summaryrefslogtreecommitdiff
path: root/source3/utils
diff options
context:
space:
mode:
authorGünther Deschner <gd@samba.org>2008-03-18 21:30:34 +0100
committerGünther Deschner <gd@samba.org>2008-03-18 21:31:24 +0100
commite8bd75ec73a804375753be9eb15d7fc5d9bc18c7 (patch)
treef6053a6c279ae75eec4ec73862c8fae223e7e3d3 /source3/utils
parentf152fe2103750301b7f8b2cda06baeed19c800f7 (diff)
downloadsamba-e8bd75ec73a804375753be9eb15d7fc5d9bc18c7.tar.gz
samba-e8bd75ec73a804375753be9eb15d7fc5d9bc18c7.tar.bz2
samba-e8bd75ec73a804375753be9eb15d7fc5d9bc18c7.zip
Bind Group Policy processing closer to the samba registry.
Guenther (This used to be commit e9c56250eb7a2dc4e69962c5b48875834941ccfc)
Diffstat (limited to 'source3/utils')
-rw-r--r--source3/utils/net_ads_gpo.c194
1 files changed, 157 insertions, 37 deletions
diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c
index 5f53982da9..d71fa908e9 100644
--- a/source3/utils/net_ads_gpo.c
+++ b/source3/utils/net_ads_gpo.c
@@ -1,20 +1,20 @@
-/*
- Samba Unix/Linux SMB client library
+/*
+ Samba Unix/Linux SMB client library
net ads commands for Group Policy
- Copyright (C) 2005 Guenther Deschner (gd@samba.org)
+ Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
-
+
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
-
+
You should have received a copy of the GNU General Public License
- along with this program. If not, see <http://www.gnu.org/licenses/>.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
@@ -48,6 +48,7 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
ADS_STATUS status;
const char *dn = NULL;
struct GROUP_POLICY_OBJECT *gpo_list = NULL;
+ struct GROUP_POLICY_OBJECT *read_list = NULL;
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
@@ -66,6 +67,7 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
status = ads_startup(False, &ads);
if (!ADS_ERR_OK(status)) {
+ printf("failed to connect AD server: %s\n", ads_errstr(status));
goto out;
}
@@ -79,27 +81,61 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
flags |= GPO_LIST_FLAG_MACHINE;
}
- printf("\n%s: '%s' has dn: '%s'\n\n",
- (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
+ printf("\n%s: '%s' has dn: '%s'\n\n",
+ (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ printf("* fetching token ");
+ if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
+ status = gp_get_machine_token(ads, mem_ctx, dn, &token);
+ } else {
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ }
+
if (!ADS_ERR_OK(status)) {
+ printf("failed: %s\n", ads_errstr(status));
goto out;
}
+ printf("finished\n");
+ printf("* fetching GPO List ");
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
+ printf("failed: %s\n", ads_errstr(status));
goto out;
}
+ printf("finished\n");
- if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
- printf("failed to refresh GPOs: %s\n", nt_errstr(result));
+ printf("* refreshing Group Policy Data ");
+ if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
+ flags,
+ gpo_list))) {
+ printf("failed: %s\n", nt_errstr(result));
goto out;
}
+ printf("finished\n");
+
+ printf("* storing GPO list to registry ");
- for (gpo = gpo_list; gpo; gpo = gpo->next) {
+ {
+ WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
+ token, gpo_list);
+ if (!W_ERROR_IS_OK(werr)) {
+ printf("failed: %s\n", dos_errstr(werr));
+ goto out;
+ }
+ }
+ printf("finished\n");
+
+ if (opt_verbose) {
+
+ printf("* dumping GPO list\n");
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+
+ dump_gpo(ads, mem_ctx, gpo, 0);
+#if 0
char *server, *share, *nt_path, *unix_path;
printf("--------------------------------------\n");
@@ -110,7 +146,8 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
GPO_VERSION_MACHINE(gpo->version));
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
- &server, &share, &nt_path, &unix_path);
+ &server, &share, &nt_path,
+ &unix_path);
if (!NT_STATUS_IS_OK(result)) {
printf("got: %s\n", nt_errstr(result));
}
@@ -118,6 +155,54 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
printf("GPO stored on server: %s, share: %s\n", server, share);
printf("\tremote path:\t%s\n", nt_path);
printf("\tlocal path:\t%s\n", unix_path);
+#endif
+ }
+ }
+
+ printf("* re-reading GPO list from registry ");
+
+ {
+ WERROR werr = gp_reg_state_read(mem_ctx, flags,
+ &token->user_sids[0],
+ &read_list);
+ if (!W_ERROR_IS_OK(werr)) {
+ printf("failed: %s\n", dos_errstr(werr));
+ goto out;
+ }
+ }
+
+ printf("finished\n");
+
+ if (opt_verbose) {
+
+ printf("* dumping GPO list from registry\n");
+
+ for (gpo = read_list; gpo; gpo = gpo->next) {
+
+ dump_gpo(ads, mem_ctx, gpo, 0);
+
+#if 0
+ char *server, *share, *nt_path, *unix_path;
+
+ printf("--------------------------------------\n");
+ printf("Name:\t\t\t%s\n", gpo->display_name);
+ printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
+ gpo->version,
+ GPO_VERSION_USER(gpo->version),
+ GPO_VERSION_MACHINE(gpo->version));
+
+ result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ &server, &share, &nt_path,
+ &unix_path);
+ if (!NT_STATUS_IS_OK(result)) {
+ printf("got: %s\n", nt_errstr(result));
+ }
+
+ printf("GPO stored on server: %s, share: %s\n", server, share);
+ printf("\tremote path:\t%s\n", nt_path);
+ printf("\tlocal path:\t%s\n", unix_path);
+#endif
+ }
}
out:
@@ -168,14 +253,16 @@ static int net_ads_gpo_list_all(int argc, const char **argv)
if (!ADS_ERR_OK(status)) {
d_printf("search failed: %s\n", ads_errstr(status));
goto out;
- }
+ }
num_reply = ads_count_replies(ads, res);
-
+
d_printf("Got %d replies\n\n", num_reply);
/* dump the results */
- for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
+ for (msg = ads_first_entry(ads, res);
+ msg;
+ msg = ads_next_entry(ads, msg)) {
if ((dn = ads_get_dn(ads, msg)) == NULL) {
goto out;
@@ -184,10 +271,11 @@ static int net_ads_gpo_list_all(int argc, const char **argv)
status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
if (!ADS_ERR_OK(status)) {
- d_printf("ads_parse_gpo failed: %s\n", ads_errstr(status));
+ d_printf("ads_parse_gpo failed: %s\n",
+ ads_errstr(status));
ads_memfree(ads, dn);
goto out;
- }
+ }
dump_gpo(ads, mem_ctx, &gpo, 0);
ads_memfree(ads, dn);
@@ -198,7 +286,7 @@ out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
-
+
return 0;
}
@@ -238,11 +326,16 @@ static int net_ads_gpo_list(int argc, const char **argv)
flags |= GPO_LIST_FLAG_MACHINE;
}
- printf("%s: '%s' has dn: '%s'\n",
- (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
+ printf("%s: '%s' has dn: '%s'\n",
+ (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
+ status = gp_get_machine_token(ads, mem_ctx, dn, &token);
+ } else {
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ }
+
if (!ADS_ERR_OK(status)) {
goto out;
}
@@ -259,11 +352,11 @@ out:
talloc_destroy(mem_ctx);
ads_destroy(&ads);
-
+
return 0;
}
-#if 0 /* not yet */
+#if 0
static int net_ads_gpo_apply(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx;
@@ -273,7 +366,9 @@ static int net_ads_gpo_apply(int argc, const char **argv)
struct GROUP_POLICY_OBJECT *gpo_list;
uint32 uac = 0;
uint32 flags = 0;
-
+ struct nt_user_token *token = NULL;
+ const char *filter = NULL;
+
if (argc < 1) {
printf("usage: net ads gpo apply <username|machinename>\n");
return -1;
@@ -284,13 +379,20 @@ static int net_ads_gpo_apply(int argc, const char **argv)
goto out;
}
+ if (argc >= 2) {
+ filter = cse_gpo_name_to_guid_string(argv[1]);
+ }
+
status = ads_startup(False, &ads);
if (!ADS_ERR_OK(status)) {
+ printf("got: %s\n", ads_errstr(status));
goto out;
}
status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
+ printf("failed to find samaccount for %s: %s\n",
+ argv[0], ads_errstr(status));
goto out;
}
@@ -298,18 +400,34 @@ static int net_ads_gpo_apply(int argc, const char **argv)
flags |= GPO_LIST_FLAG_MACHINE;
}
- printf("%s: '%s' has dn: '%s'\n",
- (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
+ if (opt_verbose) {
+ flags |= GPO_INFO_FLAG_VERBOSE;
+ }
+
+ printf("%s: '%s' has dn: '%s'\n",
+ (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
+ if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
+ status = gp_get_machine_token(ads, mem_ctx, dn, &token);
+ } else {
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ }
+
if (!ADS_ERR_OK(status)) {
goto out;
}
- /* FIXME: allow to process just a single extension */
- status = gpo_process_gpo_list(ads, mem_ctx, gpo_list, NULL, flags);
+ status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
+ filter, flags);
if (!ADS_ERR_OK(status)) {
+ d_printf("failed to process gpo list: %s\n",
+ ads_errstr(status));
goto out;
}
@@ -318,7 +436,6 @@ out:
talloc_destroy(mem_ctx);
return 0;
}
-
#endif
static int net_ads_gpo_link_get(int argc, const char **argv)
@@ -345,9 +462,10 @@ static int net_ads_gpo_link_get(int argc, const char **argv)
status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
if (!ADS_ERR_OK(status)) {
- d_printf("get link for %s failed: %s\n", argv[0], ads_errstr(status));
+ d_printf("get link for %s failed: %s\n", argv[0],
+ ads_errstr(status));
goto out;
- }
+ }
dump_gplink(ads, mem_ctx, &gp_link);
@@ -367,7 +485,8 @@ static int net_ads_gpo_link_add(int argc, const char **argv)
if (argc < 2) {
printf("usage: net ads gpo linkadd <linkdn> <gpodn> [options]\n");
- printf("note: DNs must be provided properly escaped.\n See RFC 4514 for details\n");
+ printf("note: DNs must be provided properly escaped.\n");
+ printf("See RFC 4514 for details\n");
return -1;
}
@@ -424,7 +543,7 @@ static int net_ads_gpo_link_delete(int argc, const char **argv)
if (!ADS_ERR_OK(status)) {
d_printf("delete link failed: %s\n", ads_errstr(status));
goto out;
- }
+ }
out:
talloc_destroy(mem_ctx);
@@ -464,9 +583,10 @@ static int net_ads_gpo_get_gpo(int argc, const char **argv)
}
if (!ADS_ERR_OK(status)) {
- d_printf("get gpo for [%s] failed: %s\n", argv[0], ads_errstr(status));
+ d_printf("get gpo for [%s] failed: %s\n", argv[0],
+ ads_errstr(status));
goto out;
- }
+ }
dump_gpo(ads, mem_ctx, &gpo, 1);