diff options
author | Wilco Baan Hofman <wilco@baanhofman.nl> | 2010-04-06 20:15:38 +0200 |
---|---|---|
committer | Jelmer Vernooij <jelmer@samba.org> | 2010-06-20 17:19:10 +0200 |
commit | 8d5f8f577f2e906cd80a6a11b76114922182cb99 (patch) | |
tree | 1d2ba442dadf7c2ddfb4564f8b099d04d0db1323 /source4 | |
parent | cfee179d03e9c3b8d02a51995bd1c205daabb6c3 (diff) | |
download | samba-8d5f8f577f2e906cd80a6a11b76114922182cb99.tar.gz samba-8d5f8f577f2e906cd80a6a11b76114922182cb99.tar.bz2 samba-8d5f8f577f2e906cd80a6a11b76114922182cb99.zip |
Created net gpo and new libgpo for samba 4. This adds the init function which finds a DC and connects to its LDAP. It also can return information on all group policy objects on a DC.
Aborted earlier attempt at reconciliation with samba 3.
Did not work out due to lack of ldb support in samba 3, also the
different registry libraries and different libnet did not help..
Signed-off-by: Jelmer Vernooij <jelmer@samba.org>
Diffstat (limited to 'source4')
-rw-r--r-- | source4/Makefile.in | 2 | ||||
-rw-r--r-- | source4/libgpo/ads_convenience.c | 284 | ||||
-rw-r--r-- | source4/libgpo/ads_convenience.h | 103 | ||||
-rw-r--r-- | source4/libgpo/config.mk | 4 | ||||
-rw-r--r-- | source4/libgpo/gpo.h | 56 | ||||
-rw-r--r-- | source4/libgpo/gpo_filesync.c | 241 | ||||
-rw-r--r-- | source4/libgpo/gpo_ldap.c | 150 | ||||
-rw-r--r-- | source4/libgpo/gpo_s4.h | 40 | ||||
-rw-r--r-- | source4/main.mk | 2 | ||||
-rw-r--r-- | source4/utils/net/config.mk | 4 | ||||
-rw-r--r-- | source4/utils/net/net.c | 1 | ||||
-rw-r--r-- | source4/utils/net/net_gpo.c | 85 |
12 files changed, 301 insertions, 671 deletions
diff --git a/source4/Makefile.in b/source4/Makefile.in index 40ea2868dd..b40d367602 100644 --- a/source4/Makefile.in +++ b/source4/Makefile.in @@ -46,7 +46,7 @@ ALL_PREDEP = basics .NOTPARALLEL: endif -base_srcdirs = $(srcdir) ../librpc/ ../lib/ ../libcli ../libgpo ../nsswitch ../libds +base_srcdirs = $(srcdir) ../librpc/ ../lib/ ../libcli ../nsswitch ../libds include $(srcdir)/build/make/rules.mk include $(srcdir)/build/make/python.mk diff --git a/source4/libgpo/ads_convenience.c b/source4/libgpo/ads_convenience.c deleted file mode 100644 index 09ceecc752..0000000000 --- a/source4/libgpo/ads_convenience.c +++ /dev/null @@ -1,284 +0,0 @@ -/* - Samba CIFS implementation - ADS convenience functions for GPO - - Copyright (C) 2001 Andrew Tridgell (from samba3 ads.c) - Copyright (C) 2001 Remus Koos (from samba3 ads.c) - Copyright (C) 2001 Andrew Bartlett (from samba3 ads.c) - Copyright (C) 2008 Jelmer Vernooij, jelmer@samba.org - Copyright (C) 2008 Wilco Baan Hofman, wilco@baanhofman.nl - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#include "includes.h" -#include "libnet/libnet.h" -#include "librpc/gen_ndr/ndr_security.h" -#include "libgpo/ads_convenience.h" -#include "param/param.h" -#include "libcli/libcli.h" -#include "ldb_wrap.h" - -static ADS_STATUS ads_connect(ADS_STRUCT *ads); - -WERROR ads_startup (struct libnet_context *netctx, ADS_STRUCT **ads) -{ - *ads = talloc(netctx, ADS_STRUCT); - (*ads)->netctx = netctx; - - ads_connect(*ads); - - return WERR_OK; -} - -static ADS_STATUS ads_connect(ADS_STRUCT *ads) -{ - struct libnet_LookupDCs *io; - char *url; - - io = talloc_zero(ads, struct libnet_LookupDCs); - - /* We are looking for the PDC of the active domain. */ - io->in.name_type = NBT_NAME_PDC; - io->in.domain_name = lp_workgroup(ads->netctx->lp_ctx); - libnet_LookupDCs(ads->netctx, ads, io); - - url = talloc_asprintf(ads, "ldap://%s", io->out.dcs[0].name); - ads->ldbctx = ldb_wrap_connect(ads, ads->netctx->event_ctx, ads->netctx->lp_ctx, - url, NULL, ads->netctx->cred, 0); - if (ads->ldbctx == NULL) { - return ADS_ERROR_NT(NT_STATUS_UNSUCCESSFUL); - } - - return ADS_ERROR_NT(NT_STATUS_OK); -} - -ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res, - const char *dn, const char **attrs) -{ - ADS_STATUS status; - - status.err.rc = ldb_search(ads->ldbctx, ads, res, - ldb_dn_new(ads, ads->ldbctx, dn), - LDB_SCOPE_BASE, - attrs, - "(objectclass=*)"); - - status.error_type = ENUM_ADS_ERROR_LDAP; - return status; -} - -const char * ads_get_dn(ADS_STRUCT *ads, LDAPMessage *res) -{ - return ldb_dn_get_linearized(res->msgs[0]->dn); -} - -bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *ctx, LDAPMessage *res, const char *field, struct security_descriptor **sd) -{ - const struct ldb_val *val; - enum ndr_err_code ndr_err; - - val = ldb_msg_find_ldb_val(res->msgs[0], field); - - *sd = talloc(ctx, struct security_descriptor); - if (*sd == NULL) { - return -1; - } - /* We can't use ndr_pull_struct_blob_all because this contains relative pointers */ - ndr_err = ndr_pull_struct_blob(val, *sd, NULL, *sd, - (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - talloc_free(*sd); - return -1; - } - return 0; -} - -ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res, uint32_t sd_flags, - const char *dn, const char **attrs) -{ - return ads_do_search_all_sd_flags(ads, dn, LDB_SCOPE_BASE, "(objectclass=*)", attrs, sd_flags, res); -} - -ADS_STATUS ads_do_search_all_sd_flags (ADS_STRUCT *ads, const char *dn, int scope, - const char *filter, const char **attrs, - uint32_t sd_flags, LDAPMessage **res) -{ - int rv; - struct ldb_request *req; - struct ldb_control **controls; - struct ldb_parse_tree *tree; - struct ldb_dn *ldb_dn; - - controls = talloc_zero_array(ads, struct ldb_control *, 2); - controls[0] = talloc(ads, struct ldb_control); - controls[0]->oid = LDB_CONTROL_SD_FLAGS_OID; - controls[0]->data = &sd_flags; - controls[0]->critical = 1; - - tree = ldb_parse_tree(ads, filter); - - ldb_dn = ldb_dn_new(ads, ads->ldbctx, dn); - - rv = ldb_build_search_req_ex(&req, ads->ldbctx, (TALLOC_CTX *)res, ldb_dn, scope, tree, attrs, controls, - res, ldb_search_default_callback, NULL); - if (rv != LDB_SUCCESS) { - talloc_free(*res); - talloc_free(req); - talloc_free(tree); - return ADS_ERROR(rv); - } - rv = ldb_request(ads->ldbctx, req); - if (rv == LDB_SUCCESS) { - rv = ldb_wait(req->handle, LDB_WAIT_ALL); - } - - talloc_free(req); - talloc_free(tree); - return ADS_ERROR(rv); - -} - -const char * ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *ctx, LDAPMessage *res, const char *field) -{ - return ldb_msg_find_attr_as_string(res->msgs[0], field, NULL); -} - -bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *res, const char *field, uint32_t *ret) -{ - if (ldb_msg_find_element(res->msgs[0], field) == NULL) { - return false; - } - *ret = ldb_msg_find_attr_as_uint(res->msgs[0], field, 0); - return true; -} - - -int ads_count_replies(ADS_STRUCT *ads, LDAPMessage *res) -{ - return res->count; -} - -ADS_STATUS ads_msgfree(ADS_STRUCT *ads, LDAPMessage *res) -{ - talloc_free(res); - return ADS_ERROR_NT(NT_STATUS_OK); -} - -/* - do a rough conversion between ads error codes and NT status codes - we'll need to fill this in more -*/ -NTSTATUS ads_ntstatus(ADS_STATUS status) -{ - switch (status.error_type) { - case ENUM_ADS_ERROR_NT: - return status.err.nt_status; - case ENUM_ADS_ERROR_SYSTEM: - return map_nt_error_from_unix(status.err.rc); - case ENUM_ADS_ERROR_LDAP: - if (status.err.rc == LDB_SUCCESS) { - return NT_STATUS_OK; - } - return NT_STATUS_UNSUCCESSFUL; - default: - break; - } - - if (ADS_ERR_OK(status)) { - return NT_STATUS_OK; - } - return NT_STATUS_UNSUCCESSFUL; -} - -/* - return a string for an error from an ads routine -*/ -const char *ads_errstr(ADS_STATUS status) -{ - switch (status.error_type) { - case ENUM_ADS_ERROR_SYSTEM: - return strerror(status.err.rc); - case ENUM_ADS_ERROR_LDAP: - return ldb_strerror(status.err.rc); - case ENUM_ADS_ERROR_NT: - return get_friendly_nt_error_msg(ads_ntstatus(status)); - default: - return "Unknown ADS error type!? (not compiled in?)"; - } -} - -ADS_STATUS ads_build_ldap_error(int ldb_error) -{ - ADS_STATUS ret; - ret.err.rc = ldb_error; - ret.error_type = ENUM_ADS_ERROR_LDAP; - return ret; -} - -ADS_STATUS ads_build_nt_error(NTSTATUS nt_status) -{ - ADS_STATUS ret; - ret.err.nt_status = nt_status; - ret.error_type = ENUM_ADS_ERROR_NT; - return ret; -} - - -bool nt_token_check_sid( const struct dom_sid *sid, const NT_USER_TOKEN *token) -{ - int i; - - if (!sid || !token) { - return false; - } - - if (dom_sid_equal(sid, token->user_sid)) { - return true; - } - if (dom_sid_equal(sid, token->group_sid)) { - return true; - } - for (i = 0; i < token->num_sids; i++) { - if (dom_sid_equal(sid, token->sids[i])) { - return true; - } - } - - return false; -} -const char *ads_get_ldap_server_name(ADS_STRUCT *ads) { - return ads->ldap_server_name; -} - - -/* - FIXME - Stub write functions, these do not do anything, though they should. -- Wilco -*/ - -ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx) -{ - return NULL; -} - -ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, const char *name, const char *val) -{ - return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); -} - -ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods) -{ - return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); -} diff --git a/source4/libgpo/ads_convenience.h b/source4/libgpo/ads_convenience.h deleted file mode 100644 index ce2b9b6a06..0000000000 --- a/source4/libgpo/ads_convenience.h +++ /dev/null @@ -1,103 +0,0 @@ -/* - Samba CIFS implementation - ADS convenience functions for GPO - - Copyright (C) 2008 Jelmer Vernooij, jelmer@samba.org - Copyright (C) 2008 Wilco Baan Hofman, wilco@baanhofman.nl - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#ifndef __ADS_CONVENIENCE_H__ -#define __ADS_CONVENIENCE_H__ - -#include "librpc/gen_ndr/security.h" - -#define ADS_ERR_OK(status) ((status.error_type == ENUM_ADS_ERROR_NT) ? NT_STATUS_IS_OK(status.err.nt_status):(status.err.rc == 0)) -#define ADS_ERROR(rc) ads_build_ldap_error(rc) -#define ADS_ERROR_NT(rc) ads_build_nt_error(rc) -#define ADS_SUCCESS ADS_ERROR(0) - -#define ADS_ERROR_HAVE_NO_MEMORY(x) do { \ - if (!(x)) {\ - return ADS_ERROR_NT(NT_STATUS_NO_MEMORY);\ - }\ -} while (0) - -#define LDAP_SCOPE_BASE LDB_SCOPE_BASE -#define LDAP_SCOPE_SUBTREE LDB_SCOPE_SUBTREE -#define LDAP_SCOPE_ONELEVEL LDB_SCOPE_ONELEVEL - - - - -typedef struct { - struct libnet_context *netctx; - struct ldb_context *ldbctx; - char *ldap_server_name; - - /* State information for the smb connection */ - struct cli_credentials *credentials; - struct smbcli_state *cli; -} ADS_STRUCT; - - -typedef struct security_token NT_USER_TOKEN; - -typedef struct ldb_result LDAPMessage; -typedef void ** ADS_MODLIST; - -/* there are 3 possible types of errors the ads subsystem can produce */ -enum ads_error_type { ENUM_ADS_ERROR_LDAP, ENUM_ADS_ERROR_SYSTEM, ENUM_ADS_ERROR_NT}; - -typedef struct { - enum ads_error_type error_type; - union err_state{ - int rc; - NTSTATUS nt_status; - } err; - int minor_status; -} ADS_STATUS; - - -/* Prototypes from ads_convenience.c */ -ADS_STATUS ads_build_nt_error(NTSTATUS); -ADS_STATUS ads_build_ldap_error(int); - -ADS_STATUS ads_startup (struct libnet_context *netctx, ADS_STRUCT **ads); -const char *ads_errstr(ADS_STATUS status); -const char * ads_get_dn(ADS_STRUCT *ads, LDAPMessage *res); -bool ads_pull_sd(ADS_STRUCT *ads, TALLOC_CTX *ctx, LDAPMessage *res, const char *field, struct security_descriptor **sd); -const char * ads_pull_string(ADS_STRUCT *ads, TALLOC_CTX *ctx, LDAPMessage *res, const char *field); -bool ads_pull_uint32(ADS_STRUCT *ads, LDAPMessage *res, const char *field, uint32_t *ret); -int ads_count_replies(ADS_STRUCT *ads, LDAPMessage *res); -ADS_STATUS ads_do_search_all_sd_flags (ADS_STRUCT *ads, const char *dn, int scope, - const char *filter, const char **attrs, - uint32_t sd_flags, LDAPMessage **res); -ADS_STATUS ads_search_dn(ADS_STRUCT *ads, LDAPMessage **res, - const char *dn, const char **attrs); -ADS_STATUS ads_search_retry_dn_sd_flags(ADS_STRUCT *ads, LDAPMessage **res, uint32_t sd_flags, - const char *dn, const char **attrs); -ADS_STATUS ads_msgfree(ADS_STRUCT *ads, LDAPMessage *res); -NTSTATUS ads_ntstatus(ADS_STATUS status); -ADS_STATUS ads_build_ldap_error(int ldb_error); -ADS_STATUS ads_build_nt_error(NTSTATUS nt_status); -bool nt_token_check_sid( const struct dom_sid *sid, const NT_USER_TOKEN *token); -ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx); -ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, const char *name, const char *val); -ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods); -const char *ads_get_ldap_server_name(ADS_STRUCT *ads); - - -#endif diff --git a/source4/libgpo/config.mk b/source4/libgpo/config.mk new file mode 100644 index 0000000000..77eb3073ac --- /dev/null +++ b/source4/libgpo/config.mk @@ -0,0 +1,4 @@ +[SUBSYSTEM::LIBGPO] +PRIVATE_DEPENDENCIES = LIBLDB LIBSAMBA-NET + +LIBGPO_OBJ_FILES = $(libgpodir)/gpo_ldap.o diff --git a/source4/libgpo/gpo.h b/source4/libgpo/gpo.h new file mode 100644 index 0000000000..808718ea49 --- /dev/null +++ b/source4/libgpo/gpo.h @@ -0,0 +1,56 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005-2008 (from samba 3 gpo.h) + * Copyright (C) Wilco Baan Hofman 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef __GPO_H__ +#define __GPO_H__ + + +/* GPO_OPTIONS */ +#define GPO_FLAG_DISABLE 0x00000001 +#define GPO_FLAG_FORCE 0x00000002 + +struct gp_context { + struct ldb_context *ldb_ctx; + struct loadparm_context *lp_ctx; + struct cli_credentials *credentials; + struct tevent_context *ev_ctx; +}; + +struct gp_object { + uint32_t version; + uint32_t flags; + const char *display_name; + const char *name; + const char *dn; + const char *file_sys_path; + struct security_descriptor *security_descriptor; +}; + +NTSTATUS gp_fetch_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); +NTSTATUS gp_apply_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); +NTSTATUS gp_check_refresh_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); + +NTSTATUS gp_init(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *creds, + struct tevent_context *ev_ctx, + struct gp_context **gp_ctx); +NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret); +#endif diff --git a/source4/libgpo/gpo_filesync.c b/source4/libgpo/gpo_filesync.c deleted file mode 100644 index 3f6f5f7960..0000000000 --- a/source4/libgpo/gpo_filesync.c +++ /dev/null @@ -1,241 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * - * Copyright (C) Guenther Deschner 2006 - * Copyright (C) Wilco Baan Hofman 2008 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see <http://www.gnu.org/licenses/>. - */ - -#include "includes.h" -#include "libcli/libcli.h" -#include "system/filesys.h" - - -struct sync_context { - TALLOC_CTX *mem_ctx; - struct smbcli_state *cli; - char *remote_path; - char *local_path; - char *mask; - uint16_t attribute; -}; - -static void gpo_sync_func(struct clilist_file_info *info, - const char *mask, - void *state); - -NTSTATUS gpo_copy_file(TALLOC_CTX *mem_ctx, - struct smbcli_state *cli, - const char *nt_path, - const char *unix_path) -{ - NTSTATUS result; - int fnum; - int fd = 0; - char *data = NULL; - static int io_bufsize = 64512; - int read_size = io_bufsize; - off_t nread = 0; - - if ((fnum = smbcli_open(cli->tree, nt_path, O_RDONLY, DENY_NONE)) == -1) { - result = NT_STATUS_NO_SUCH_FILE; - goto out; - } - - if ((fd = open(unix_path, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) { - result = map_nt_error_from_unix(errno); - goto out; - } - - if ((data = talloc_size(mem_ctx, read_size)) == NULL) { - result = NT_STATUS_NO_MEMORY; - goto out; - } - - while (1) { - - int n = smbcli_read(cli->tree, fnum, data, nread, read_size); - - if (n <= 0) - break; - - if (write(fd, data, n) != n) { - break; - } - - nread += n; - } - - result = NT_STATUS_OK; - - out: - SAFE_FREE(data); - if (fnum) { - smbcli_close(cli->tree, fnum); - } - if (fd) { - close(fd); - } - - return result; -} - -/**************************************************************** - copy dir -****************************************************************/ - -static NTSTATUS gpo_copy_dir(const char *nt_dir, const char *unix_path) -{ - if ((mkdir(unix_path, 0644)) < 0 && errno != EEXIST) { - return NT_STATUS_ACCESS_DENIED; - } - - return NT_STATUS_OK; -} - -/**************************************************************** - sync files -****************************************************************/ - -static bool gpo_sync_files(struct sync_context *ctx) -{ - DEBUG(3,("calling cli_list with mask: %s\n", ctx->mask)); - - if (smbcli_list(ctx->cli->tree, - ctx->mask, - ctx->attribute, - gpo_sync_func, - ctx) == -1) { - DEBUG(1,("listing [%s] failed with error: %s\n", - ctx->mask, smbcli_errstr(ctx->cli->tree))); - return false; - } - - return true; -} - -/**************************************************************** - syncronisation call back -****************************************************************/ - -static void gpo_sync_func(struct clilist_file_info *info, - const char *mask, - void *state) -{ - NTSTATUS result; - struct sync_context *ctx; - char *nt_filename, *unix_filename; - char *nt_dir, *unix_dir; - char *old_nt_dir, *old_unix_dir; - - ctx = (struct sync_context *)state; - - if (strequal(info->name, ".") || strequal(info->name, "..")) { - return; - } - - DEBUG(5,("gpo_sync_func: got mask: [%s], name: [%s]\n", - mask, info->name)); - - if (info->attrib & FILE_ATTRIBUTE_DIRECTORY) { - - DEBUG(3,("got dir: [%s]\n", info->name)); - - nt_dir = talloc_asprintf(ctx->mem_ctx, "%s\\%s", - ctx->remote_path, - info->name); - - unix_dir = talloc_asprintf(ctx->mem_ctx, "%s/%s", - ctx->local_path, - info->name); - - result = gpo_copy_dir(nt_dir, unix_dir); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("failed to copy dir: %s\n", - nt_errstr(result))); - } - - old_nt_dir = ctx->remote_path; - ctx->remote_path = talloc_strdup(ctx->mem_ctx, nt_dir); - - old_unix_dir = ctx->local_path; - ctx->local_path = talloc_strdup(ctx->mem_ctx, unix_dir); - - ctx->mask = talloc_asprintf(ctx->mem_ctx, - "%s\\*", - nt_dir); - if (!ctx->local_path || !ctx->mask || !ctx->remote_path) { - DEBUG(0,("gpo_sync_func: ENOMEM\n")); - return; - } - if (!gpo_sync_files(ctx)) { - DEBUG(0,("could not sync files\n")); - } - - ctx->remote_path = old_nt_dir; - ctx->local_path = old_unix_dir; - return; - } - - DEBUG(3,("got file: [%s]\n", info->name)); - - nt_filename = talloc_asprintf(ctx->mem_ctx, "%s\\%s", - ctx->remote_path, - info->name); - - unix_filename = talloc_asprintf(ctx->mem_ctx, "%s/%s", - ctx->local_path, - info->name); - - result = gpo_copy_file(ctx->mem_ctx, ctx->cli, - nt_filename, unix_filename); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(1,("failed to copy file: %s\n", - nt_errstr(result))); - } -} - - -/**************************************************************** - list a remote directory and download recursivly -****************************************************************/ - -NTSTATUS gpo_sync_directories(TALLOC_CTX *mem_ctx, - struct smbcli_state *cli, - const char *nt_path, - const char *local_path) -{ - struct sync_context ctx; - - ctx.mem_ctx = mem_ctx; - ctx.cli = cli; - ctx.remote_path = discard_const_p(char, nt_path); - ctx.local_path = discard_const_p(char, local_path); - ctx.attribute = (FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_DIRECTORY); - - ctx.mask = talloc_asprintf(mem_ctx, - "%s\\*", - nt_path); - if (!ctx.mask) { - return NT_STATUS_NO_MEMORY; - } - - if (!gpo_sync_files(&ctx)) { - return NT_STATUS_NO_SUCH_FILE; - } - - return NT_STATUS_OK; -} diff --git a/source4/libgpo/gpo_ldap.c b/source4/libgpo/gpo_ldap.c new file mode 100644 index 0000000000..dd8a26bfc1 --- /dev/null +++ b/source4/libgpo/gpo_ldap.c @@ -0,0 +1,150 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Jelmer Vernooij 2008 + * Copyright (C) Wilco Baan Hofman 2008-2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "param/param.h" +#include "lib/ldb/include/ldb.h" +#include "lib/ldb_wrap.h" +#include "auth/credentials/credentials.h" +#include "../librpc/gen_ndr/nbt.h" +#include "libcli/libcli.h" +#include "libnet/libnet.h" +#include "gpo.h" + +NTSTATUS gp_init(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *credentials, + struct tevent_context *ev_ctx, + struct gp_context **gp_ctx) +{ + + struct libnet_LookupDCs *io; + char *url; + struct libnet_context *net_ctx; + struct ldb_context *ldb_ctx; + NTSTATUS rv; + + /* Initialise the libnet context */ + net_ctx = libnet_context_init(ev_ctx, lp_ctx); + net_ctx->cred = credentials; + + /* Prepare libnet lookup structure for looking a DC (PDC is correct). */ + io = talloc_zero(mem_ctx, struct libnet_LookupDCs); + io->in.name_type = NBT_NAME_PDC; + io->in.domain_name = lp_workgroup(lp_ctx); + + /* Find Active DC's */ + rv = libnet_LookupDCs(net_ctx, mem_ctx, io); + if (!NT_STATUS_IS_OK(rv)) { + DEBUG(0, ("Failed to lookup DCs in domain\n")); + return rv; + } + + /* Connect to ldap://DC_NAME with all relevant contexts*/ + url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name); + ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx, + url, NULL, net_ctx->cred, 0); + if (ldb_ctx == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(net_ctx); + + *gp_ctx = talloc_zero(mem_ctx, struct gp_context); + (*gp_ctx)->lp_ctx = lp_ctx; + (*gp_ctx)->credentials = credentials; + (*gp_ctx)->ev_ctx = ev_ctx; + (*gp_ctx)->ldb_ctx = ldb_ctx; + return NT_STATUS_OK; + +} + +NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) +{ + struct ldb_result *result; + int rv; + TALLOC_CTX *mem_ctx; + struct ldb_dn *dn; + struct gp_object **gpo; + unsigned int i, j; /* same as in struct ldb_result */ + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); + rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System")); + if (!rv) { + DEBUG(0, ("Can't append subtree to DN\n")); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn))); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, NULL, "(objectClass=groupPolicyContainer)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); + return NT_STATUS_UNSUCCESSFUL; + } + + gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1); + gpo[result->count] = NULL; + + for (i = 0; i < result->count; i++) { + gpo[i] = talloc(gp_ctx, struct gp_object); + + gpo[i]->dn = ldb_dn_get_linearized(result->msgs[i]->dn); + + DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo[i]->dn)); + for (j = 0; j < result->msgs[i]->num_elements; j++) { + struct ldb_message_element *element = &result->msgs[i]->elements[j]; + + if (strcmp(element->name, "displayName") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo[i]->display_name = talloc_strdup(gp_ctx, (char *)element->values[0].data); + DEBUG(10, ("Found displayname: %s\n", gpo[i]->display_name)); + } + if (strcmp(element->name, "name") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo[i]->name = talloc_strdup(gp_ctx, (char *)element->values[0].data); + DEBUG(10, ("Found name: %s\n", gpo[i]->name)); + } + if (strcmp(element->name, "flags") == 0) { + char *end; + SMB_ASSERT(element->num_values > 0); + gpo[i]->flags = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); + SMB_ASSERT(*end == 0); + DEBUG(10, ("Found flags: %d\n", gpo[i]->flags)); + } + if (strcmp(element->name, "versionNumber") == 0) { + char *end; + SMB_ASSERT(element->num_values > 0); + gpo[i]->version = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); + SMB_ASSERT(*end == 0); + DEBUG(10, ("Found version: %d\n", gpo[i]->version)); + } + if (strcmp(element->name, "gPCFileSysPath") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo[i]->file_sys_path = talloc_strdup(gp_ctx, (char *)element->values[0].data); + DEBUG(10, ("Found file system path: %s\n", gpo[i]->file_sys_path)); + } + } + } + *ret = gpo; + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/libgpo/gpo_s4.h b/source4/libgpo/gpo_s4.h deleted file mode 100644 index f616f6bd32..0000000000 --- a/source4/libgpo/gpo_s4.h +++ /dev/null @@ -1,40 +0,0 @@ - -/* - Samba CIFS implementation - ADS convenience functions for GPO - - Copyright (C) 2008 Jelmer Vernooij, jelmer@samba.org - Copyright (C) 2008 Wilco Baan Hofman, wilco@baanhofman.nl - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/>. -*/ - -#ifndef __LIBGPO_GPO_S4_H__ -#define __LIBGPO_GPO_S4_H__ - -#if _SAMBA_BUILD_ == 4 -#include "source4/libcli/libcli.h" -#endif - -NTSTATUS gpo_copy_file(TALLOC_CTX *mem_ctx, - struct smbcli_state *cli, - const char *nt_path, - const char *unix_path); - -NTSTATUS gpo_sync_directories(TALLOC_CTX *mem_ctx, - struct smbcli_state *cli, - const char *nt_path, - const char *local_path); - -#endif diff --git a/source4/main.mk b/source4/main.mk index 880d877e50..fc085c90bb 100644 --- a/source4/main.mk +++ b/source4/main.mk @@ -60,5 +60,5 @@ mkinclude ../libcli/nbt/config.mk mkinclude ../libcli/auth/config.mk mkinclude ../libcli/drsuapi/config.mk mkinclude ../libcli/samsync/config.mk -mkinclude ../libgpo/config.mk +mkinclude libgpo/config.mk mkinclude ../libcli/named_pipe_auth/config.mk diff --git a/source4/utils/net/config.mk b/source4/utils/net/config.mk index 56d2d8a08f..5549d5d7e4 100644 --- a/source4/utils/net/config.mk +++ b/source4/utils/net/config.mk @@ -33,6 +33,7 @@ PRIVATE_DEPENDENCIES = \ LIBPOPT \ POPT_SAMBA \ POPT_CREDENTIALS \ + LIBGPO \ net_drs # End BINARY net ################################# @@ -41,7 +42,8 @@ net_OBJ_FILES = $(addprefix $(utilssrcdir)/net/, \ net.o \ net_password.o \ net_join.o \ - net_vampire.o) + net_vampire.o \ + net_gpo.o) $(eval $(call proto_header_template,$(utilssrcdir)/net/net_proto.h,$(net_OBJ_FILES:.o=.c))) diff --git a/source4/utils/net/net.c b/source4/utils/net/net.c index a534957f5b..55dcca0931 100644 --- a/source4/utils/net/net.c +++ b/source4/utils/net/net.c @@ -201,6 +201,7 @@ static const struct net_functable net_functable[] = { {"samdump", "dump the sam of a domain\n", net_samdump, net_samdump_usage}, {"samsync", "synchronise into the local ldb the sam of an NT4 domain\n", net_samsync_ldb, net_samsync_ldb_usage}, {"drs", "Implements functionality offered by repadmin.exe utility in Windows\n", net_drs, net_drs_usage}, + {"gpo", "Administer group policies\n", net_gpo, net_gpo_usage}, {NULL, NULL, NULL, NULL} }; diff --git a/source4/utils/net/net_gpo.c b/source4/utils/net/net_gpo.c new file mode 100644 index 0000000000..25dfaa315c --- /dev/null +++ b/source4/utils/net/net_gpo.c @@ -0,0 +1,85 @@ +/* + Samba Unix/Linux SMB client library + net ads commands for Group Policy + + Copyright (C) 2005-2008 Guenther Deschner + Copyright (C) 2009 Wilco Baan Hofman + + Based on Guenther's work in net_ads_gpo.h (samba 3) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "utils/net/net.h" +#include "libgpo/gpo.h" + +static int net_gpo_list_all(struct net_context *c, int argc, const char **argv) +{ + struct gp_context *gp_ctx; + struct gp_object **gpo; + unsigned int i; + NTSTATUS rv; + + rv = gp_init(c, c->lp_ctx, c->credentials, c->event_ctx, &gp_ctx); + if (!NT_STATUS_IS_OK(rv)) { + DEBUG(0, ("Failed to connect to DC's LDAP: %s\n", get_friendly_nt_error_msg(rv))); + return 1; + } + + rv = gp_list_all_gpos(gp_ctx, &gpo); + if (!NT_STATUS_IS_OK(rv)) { + DEBUG(0, ("Failed to list all GPO's: %s\n", get_friendly_nt_error_msg(rv))); + return 1; + } + + for (i = 0; gpo[i] != NULL; i++) { + d_printf("GPO : %s\n", gpo[i]->name); + d_printf("display name : %s\n", gpo[i]->display_name); + d_printf("path : %s\n", gpo[i]->file_sys_path); + d_printf("dn : %s\n", gpo[i]->dn); + d_printf("version : %d\n", gpo[i]->version); + d_printf("flags : %d\n", gpo[i]->flags); + d_printf("\n"); + } + talloc_free(gp_ctx); + + return 0; +} + +static const struct net_functable net_gpo_functable[] = { +/* { "apply", "Apply GPO to container\n", net_gpo_apply, net_gpo_usage }, */ +// { "getgpo", "List specificied GPO\n", net_gpo_get_gpo, net_gpo_usage }, +// { "linkadd", "Link a GPO to a container\n", net_gpo_link_add, net_gpo_usage }, +/* { "linkdelete", "Delete GPO link from a container\n", net_gpo_link_delete, net_gpo_usage }, */ +// { "linkget", "List gPLink of container\n", net_gpo_link_get, net_gpo_usage }, +// { "list", "List all GPO's for machine/user\n", net_gpo_list, net_gpo_usage }, + { "listall", "List all GPO's on a DC\n", net_gpo_list_all, net_gpo_usage }, +// { "refresh", "List all GPO's for machine/user and download them\n", net_gpo_refresh, net_gpo_refresh_usage }, + { NULL, NULL } +}; + + +int net_gpo(struct net_context *ctx, int argc, const char **argv) +{ + return net_run_function(ctx, argc, argv, net_gpo_functable, net_gpo_usage); +} + + +int net_gpo_usage(struct net_context *ctx, int argc, const char **argv) +{ + d_printf("Syntax: net gpo <command> [options]\n"); + d_printf("For available commands please type net gpo help\n"); + return 0; +} |