-rw-r--r-- | source4/lib/policy/gp_ldap.c | 61 | ||||
-rw-r--r-- | source4/lib/policy/policy.h | 4 | ||||
-rw-r--r-- | source4/utils/net/net_gpo.c | 102 |
3 files changed, 158 insertions, 9 deletions
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 2d8d4f921c..f8806e9643 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -677,3 +677,64 @@ NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char
 talloc_free(mem_ctx);
 return NT_STATUS_OK;
 }
+
+NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
+{
+ TALLOC_CTX *mem_ctx;
+ struct ldb_result *result;
+ struct ldb_dn *dn;
+ const char *attrs[] = { "gPOptions", NULL };
+ int rv;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (result->count != 1) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
+{
+ char *inheritance_string;
+ struct ldb_message *msg;
+ int rv;
+
+ msg = ldb_msg_new(gp_ctx);
+ msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
+
+ inheritance_string = talloc_asprintf(msg, "%d", inheritance);
+
+ rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
+ if (rv != 0) {
+ DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
+ talloc_free(msg);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != 0) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(msg);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(msg);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h
index 05a2815989..2811abf608 100644
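Review bot: None of the allocations the new functions dereference are checked — in gp_get_inheritance the results of `talloc_new` and `ldb_dn_new` go straight into `ldb_search`, and in gp_set_inheritance `ldb_msg_new`, `ldb_dn_new` and `talloc_asprintf` are used unchecked — so an allocation failure becomes a NULL dereference rather than an NT_STATUS_NO_MEMORY return. Because dn_str is operator input (net_gpo.c hands argv[0] straight through), it is also worth rejecting a malformed DN locally with ldb's `ldb_dn_validate()` before searching or modifying instead of relying on the server-side error. gp_set_inheritance replaces the whole gPOptions value with the decimal enum; if that attribute can carry flag bits other than block-inheritance (it is a flags field as far as I recall), those bits are silently dropped, which either the contract should state or a read-modify-write should avoid. The ldb_modify failure path also omits `ldb_errstring()`, unlike the search path, which hides the DC's reason (typically an ACL denial) when the modification is refused.
```c
NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
{
	char *inheritance_string;
	struct ldb_message *msg;
	int rv;

	msg = ldb_msg_new(gp_ctx);
	if (msg == NULL) {
		return NT_STATUS_NO_MEMORY;
	}
	msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
	if (msg->dn == NULL || !ldb_dn_validate(msg->dn)) {
		/* operator-supplied DN did not parse; do not send it to the DC */
		talloc_free(msg);
		return NT_STATUS_INVALID_PARAMETER;
	}

	inheritance_string = talloc_asprintf(msg, "%d", inheritance);
	if (inheritance_string == NULL) {
		talloc_free(msg);
		return NT_STATUS_NO_MEMORY;
	}
	/* … unchanged: ldb_msg_add_string and LDB_FLAG_MOD_REPLACE … */
	rv = ldb_modify(gp_ctx->ldb_ctx, msg);
	if (rv != 0) {
		DEBUG(0, ("LDB modify failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
		talloc_free(msg);
		return NT_STATUS_UNSUCCESSFUL;
	}
	/* … unchanged: free and return NT_STATUS_OK … */
```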
--- a/source4/lib/policy/policy.h
+++ b/source4/lib/policy/policy.h
@@ -29,6 +29,8 @@ #define GPO_FLAG_USER_DISABLE (1 << 0) #define GPO_FLAG_MACHINE_DISABLE (1 << 1) +struct security_token; + enum gpo_inheritance { GPO_INHERIT = 0, GPO_BLOCK_INHERITANCE = 1,
@@ -82,5 +84,7 @@ NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink); NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gp_dn); +NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance); +NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance); #endif
diff --git a/source4/utils/net/net_gpo.c b/source4/utils/net/net_gpo.c
index 61e10bc395..bfcb0f0ad2 100644
--- a/source4/utils/net/net_gpo.c
+++ b/source4/utils/net/net_gpo.c
@@ -134,8 +134,8 @@ static int net_gpo_get_gpo(struct net_context *ctx, int argc, const char **argv) static int net_gpo_link_get_usage(struct net_context *ctx, int argc, const char **argv) { - d_printf("Syntax: net gpo linkget <dn> [options]\n"); - d_printf("For a list of available options, please type net gpo linkget --help\n"); + d_printf("Syntax: net gpo getlink <dn> [options]\n"); + d_printf("For a list of available options, please type net gpo getlink --help\n"); return 0; }
@@ -274,8 +274,8 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv) static int net_gpo_link_set_usage(struct net_context *ctx, int argc, const char **argv) { - d_printf("Syntax: net gpo linkset <container> <gpo> ['disable'] ['enforce'] [options]\n"); - d_printf("For a list of available options, please type net gpo linkset --help\n"); + d_printf("Syntax: net gpo setlink <container> <gpo> ['disable'] ['enforce'] [options]\n"); + d_printf("For a list of available options, please type net gpo setlink --help\n"); return 0; }
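Review bot: The `struct security_token;` forward declaration added at the top of policy.h is not referenced by anything else in this commit — the new prototypes take only gp_context, C strings and the enum — so it either belongs to a later change or needs a one-line comment saying which declaration it is there for. As it stands a reader cannot tell whether it is dead or preparatory.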
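Review bot: The two new prototypes at the end of policy.h are undocumented, and their contract is not obvious from the signatures: the implementation maps an absent gPOptions attribute to GPO_INHERIT via the 0 default and returns NT_STATUS_NOT_FOUND unless the base search for dn_str yields exactly one object, while the setter replaces the attribute outright. A header comment such as `/* Read / replace the gPOptions attribute of the container at dn_str. get returns NT_STATUS_NOT_FOUND if dn_str does not resolve to exactly one object; an absent attribute reads as GPO_INHERIT. */` would let callers rely on that without reading gp_ldap.c.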
@@ -324,8 +324,8 @@ static int net_gpo_link_set(struct net_context *ctx, int argc, const char **argv static int net_gpo_link_del_usage(struct net_context *ctx, int argc, const char **argv) { - d_printf("Syntax: net gpo linkdel <container> <gpo> [options]\n"); - d_printf("For a list of available options, please type net gpo linkdel --help\n"); + d_printf("Syntax: net gpo dellink <container> <gpo> [options]\n"); + d_printf("For a list of available options, please type net gpo dellink --help\n"); return 0; } 
@@ -358,12 +358,96 @@ static int net_gpo_link_del(struct net_context *ctx, int argc, const char **argv return 0; } +static int net_gpo_inheritance_get_usage(struct net_context *ctx, int argc, const char **argv) +{ + d_printf("Syntax: net gpo getinheritance <container> [options]\n"); + d_printf("For a list of available options, please type net gpo getinheritance --help\n"); + return 0; +} + +static int net_gpo_inheritance_get(struct net_context *ctx, int argc, const char **argv) +{ + struct gp_context *gp_ctx; + enum gpo_inheritance inheritance; + NTSTATUS status; + + if (argc != 1) { + return net_gpo_inheritance_get_usage(ctx, argc, argv); + } + + status = gp_init(ctx, ctx->lp_ctx, ctx->credentials, ctx->event_ctx, &gp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to connect to DC's LDAP: %s\n", get_friendly_nt_error_msg(status))); + return 1; + } + + status = gp_get_inheritance(gp_ctx, argv[0], &inheritance); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set GPO link on container: %s\n", get_friendly_nt_error_msg(status))); + return 1; + } + + if (inheritance == GPO_BLOCK_INHERITANCE) { + d_printf("container has GPO_BLOCK_INHERITANCE\n"); + } else { + d_printf("container has GPO_INHERIT\n"); + } + + talloc_free(gp_ctx); + return 0; +} + +static int net_gpo_inheritance_set_usage(struct net_context *ctx, int argc, const char **argv) +{ + d_printf("Syntax: net gpo setinheritance <container> <\"block\"|\"inherit\"> [options]\n"); + d_printf("For a list of available options, please type net gpo setinheritance --help\n"); + return 0; +} + +static int net_gpo_inheritance_set(struct net_context *ctx, int argc, const char **argv) +{ + struct gp_context *gp_ctx; + enum gpo_inheritance inheritance; + NTSTATUS status; + + if (argc != 2) { + return net_gpo_inheritance_set_usage(ctx, argc, argv); + } + + if (strcmp(argv[1], "inherit") == 0) { + inheritance = GPO_INHERIT; + } else if (strcmp(argv[1], "block") == 0) { + inheritance = 
GPO_BLOCK_INHERITANCE; + } else { + return net_gpo_inheritance_set_usage(ctx, argc, argv); + } + + status = gp_init(ctx, ctx->lp_ctx, ctx->credentials, ctx->event_ctx, &gp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to connect to DC's LDAP: %s\n", get_friendly_nt_error_msg(status))); + return 1; + } + + status = gp_set_inheritance(gp_ctx, argv[0], inheritance); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set GPO link on container: %s\n", get_friendly_nt_error_msg(status))); + return 1; + } + + /* Display current links */ + net_gpo_inheritance_get(ctx, 1, argv); + + return 0; +} + static const struct net_functable net_gpo_functable[] = { { "listall", "List all GPO's on a DC\n", net_gpo_list_all, net_gpo_list_all_usage }, { "getgpo", "List specificied GPO\n", net_gpo_get_gpo, net_gpo_get_gpo_usage }, - { "linkget", "List gPLink of container\n", net_gpo_link_get, net_gpo_link_get_usage }, - { "linkset", "Link a GPO to a container\n", net_gpo_link_set, net_gpo_link_set_usage }, - { "linkdel", "Delete GPO link from a container\n", net_gpo_link_del, net_gpo_link_del_usage }, + { "getlink", "List gPLink of container\n", net_gpo_link_get, net_gpo_link_get_usage }, + { "setlink", "Link a GPO to a container\n", net_gpo_link_set, net_gpo_link_set_usage }, + { "dellink", "Delete GPO link from a container\n", net_gpo_link_del, net_gpo_link_del_usage }, + { "getinheritance", "Get inheritance flag from a container\n", net_gpo_inheritance_get, net_gpo_inheritance_get_usage }, + { "setinheritance", "Set inheritance flag on a container\n", net_gpo_inheritance_set, net_gpo_inheritance_set_usage }, { "list", "List all GPO's for a machine/user\n", net_gpo_list, net_gpo_list_usage }, /* { "apply", "Apply GPO to container\n", net_gpo_apply, net_gpo_usage }, */ // { "refresh", "List all GPO's for machine/user and download them\n", net_gpo_refresh, net_gpo_refresh_usage }, |
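Review bot: The error message on the gp_get_inheritance failure path in net_gpo_inheritance_get and the one after gp_set_inheritance in net_gpo_inheritance_set both say `Failed to set GPO link on container`, copied from the link commands; they should read `Failed to get inheritance of container` and `Failed to set inheritance on container` so an operator reading the log knows which operation the DC refused. Both functions also `return 1` on those paths without freeing gp_ctx, and net_gpo_inheritance_set never frees its gp_ctx before calling net_gpo_inheritance_get, which runs gp_init again and so opens and binds a second connection to the DC while the first is still live; freeing the first context before the read-back and propagating the read-back's return value instead of discarding it keeps one connection and makes a failed read-back visible in the exit status. The comment `/* Display current links */` is copied as well and should say `/* Display the resulting inheritance setting */`. net_gpo_functable continues past the end of the hunk.
```c
	status = gp_set_inheritance(gp_ctx, argv[0], inheritance);
	/* the read-back below opens its own connection, so release this one first */
	talloc_free(gp_ctx);
	if (!NT_STATUS_IS_OK(status)) {
		DEBUG(0, ("Failed to set inheritance on container: %s\n", get_friendly_nt_error_msg(status)));
		return 1;
	}

	/* Display the resulting inheritance setting; its exit status is ours */
	return net_gpo_inheritance_get(ctx, 1, argv);
}
```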