else { /* nothing to apply */ @@ -454,15 +465,20 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, for (i=0; i<gp_ext->num_exts; i++) { - if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) { + NTSTATUS ntstatus; + + if (extension_guid_filter && + !strequal(extension_guid_filter, + gp_ext->extensions_guid[i])) { continue; } - status = process_extension_with_snapin(ads, mem_ctx, gpo, - gp_ext->extensions_guid[i], - gp_ext->snapins_guid[i]); - if (!ADS_ERR_OK(status)) { - return status; + ntstatus = process_extension(ads, mem_ctx, + flags, token, gpo, + gp_ext->extensions_guid[i], + gp_ext->snapins_guid[i]); + if (!NT_STATUS_IS_OK(ntstatus)) { + ADS_ERROR_NT(ntstatus); } } @@ -474,19 +490,27 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const struct nt_user_token *token, struct GROUP_POLICY_OBJECT *gpo_list, const char *extensions_guid, - uint32 flags) + uint32_t flags) { ADS_STATUS status; struct GROUP_POLICY_OBJECT *gpo; + /* FIXME: ok, this is wrong, windows does process the extensions and + * hands the list of gpos to each extension and not process each gpo + * with all extensions (this is how the extension can store the list + * gplist in the registry) */ + for (gpo = gpo_list; gpo; gpo = gpo->next) { - - status = gpo_process_a_gpo(ads, mem_ctx, gpo, + + status = gpo_process_a_gpo(ads, mem_ctx, token, gpo, extensions_guid, flags); - + if (!ADS_ERR_OK(status)) { + DEBUG(0,("failed to process gpo: %s\n", + ads_errstr(status))); return status; } @@ -495,80 +519,14 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, return ADS_SUCCESS; } -ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_none\n")); - - return ADS_SUCCESS; -} - -ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_security_settings\n")); - - return ADS_SUCCESS; -} - -ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_12 *lockout_policy) -{ - return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); -} - -/**************************************************************** -****************************************************************/ - -ADS_STATUS gpo_password_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_1 *password_policy) -{ - ADS_STATUS status; - struct GROUP_POLICY_OBJECT *gpo_list; - const char *dn = NULL; - uint32 uac = 0; - - status = ads_find_samaccount(ads, mem_ctx, hostname, &uac, &dn); - if (!ADS_ERR_OK(status)) { - return status; - } - - if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) { - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list); - if (!ADS_ERR_OK(status)) { - return status; - } - - status = gpo_process_gpo_list(ads, mem_ctx, gpo_list, - cse_gpo_name_to_guid_string("Security"), - GPO_LIST_FLAG_MACHINE); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ADS_SUCCESS; -} - /**************************************************************** check wether the version number in a GROUP_POLICY_OBJECT match those of the locally stored version. If not, fetch the required policy via CIFS ****************************************************************/ -NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, +NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + uint32_t flags, struct GROUP_POLICY_OBJECT *gpo, struct cli_state **cli_out) { @@ -577,43 +535,54 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, char *share = NULL; char *nt_path = NULL; char *unix_path = NULL; - uint32 sysvol_gpt_version = 0; + uint32_t sysvol_gpt_version = 0; char *display_name = NULL; struct cli_state *cli = NULL; - result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, + result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, &server, &share, &nt_path, &unix_path); if (!NT_STATUS_IS_OK(result)) { goto out; } - result = gpo_get_sysvol_gpt_version(mem_ctx, + result = gpo_get_sysvol_gpt_version(mem_ctx, unix_path, &sysvol_gpt_version, &display_name); - if (!NT_STATUS_IS_OK(result) && + if (!NT_STATUS_IS_OK(result) && !NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) { - DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n", + DEBUG(10,("check_refresh_gpo: " + "failed to get local gpt version: %s\n", nt_errstr(result))); goto out; } + DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n", + gpo->version, sysvol_gpt_version)); + + /* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */ + while (gpo->version > sysvol_gpt_version) { DEBUG(1,("check_refresh_gpo: need to refresh GPO\n")); if (*cli_out == NULL) { - result = cli_full_connection(&cli, global_myname(), - server, /* ads->config.ldap_server_name, */ - NULL, 0, - share, "A:", - ads->auth.user_name, NULL, ads->auth.password, - CLI_FULL_CONNECTION_USE_KERBEROS, - Undefined, NULL); + result = cli_full_connection(&cli, + global_myname(), + ads->config.ldap_server_name, + /* server */ + NULL, 0, + share, "A:", + ads->auth.user_name, NULL, + ads->auth.password, + CLI_FULL_CONNECTION_USE_KERBEROS, + Undefined, NULL); if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result))); + DEBUG(10,("check_refresh_gpo: " + "failed to connect: %s\n", + nt_errstr(result))); goto out; } @@ -625,27 +594,28 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, goto out; } - result = gpo_get_sysvol_gpt_version(mem_ctx, - unix_path, + result = gpo_get_sysvol_gpt_version(mem_ctx, + unix_path, &sysvol_gpt_version, - &display_name); + &display_name); if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n", + DEBUG(10,("check_refresh_gpo: " + "failed to get local gpt version: %s\n", nt_errstr(result))); goto out; } - + if (gpo->version == sysvol_gpt_version) { break; } - } - - DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name)); - DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n", - sysvol_gpt_version, - GPO_VERSION_USER(sysvol_gpt_version), - GPO_VERSION_MACHINE(sysvol_gpt_version))); - DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n", + } + + DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name)); + DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n", + sysvol_gpt_version, + GPO_VERSION_USER(sysvol_gpt_version), + GPO_VERSION_MACHINE(sysvol_gpt_version))); + DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n", gpo->version, GPO_VERSION_USER(gpo->version), GPO_VERSION_MACHINE(gpo->version))); @@ -662,8 +632,9 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, not, go and get each required GPO via CIFS ****************************************************************/ -NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, +NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + uint32_t flags, struct GROUP_POLICY_OBJECT *gpo_list) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; @@ -676,7 +647,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, for (gpo = gpo_list; gpo; gpo = gpo->next) { - result = check_refresh_gpo(ads, mem_ctx, gpo, &cli); + result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli); if (!NT_STATUS_IS_OK(result)) { goto out; } @@ -691,5 +662,4 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, return result; } - #endif /* HAVE_LDAP */ |