summaryrefslogtreecommitdiff
path: root/source3/libgpo
diff options
context:
space:
mode:
Diffstat (limited to 'source3/libgpo')
-rw-r--r--source3/libgpo/gpext/gpext.c746
-rw-r--r--source3/libgpo/gpext/gpext.h79
-rw-r--r--source3/libgpo/gpext/registry.c643
-rw-r--r--source3/libgpo/gpext/scripts.c443
-rw-r--r--source3/libgpo/gpo_fetch.c187
-rw-r--r--source3/libgpo/gpo_filesync.c238
-rw-r--r--source3/libgpo/gpo_ini.c245
-rw-r--r--source3/libgpo/gpo_ini.h33
-rw-r--r--source3/libgpo/gpo_ldap.c866
-rw-r--r--source3/libgpo/gpo_reg.c1009
-rw-r--r--source3/libgpo/gpo_sec.c186
-rw-r--r--source3/libgpo/gpo_util.c870
12 files changed, 5545 insertions, 0 deletions
diff --git a/source3/libgpo/gpext/gpext.c b/source3/libgpo/gpext/gpext.c
new file mode 100644
index 0000000000..2ae9e2cebf
--- /dev/null
+++ b/source3/libgpo/gpext/gpext.c
@@ -0,0 +1,746 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+static struct gp_extension *extensions = NULL;
+
+/****************************************************************
+****************************************************************/
+
+struct gp_extension *get_gp_extension_list(void)
+{
+ return extensions;
+}
+
+/****************************************************************
+****************************************************************/
+
+/* see http://support.microsoft.com/kb/216358/en-us/ for more info */
+
+struct gp_extension_reg_table gpext_reg_vals[] = {
+ { "DllName", REG_EXPAND_SZ },
+ { "ProcessGroupPolicy", REG_SZ },
+ { "NoMachinePolicy", REG_DWORD },
+ { "NoUserPolicy", REG_DWORD },
+ { "NoSlowLink", REG_DWORD },
+ { "NoBackgroundPolicy", REG_DWORD },
+ { "NoGPOListChanges", REG_DWORD },
+ { "PerUserLocalSettings", REG_DWORD },
+ { "RequiresSuccessfulRegistry", REG_DWORD },
+ { "EnableAsynchronousProcessing", REG_DWORD },
+ { "ExtensionDebugLevel", REG_DWORD },
+ /* new */
+ { "GenerateGroupPolicy", REG_SZ }, /* not supported on w2k */
+ { "NotifyLinkTransition", REG_DWORD },
+ { "ProcessGroupPolicyEx", REG_SZ }, /* not supported on w2k */
+ { "ExtensionEventSource", REG_MULTI_SZ }, /* not supported on w2k */
+ { "GenerateGroupPolicy", REG_SZ },
+ { "MaxNoGPOListChangesInterval", REG_DWORD },
+ { NULL, REG_NONE }
+};
+
+/****************************************************************
+****************************************************************/
+
+static struct gp_extension *get_extension_by_name(struct gp_extension *be,
+ const char *name)
+{
+ struct gp_extension *b;
+
+ for (b = be; b; b = b->next) {
+ if (strequal(b->name, name)) {
+ return b;
+ }
+ }
+
+ return NULL;
+}
+
+/****************************************************************
+****************************************************************/
+
+static struct gp_extension_methods *get_methods_by_name(struct gp_extension *be,
+ const char *name)
+{
+ struct gp_extension *b;
+
+ for (b = be; b; b = b->next) {
+ if (strequal(b->name, name)) {
+ return b->methods;
+ }
+ }
+
+ return NULL;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS unregister_gp_extension(const char *name)
+{
+ struct gp_extension *ext;
+
+ ext = get_extension_by_name(extensions, name);
+ if (!ext) {
+ return NT_STATUS_OK;
+ }
+
+ DLIST_REMOVE(extensions, ext);
+ TALLOC_FREE(ext);
+
+ DEBUG(2,("Successfully removed GP extension '%s'\n", name));
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS register_gp_extension(TALLOC_CTX *gpext_ctx,
+ int version,
+ const char *name,
+ const char *guid,
+ struct gp_extension_methods *methods)
+{
+ struct gp_extension_methods *test;
+ struct gp_extension *entry;
+ NTSTATUS status;
+
+ if (!gpext_ctx) {
+ return NT_STATUS_INTERNAL_DB_ERROR;
+ }
+
+ if ((version != SMB_GPEXT_INTERFACE_VERSION)) {
+ DEBUG(0,("Failed to register gp extension.\n"
+ "The module was compiled against "
+ "SMB_GPEXT_INTERFACE_VERSION %d,\n"
+ "current SMB_GPEXT_INTERFACE_VERSION is %d.\n"
+ "Please recompile against the current "
+ "version of samba!\n",
+ version, SMB_GPEXT_INTERFACE_VERSION));
+ return NT_STATUS_OBJECT_TYPE_MISMATCH;
+ }
+
+ if (!guid || !name || !name[0] || !methods) {
+ DEBUG(0,("Called with NULL pointer or empty name!\n"));
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ test = get_methods_by_name(extensions, name);
+ if (test) {
+ DEBUG(0,("GP extension module %s already registered!\n",
+ name));
+ return NT_STATUS_OBJECT_NAME_COLLISION;
+ }
+
+ entry = TALLOC_ZERO_P(gpext_ctx, struct gp_extension);
+ NT_STATUS_HAVE_NO_MEMORY(entry);
+
+ entry->name = talloc_strdup(gpext_ctx, name);
+ NT_STATUS_HAVE_NO_MEMORY(entry->name);
+
+ entry->guid = TALLOC_ZERO_P(gpext_ctx, struct GUID);
+ NT_STATUS_HAVE_NO_MEMORY(entry->guid);
+ status = GUID_from_string(guid, entry->guid);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ entry->methods = methods;
+ DLIST_ADD(extensions, entry);
+
+ DEBUG(2,("Successfully added GP extension '%s' %s\n",
+ name, GUID_string2(gpext_ctx, entry->guid)));
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gp_extension_init_module(TALLOC_CTX *mem_ctx,
+ const char *name,
+ struct gp_extension **gpext)
+{
+ NTSTATUS status;
+ struct gp_extension *ext = NULL;
+
+ ext = TALLOC_ZERO_P(mem_ctx, struct gp_extension);
+ NT_STATUS_HAVE_NO_MEMORY(gpext);
+
+ ext->methods = get_methods_by_name(extensions, name);
+ if (!ext->methods) {
+
+ status = smb_probe_module(SAMBA_SUBSYSTEM_GPEXT,
+ name);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ ext->methods = get_methods_by_name(extensions, name);
+ if (!ext->methods) {
+ return NT_STATUS_DLL_INIT_FAILED;
+ }
+ }
+
+ *gpext = ext;
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool add_gp_extension_reg_entry_to_array(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_entry *entry,
+ struct gp_extension_reg_entry **entries,
+ size_t *num)
+{
+ *entries = TALLOC_REALLOC_ARRAY(mem_ctx, *entries,
+ struct gp_extension_reg_entry,
+ (*num)+1);
+ if (*entries == NULL) {
+ *num = 0;
+ return false;
+ }
+
+ (*entries)[*num].value = entry->value;
+ (*entries)[*num].data = entry->data;
+
+ *num += 1;
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool add_gp_extension_reg_info_entry_to_array(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_info_entry *entry,
+ struct gp_extension_reg_info_entry **entries,
+ size_t *num)
+{
+ *entries = TALLOC_REALLOC_ARRAY(mem_ctx, *entries,
+ struct gp_extension_reg_info_entry,
+ (*num)+1);
+ if (*entries == NULL) {
+ *num = 0;
+ return false;
+ }
+
+ (*entries)[*num].guid = entry->guid;
+ (*entries)[*num].num_entries = entry->num_entries;
+ (*entries)[*num].entries = entry->entries;
+
+ *num += 1;
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gp_ext_info_add_reg(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_info_entry *entry,
+ const char *value,
+ enum winreg_Type type,
+ const char *data_s)
+{
+ struct gp_extension_reg_entry *reg_entry = NULL;
+ struct registry_value *data = NULL;
+
+ reg_entry = TALLOC_ZERO_P(mem_ctx, struct gp_extension_reg_entry);
+ NT_STATUS_HAVE_NO_MEMORY(reg_entry);
+
+ data = TALLOC_ZERO_P(mem_ctx, struct registry_value);
+ NT_STATUS_HAVE_NO_MEMORY(data);
+
+ data->type = type;
+
+ switch (type) {
+ case REG_SZ:
+ case REG_EXPAND_SZ:
+ data->v.sz.str = talloc_strdup(mem_ctx, data_s);
+ NT_STATUS_HAVE_NO_MEMORY(data->v.sz.str);
+ data->v.sz.len = strlen(data_s);
+ break;
+ case REG_DWORD:
+ data->v.dword = atoi(data_s);
+ break;
+ default:
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ reg_entry->value = value;
+ reg_entry->data = data;
+
+ if (!add_gp_extension_reg_entry_to_array(mem_ctx, reg_entry,
+ &entry->entries,
+ &entry->num_entries)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gp_ext_info_add_reg_table(TALLOC_CTX *mem_ctx,
+ const char *module,
+ struct gp_extension_reg_info_entry *entry,
+ struct gp_extension_reg_table *table)
+{
+ NTSTATUS status;
+ const char *module_name = NULL;
+ int i;
+
+ module_name = talloc_asprintf(mem_ctx, "%s.%s", module, shlib_ext());
+ NT_STATUS_HAVE_NO_MEMORY(module_name);
+
+ status = gp_ext_info_add_reg(mem_ctx, entry,
+ "DllName", REG_EXPAND_SZ, module_name);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ for (i=0; table[i].val; i++) {
+ status = gp_ext_info_add_reg(mem_ctx, entry,
+ table[i].val,
+ table[i].type,
+ table[i].data);
+ NT_STATUS_NOT_OK_RETURN(status);
+ }
+
+ return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gp_ext_info_add_entry(TALLOC_CTX *mem_ctx,
+ const char *module,
+ const char *ext_guid,
+ struct gp_extension_reg_table *table,
+ struct gp_extension_reg_info *info)
+{
+ NTSTATUS status;
+ struct gp_extension_reg_info_entry *entry = NULL;
+
+ entry = TALLOC_ZERO_P(mem_ctx, struct gp_extension_reg_info_entry);
+ NT_STATUS_HAVE_NO_MEMORY(entry);
+
+ status = GUID_from_string(ext_guid, &entry->guid);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ status = gp_ext_info_add_reg_table(mem_ctx, module, entry, table);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ if (!add_gp_extension_reg_info_entry_to_array(mem_ctx, entry,
+ &info->entries,
+ &info->num_entries)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool gp_extension_reg_info_verify_entry(struct gp_extension_reg_entry *entry)
+{
+ int i;
+
+ for (i=0; gpext_reg_vals[i].val; i++) {
+
+ if ((strequal(entry->value, gpext_reg_vals[i].val)) &&
+ (entry->data->type == gpext_reg_vals[i].type)) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool gp_extension_reg_info_verify(struct gp_extension_reg_info_entry *entry)
+{
+ int i;
+
+ for (i=0; i < entry->num_entries; i++) {
+ if (!gp_extension_reg_info_verify_entry(&entry->entries[i])) {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_extension_store_reg_vals(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ struct gp_extension_reg_info_entry *entry)
+{
+ WERROR werr = WERR_OK;
+ size_t i;
+
+ for (i=0; i < entry->num_entries; i++) {
+
+ werr = reg_setvalue(key,
+ entry->entries[i].value,
+ entry->entries[i].data);
+ W_ERROR_NOT_OK_RETURN(werr);
+ }
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_extension_store_reg_entry(TALLOC_CTX *mem_ctx,
+ struct gp_registry_context *reg_ctx,
+ struct gp_extension_reg_info_entry *entry)
+{
+ WERROR werr;
+ struct registry_key *key = NULL;
+ const char *subkeyname = NULL;
+
+ if (!gp_extension_reg_info_verify(entry)) {
+ return WERR_INVALID_PARAM;
+ }
+
+ subkeyname = GUID_string2(mem_ctx, &entry->guid);
+ W_ERROR_HAVE_NO_MEMORY(subkeyname);
+
+ strupper_m(CONST_DISCARD(char *,subkeyname));
+
+ werr = gp_store_reg_subkey(mem_ctx,
+ subkeyname,
+ reg_ctx->curr_key,
+ &key);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_extension_store_reg_vals(mem_ctx,
+ key,
+ entry);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_extension_store_reg(TALLOC_CTX *mem_ctx,
+ struct gp_registry_context *reg_ctx,
+ struct gp_extension_reg_info *info)
+{
+ WERROR werr = WERR_OK;
+ int i;
+
+ if (!info) {
+ return WERR_OK;
+ }
+
+ for (i=0; i < info->num_entries; i++) {
+ werr = gp_extension_store_reg_entry(mem_ctx,
+ reg_ctx,
+ &info->entries[i]);
+ W_ERROR_NOT_OK_RETURN(werr);
+ }
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gp_glob_ext_list(TALLOC_CTX *mem_ctx,
+ const char ***ext_list,
+ size_t *ext_list_len)
+{
+ SMB_STRUCT_DIR *dir = NULL;
+ SMB_STRUCT_DIRENT *dirent = NULL;
+
+ dir = sys_opendir(modules_path(SAMBA_SUBSYSTEM_GPEXT));
+ if (!dir) {
+ return map_nt_error_from_unix(errno);
+ }
+
+ while ((dirent = sys_readdir(dir))) {
+
+ fstring name; /* forgive me... */
+ char *p;
+
+ if ((strequal(dirent->d_name, ".")) ||
+ (strequal(dirent->d_name, ".."))) {
+ continue;
+ }
+
+ p = strrchr(dirent->d_name, '.');
+ if (!p) {
+ sys_closedir(dir);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!strcsequal(p+1, shlib_ext())) {
+ DEBUG(10,("gp_glob_ext_list: not a *.so file: %s\n",
+ dirent->d_name));
+ continue;
+ }
+
+ fstrcpy(name, dirent->d_name);
+ name[PTR_DIFF(p, dirent->d_name)] = 0;
+
+ if (!add_string_to_array(mem_ctx, name, ext_list,
+ (int *)ext_list_len)) {
+ sys_closedir(dir);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+ sys_closedir(dir);
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS shutdown_gp_extensions(void)
+{
+ struct gp_extension *ext = NULL;
+
+ for (ext = extensions; ext; ext = ext->next) {
+ if (ext->methods && ext->methods->shutdown) {
+ ext->methods->shutdown();
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS init_gp_extensions(TALLOC_CTX *mem_ctx)
+{
+ NTSTATUS status;
+ WERROR werr;
+ int i = 0;
+ const char **ext_array = NULL;
+ size_t ext_array_len = 0;
+ struct gp_extension *gpext = NULL;
+ struct gp_registry_context *reg_ctx = NULL;
+
+ if (get_gp_extension_list()) {
+ return NT_STATUS_OK;
+ }
+
+ status = gp_glob_ext_list(mem_ctx, &ext_array, &ext_array_len);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ for (i=0; i<ext_array_len; i++) {
+
+ struct gp_extension_reg_info *info = NULL;
+
+ status = gp_extension_init_module(mem_ctx, ext_array[i],
+ &gpext);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto out;
+ }
+
+ if (gpext->methods->get_reg_config) {
+
+ status = gpext->methods->initialize(mem_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ gpext->methods->shutdown();
+ goto out;
+ }
+
+ status = gpext->methods->get_reg_config(mem_ctx,
+ &info);
+ if (!NT_STATUS_IS_OK(status)) {
+ gpext->methods->shutdown();
+ goto out;
+ }
+
+ if (!reg_ctx) {
+ struct nt_user_token *token;
+
+ token = registry_create_system_token(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(token);
+
+ werr = gp_init_reg_ctx(mem_ctx,
+ KEY_WINLOGON_GPEXT_PATH,
+ REG_KEY_WRITE,
+ token,
+ &reg_ctx);
+ if (!W_ERROR_IS_OK(werr)) {
+ status = werror_to_ntstatus(werr);
+ gpext->methods->shutdown();
+ goto out;
+ }
+ }
+
+ werr = gp_extension_store_reg(mem_ctx, reg_ctx, info);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(1,("gp_extension_store_reg failed: %s\n",
+ dos_errstr(werr)));
+ TALLOC_FREE(info);
+ gpext->methods->shutdown();
+ status = werror_to_ntstatus(werr);
+ goto out;
+ }
+ TALLOC_FREE(info);
+ }
+
+ }
+
+ out:
+ TALLOC_FREE(reg_ctx);
+
+ return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS free_gp_extensions(void)
+{
+ struct gp_extension *ext, *ext_next = NULL;
+
+ for (ext = extensions; ext; ext = ext_next) {
+ ext_next = ext->next;
+ DLIST_REMOVE(extensions, ext);
+ TALLOC_FREE(ext);
+ }
+
+ extensions = NULL;
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+void debug_gpext_header(int lvl,
+ const char *name,
+ uint32_t flags,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid)
+{
+ char *flags_str = NULL;
+
+ DEBUG(lvl,("%s\n", name));
+ DEBUGADD(lvl,("\tgpo: %s (%s)\n", gpo->name,
+ gpo->display_name));
+ DEBUGADD(lvl,("\tcse extension: %s (%s)\n", extension_guid,
+ cse_gpo_guid_string_to_name(extension_guid)));
+ DEBUGADD(lvl,("\tgplink: %s\n", gpo->link));
+ DEBUGADD(lvl,("\tsnapin: %s (%s)\n", snapin_guid,
+ cse_snapin_gpo_guid_string_to_name(snapin_guid)));
+
+ flags_str = gpo_flag_str(flags);
+ DEBUGADD(lvl,("\tflags: 0x%08x %s\n", flags, flags_str));
+ SAFE_FREE(flags_str);
+}
+
+NTSTATUS process_gpo_list_with_extension(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo_list,
+ const char *extension_guid,
+ const char *snapin_guid)
+{
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gpext_process_extension(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct nt_user_token *token,
+ struct registry_key *root_key,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid)
+{
+ NTSTATUS status;
+ struct gp_extension *ext = NULL;
+ struct GUID guid;
+ bool cse_found = false;
+
+ status = init_gp_extensions(mem_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(1,("init_gp_extensions failed: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ status = GUID_from_string(extension_guid, &guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ for (ext = extensions; ext; ext = ext->next) {
+
+ if (GUID_equal(ext->guid, &guid)) {
+ cse_found = true;
+ break;
+ }
+ }
+
+ if (!cse_found) {
+ goto no_ext;
+ }
+
+ status = ext->methods->initialize(mem_ctx);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ status = ext->methods->process_group_policy(ads,
+ mem_ctx,
+ flags,
+ root_key,
+ token,
+ gpo,
+ extension_guid,
+ snapin_guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ ext->methods->shutdown();
+ }
+
+ return status;
+
+ no_ext:
+ if (flags & GPO_INFO_FLAG_VERBOSE) {
+ DEBUG(0,("process_extension: no extension available for:\n"));
+ DEBUGADD(0,("%s (%s) (snapin: %s)\n",
+ extension_guid,
+ cse_gpo_guid_string_to_name(extension_guid),
+ snapin_guid));
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/libgpo/gpext/gpext.h b/source3/libgpo/gpext/gpext.h
new file mode 100644
index 0000000000..0f0445701d
--- /dev/null
+++ b/source3/libgpo/gpext/gpext.h
@@ -0,0 +1,79 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#define KEY_WINLOGON_GPEXT_PATH "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GPExtensions"
+
+#define SAMBA_SUBSYSTEM_GPEXT "gpext"
+
+#define SMB_GPEXT_INTERFACE_VERSION 1
+
+struct gp_extension {
+ struct GUID *guid;
+ const char *name;
+ struct gp_extension_methods *methods;
+ struct gp_extension *prev, *next;
+};
+
+struct gp_extension_reg_table {
+ const char *val;
+ enum winreg_Type type;
+ const char *data;
+};
+
+struct gp_extension_reg_entry {
+ const char *value;
+ struct registry_value *data;
+};
+
+struct gp_extension_reg_info_entry {
+ struct GUID guid;
+ size_t num_entries;
+ struct gp_extension_reg_entry *entries;
+};
+
+struct gp_extension_reg_info {
+ size_t num_entries;
+ struct gp_extension_reg_info_entry *entries;
+};
+
+struct gp_extension_methods {
+
+ NTSTATUS (*initialize)(TALLOC_CTX *mem_ctx);
+
+ NTSTATUS (*process_group_policy)(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct registry_key *root_key,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid);
+
+ NTSTATUS (*process_group_policy2)(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo_list,
+ const char *extension_guid);
+
+ NTSTATUS (*get_reg_config)(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_info **info);
+
+ NTSTATUS (*shutdown)(void);
+};
diff --git a/source3/libgpo/gpext/registry.c b/source3/libgpo/gpext/registry.c
new file mode 100644
index 0000000000..188a48ab49
--- /dev/null
+++ b/source3/libgpo/gpext/registry.c
@@ -0,0 +1,643 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#define GP_EXT_NAME "registry"
+
+/* more info can be found at:
+ * http://msdn2.microsoft.com/en-us/library/aa374407.aspx */
+
+#define GP_REGPOL_FILE "Registry.pol"
+
+#define GP_REGPOL_FILE_SIGNATURE 0x67655250 /* 'PReg' */
+#define GP_REGPOL_FILE_VERSION 1
+
+static TALLOC_CTX *ctx = NULL;
+
+struct gp_registry_file_header {
+ uint32_t signature;
+ uint32_t version;
+};
+
+struct gp_registry_file_entry {
+ UNISTR key;
+ UNISTR value;
+ enum winreg_Type type;
+ size_t size;
+ uint8_t *data;
+};
+
+struct gp_registry_file {
+ struct gp_registry_file_header header;
+ size_t num_entries;
+ struct gp_registry_entry *entries;
+};
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_header(const char *desc,
+ struct gp_registry_file_header *header,
+ prs_struct *ps,
+ int depth)
+{
+ if (!header)
+ return false;
+
+ prs_debug(ps, depth, desc, "reg_parse_header");
+ depth++;
+
+ if (!prs_uint32("signature", ps, depth, &header->signature))
+ return false;
+
+ if (!prs_uint32("version", ps, depth, &header->version))
+ return false;
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_and_verify_ucs2_char(const char *desc,
+ char character,
+ prs_struct *ps,
+ int depth)
+{
+ uint16_t tmp;
+
+ if (!prs_uint16(desc, ps, depth, &tmp))
+ return false;
+
+ if (tmp != UCS2_CHAR(character))
+ return false;
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_init(prs_struct *ps, int depth)
+{
+ return reg_parse_and_verify_ucs2_char("initiator '['", '[',
+ ps, depth);
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_sep(prs_struct *ps, int depth)
+{
+ return reg_parse_and_verify_ucs2_char("separator ';'", ';',
+ ps, depth);
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_term(prs_struct *ps, int depth)
+{
+ return reg_parse_and_verify_ucs2_char("terminator ']'", ']',
+ ps, depth);
+}
+
+
+/****************************************************************
+* [key;value;type;size;data]
+****************************************************************/
+
+static bool reg_parse_entry(TALLOC_CTX *mem_ctx,
+ const char *desc,
+ struct gp_registry_file_entry *entry,
+ prs_struct *ps,
+ int depth)
+{
+ uint32_t size = 0;
+
+ if (!entry)
+ return false;
+
+ prs_debug(ps, depth, desc, "reg_parse_entry");
+ depth++;
+
+ ZERO_STRUCTP(entry);
+
+ if (!reg_parse_init(ps, depth))
+ return false;
+
+ if (!prs_unistr("key", ps, depth, &entry->key))
+ return false;
+
+ if (!reg_parse_sep(ps, depth))
+ return false;
+
+ if (!prs_unistr("value", ps, depth, &entry->value))
+ return false;
+
+ if (!reg_parse_sep(ps, depth))
+ return false;
+
+ if (!prs_uint32("type", ps, depth, &entry->type))
+ return false;
+
+ if (!reg_parse_sep(ps, depth))
+ return false;
+
+ if (!prs_uint32("size", ps, depth, &size))
+ return false;
+
+ entry->size = size;
+
+ if (!reg_parse_sep(ps, depth))
+ return false;
+
+ if (entry->size) {
+ entry->data = TALLOC_ZERO_ARRAY(mem_ctx, uint8, entry->size);
+ if (!entry->data)
+ return false;
+ }
+
+ if (!prs_uint8s(false, "data", ps, depth, entry->data, entry->size))
+ return false;
+
+ if (!reg_parse_term(ps, depth))
+ return false;
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool reg_parse_value(TALLOC_CTX *mem_ctx,
+ char **value,
+ enum gp_reg_action *action)
+{
+ if (!*value) {
+ *action = GP_REG_ACTION_ADD_KEY;
+ return true;
+ }
+
+ if (strncmp(*value, "**", 2) != 0) {
+ *action = GP_REG_ACTION_ADD_VALUE;
+ return true;
+ }
+
+ if (strnequal(*value, "**DelVals.", 10)) {
+ *action = GP_REG_ACTION_DEL_ALL_VALUES;
+ return true;
+ }
+
+ if (strnequal(*value, "**Del.", 6)) {
+ *value = talloc_strdup(mem_ctx, *value + 6);
+ *action = GP_REG_ACTION_DEL_VALUE;
+ return true;
+ }
+
+ if (strnequal(*value, "**SecureKey", 11)) {
+ if (strnequal(*value, "**SecureKey=1", 13)) {
+ *action = GP_REG_ACTION_SEC_KEY_SET;
+ return true;
+ }
+
+ /*************** not tested from here on ***************/
+ if (strnequal(*value, "**SecureKey=0", 13)) {
+ smb_panic("not supported: **SecureKey=0");
+ *action = GP_REG_ACTION_SEC_KEY_RESET;
+ return true;
+ }
+ DEBUG(0,("unknown: SecureKey: %s\n", *value));
+ smb_panic("not supported SecureKey method");
+ return false;
+ }
+
+ if (strnequal(*value, "**DeleteValues", strlen("**DeleteValues"))) {
+ smb_panic("not supported: **DeleteValues");
+ *action = GP_REG_ACTION_DEL_VALUES;
+ return false;
+ }
+
+ if (strnequal(*value, "**DeleteKeys", strlen("**DeleteKeys"))) {
+ smb_panic("not supported: **DeleteKeys");
+ *action = GP_REG_ACTION_DEL_KEYS;
+ return false;
+ }
+
+ DEBUG(0,("unknown value: %s\n", *value));
+ smb_panic(*value);
+ return false;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool gp_reg_entry_from_file_entry(TALLOC_CTX *mem_ctx,
+ struct gp_registry_file_entry *file_entry,
+ struct gp_registry_entry **reg_entry)
+{
+ struct registry_value *data = NULL;
+ struct gp_registry_entry *entry = NULL;
+ char *key = NULL;
+ char *value = NULL;
+ enum gp_reg_action action = GP_REG_ACTION_NONE;
+ size_t converted_size;
+
+ ZERO_STRUCTP(*reg_entry);
+
+ data = TALLOC_ZERO_P(mem_ctx, struct registry_value);
+ if (!data)
+ return false;
+
+ if (strlen_w((const smb_ucs2_t *)file_entry->key.buffer) <= 0)
+ return false;
+
+ if (!pull_ucs2_talloc(mem_ctx, &key, file_entry->key.buffer,
+ &converted_size))
+ {
+ return false;
+ }
+
+ if (strlen_w((const smb_ucs2_t *)file_entry->value.buffer) > 0 &&
+ !pull_ucs2_talloc(mem_ctx, &value, file_entry->value.buffer,
+ &converted_size))
+ {
+ return false;
+ }
+
+ if (!reg_parse_value(mem_ctx, &value, &action))
+ return false;
+
+ data->type = file_entry->type;
+
+ switch (data->type) {
+ case REG_DWORD:
+ data->v.dword = atoi((char *)file_entry->data);
+ break;
+ case REG_BINARY:
+ data->v.binary = data_blob_talloc(mem_ctx,
+ file_entry->data,
+ file_entry->size);
+ break;
+ case REG_NONE:
+ break;
+ case REG_SZ:
+ if (!pull_ucs2_talloc(mem_ctx, &data->v.sz.str,
+ (const smb_ucs2_t *)
+ file_entry->data,
+ &data->v.sz.len)) {
+ data->v.sz.len = -1;
+ }
+
+ break;
+ case REG_DWORD_BIG_ENDIAN:
+ case REG_EXPAND_SZ:
+ case REG_LINK:
+ case REG_MULTI_SZ:
+ case REG_QWORD:
+/* case REG_DWORD_LITTLE_ENDIAN: */
+/* case REG_QWORD_LITTLE_ENDIAN: */
+ printf("not yet implemented: %d\n", data->type);
+ return false;
+ default:
+ printf("invalid reg type defined: %d\n", data->type);
+ return false;
+
+ }
+
+ entry = TALLOC_ZERO_P(mem_ctx, struct gp_registry_entry);
+ if (!entry)
+ return false;
+
+ entry->key = key;
+ entry->value = value;
+ entry->data = data;
+ entry->action = action;
+
+ *reg_entry = entry;
+
+ return true;
+}
+
+/****************************************************************
+* [key;value;type;size;data][key;value;type;size;data]...
+****************************************************************/
+
+static bool reg_parse_entries(TALLOC_CTX *mem_ctx,
+ const char *desc,
+ struct gp_registry_entry **entries,
+ size_t *num_entries,
+ prs_struct *ps,
+ int depth)
+{
+
+ if (!entries || !num_entries)
+ return false;
+
+ prs_debug(ps, depth, desc, "reg_parse_entries");
+ depth++;
+
+ *entries = NULL;
+ *num_entries = 0;
+
+ while (ps->buffer_size > ps->data_offset) {
+
+ struct gp_registry_file_entry f_entry;
+ struct gp_registry_entry *r_entry = NULL;
+
+ if (!reg_parse_entry(mem_ctx, desc, &f_entry,
+ ps, depth))
+ return false;
+
+ if (!gp_reg_entry_from_file_entry(mem_ctx,
+ &f_entry,
+ &r_entry))
+ return false;
+
+ if (!add_gp_registry_entry_to_array(mem_ctx,
+ r_entry,
+ entries,
+ num_entries))
+ return false;
+ }
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS reg_parse_registry(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const char *filename,
+ struct gp_registry_entry **entries,
+ size_t *num_entries)
+{
+ uint16_t *buf = NULL;
+ size_t n = 0;
+ NTSTATUS status;
+ prs_struct ps;
+ struct gp_registry_file *reg_file;
+ const char *real_filename = NULL;
+
+ reg_file = TALLOC_ZERO_P(mem_ctx, struct gp_registry_file);
+ NT_STATUS_HAVE_NO_MEMORY(reg_file);
+
+ status = gp_find_file(mem_ctx,
+ flags,
+ filename,
+ GP_REGPOL_FILE,
+ &real_filename);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(reg_file);
+ return status;
+ }
+
+ buf = (uint16 *)file_load(real_filename, &n, 0);
+ if (!buf) {
+ TALLOC_FREE(reg_file);
+ return NT_STATUS_CANNOT_LOAD_REGISTRY_FILE;
+ }
+
+ if (!prs_init(&ps, n, mem_ctx, UNMARSHALL)) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ if (!prs_copy_data_in(&ps, (char *)buf, n)) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ prs_set_offset(&ps, 0);
+
+ if (!reg_parse_header("header", &reg_file->header, &ps, 0)) {
+ status = NT_STATUS_REGISTRY_IO_FAILED;
+ goto out;
+ }
+
+ if (reg_file->header.signature != GP_REGPOL_FILE_SIGNATURE) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (reg_file->header.version != GP_REGPOL_FILE_VERSION) {
+ status = NT_STATUS_INVALID_PARAMETER;
+ goto out;
+ }
+
+ if (!reg_parse_entries(mem_ctx, "entries", &reg_file->entries,
+ &reg_file->num_entries, &ps, 0)) {
+ status = NT_STATUS_REGISTRY_IO_FAILED;
+ goto out;
+ }
+
+ *entries = reg_file->entries;
+ *num_entries = reg_file->num_entries;
+
+ status = NT_STATUS_OK;
+
+ out:
+ SAFE_FREE(buf);
+ prs_mem_free(&ps);
+
+ return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR reg_apply_registry(TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
+ struct registry_key *root_key,
+ uint32_t flags,
+ struct gp_registry_entry *entries,
+ size_t num_entries)
+{
+ struct gp_registry_context *reg_ctx = NULL;
+ WERROR werr;
+ size_t i;
+
+ if (num_entries == 0) {
+ return WERR_OK;
+ }
+
+#if 0
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE,
+ get_system_token(),
+ &reg_ctx);
+ } else {
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKCU, REG_KEY_WRITE,
+ token,
+ &reg_ctx);
+ }
+ W_ERROR_NOT_OK_RETURN(werr);
+#endif
+ for (i=0; i<num_entries; i++) {
+
+ /* FIXME: maybe we should check here if we attempt to go beyond
+ * the 4 allowed reg keys */
+
+ werr = reg_apply_registry_entry(mem_ctx, root_key,
+ reg_ctx,
+ &(entries)[i],
+ token, flags);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to apply registry: %s\n",
+ dos_errstr(werr)));
+ goto done;
+ }
+ }
+
+done:
+ gp_free_reg_ctx(reg_ctx);
+ return werr;
+}
+
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS registry_process_group_policy(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct registry_key *root_key,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid)
+{
+ NTSTATUS status;
+ WERROR werr;
+ struct gp_registry_entry *entries = NULL;
+ size_t num_entries = 0;
+ char *unix_path = NULL;
+
+ debug_gpext_header(0, "registry_process_group_policy", flags, gpo,
+ extension_guid, snapin_guid);
+
+ status = gpo_get_unix_path(mem_ctx, gpo, &unix_path);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ status = reg_parse_registry(mem_ctx,
+ flags,
+ unix_path,
+ &entries,
+ &num_entries);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0,("failed to parse registry: %s\n",
+ nt_errstr(status)));
+ return status;
+ }
+
+ dump_reg_entries(flags, "READ", entries, num_entries);
+
+ werr = reg_apply_registry(mem_ctx, token, root_key, flags,
+ entries, num_entries);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to apply registry: %s\n",
+ dos_errstr(werr)));
+ return werror_to_ntstatus(werr);
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS registry_get_reg_config(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_info **reg_info)
+{
+ NTSTATUS status;
+ struct gp_extension_reg_info *info = NULL;
+ struct gp_extension_reg_table table[] = {
+ { "ProcessGroupPolicy", REG_SZ, "registry_process_group_policy" },
+ { NULL, REG_NONE, NULL }
+ };
+
+ info = TALLOC_ZERO_P(mem_ctx, struct gp_extension_reg_info);
+ NT_STATUS_HAVE_NO_MEMORY(info);
+
+ status = gp_ext_info_add_entry(mem_ctx, GP_EXT_NAME,
+ GP_EXT_GUID_REGISTRY,
+ table, info);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ *reg_info = info;
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS registry_initialize(TALLOC_CTX *mem_ctx)
+{
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS registry_shutdown(void)
+{
+ NTSTATUS status;
+
+ status = unregister_gp_extension(GP_EXT_NAME);
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ TALLOC_FREE(ctx);
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static struct gp_extension_methods registry_methods = {
+ .initialize = registry_initialize,
+ .process_group_policy = registry_process_group_policy,
+ .get_reg_config = registry_get_reg_config,
+ .shutdown = registry_shutdown
+};
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gpext_registry_init(void)
+{
+ NTSTATUS status;
+
+ ctx = talloc_init("gpext_registry_init");
+ NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+ status = register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION,
+ GP_EXT_NAME, GP_EXT_GUID_REGISTRY,
+ &registry_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(ctx);
+ }
+
+ return status;
+}
diff --git a/source3/libgpo/gpext/scripts.c b/source3/libgpo/gpext/scripts.c
new file mode 100644
index 0000000000..c07407c3f0
--- /dev/null
+++ b/source3/libgpo/gpext/scripts.c
@@ -0,0 +1,443 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "libgpo/gpo_ini.h"
+
+#define GP_EXT_NAME "scripts"
+
+#define KEY_GP_SCRIPTS "Software\\Policies\\Microsoft\\Windows\\System\\Scripts"
+
+#define GP_SCRIPTS_INI "Scripts/scripts.ini"
+
+#define GP_SCRIPTS_INI_STARTUP "Startup"
+#define GP_SCRIPTS_INI_SHUTDOWN "Shutdown"
+#define GP_SCRIPTS_INI_LOGON "Logon"
+#define GP_SCRIPTS_INI_LOGOFF "Logoff"
+
+#define GP_SCRIPTS_SECTION_CMDLINE "cmdline"
+#define GP_SCRIPTS_SECTION_PARAMETERS "parameters"
+
+#define GP_SCRIPTS_REG_VAL_SCRIPT "Script"
+#define GP_SCRIPTS_REG_VAL_PARAMETERS "Parameters"
+#define GP_SCRIPTS_REG_VAL_EXECTIME "ExecTime"
+
+static TALLOC_CTX *ctx = NULL;
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS scripts_get_reg_config(TALLOC_CTX *mem_ctx,
+ struct gp_extension_reg_info **reg_info)
+{
+ NTSTATUS status;
+ struct gp_extension_reg_info *info = NULL;
+
+ struct gp_extension_reg_table table[] = {
+ { "ProcessGroupPolicy", REG_SZ, "scripts_process_group_policy" },
+ { "NoGPOListChanges", REG_DWORD, "1" },
+ { "NoSlowLink", REG_DWORD, "1" },
+ { "NotifyLinkTransition", REG_DWORD, "1" },
+ { NULL, REG_NONE, NULL },
+ };
+
+ info = TALLOC_ZERO_P(mem_ctx, struct gp_extension_reg_info);
+ NT_STATUS_HAVE_NO_MEMORY(info);
+
+ status = gp_ext_info_add_entry(mem_ctx, GP_EXT_NAME,
+ GP_EXT_GUID_SCRIPTS,
+ table, info);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ *reg_info = info;
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS generate_gp_registry_entry(TALLOC_CTX *mem_ctx,
+ const char *key,
+ const char *value,
+ uint32_t data_type,
+ const void *data_p,
+ enum gp_reg_action action,
+ struct gp_registry_entry **entry_out)
+{
+ struct gp_registry_entry *entry = NULL;
+ struct registry_value *data = NULL;
+
+ entry = TALLOC_ZERO_P(mem_ctx, struct gp_registry_entry);
+ NT_STATUS_HAVE_NO_MEMORY(entry);
+
+ data = TALLOC_ZERO_P(mem_ctx, struct registry_value);
+ NT_STATUS_HAVE_NO_MEMORY(data);
+
+ data->type = data_type;
+ switch (data->type) {
+ case REG_QWORD:
+ data->v.qword = (uint64_t)data_p;
+ break;
+ case REG_SZ:
+ data->v.sz.str = talloc_strdup(mem_ctx, (char *)data_p);
+ data->v.sz.len = strlen(data->v.sz.str);
+ break;
+ default:
+ return NT_STATUS_NOT_SUPPORTED;
+ }
+
+ entry->key = key;
+ entry->data = data;
+ entry->action = action;
+ entry->value = talloc_strdup(mem_ctx, value);
+ NT_STATUS_HAVE_NO_MEMORY(entry->value);
+
+ *entry_out = entry;
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS scripts_parse_ini_section(struct gp_inifile_context *ini_ctx,
+ uint32_t flags,
+ const char *section,
+ struct gp_registry_entry **entries,
+ size_t *num_entries)
+{
+ NTSTATUS status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
+ int i = 0;
+
+ while (1) {
+
+ const char *key = NULL;
+ const char *script = NULL;
+ const char *count = NULL;
+ const char *parameters = NULL;
+
+ count = talloc_asprintf(ini_ctx->mem_ctx, "%d", i);
+ NT_STATUS_HAVE_NO_MEMORY(count);
+
+ key = talloc_asprintf(ini_ctx->mem_ctx, "%s:%s%s",
+ section, count,
+ GP_SCRIPTS_SECTION_CMDLINE);
+ NT_STATUS_HAVE_NO_MEMORY(key);
+
+ script = iniparser_getstring(ini_ctx->dict, key, NULL);
+ if (!script) {
+ break;
+ }
+
+ key = talloc_asprintf(ini_ctx->mem_ctx, "%s:%s%s",
+ section, count,
+ GP_SCRIPTS_SECTION_PARAMETERS);
+ NT_STATUS_HAVE_NO_MEMORY(key);
+
+ parameters = iniparser_getstring(ini_ctx->dict, key, NULL);
+
+ {
+ struct gp_registry_entry *entry = NULL;
+ status = generate_gp_registry_entry(ini_ctx->mem_ctx,
+ count,
+ GP_SCRIPTS_REG_VAL_SCRIPT,
+ REG_SZ,
+ script,
+ GP_REG_ACTION_ADD_VALUE,
+ &entry);
+ NT_STATUS_NOT_OK_RETURN(status);
+ if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx,
+ entry,
+ entries,
+ num_entries)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ {
+ struct gp_registry_entry *entry = NULL;
+ status = generate_gp_registry_entry(ini_ctx->mem_ctx,
+ count,
+ GP_SCRIPTS_REG_VAL_PARAMETERS,
+ REG_SZ,
+ parameters,
+ GP_REG_ACTION_ADD_VALUE,
+ &entry);
+ NT_STATUS_NOT_OK_RETURN(status);
+ if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx,
+ entry,
+ entries,
+ num_entries)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ {
+ struct gp_registry_entry *entry = NULL;
+ status = generate_gp_registry_entry(ini_ctx->mem_ctx,
+ count,
+ GP_SCRIPTS_REG_VAL_EXECTIME,
+ REG_QWORD,
+ 0,
+ GP_REG_ACTION_ADD_VALUE,
+ &entry);
+ NT_STATUS_NOT_OK_RETURN(status);
+ if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx,
+ entry,
+ entries,
+ num_entries)) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+ status = NT_STATUS_OK;
+ i++;
+ }
+
+ return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR scripts_store_reg_gpovals(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ WERROR werr;
+
+ if (!key || !gpo) {
+ return WERR_INVALID_PARAM;
+ }
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "DisplayName",
+ gpo->display_name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "FileSysPath",
+ gpo->file_sys_path);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "GPO-ID",
+ gpo->ds_path);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "GPOName",
+ gpo->name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "SOM-ID",
+ gpo->link);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR scripts_apply(TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
+ struct registry_key *root_key,
+ uint32_t flags,
+ const char *section,
+ struct GROUP_POLICY_OBJECT *gpo,
+ struct gp_registry_entry *entries,
+ size_t num_entries)
+{
+ struct gp_registry_context *reg_ctx = NULL;
+ WERROR werr;
+ size_t i;
+ const char *keystr = NULL;
+ int count = 0;
+
+ if (num_entries == 0) {
+ return WERR_OK;
+ }
+
+#if 0
+ if (flags & GPO_INFO_FLAG_MACHINE) {
+ struct nt_user_token *tmp_token;
+
+ tmp_token = registry_create_system_token(mem_ctx);
+ W_ERROR_HAVE_NO_MEMORY(tmp_token);
+
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE,
+ tmp_token,
+ &reg_ctx);
+ } else {
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKCU, REG_KEY_WRITE,
+ token,
+ &reg_ctx);
+ }
+ W_ERROR_NOT_OK_RETURN(werr);
+#endif
+
+ keystr = talloc_asprintf(mem_ctx, "%s\\%s\\%d", KEY_GP_SCRIPTS,
+ section, count++);
+ W_ERROR_HAVE_NO_MEMORY(keystr);
+
+ reg_deletekey_recursive(mem_ctx, root_key, keystr);
+
+ werr = gp_store_reg_subkey(mem_ctx, keystr,
+ root_key, &root_key);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ werr = scripts_store_reg_gpovals(mem_ctx, root_key, gpo);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ for (i=0; i<num_entries; i++) {
+
+ werr = reg_apply_registry_entry(mem_ctx, root_key, reg_ctx,
+ &(entries)[i],
+ token, flags);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to apply registry: %s\n",
+ dos_errstr(werr)));
+ goto done;
+ }
+ }
+
+ done:
+ gp_free_reg_ctx(reg_ctx);
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS scripts_process_group_policy(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct registry_key *root_key,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid)
+{
+ NTSTATUS status;
+ WERROR werr;
+ int i = 0;
+ char *unix_path = NULL;
+ struct gp_inifile_context *ini_ctx = NULL;
+ struct gp_registry_entry *entries = NULL;
+ size_t num_entries = 0;
+ const char *list[] = {
+ GP_SCRIPTS_INI_STARTUP,
+ GP_SCRIPTS_INI_SHUTDOWN,
+ GP_SCRIPTS_INI_LOGON,
+ GP_SCRIPTS_INI_LOGOFF
+ };
+
+ debug_gpext_header(0, "scripts_process_group_policy", flags, gpo,
+ extension_guid, snapin_guid);
+
+ status = gpo_get_unix_path(mem_ctx, gpo, &unix_path);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ status = gp_inifile_init_context(mem_ctx, flags, unix_path,
+ GP_SCRIPTS_INI, &ini_ctx);
+ NT_STATUS_NOT_OK_RETURN(status);
+
+ for (i = 0; i < ARRAY_SIZE(list); i++) {
+
+ TALLOC_FREE(entries);
+ num_entries = 0;
+
+ status = scripts_parse_ini_section(ini_ctx, flags, list[i],
+ &entries, &num_entries);
+ if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+ continue;
+ }
+
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ dump_reg_entries(flags, "READ", entries, num_entries);
+
+ werr = scripts_apply(ini_ctx->mem_ctx, token, root_key,
+ flags, list[i], gpo, entries, num_entries);
+ if (!W_ERROR_IS_OK(werr)) {
+ continue; /* FIXME: finally fix storing emtpy strings and REG_QWORD! */
+ TALLOC_FREE(ini_ctx);
+ return werror_to_ntstatus(werr);
+ }
+ }
+
+ TALLOC_FREE(ini_ctx);
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS scripts_initialize(TALLOC_CTX *mem_ctx)
+{
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS scripts_shutdown(void)
+{
+ NTSTATUS status;
+
+ status = unregister_gp_extension(GP_EXT_NAME);
+ if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ TALLOC_FREE(ctx);
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static struct gp_extension_methods scripts_methods = {
+ .initialize = scripts_initialize,
+ .process_group_policy = scripts_process_group_policy,
+ .get_reg_config = scripts_get_reg_config,
+ .shutdown = scripts_shutdown
+};
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gpext_scripts_init(void)
+{
+ NTSTATUS status;
+
+ ctx = talloc_init("gpext_scripts_init");
+ NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+ status = register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION,
+ GP_EXT_NAME, GP_EXT_GUID_SCRIPTS,
+ &scripts_methods);
+ if (!NT_STATUS_IS_OK(status)) {
+ TALLOC_FREE(ctx);
+ }
+
+ return status;
+}
diff --git a/source3/libgpo/gpo_fetch.c b/source3/libgpo/gpo_fetch.c
new file mode 100644
index 0000000000..2ec066425b
--- /dev/null
+++ b/source3/libgpo/gpo_fetch.c
@@ -0,0 +1,187 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2005-2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/****************************************************************
+ explode the GPO CIFS URI into their components
+****************************************************************/
+
+NTSTATUS gpo_explode_filesyspath(TALLOC_CTX *mem_ctx,
+ const char *file_sys_path,
+ char **server,
+ char **service,
+ char **nt_path,
+ char **unix_path)
+{
+ char *path = NULL;
+
+ *server = NULL;
+ *service = NULL;
+ *nt_path = NULL;
+ *unix_path = NULL;
+
+ if (!file_sys_path) {
+ return NT_STATUS_OK;
+ }
+
+ if (!next_token_talloc(mem_ctx, &file_sys_path, server, "\\")) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ NT_STATUS_HAVE_NO_MEMORY(*server);
+
+ if (!next_token_talloc(mem_ctx, &file_sys_path, service, "\\")) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+ NT_STATUS_HAVE_NO_MEMORY(*service);
+
+ if ((*nt_path = talloc_asprintf(mem_ctx, "\\%s", file_sys_path))
+ == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ NT_STATUS_HAVE_NO_MEMORY(*nt_path);
+
+ if ((path = talloc_asprintf(mem_ctx,
+ "%s/%s",
+ lock_path(GPO_CACHE_DIR),
+ file_sys_path)) == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+ path = talloc_string_sub(mem_ctx, path, "\\", "/");
+ if (!path) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ *unix_path = talloc_strdup(mem_ctx, path);
+ NT_STATUS_HAVE_NO_MEMORY(*unix_path);
+
+ TALLOC_FREE(path);
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+ prepare the local disc storage for "unix_path"
+****************************************************************/
+
+static NTSTATUS gpo_prepare_local_store(TALLOC_CTX *mem_ctx,
+ const char *unix_path)
+{
+ const char *top_dir = lock_path(GPO_CACHE_DIR);
+ char *current_dir;
+ char *tok;
+
+ current_dir = talloc_strdup(mem_ctx, top_dir);
+ NT_STATUS_HAVE_NO_MEMORY(current_dir);
+
+ if ((mkdir(top_dir, 0644)) < 0 && errno != EEXIST) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ while (next_token_talloc(mem_ctx, &unix_path, &tok, "/")) {
+ if (strequal(tok, GPO_CACHE_DIR)) {
+ break;
+ }
+ }
+
+ while (next_token_talloc(mem_ctx, &unix_path, &tok, "/")) {
+ current_dir = talloc_asprintf_append_buffer(current_dir, "/%s", tok);
+ NT_STATUS_HAVE_NO_MEMORY(current_dir);
+
+ if ((mkdir(current_dir, 0644)) < 0 && errno != EEXIST) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+ download a full GPO via CIFS
+****************************************************************/
+
+NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
+ struct cli_state *cli,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ NTSTATUS result;
+ char *server, *service, *nt_path, *unix_path;
+ char *nt_ini_path, *unix_ini_path;
+
+ result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ &server, &service, &nt_path,
+ &unix_path);
+ NT_STATUS_NOT_OK_RETURN(result);
+
+ result = gpo_prepare_local_store(mem_ctx, unix_path);
+ NT_STATUS_NOT_OK_RETURN(result);
+
+ unix_ini_path = talloc_asprintf(mem_ctx, "%s/%s", unix_path, GPT_INI);
+ nt_ini_path = talloc_asprintf(mem_ctx, "%s\\%s", nt_path, GPT_INI);
+ NT_STATUS_HAVE_NO_MEMORY(unix_ini_path);
+ NT_STATUS_HAVE_NO_MEMORY(nt_ini_path);
+
+ result = gpo_copy_file(mem_ctx, cli, nt_ini_path, unix_ini_path);
+ NT_STATUS_NOT_OK_RETURN(result);
+
+ result = gpo_sync_directories(mem_ctx, cli, nt_path, unix_path);
+ NT_STATUS_NOT_OK_RETURN(result);
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+ get the locally stored gpt.ini version number
+****************************************************************/
+
+NTSTATUS gpo_get_sysvol_gpt_version(TALLOC_CTX *mem_ctx,
+ const char *unix_path,
+ uint32_t *sysvol_version,
+ char **display_name)
+{
+ NTSTATUS status;
+ uint32_t version = 0;
+ char *local_path = NULL;
+ char *name = NULL;
+
+ if (!unix_path) {
+ return NT_STATUS_OK;
+ }
+
+ local_path = talloc_asprintf(mem_ctx, "%s/%s", unix_path, GPT_INI);
+ NT_STATUS_HAVE_NO_MEMORY(local_path);
+
+ status = parse_gpt_ini(mem_ctx, local_path, &version, &name);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(10,("gpo_get_sysvol_gpt_version: "
+ "failed to parse ini [%s]: %s\n",
+ local_path, nt_errstr(status)));
+ return status;
+ }
+
+ if (sysvol_version) {
+ *sysvol_version = version;
+ }
+
+ if (name && *display_name) {
+ *display_name = talloc_strdup(mem_ctx, name);
+ NT_STATUS_HAVE_NO_MEMORY(*display_name);
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/libgpo/gpo_filesync.c b/source3/libgpo/gpo_filesync.c
new file mode 100644
index 0000000000..6d64d7b968
--- /dev/null
+++ b/source3/libgpo/gpo_filesync.c
@@ -0,0 +1,238 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2006
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+struct sync_context {
+ TALLOC_CTX *mem_ctx;
+ struct cli_state *cli;
+ char *remote_path;
+ char *local_path;
+ char *mask;
+ uint16_t attribute;
+};
+
+static void gpo_sync_func(const char *mnt,
+ file_info *info,
+ const char *mask,
+ void *state);
+
+NTSTATUS gpo_copy_file(TALLOC_CTX *mem_ctx,
+ struct cli_state *cli,
+ const char *nt_path,
+ const char *unix_path)
+{
+ NTSTATUS result;
+ int fnum;
+ int fd = 0;
+ char *data = NULL;
+ static int io_bufsize = 64512;
+ int read_size = io_bufsize;
+ off_t nread = 0;
+
+ if ((fnum = cli_open(cli, nt_path, O_RDONLY, DENY_NONE)) == -1) {
+ result = NT_STATUS_NO_SUCH_FILE;
+ goto out;
+ }
+
+ if ((fd = sys_open(unix_path, O_WRONLY|O_CREAT|O_TRUNC, 0644)) == -1) {
+ result = map_nt_error_from_unix(errno);
+ goto out;
+ }
+
+ if ((data = (char *)SMB_MALLOC(read_size)) == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ while (1) {
+
+ int n = cli_read(cli, fnum, data, nread, read_size);
+
+ if (n <= 0)
+ break;
+
+ if (write(fd, data, n) != n) {
+ break;
+ }
+
+ nread += n;
+ }
+
+ result = NT_STATUS_OK;
+
+ out:
+ SAFE_FREE(data);
+ if (fnum) {
+ cli_close(cli, fnum);
+ }
+ if (fd) {
+ close(fd);
+ }
+
+ return result;
+}
+
+/****************************************************************
+ copy dir
+****************************************************************/
+
+static NTSTATUS gpo_copy_dir(const char *unix_path)
+{
+ if ((mkdir(unix_path, 0644)) < 0 && errno != EEXIST) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return NT_STATUS_OK;
+}
+
+/****************************************************************
+ sync files
+****************************************************************/
+
+static bool gpo_sync_files(struct sync_context *ctx)
+{
+ DEBUG(3,("calling cli_list with mask: %s\n", ctx->mask));
+
+ if (cli_list(ctx->cli,
+ ctx->mask,
+ ctx->attribute,
+ gpo_sync_func,
+ ctx) == -1) {
+ DEBUG(1,("listing [%s] failed with error: %s\n",
+ ctx->mask, cli_errstr(ctx->cli)));
+ return false;
+ }
+
+ return true;
+}
+
+/****************************************************************
+ syncronisation call back
+****************************************************************/
+
+static void gpo_sync_func(const char *mnt,
+ file_info *info,
+ const char *mask,
+ void *state)
+{
+ NTSTATUS result;
+ struct sync_context *ctx;
+ fstring nt_filename, unix_filename;
+ fstring nt_dir, unix_dir;
+ char *old_nt_dir, *old_unix_dir;
+
+ ctx = (struct sync_context *)state;
+
+ if (strequal(info->name, ".") || strequal(info->name, "..")) {
+ return;
+ }
+
+ DEBUG(5,("gpo_sync_func: got mask: [%s], name: [%s]\n",
+ mask, info->name));
+
+ if (info->mode & aDIR) {
+
+ DEBUG(3,("got dir: [%s]\n", info->name));
+
+ fstrcpy(nt_dir, ctx->remote_path);
+ fstrcat(nt_dir, "\\");
+ fstrcat(nt_dir, info->name);
+
+ fstrcpy(unix_dir, ctx->local_path);
+ fstrcat(unix_dir, "/");
+ fstrcat(unix_dir, info->name);
+
+ result = gpo_copy_dir(unix_dir);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1,("failed to copy dir: %s\n",
+ nt_errstr(result)));
+ }
+
+ old_nt_dir = ctx->remote_path;
+ ctx->remote_path = talloc_strdup(ctx->mem_ctx, nt_dir);
+
+ old_unix_dir = ctx->local_path;
+ ctx->local_path = talloc_strdup(ctx->mem_ctx, unix_dir);
+
+ ctx->mask = talloc_asprintf(ctx->mem_ctx,
+ "%s\\*",
+ nt_dir);
+ if (!ctx->local_path || !ctx->mask || !ctx->remote_path) {
+ DEBUG(0,("gpo_sync_func: ENOMEM\n"));
+ return;
+ }
+ if (!gpo_sync_files(ctx)) {
+ DEBUG(0,("could not sync files\n"));
+ }
+
+ ctx->remote_path = old_nt_dir;
+ ctx->local_path = old_unix_dir;
+ return;
+ }
+
+ DEBUG(3,("got file: [%s]\n", info->name));
+
+ fstrcpy(nt_filename, ctx->remote_path);
+ fstrcat(nt_filename, "\\");
+ fstrcat(nt_filename, info->name);
+
+ fstrcpy(unix_filename, ctx->local_path);
+ fstrcat(unix_filename, "/");
+ fstrcat(unix_filename, info->name);
+
+ result = gpo_copy_file(ctx->mem_ctx, ctx->cli,
+ nt_filename, unix_filename);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(1,("failed to copy file: %s\n",
+ nt_errstr(result)));
+ }
+}
+
+
+/****************************************************************
+ list a remote directory and download recursivly
+****************************************************************/
+
+NTSTATUS gpo_sync_directories(TALLOC_CTX *mem_ctx,
+ struct cli_state *cli,
+ const char *nt_path,
+ const char *local_path)
+{
+ struct sync_context ctx;
+
+ ctx.mem_ctx = mem_ctx;
+ ctx.cli = cli;
+ ctx.remote_path = CONST_DISCARD(char *, nt_path);
+ ctx.local_path = CONST_DISCARD(char *, local_path);
+ ctx.attribute = (aSYSTEM | aHIDDEN | aDIR);
+
+ ctx.mask = talloc_asprintf(mem_ctx,
+ "%s\\*",
+ nt_path);
+ if (!ctx.mask) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ if (!gpo_sync_files(&ctx)) {
+ return NT_STATUS_NO_SUCH_FILE;
+ }
+
+ return NT_STATUS_OK;
+}
diff --git a/source3/libgpo/gpo_ini.c b/source3/libgpo/gpo_ini.c
new file mode 100644
index 0000000000..54aaffa477
--- /dev/null
+++ b/source3/libgpo/gpo_ini.c
@@ -0,0 +1,245 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+#include "gpo_ini.h"
+
+/****************************************************************
+****************************************************************/
+
+static int gp_inifile_free_context(struct gp_inifile_context *ctx)
+{
+ if (!ctx) {
+ return 0;
+ }
+
+ if (ctx->generated_filename) {
+ unlink(ctx->generated_filename);
+ ctx->generated_filename = NULL;
+ }
+
+ if (ctx->dict) {
+ iniparser_freedict(ctx->dict);
+ ctx->dict = NULL;
+ }
+
+ ctx = NULL;
+
+ return 0;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS convert_file_from_ucs2(TALLOC_CTX *mem_ctx,
+ const char *filename_in,
+ char **filename_out)
+{
+ int tmp_fd = -1;
+ uint8 *data_in = NULL;
+ uint8 *data_out = NULL;
+ char *tmp_name = NULL;
+ NTSTATUS status;
+ size_t n = 0;
+ size_t converted_size;
+
+ if (!filename_out) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ data_in = (uint8 *)file_load(filename_in, &n, 0);
+ if (!data_in) {
+ status = NT_STATUS_NO_SUCH_FILE;
+ goto out;
+ }
+
+ tmp_name = talloc_asprintf(mem_ctx, "%s/convert_file_from_ucs2.XXXXXX",
+ tmpdir());
+ if (!tmp_name) {
+ status = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+
+ tmp_fd = smb_mkstemp(tmp_name);
+ if (tmp_fd == -1) {
+ status = NT_STATUS_ACCESS_DENIED;
+ goto out;
+ }
+
+ if (!convert_string_talloc(mem_ctx, CH_UTF16LE, CH_UNIX, data_in, n,
+ &data_out, &converted_size, False))
+ {
+ status = NT_STATUS_INVALID_BUFFER_SIZE;
+ goto out;
+ }
+
+ /* skip utf8 BOM */
+ DEBUG(11,("convert_file_from_ucs2: "
+ "data_out[0]: 0x%x, data_out[1]: 0x%x, data_out[2]: 0x%x\n",
+ data_out[0], data_out[1], data_out[2]));
+
+ if ((data_out[0] == 0xef) && (data_out[1] == 0xbb) &&
+ (data_out[2] == 0xbf)) {
+ DEBUG(11,("convert_file_from_ucs2: "
+ "%s skipping utf8 BOM\n", tmp_name));
+ data_out += 3;
+ converted_size -= 3;
+ }
+
+ if (sys_write(tmp_fd, data_out, converted_size) != converted_size) {
+ status = map_nt_error_from_unix(errno);
+ goto out;
+ }
+
+ *filename_out = tmp_name;
+
+ status = NT_STATUS_OK;
+
+ out:
+ if (tmp_fd != -1) {
+ close(tmp_fd);
+ }
+
+ SAFE_FREE(data_in);
+
+ return status;
+}
+
+/****************************************************************
+****************************************************************/
+
+ NTSTATUS gp_inifile_init_context(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const char *unix_path,
+ const char *suffix,
+ struct gp_inifile_context **ctx_ret)
+{
+ struct gp_inifile_context *ctx = NULL;
+ NTSTATUS status;
+ dictionary *dict = NULL;
+ char *tmp_filename = NULL;
+ const char *ini_filename = NULL;
+
+ if (!unix_path || !ctx_ret) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ ctx = TALLOC_ZERO_P(mem_ctx, struct gp_inifile_context);
+ NT_STATUS_HAVE_NO_MEMORY(ctx);
+
+ talloc_set_destructor(ctx, gp_inifile_free_context);
+
+ status = gp_find_file(mem_ctx, flags, unix_path, suffix,
+ &ini_filename);
+
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+
+ status = convert_file_from_ucs2(mem_ctx, ini_filename,
+ &tmp_filename);
+ if (!NT_STATUS_IS_OK(status)) {
+ goto failed;
+ }
+
+ dict = iniparser_load(tmp_filename);
+ if (!dict) {
+ status = NT_STATUS_NO_SUCH_FILE;
+ goto failed;
+ }
+
+ ctx->generated_filename = tmp_filename;
+ ctx->dict = dict;
+ ctx->mem_ctx = mem_ctx;
+
+ *ctx_ret = ctx;
+
+ return NT_STATUS_OK;
+
+ failed:
+
+ DEBUG(1,("gp_inifile_init_context failed: %s\n",
+ nt_errstr(status)));
+
+ TALLOC_FREE(ctx);
+
+ return status;
+}
+
+/****************************************************************
+ parse the local gpt.ini file
+****************************************************************/
+
+#define GPT_INI_SECTION_GENERAL "General"
+#define GPT_INI_PARAMETER_VERSION "Version"
+#define GPT_INI_PARAMETER_DISPLAYNAME "displayName"
+
+NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx,
+ const char *filename,
+ uint32_t *version,
+ char **display_name)
+{
+ NTSTATUS result;
+ uint32_t v = 0;
+ char *name = NULL;
+ dictionary *dict = NULL;
+
+ if (!filename) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ dict = iniparser_load(filename);
+ if (!dict) {
+ return NT_STATUS_NO_SUCH_FILE;
+ }
+
+ if ((name = iniparser_getstring(dict, GPT_INI_SECTION_GENERAL
+ ":"GPT_INI_PARAMETER_DISPLAYNAME, NULL)) == NULL) {
+ /* the default domain policy and the default domain controller
+ * policy never have a displayname in their gpt.ini file */
+ DEBUG(10,("parse_gpt_ini: no name in %s\n", filename));
+ }
+
+ if (name && display_name) {
+ *display_name = talloc_strdup(mem_ctx, name);
+ if (*display_name == NULL) {
+ result = NT_STATUS_NO_MEMORY;
+ goto out;
+ }
+ }
+
+ if ((v = iniparser_getint(dict, GPT_INI_SECTION_GENERAL
+ ":"GPT_INI_PARAMETER_VERSION, Undefined)) == Undefined) {
+ DEBUG(10,("parse_gpt_ini: no version\n"));
+ result = NT_STATUS_INTERNAL_DB_CORRUPTION;
+ goto out;
+ }
+
+ if (version) {
+ *version = v;
+ }
+
+ result = NT_STATUS_OK;
+ out:
+ if (dict) {
+ iniparser_freedict(dict);
+ }
+
+ return result;
+}
diff --git a/source3/libgpo/gpo_ini.h b/source3/libgpo/gpo_ini.h
new file mode 100644
index 0000000000..fa03dbaaaa
--- /dev/null
+++ b/source3/libgpo/gpo_ini.h
@@ -0,0 +1,33 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Support
+ * Copyright (C) Guenther Deschner 2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+/* FIXME: get rid of iniparser */
+#include <iniparser.h>
+
+struct gp_inifile_context {
+ TALLOC_CTX *mem_ctx;
+ dictionary *dict;
+ const char *generated_filename;
+};
+
+/* prototypes */
+
+NTSTATUS gp_inifile_init_context(TALLOC_CTX *mem_ctx, uint32_t flags,
+ const char *unix_path, const char *suffix,
+ struct gp_inifile_context **ctx_ret);
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
new file mode 100644
index 0000000000..0e77f0a856
--- /dev/null
+++ b/source3/libgpo/gpo_ldap.c
@@ -0,0 +1,866 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2005,2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/****************************************************************
+ parse the raw extension string into a GP_EXT structure
+****************************************************************/
+
+bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
+ const char *extension_raw,
+ struct GP_EXT **gp_ext)
+{
+ bool ret = false;
+ struct GP_EXT *ext = NULL;
+ char **ext_list = NULL;
+ char **ext_strings = NULL;
+ int i;
+
+ if (!extension_raw) {
+ goto parse_error;
+ }
+
+ DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
+
+ ext = TALLOC_ZERO_P(mem_ctx, struct GP_EXT);
+ if (!ext) {
+ goto parse_error;
+ }
+
+ ext_list = str_list_make(mem_ctx, extension_raw, "]");
+ if (!ext_list) {
+ goto parse_error;
+ }
+
+ for (i = 0; ext_list[i] != NULL; i++) {
+ /* no op */
+ }
+
+ ext->num_exts = i;
+
+ if (ext->num_exts) {
+ ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ }
+
+ ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
+
+ if (!ext->extensions || !ext->extensions_guid ||
+ !ext->snapins || !ext->snapins_guid ||
+ !ext->gp_extension) {
+ goto parse_error;
+ }
+
+ for (i = 0; ext_list[i] != NULL; i++) {
+
+ int k;
+ char *p, *q;
+
+ DEBUGADD(10,("extension #%d\n", i));
+
+ p = ext_list[i];
+
+ if (p[0] == '[') {
+ p++;
+ }
+
+ ext_strings = str_list_make(mem_ctx, p, "}");
+ if (ext_strings == NULL) {
+ goto parse_error;
+ }
+
+ for (k = 0; ext_strings[k] != NULL; k++) {
+ /* no op */
+ }
+
+ q = ext_strings[0];
+
+ if (q[0] == '{') {
+ q++;
+ }
+
+ ext->extensions[i] = talloc_strdup(mem_ctx,
+ cse_gpo_guid_string_to_name(q));
+ ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
+
+ /* we might have no name for the guid */
+ if (ext->extensions_guid[i] == NULL) {
+ goto parse_error;
+ }
+
+ for (k = 1; ext_strings[k] != NULL; k++) {
+
+ char *m = ext_strings[k];
+
+ if (m[0] == '{') {
+ m++;
+ }
+
+ /* FIXME: theoretically there could be more than one
+ * snapin per extension */
+ ext->snapins[i] = talloc_strdup(mem_ctx,
+ cse_snapin_gpo_guid_string_to_name(m));
+ ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
+
+ /* we might have no name for the guid */
+ if (ext->snapins_guid[i] == NULL) {
+ goto parse_error;
+ }
+ }
+ }
+
+ *gp_ext = ext;
+
+ ret = true;
+
+ parse_error:
+ TALLOC_FREE(ext_list);
+ TALLOC_FREE(ext_strings);
+
+ return ret;
+}
+
+#ifdef HAVE_LDAP
+
+/****************************************************************
+ parse the raw link string into a GP_LINK structure
+****************************************************************/
+
+static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
+ const char *gp_link_raw,
+ uint32_t options,
+ struct GP_LINK *gp_link)
+{
+ ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ char **link_list;
+ int i;
+
+ ZERO_STRUCTP(gp_link);
+
+ DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
+
+ link_list = str_list_make(mem_ctx, gp_link_raw, "]");
+ if (!link_list) {
+ goto parse_error;
+ }
+
+ for (i = 0; link_list[i] != NULL; i++) {
+ /* no op */
+ }
+
+ gp_link->gp_opts = options;
+ gp_link->num_links = i;
+
+ if (gp_link->num_links) {
+ gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ gp_link->num_links);
+ gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
+ gp_link->num_links);
+ }
+
+ gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
+
+ if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
+ goto parse_error;
+ }
+
+ for (i = 0; link_list[i] != NULL; i++) {
+
+ char *p, *q;
+
+ DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i));
+
+ q = link_list[i];
+ if (q[0] == '[') {
+ q++;
+ };
+
+ p = strchr(q, ';');
+
+ if (p == NULL) {
+ goto parse_error;
+ }
+
+ gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
+ if (gp_link->link_names[i] == NULL) {
+ goto parse_error;
+ }
+ gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
+
+ gp_link->link_opts[i] = atoi(p + 1);
+
+ DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
+ gp_link->link_names[i]));
+ DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
+ gp_link->link_opts[i]));
+
+ }
+
+ status = ADS_SUCCESS;
+
+ parse_error:
+ TALLOC_FREE(link_list);
+
+ return status;
+}
+
+/****************************************************************
+ helper call to get a GP_LINK structure from a linkdn
+****************************************************************/
+
+ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *link_dn,
+ struct GP_LINK *gp_link_struct)
+{
+ ADS_STATUS status;
+ const char *attrs[] = {"gPLink", "gPOptions", NULL};
+ LDAPMessage *res = NULL;
+ const char *gp_link;
+ uint32_t gp_options;
+
+ ZERO_STRUCTP(gp_link_struct);
+
+ status = ads_search_dn(ads, &res, link_dn, attrs);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ DEBUG(10,("ads_get_gpo_link: no result\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ if (gp_link == NULL) {
+ DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ }
+
+ /* perfectly legal to have no options */
+ if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
+ DEBUG(10,("ads_get_gpo_link: "
+ "no 'gPOptions' attribute found\n"));
+ gp_options = 0;
+ }
+
+ ads_msgfree(ads, res);
+
+ return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
+}
+
+/****************************************************************
+ helper call to add a gp link
+****************************************************************/
+
+ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *link_dn,
+ const char *gpo_dn,
+ uint32_t gpo_opt)
+{
+ ADS_STATUS status;
+ const char *attrs[] = {"gPLink", NULL};
+ LDAPMessage *res = NULL;
+ const char *gp_link, *gp_link_new;
+ ADS_MODLIST mods;
+
+ /* although ADS allows to set anything here, we better check here if
+ * the gpo_dn is sane */
+
+ if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
+ return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ status = ads_search_dn(ads, &res, link_dn, attrs);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ DEBUG(10,("ads_add_gpo_link: no result\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ if (gp_link == NULL) {
+ gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
+ gpo_dn, gpo_opt);
+ } else {
+ gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
+ gp_link, gpo_dn, gpo_opt);
+ }
+
+ ads_msgfree(ads, res);
+ ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
+
+ mods = ads_init_mods(mem_ctx);
+ ADS_ERROR_HAVE_NO_MEMORY(mods);
+
+ status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ return ads_gen_mod(ads, link_dn, mods);
+}
+
+/****************************************************************
+ helper call to delete add a gp link
+****************************************************************/
+
+/* untested & broken */
+ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *link_dn,
+ const char *gpo_dn)
+{
+ ADS_STATUS status;
+ const char *attrs[] = {"gPLink", NULL};
+ LDAPMessage *res = NULL;
+ const char *gp_link, *gp_link_new = NULL;
+ ADS_MODLIST mods;
+
+ /* check for a sane gpo_dn */
+ if (gpo_dn[0] != '[') {
+ DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
+ return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ if (gpo_dn[strlen(gpo_dn)] != ']') {
+ DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
+ return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+ }
+
+ status = ads_search_dn(ads, &res, link_dn, attrs);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ DEBUG(10,("ads_delete_gpo_link: no result\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ if (gp_link == NULL) {
+ return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ }
+
+ /* find link to delete */
+ /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
+ gpo_dn, gpo_opt); */
+
+ ads_msgfree(ads, res);
+ ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
+
+ mods = ads_init_mods(mem_ctx);
+ ADS_ERROR_HAVE_NO_MEMORY(mods);
+
+ status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ return ads_gen_mod(ads, link_dn, mods);
+}
+
+/****************************************************************
+ parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
+****************************************************************/
+
+ ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ LDAPMessage *res,
+ const char *gpo_dn,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ ZERO_STRUCTP(gpo);
+
+ ADS_ERROR_HAVE_NO_MEMORY(res);
+
+ if (gpo_dn) {
+ gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
+ } else {
+ gpo->ds_path = ads_get_dn(ads, res);
+ }
+
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
+
+ if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
+ "gPCFileSysPath");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
+
+ gpo->display_name = ads_pull_string(ads, mem_ctx, res,
+ "displayName");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
+
+ gpo->name = ads_pull_string(ads, mem_ctx, res,
+ "name");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
+
+ gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
+ "gPCMachineExtensionNames");
+ gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
+ "gPCUserExtensionNames");
+
+ ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
+ &gpo->security_descriptor);
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
+
+ return ADS_ERROR(LDAP_SUCCESS);
+}
+
+/****************************************************************
+ get a GROUP_POLICY_OBJECT structure based on different input paramters
+****************************************************************/
+
+ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *gpo_dn,
+ const char *display_name,
+ const char *guid_name,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ ADS_STATUS status;
+ LDAPMessage *res = NULL;
+ char *dn;
+ const char *filter;
+ const char *attrs[] = {
+ "cn",
+ "displayName",
+ "flags",
+ "gPCFileSysPath",
+ "gPCFunctionalityVersion",
+ "gPCMachineExtensionNames",
+ "gPCUserExtensionNames",
+ "gPCWQLFilter",
+ "name",
+ "ntSecurityDescriptor",
+ "versionNumber",
+ NULL};
+ uint32_t sd_flags = DACL_SECURITY_INFORMATION;
+
+ ZERO_STRUCTP(gpo);
+
+ if (!gpo_dn && !display_name && !guid_name) {
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ if (gpo_dn) {
+
+ if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
+ gpo_dn = gpo_dn + strlen("LDAP://");
+ }
+
+ status = ads_search_retry_dn_sd_flags(ads, &res,
+ sd_flags,
+ gpo_dn, attrs);
+
+ } else if (display_name || guid_name) {
+
+ filter = talloc_asprintf(mem_ctx,
+ "(&(objectclass=groupPolicyContainer)(%s=%s))",
+ display_name ? "displayName" : "name",
+ display_name ? display_name : guid_name);
+ ADS_ERROR_HAVE_NO_MEMORY(filter);
+
+ status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE, filter,
+ attrs, sd_flags, &res);
+ }
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("ads_get_gpo: search failed with %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+
+ if (ads_count_replies(ads, res) != 1) {
+ DEBUG(10,("ads_get_gpo: no result\n"));
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+ }
+
+ dn = ads_get_dn(ads, res);
+ if (dn == NULL) {
+ ads_msgfree(ads, res);
+ return ADS_ERROR(LDAP_NO_MEMORY);
+ }
+
+ status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
+ ads_msgfree(ads, res);
+ ads_memfree(ads, dn);
+
+ return status;
+}
+
+/****************************************************************
+ add a gplink to the GROUP_POLICY_OBJECT linked list
+****************************************************************/
+
+static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT **gpo_list,
+ const char *link_dn,
+ struct GP_LINK *gp_link,
+ enum GPO_LINK_TYPE link_type,
+ bool only_add_forced_gpos,
+ const struct nt_user_token *token)
+{
+ ADS_STATUS status;
+ int i;
+
+ for (i = 0; i < gp_link->num_links; i++) {
+
+ struct GROUP_POLICY_OBJECT *new_gpo = NULL;
+
+ if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
+ DEBUG(10,("skipping disabled GPO\n"));
+ continue;
+ }
+
+ if (only_add_forced_gpos) {
+
+ if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
+ DEBUG(10,("skipping nonenforced GPO link "
+ "because GPOPTIONS_BLOCK_INHERITANCE "
+ "has been set\n"));
+ continue;
+ } else {
+ DEBUG(10,("adding enforced GPO link although "
+ "the GPOPTIONS_BLOCK_INHERITANCE "
+ "has been set\n"));
+ }
+ }
+
+ new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
+ ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
+
+ status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
+ NULL, NULL, new_gpo);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("failed to get gpo: %s\n",
+ gp_link->link_names[i]));
+ return status;
+ }
+
+ status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
+ token));
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(10,("skipping GPO \"%s\" as object "
+ "has no access to it\n",
+ new_gpo->display_name));
+ TALLOC_FREE(new_gpo);
+ continue;
+ }
+
+ new_gpo->link = link_dn;
+ new_gpo->link_type = link_type;
+
+ DLIST_ADD(*gpo_list, new_gpo);
+
+ DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
+ "to GPO list\n", i, gp_link->link_names[i]));
+ }
+
+ return ADS_ERROR(LDAP_SUCCESS);
+}
+
+/****************************************************************
+****************************************************************/
+
+ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ struct nt_user_token **token)
+{
+ ADS_STATUS status;
+ DOM_SID object_sid;
+ DOM_SID primary_group_sid;
+ DOM_SID *ad_token_sids;
+ size_t num_ad_token_sids = 0;
+ DOM_SID *token_sids;
+ size_t num_token_sids = 0;
+ struct nt_user_token *new_token = NULL;
+ int i;
+
+ status = ads_get_tokensids(ads, mem_ctx, dn,
+ &object_sid, &primary_group_sid,
+ &ad_token_sids, &num_ad_token_sids);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
+ ADS_ERROR_HAVE_NO_MEMORY(token_sids);
+
+ status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
+ &primary_group_sid,
+ &token_sids,
+ &num_token_sids));
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ for (i = 0; i < num_ad_token_sids; i++) {
+
+ if (sid_check_is_in_builtin(&ad_token_sids[i])) {
+ continue;
+ }
+
+ status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
+ &ad_token_sids[i],
+ &token_sids,
+ &num_token_sids));
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+ }
+
+ new_token = create_local_nt_token(mem_ctx, &object_sid, false,
+ num_token_sids, token_sids);
+ ADS_ERROR_HAVE_NO_MEMORY(new_token);
+
+ *token = new_token;
+
+ debug_nt_user_token(DBGC_CLASS, 5, *token);
+
+ return ADS_ERROR_LDAP(LDAP_SUCCESS);
+}
+
+/****************************************************************
+****************************************************************/
+
+static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT **gpo_list,
+ enum GPO_LINK_TYPE link_type)
+{
+ struct GROUP_POLICY_OBJECT *gpo = NULL;
+
+ ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
+
+ gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
+ ADS_ERROR_HAVE_NO_MEMORY(gpo);
+
+ gpo->name = talloc_strdup(mem_ctx, "Local Policy");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
+
+ gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
+
+ gpo->link_type = link_type;
+
+ DLIST_ADD(*gpo_list, gpo);
+
+ return ADS_ERROR_NT(NT_STATUS_OK);
+}
+
+/****************************************************************
+ get the full list of GROUP_POLICY_OBJECTs for a given dn
+****************************************************************/
+
+ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ uint32_t flags,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT **gpo_list)
+{
+ /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
+
+ ADS_STATUS status;
+ struct GP_LINK gp_link;
+ const char *parent_dn, *site_dn, *tmp_dn;
+ bool add_only_forced_gpos = false;
+
+ ZERO_STRUCTP(gpo_list);
+
+ if (!dn) {
+ return ADS_ERROR(LDAP_PARAM_ERROR);
+ }
+
+ DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
+
+ /* (L)ocal */
+ status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
+ GP_LINK_LOCAL);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ /* (S)ite */
+
+ /* are site GPOs valid for users as well ??? */
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+
+ status = ads_site_dn_for_machine(ads, mem_ctx,
+ ads->config.ldap_server_name,
+ &site_dn);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
+ site_dn));
+
+ status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
+ if (ADS_ERR_OK(status)) {
+
+ if (DEBUGLEVEL >= 100) {
+ dump_gplink(ads, mem_ctx, &gp_link);
+ }
+
+ status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
+ site_dn, &gp_link,
+ GP_LINK_SITE,
+ add_only_forced_gpos,
+ token);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ if (flags & GPO_LIST_FLAG_SITEONLY) {
+ return ADS_ERROR(LDAP_SUCCESS);
+ }
+
+ /* inheritance can't be blocked at the site level */
+ }
+ }
+
+ tmp_dn = dn;
+
+ while ((parent_dn = ads_parent_dn(tmp_dn)) &&
+ (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
+
+ /* (D)omain */
+
+ /* An account can just be a member of one domain */
+ if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
+
+ DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
+ parent_dn));
+
+ status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
+ &gp_link);
+ if (ADS_ERR_OK(status)) {
+
+ if (DEBUGLEVEL >= 100) {
+ dump_gplink(ads, mem_ctx, &gp_link);
+ }
+
+ /* block inheritance from now on */
+ if (gp_link.gp_opts &
+ GPOPTIONS_BLOCK_INHERITANCE) {
+ add_only_forced_gpos = true;
+ }
+
+ status = add_gplink_to_gpo_list(ads,
+ mem_ctx,
+ gpo_list,
+ parent_dn,
+ &gp_link,
+ GP_LINK_DOMAIN,
+ add_only_forced_gpos,
+ token);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+ }
+ }
+
+ tmp_dn = parent_dn;
+ }
+
+ /* reset dn again */
+ tmp_dn = dn;
+
+ while ((parent_dn = ads_parent_dn(tmp_dn)) &&
+ (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
+
+
+ /* (O)rganizational(U)nit */
+
+ /* An account can be a member of more OUs */
+ if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
+
+ DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
+ parent_dn));
+
+ status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
+ &gp_link);
+ if (ADS_ERR_OK(status)) {
+
+ if (DEBUGLEVEL >= 100) {
+ dump_gplink(ads, mem_ctx, &gp_link);
+ }
+
+ /* block inheritance from now on */
+ if (gp_link.gp_opts &
+ GPOPTIONS_BLOCK_INHERITANCE) {
+ add_only_forced_gpos = true;
+ }
+
+ status = add_gplink_to_gpo_list(ads,
+ mem_ctx,
+ gpo_list,
+ parent_dn,
+ &gp_link,
+ GP_LINK_OU,
+ add_only_forced_gpos,
+ token);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+ }
+ }
+
+ tmp_dn = parent_dn;
+
+ };
+
+ return ADS_ERROR(LDAP_SUCCESS);
+}
+
+#endif /* HAVE_LDAP */
diff --git a/source3/libgpo/gpo_reg.c b/source3/libgpo/gpo_reg.c
new file mode 100644
index 0000000000..920deeb189
--- /dev/null
+++ b/source3/libgpo/gpo_reg.c
@@ -0,0 +1,1009 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2007-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+
+/****************************************************************
+****************************************************************/
+
+struct nt_user_token *registry_create_system_token(TALLOC_CTX *mem_ctx)
+{
+ struct nt_user_token *token = NULL;
+
+ token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
+ if (!token) {
+ DEBUG(1,("talloc failed\n"));
+ return NULL;
+ }
+
+ token->privileges = se_priv_all;
+
+ if (!NT_STATUS_IS_OK(add_sid_to_array(token, &global_sid_System,
+ &token->user_sids, &token->num_sids))) {
+ DEBUG(1,("Error adding nt-authority system sid to token\n"));
+ return NULL;
+ }
+
+ return token;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_init_reg_ctx(TALLOC_CTX *mem_ctx,
+ const char *initial_path,
+ uint32_t desired_access,
+ const struct nt_user_token *token,
+ struct gp_registry_context **reg_ctx)
+{
+ struct gp_registry_context *tmp_ctx;
+ WERROR werr;
+
+ if (!reg_ctx) {
+ return WERR_INVALID_PARAM;
+ }
+
+ werr = registry_init_basic();
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ tmp_ctx = TALLOC_ZERO_P(mem_ctx, struct gp_registry_context);
+ W_ERROR_HAVE_NO_MEMORY(tmp_ctx);
+
+ if (token) {
+ tmp_ctx->token = token;
+ } else {
+ tmp_ctx->token = registry_create_system_token(mem_ctx);
+ }
+ if (!tmp_ctx->token) {
+ TALLOC_FREE(tmp_ctx);
+ return WERR_NOMEM;
+ }
+
+ werr = regdb_open();
+ if (!W_ERROR_IS_OK(werr)) {
+ return werr;
+ }
+
+ if (initial_path) {
+ tmp_ctx->path = talloc_strdup(mem_ctx, initial_path);
+ if (!tmp_ctx->path) {
+ TALLOC_FREE(tmp_ctx);
+ return WERR_NOMEM;
+ }
+
+ werr = reg_open_path(mem_ctx, tmp_ctx->path, desired_access,
+ tmp_ctx->token, &tmp_ctx->curr_key);
+ if (!W_ERROR_IS_OK(werr)) {
+ TALLOC_FREE(tmp_ctx);
+ return werr;
+ }
+ }
+
+ *reg_ctx = tmp_ctx;
+
+ return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+void gp_free_reg_ctx(struct gp_registry_context *reg_ctx)
+{
+ TALLOC_FREE(reg_ctx);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_store_reg_subkey(TALLOC_CTX *mem_ctx,
+ const char *subkeyname,
+ struct registry_key *curr_key,
+ struct registry_key **new_key)
+{
+ enum winreg_CreateAction action = REG_ACTION_NONE;
+ WERROR werr;
+
+ werr = reg_createkey(mem_ctx, curr_key, subkeyname,
+ REG_KEY_WRITE, new_key, &action);
+ if (W_ERROR_IS_OK(werr) && (action != REG_CREATED_NEW_KEY)) {
+ return WERR_OK;
+ }
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_read_reg_subkey(TALLOC_CTX *mem_ctx,
+ struct gp_registry_context *reg_ctx,
+ const char *subkeyname,
+ struct registry_key **key)
+{
+ const char *tmp = NULL;
+
+ if (!reg_ctx || !subkeyname || !key) {
+ return WERR_INVALID_PARAM;
+ }
+
+ tmp = talloc_asprintf(mem_ctx, "%s\\%s", reg_ctx->path, subkeyname);
+ W_ERROR_HAVE_NO_MEMORY(tmp);
+
+ return reg_open_path(mem_ctx, tmp, REG_KEY_READ,
+ reg_ctx->token, key);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_store_reg_val_sz(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const char *val_name,
+ const char *val)
+{
+ struct registry_value reg_val;
+ ZERO_STRUCT(reg_val);
+
+ /* FIXME: hack */
+ val = val ? val : " ";
+
+ reg_val.type = REG_SZ;
+ reg_val.v.sz.len = strlen(val);
+ reg_val.v.sz.str = talloc_strdup(mem_ctx, val);
+ W_ERROR_HAVE_NO_MEMORY(reg_val.v.sz.str);
+
+ return reg_setvalue(key, val_name, &reg_val);
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_store_reg_val_dword(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const char *val_name,
+ uint32_t val)
+{
+ struct registry_value reg_val;
+ ZERO_STRUCT(reg_val);
+
+ reg_val.type = REG_DWORD;
+ reg_val.v.dword = val;
+
+ return reg_setvalue(key, val_name, &reg_val);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_read_reg_val_sz(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const char *val_name,
+ const char **val)
+{
+ WERROR werr;
+ struct registry_value *reg_val = NULL;
+
+ werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ if (reg_val->type != REG_SZ) {
+ return WERR_INVALID_DATATYPE;
+ }
+
+ *val = talloc_strdup(mem_ctx, reg_val->v.sz.str);
+ W_ERROR_HAVE_NO_MEMORY(*val);
+
+ return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_read_reg_val_dword(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const char *val_name,
+ uint32_t *val)
+{
+ WERROR werr;
+ struct registry_value *reg_val = NULL;
+
+ werr = reg_queryvalue(mem_ctx, key, val_name, &reg_val);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ if (reg_val->type != REG_DWORD) {
+ return WERR_INVALID_DATATYPE;
+ }
+
+ *val = reg_val->v.dword;
+
+ return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_store_reg_gpovals(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ WERROR werr;
+
+ if (!key || !gpo) {
+ return WERR_INVALID_PARAM;
+ }
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "Version",
+ gpo->version);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "WQLFilterPass",
+ true); /* fake */
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "AccessDenied",
+ false); /* fake */
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "GPO-Disabled",
+ (gpo->options & GPO_FLAG_DISABLE));
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "Options",
+ gpo->options);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "GPOID",
+ gpo->name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "SOM",
+ gpo->link);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "DisplayName",
+ gpo->display_name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_store_reg_val_sz(mem_ctx, key, "WQL-Id",
+ NULL);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static const char *gp_reg_groupmembership_path(TALLOC_CTX *mem_ctx,
+ const DOM_SID *sid,
+ uint32_t flags)
+{
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+ return "GroupMembership";
+ }
+
+ return talloc_asprintf(mem_ctx, "%s\\%s", sid_string_tos(sid),
+ "GroupMembership");
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_reg_del_groupmembership(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const struct nt_user_token *token,
+ uint32_t flags)
+{
+ const char *path = NULL;
+
+ path = gp_reg_groupmembership_path(mem_ctx, &token->user_sids[0],
+ flags);
+ W_ERROR_HAVE_NO_MEMORY(path);
+
+ return reg_deletekey_recursive(mem_ctx, key, path);
+
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_reg_store_groupmembership(TALLOC_CTX *mem_ctx,
+ struct gp_registry_context *reg_ctx,
+ const struct nt_user_token *token,
+ uint32_t flags)
+{
+ struct registry_key *key = NULL;
+ WERROR werr;
+ int i = 0;
+ const char *valname = NULL;
+ const char *path = NULL;
+ const char *val = NULL;
+ int count = 0;
+
+ path = gp_reg_groupmembership_path(mem_ctx, &token->user_sids[0],
+ flags);
+ W_ERROR_HAVE_NO_MEMORY(path);
+
+ gp_reg_del_groupmembership(mem_ctx, reg_ctx->curr_key, token, flags);
+
+ werr = gp_store_reg_subkey(mem_ctx, path,
+ reg_ctx->curr_key, &key);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ for (i=0; i<token->num_sids; i++) {
+
+ valname = talloc_asprintf(mem_ctx, "Group%d", count++);
+ W_ERROR_HAVE_NO_MEMORY(valname);
+
+ val = sid_string_talloc(mem_ctx, &token->user_sids[i]);
+ W_ERROR_HAVE_NO_MEMORY(val);
+ werr = gp_store_reg_val_sz(mem_ctx, key, valname, val);
+ W_ERROR_NOT_OK_RETURN(werr);
+ }
+
+ werr = gp_store_reg_val_dword(mem_ctx, key, "Count", count);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+#if 0
+/* not used yet */
+static WERROR gp_reg_read_groupmembership(TALLOC_CTX *mem_ctx,
+ struct gp_registry_context *reg_ctx,
+ const DOM_SID *object_sid,
+ struct nt_user_token **token,
+ uint32_t flags)
+{
+ struct registry_key *key = NULL;
+ WERROR werr;
+ int i = 0;
+ const char *valname = NULL;
+ const char *val = NULL;
+ const char *path = NULL;
+ uint32_t count = 0;
+ int num_token_sids = 0;
+ struct nt_user_token *tmp_token = NULL;
+
+ tmp_token = TALLOC_ZERO_P(mem_ctx, struct nt_user_token);
+ W_ERROR_HAVE_NO_MEMORY(tmp_token);
+
+ path = gp_reg_groupmembership_path(mem_ctx, object_sid, flags);
+ W_ERROR_HAVE_NO_MEMORY(path);
+
+ werr = gp_read_reg_subkey(mem_ctx, reg_ctx, path, &key);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_read_reg_val_dword(mem_ctx, key, "Count", &count);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ for (i=0; i<count; i++) {
+
+ valname = talloc_asprintf(mem_ctx, "Group%d", i);
+ W_ERROR_HAVE_NO_MEMORY(valname);
+
+ werr = gp_read_reg_val_sz(mem_ctx, key, valname, &val);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ if (!string_to_sid(&tmp_token->user_sids[num_token_sids++],
+ val)) {
+ return WERR_INSUFFICIENT_BUFFER;
+ }
+ }
+
+ tmp_token->num_sids = num_token_sids;
+
+ *token = tmp_token;
+
+ return WERR_OK;
+}
+#endif
+/****************************************************************
+****************************************************************/
+
+static const char *gp_req_state_path(TALLOC_CTX *mem_ctx,
+ const DOM_SID *sid,
+ uint32_t flags)
+{
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+ return GPO_REG_STATE_MACHINE;
+ }
+
+ return talloc_asprintf(mem_ctx, "%s\\%s", "State", sid_string_tos(sid));
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_del_reg_state(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ const char *path)
+{
+ return reg_deletesubkeys_recursive(mem_ctx, key, path);
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_reg_state_store(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const char *dn,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo_list)
+{
+ struct gp_registry_context *reg_ctx = NULL;
+ WERROR werr = WERR_GENERAL_FAILURE;
+ const char *subkeyname = NULL;
+ struct GROUP_POLICY_OBJECT *gpo;
+ int count = 0;
+ struct registry_key *key;
+
+ werr = gp_init_reg_ctx(mem_ctx, KEY_GROUP_POLICY, REG_KEY_WRITE,
+ token, &reg_ctx);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_secure_key(mem_ctx, flags, reg_ctx->curr_key,
+ &token->user_sids[0]);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to secure key: %s\n", dos_errstr(werr)));
+ goto done;
+ }
+
+ werr = gp_reg_store_groupmembership(mem_ctx, reg_ctx, token, flags);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to store group membership: %s\n", dos_errstr(werr)));
+ goto done;
+ }
+
+ subkeyname = gp_req_state_path(mem_ctx, &token->user_sids[0], flags);
+ if (!subkeyname) {
+ werr = WERR_NOMEM;
+ goto done;
+ }
+
+ werr = gp_del_reg_state(mem_ctx, reg_ctx->curr_key, subkeyname);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("failed to delete old state: %s\n", dos_errstr(werr)));
+ /* goto done; */
+ }
+
+ werr = gp_store_reg_subkey(mem_ctx, subkeyname,
+ reg_ctx->curr_key, &reg_ctx->curr_key);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ werr = gp_store_reg_val_sz(mem_ctx, reg_ctx->curr_key,
+ "Distinguished-Name", dn);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ /* store link list */
+
+ werr = gp_store_reg_subkey(mem_ctx, "GPLink-List",
+ reg_ctx->curr_key, &key);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ /* store gpo list */
+
+ werr = gp_store_reg_subkey(mem_ctx, "GPO-List",
+ reg_ctx->curr_key, &reg_ctx->curr_key);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+
+ subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
+ if (!subkeyname) {
+ werr = WERR_NOMEM;
+ goto done;
+ }
+
+ werr = gp_store_reg_subkey(mem_ctx, subkeyname,
+ reg_ctx->curr_key, &key);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ werr = gp_store_reg_gpovals(mem_ctx, key, gpo);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("gp_reg_state_store: "
+ "gpo_store_reg_gpovals failed for %s: %s\n",
+ gpo->display_name, dos_errstr(werr)));
+ goto done;
+ }
+ }
+ done:
+ gp_free_reg_ctx(reg_ctx);
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_read_reg_gpovals(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ struct GROUP_POLICY_OBJECT *gpo)
+{
+ WERROR werr;
+
+ if (!key || !gpo) {
+ return WERR_INVALID_PARAM;
+ }
+
+ werr = gp_read_reg_val_dword(mem_ctx, key, "Version",
+ &gpo->version);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_read_reg_val_dword(mem_ctx, key, "Options",
+ &gpo->options);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_read_reg_val_sz(mem_ctx, key, "GPOID",
+ &gpo->name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_read_reg_val_sz(mem_ctx, key, "SOM",
+ &gpo->link);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ werr = gp_read_reg_val_sz(mem_ctx, key, "DisplayName",
+ &gpo->display_name);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_read_reg_gpo(TALLOC_CTX *mem_ctx,
+ struct registry_key *key,
+ struct GROUP_POLICY_OBJECT **gpo_ret)
+{
+ struct GROUP_POLICY_OBJECT *gpo = NULL;
+ WERROR werr;
+
+ if (!gpo_ret || !key) {
+ return WERR_INVALID_PARAM;
+ }
+
+ gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
+ W_ERROR_HAVE_NO_MEMORY(gpo);
+
+ werr = gp_read_reg_gpovals(mem_ctx, key, gpo);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ *gpo_ret = gpo;
+
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_reg_state_read(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const DOM_SID *sid,
+ struct GROUP_POLICY_OBJECT **gpo_list)
+{
+ struct gp_registry_context *reg_ctx = NULL;
+ WERROR werr = WERR_GENERAL_FAILURE;
+ const char *subkeyname = NULL;
+ struct GROUP_POLICY_OBJECT *gpo = NULL;
+ int count = 0;
+ struct registry_key *key = NULL;
+ const char *path = NULL;
+ const char *gp_state_path = NULL;
+
+ if (!gpo_list) {
+ return WERR_INVALID_PARAM;
+ }
+
+ ZERO_STRUCTP(gpo_list);
+
+ gp_state_path = gp_req_state_path(mem_ctx, sid, flags);
+ if (!gp_state_path) {
+ werr = WERR_NOMEM;
+ goto done;
+ }
+
+ path = talloc_asprintf(mem_ctx, "%s\\%s\\%s",
+ KEY_GROUP_POLICY,
+ gp_state_path,
+ "GPO-List");
+ if (!path) {
+ werr = WERR_NOMEM;
+ goto done;
+ }
+
+ werr = gp_init_reg_ctx(mem_ctx, path, REG_KEY_READ, NULL, &reg_ctx);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ while (1) {
+
+ subkeyname = talloc_asprintf(mem_ctx, "%d", count++);
+ if (!subkeyname) {
+ werr = WERR_NOMEM;
+ goto done;
+ }
+
+ werr = gp_read_reg_subkey(mem_ctx, reg_ctx, subkeyname, &key);
+ if (W_ERROR_EQUAL(werr, WERR_BADFILE)) {
+ werr = WERR_OK;
+ break;
+ }
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("gp_reg_state_read: "
+ "gp_read_reg_subkey gave: %s\n",
+ dos_errstr(werr)));
+ goto done;
+ }
+
+ werr = gp_read_reg_gpo(mem_ctx, key, &gpo);
+ if (!W_ERROR_IS_OK(werr)) {
+ goto done;
+ }
+
+ DLIST_ADD(*gpo_list, gpo);
+ }
+
+ done:
+ gp_free_reg_ctx(reg_ctx);
+ return werr;
+}
+
+/****************************************************************
+****************************************************************/
+
+static WERROR gp_reg_generate_sd(TALLOC_CTX *mem_ctx,
+ const DOM_SID *sid,
+ struct security_descriptor **sd,
+ size_t *sd_size)
+{
+ SEC_ACE ace[6];
+ SEC_ACCESS mask;
+
+ SEC_ACL *acl = NULL;
+
+ uint8_t inherit_flags;
+
+ init_sec_access(&mask, REG_KEY_ALL);
+ init_sec_ace(&ace[0],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, 0);
+
+ init_sec_access(&mask, REG_KEY_ALL);
+ init_sec_ace(&ace[1],
+ &global_sid_Builtin_Administrators,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, 0);
+
+ init_sec_access(&mask, REG_KEY_READ);
+ init_sec_ace(&ace[2],
+ sid ? sid : &global_sid_Authenticated_Users,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, 0);
+
+ inherit_flags = SEC_ACE_FLAG_OBJECT_INHERIT |
+ SEC_ACE_FLAG_CONTAINER_INHERIT |
+ SEC_ACE_FLAG_INHERIT_ONLY;
+
+ init_sec_access(&mask, REG_KEY_ALL);
+ init_sec_ace(&ace[3],
+ &global_sid_System,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, inherit_flags);
+
+ init_sec_access(&mask, REG_KEY_ALL);
+ init_sec_ace(&ace[4],
+ &global_sid_Builtin_Administrators,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, inherit_flags);
+
+ init_sec_access(&mask, REG_KEY_READ);
+ init_sec_ace(&ace[5],
+ sid ? sid : &global_sid_Authenticated_Users,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ mask, inherit_flags);
+
+ acl = make_sec_acl(mem_ctx, NT4_ACL_REVISION, 6, ace);
+ W_ERROR_HAVE_NO_MEMORY(acl);
+
+ *sd = make_sec_desc(mem_ctx, SEC_DESC_REVISION,
+ SEC_DESC_SELF_RELATIVE |
+ SEC_DESC_DACL_AUTO_INHERITED | /* really ? */
+ SEC_DESC_DACL_AUTO_INHERIT_REQ, /* really ? */
+ NULL, NULL, NULL,
+ acl, sd_size);
+ W_ERROR_HAVE_NO_MEMORY(*sd);
+
+ return WERR_OK;
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR gp_secure_key(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct registry_key *key,
+ const DOM_SID *sid)
+{
+ struct security_descriptor *sd = NULL;
+ size_t sd_size = 0;
+ const DOM_SID *sd_sid = NULL;
+ WERROR werr;
+
+ if (!(flags & GPO_LIST_FLAG_MACHINE)) {
+ sd_sid = sid;
+ }
+
+ werr = gp_reg_generate_sd(mem_ctx, sd_sid, &sd, &sd_size);
+ W_ERROR_NOT_OK_RETURN(werr);
+
+ return reg_setkeysecurity(key, sd);
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_reg_val(int lvl, const char *direction,
+ const char *key, const char *subkey,
+ struct registry_value *val)
+{
+ int i = 0;
+ const char *type_str = NULL;
+
+ if (!val) {
+ DEBUG(lvl,("no val!\n"));
+ return;
+ }
+
+ type_str = reg_type_lookup(val->type);
+
+ DEBUG(lvl,("\tdump_reg_val:\t%s '%s'\n\t\t\t'%s' %s: ",
+ direction, key, subkey, type_str));
+
+ switch (val->type) {
+ case REG_DWORD:
+ DEBUG(lvl,("%d (0x%08x)\n",
+ (int)val->v.dword, val->v.dword));
+ break;
+ case REG_QWORD:
+ DEBUG(lvl,("%d (0x%016llx)\n",
+ (int)val->v.qword,
+ (unsigned long long)val->v.qword));
+ break;
+ case REG_SZ:
+ DEBUG(lvl,("%s (length: %d)\n",
+ val->v.sz.str,
+ (int)val->v.sz.len));
+ break;
+ case REG_MULTI_SZ:
+ DEBUG(lvl,("(num_strings: %d)\n",
+ val->v.multi_sz.num_strings));
+ for (i=0; i < val->v.multi_sz.num_strings; i++) {
+ DEBUGADD(lvl,("\t%s\n",
+ val->v.multi_sz.strings[i]));
+ }
+ break;
+ case REG_NONE:
+ DEBUG(lvl,("\n"));
+ break;
+ case REG_BINARY:
+ dump_data(lvl, val->v.binary.data,
+ val->v.binary.length);
+ break;
+ default:
+ DEBUG(lvl,("unsupported type: %d\n", val->type));
+ break;
+ }
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_reg_entry(uint32_t flags,
+ const char *dir,
+ struct gp_registry_entry *entry)
+{
+ if (!(flags & GPO_INFO_FLAG_VERBOSE))
+ return;
+
+ dump_reg_val(1, dir,
+ entry->key,
+ entry->value,
+ entry->data);
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_reg_entries(uint32_t flags,
+ const char *dir,
+ struct gp_registry_entry *entries,
+ size_t num_entries)
+{
+ size_t i;
+
+ if (!(flags & GPO_INFO_FLAG_VERBOSE))
+ return;
+
+ for (i=0; i < num_entries; i++) {
+ dump_reg_entry(flags, dir, &entries[i]);
+ }
+}
+
+/****************************************************************
+****************************************************************/
+
+bool add_gp_registry_entry_to_array(TALLOC_CTX *mem_ctx,
+ struct gp_registry_entry *entry,
+ struct gp_registry_entry **entries,
+ size_t *num)
+{
+ *entries = TALLOC_REALLOC_ARRAY(mem_ctx, *entries,
+ struct gp_registry_entry,
+ (*num)+1);
+
+ if (*entries == NULL) {
+ *num = 0;
+ return false;
+ }
+
+ (*entries)[*num].action = entry->action;
+ (*entries)[*num].key = entry->key;
+ (*entries)[*num].value = entry->value;
+ (*entries)[*num].data = entry->data;
+
+ *num += 1;
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+static const char *gp_reg_action_str(enum gp_reg_action action)
+{
+ switch (action) {
+ case GP_REG_ACTION_NONE:
+ return "GP_REG_ACTION_NONE";
+ case GP_REG_ACTION_ADD_VALUE:
+ return "GP_REG_ACTION_ADD_VALUE";
+ case GP_REG_ACTION_ADD_KEY:
+ return "GP_REG_ACTION_ADD_KEY";
+ case GP_REG_ACTION_DEL_VALUES:
+ return "GP_REG_ACTION_DEL_VALUES";
+ case GP_REG_ACTION_DEL_VALUE:
+ return "GP_REG_ACTION_DEL_VALUE";
+ case GP_REG_ACTION_DEL_ALL_VALUES:
+ return "GP_REG_ACTION_DEL_ALL_VALUES";
+ case GP_REG_ACTION_DEL_KEYS:
+ return "GP_REG_ACTION_DEL_KEYS";
+ case GP_REG_ACTION_SEC_KEY_SET:
+ return "GP_REG_ACTION_SEC_KEY_SET";
+ case GP_REG_ACTION_SEC_KEY_RESET:
+ return "GP_REG_ACTION_SEC_KEY_RESET";
+ default:
+ return "unknown";
+ }
+}
+
+/****************************************************************
+****************************************************************/
+
+WERROR reg_apply_registry_entry(TALLOC_CTX *mem_ctx,
+ struct registry_key *root_key,
+ struct gp_registry_context *reg_ctx,
+ struct gp_registry_entry *entry,
+ const struct nt_user_token *token,
+ uint32_t flags)
+{
+ WERROR werr;
+ struct registry_key *key = NULL;
+
+ if (flags & GPO_INFO_FLAG_VERBOSE) {
+ printf("about to store key: [%s]\n", entry->key);
+ printf(" value: [%s]\n", entry->value);
+ printf(" data: [%s]\n", reg_type_lookup(entry->data->type));
+ printf(" action: [%s]\n", gp_reg_action_str(entry->action));
+ }
+
+ werr = gp_store_reg_subkey(mem_ctx, entry->key,
+ root_key, &key);
+ /* reg_ctx->curr_key, &key); */
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("gp_store_reg_subkey failed: %s\n", dos_errstr(werr)));
+ return werr;
+ }
+
+ switch (entry->action) {
+ case GP_REG_ACTION_NONE:
+ case GP_REG_ACTION_ADD_KEY:
+ return WERR_OK;
+
+ case GP_REG_ACTION_SEC_KEY_SET:
+ werr = gp_secure_key(mem_ctx, flags,
+ key,
+ &token->user_sids[0]);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("reg_apply_registry_entry: "
+ "gp_secure_key failed: %s\n",
+ dos_errstr(werr)));
+ return werr;
+ }
+ break;
+ case GP_REG_ACTION_ADD_VALUE:
+ werr = reg_setvalue(key, entry->value, entry->data);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("reg_apply_registry_entry: "
+ "reg_setvalue failed: %s\n",
+ dos_errstr(werr)));
+ dump_reg_entry(flags, "STORE", entry);
+ return werr;
+ }
+ break;
+ case GP_REG_ACTION_DEL_VALUE:
+ werr = reg_deletevalue(key, entry->value);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("reg_apply_registry_entry: "
+ "reg_deletevalue failed: %s\n",
+ dos_errstr(werr)));
+ dump_reg_entry(flags, "STORE", entry);
+ return werr;
+ }
+ break;
+ case GP_REG_ACTION_DEL_ALL_VALUES:
+ werr = reg_deleteallvalues(key);
+ if (!W_ERROR_IS_OK(werr)) {
+ DEBUG(0,("reg_apply_registry_entry: "
+ "reg_deleteallvalues failed: %s\n",
+ dos_errstr(werr)));
+ dump_reg_entry(flags, "STORE", entry);
+ return werr;
+ }
+ break;
+ case GP_REG_ACTION_DEL_VALUES:
+ case GP_REG_ACTION_DEL_KEYS:
+ case GP_REG_ACTION_SEC_KEY_RESET:
+ DEBUG(0,("reg_apply_registry_entry: "
+ "not yet supported: %s (%d)\n",
+ gp_reg_action_str(entry->action),
+ entry->action));
+ return WERR_NOT_SUPPORTED;
+ default:
+ DEBUG(0,("invalid action: %d\n", entry->action));
+ return WERR_INVALID_PARAM;
+ }
+
+ return werr;
+}
+
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
new file mode 100644
index 0000000000..42ab72a99b
--- /dev/null
+++ b/source3/libgpo/gpo_sec.c
@@ -0,0 +1,186 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2007
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+/****************************************************************
+****************************************************************/
+
+static bool gpo_sd_check_agp_object_guid(const struct security_ace_object *object)
+{
+ struct GUID ext_right_apg_guid;
+ NTSTATUS status;
+
+ if (!object) {
+ return false;
+ }
+
+ status = GUID_from_string(ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY,
+ &ext_right_apg_guid);
+ if (!NT_STATUS_IS_OK(status)) {
+ return false;
+ }
+
+ switch (object->flags) {
+ case SEC_ACE_OBJECT_PRESENT:
+ if (GUID_equal(&object->type.type,
+ &ext_right_apg_guid)) {
+ return True;
+ }
+ case SEC_ACE_OBJECT_INHERITED_PRESENT:
+ if (GUID_equal(&object->inherited_type.inherited_type,
+ &ext_right_apg_guid)) {
+ return True;
+ }
+ default:
+ break;
+ }
+
+ return false;
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool gpo_sd_check_agp_object(const SEC_ACE *ace)
+{
+ if (!sec_ace_object(ace->type)) {
+ return false;
+ }
+
+ return gpo_sd_check_agp_object_guid(&ace->object.object);
+}
+
+/****************************************************************
+****************************************************************/
+
+static bool gpo_sd_check_agp_access_bits(uint32_t access_mask)
+{
+ return (access_mask & SEC_RIGHTS_EXTENDED);
+}
+
+#if 0
+/****************************************************************
+****************************************************************/
+
+static bool gpo_sd_check_read_access_bits(uint32_t access_mask)
+{
+ uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
+ SEC_RIGHTS_READ_ALL_PROP |
+ SEC_RIGHTS_READ_PERMS;
+
+ return (read_bits == (access_mask & read_bits));
+}
+#endif
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
+ const struct nt_user_token *token)
+{
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ nt_token_check_sid(&ace->trustee, token)) {
+ DEBUG(10,("gpo_sd_check_ace_denied_object: "
+ "Access denied as of ace for %s\n",
+ sid_string_dbg(&ace->trustee)));
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
+ const struct nt_user_token *token)
+{
+ if (gpo_sd_check_agp_object(ace) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ nt_token_check_sid(&ace->trustee, token)) {
+ DEBUG(10,("gpo_sd_check_ace_allowed_object: "
+ "Access granted as of ace for %s\n",
+ sid_string_dbg(&ace->trustee)));
+ return NT_STATUS_OK;
+ }
+
+ return STATUS_MORE_ENTRIES;
+}
+
+/****************************************************************
+****************************************************************/
+
+static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
+ const struct nt_user_token *token)
+{
+ switch (ace->type) {
+ case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
+ return gpo_sd_check_ace_denied_object(ace, token);
+ case SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT:
+ return gpo_sd_check_ace_allowed_object(ace, token);
+ default:
+ return STATUS_MORE_ENTRIES;
+ }
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
+ const struct nt_user_token *token)
+{
+ SEC_DESC *sd = gpo->security_descriptor;
+ SEC_ACL *dacl = NULL;
+ NTSTATUS status = NT_STATUS_ACCESS_DENIED;
+ int i;
+
+ if (!token) {
+ return NT_STATUS_INVALID_USER_BUFFER;
+ }
+
+ if (!sd) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ dacl = sd->dacl;
+ if (!dacl) {
+ return NT_STATUS_INVALID_SECURITY_DESCR;
+ }
+
+ /* check all aces and only return NT_STATUS_OK (== Access granted) or
+ * NT_STATUS_ACCESS_DENIED ( == Access denied) - the default is to
+ * deny access */
+
+ for (i = 0; i < dacl->num_aces; i ++) {
+
+ status = gpo_sd_check_ace(&dacl->aces[i], token);
+
+ if (NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+ return status;
+ } else if (NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ continue;
+ }
+
+ return NT_STATUS_ACCESS_DENIED;
+}
diff --git a/source3/libgpo/gpo_util.c b/source3/libgpo/gpo_util.c
new file mode 100644
index 0000000000..04597b3b57
--- /dev/null
+++ b/source3/libgpo/gpo_util.c
@@ -0,0 +1,870 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2005-2008
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include "includes.h"
+
+#define DEFAULT_DOMAIN_POLICY "Default Domain Policy"
+#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
+
+/* should we store a parsed guid ? */
+struct gp_table {
+ const char *name;
+ const char *guid_string;
+};
+
+#if 0 /* unused */
+static struct gp_table gpo_default_policy[] = {
+ { DEFAULT_DOMAIN_POLICY,
+ "31B2F340-016D-11D2-945F-00C04FB984F9" },
+ { DEFAULT_DOMAIN_CONTROLLERS_POLICY,
+ "6AC1786C-016F-11D2-945F-00C04fB984F9" },
+ { NULL, NULL }
+};
+#endif
+
+/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
+
+static struct gp_table gpo_cse_extensions[] = {
+ /* used to be "Administrative Templates Extension" */
+ /* "Registry Settings"
+ (http://support.microsoft.com/kb/216357/EN-US/) */
+ { "Registry Settings",
+ GP_EXT_GUID_REGISTRY },
+ { "Microsoft Disc Quota",
+ "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
+ { "EFS recovery",
+ "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
+ { "Folder Redirection",
+ "25537BA6-77A8-11D2-9B6C-0000F8080861" },
+ { "IP Security",
+ "E437BC1C-AA7D-11D2-A382-00C04F991E27" },
+ { "Internet Explorer Branding",
+ "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
+ { "QoS Packet Scheduler",
+ "426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
+ { "Scripts",
+ GP_EXT_GUID_SCRIPTS },
+ { "Security",
+ GP_EXT_GUID_SECURITY },
+ { "Software Installation",
+ "C6DC5466-785A-11D2-84D0-00C04FB169F7" },
+ { "Wireless Group Policy",
+ "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
+ { "Application Management",
+ "C6DC5466-785A-11D2-84D0-00C04FB169F7" },
+ { "unknown",
+ "3060E8D0-7020-11D2-842D-00C04FA372D4" },
+ { NULL, NULL }
+};
+
+/* guess work */
+static struct gp_table gpo_cse_snapin_extensions[] = {
+ { "Administrative Templates",
+ "0F6B957D-509E-11D1-A7CC-0000F87571E3" },
+ { "Certificates",
+ "53D6AB1D-2488-11D1-A28C-00C04FB94F17" },
+ { "EFS recovery policy processing",
+ "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
+ { "Folder Redirection policy processing",
+ "25537BA6-77A8-11D2-9B6C-0000F8080861" },
+ { "Folder Redirection",
+ "88E729D6-BDC1-11D1-BD2A-00C04FB9603F" },
+ { "Registry policy processing",
+ "35378EAC-683F-11D2-A89A-00C04FBBCFA2" },
+ { "Remote Installation Services",
+ "3060E8CE-7020-11D2-842D-00C04FA372D4" },
+ { "Security Settings",
+ "803E14A0-B4FB-11D0-A0D0-00A0C90F574B" },
+ { "Security policy processing",
+ "827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
+ { "unknown",
+ "3060E8D0-7020-11D2-842D-00C04FA372D4" },
+ { "unknown2",
+ "53D6AB1B-2488-11D1-A28C-00C04FB94F17" },
+ { NULL, NULL }
+};
+
+/****************************************************************
+****************************************************************/
+
+static const char *name_to_guid_string(const char *name,
+ struct gp_table *table)
+{
+ int i;
+
+ for (i = 0; table[i].name; i++) {
+ if (strequal(name, table[i].name)) {
+ return table[i].guid_string;
+ }
+ }
+
+ return NULL;
+}
+
+/****************************************************************
+****************************************************************/
+
+static const char *guid_string_to_name(const char *guid_string,
+ struct gp_table *table)
+{
+ int i;
+
+ for (i = 0; table[i].guid_string; i++) {
+ if (strequal(guid_string, table[i].guid_string)) {
+ return table[i].name;
+ }
+ }
+
+ return NULL;
+}
+
+/****************************************************************
+****************************************************************/
+
+static const char *snapin_guid_string_to_name(const char *guid_string,
+ struct gp_table *table)
+{
+ int i;
+ for (i = 0; table[i].guid_string; i++) {
+ if (strequal(guid_string, table[i].guid_string)) {
+ return table[i].name;
+ }
+ }
+ return NULL;
+}
+
+#if 0 /* unused */
+static const char *default_gpo_name_to_guid_string(const char *name)
+{
+ return name_to_guid_string(name, gpo_default_policy);
+}
+
+static const char *default_gpo_guid_string_to_name(const char *guid)
+{
+ return guid_string_to_name(guid, gpo_default_policy);
+}
+#endif
+
+/****************************************************************
+****************************************************************/
+
+const char *cse_gpo_guid_string_to_name(const char *guid)
+{
+ return guid_string_to_name(guid, gpo_cse_extensions);
+}
+
+/****************************************************************
+****************************************************************/
+
+const char *cse_gpo_name_to_guid_string(const char *name)
+{
+ return name_to_guid_string(name, gpo_cse_extensions);
+}
+
+/****************************************************************
+****************************************************************/
+
+const char *cse_snapin_gpo_guid_string_to_name(const char *guid)
+{
+ return snapin_guid_string_to_name(guid, gpo_cse_snapin_extensions);
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
+{
+ int lvl = debuglevel;
+ int i;
+
+ if (gp_ext == NULL) {
+ return;
+ }
+
+ DEBUG(lvl,("\t---------------------\n\n"));
+ DEBUGADD(lvl,("\tname:\t\t\t%s\n", gp_ext->gp_extension));
+
+ for (i=0; i< gp_ext->num_exts; i++) {
+
+ DEBUGADD(lvl,("\textension:\t\t\t%s\n",
+ gp_ext->extensions_guid[i]));
+ DEBUGADD(lvl,("\textension (name):\t\t\t%s\n",
+ gp_ext->extensions[i]));
+
+ DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n",
+ gp_ext->snapins_guid[i]));
+ DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n",
+ gp_ext->snapins[i]));
+ }
+}
+
+#ifdef HAVE_LDAP
+
+/****************************************************************
+****************************************************************/
+
+void dump_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo,
+ int debuglevel)
+{
+ int lvl = debuglevel;
+
+ if (gpo == NULL) {
+ return;
+ }
+
+ DEBUG(lvl,("---------------------\n\n"));
+
+ DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
+ DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
+ DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
+ DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n",
+ GPO_VERSION_USER(gpo->version),
+ GPO_VERSION_USER(gpo->version)));
+ DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n",
+ GPO_VERSION_MACHINE(gpo->version),
+ GPO_VERSION_MACHINE(gpo->version)));
+ DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
+ DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
+
+ DEBUGADD(lvl,("options:\t\t%d ", gpo->options));
+ switch (gpo->options) {
+ case GPFLAGS_ALL_ENABLED:
+ DEBUGADD(lvl,("GPFLAGS_ALL_ENABLED\n"));
+ break;
+ case GPFLAGS_USER_SETTINGS_DISABLED:
+ DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED\n"));
+ break;
+ case GPFLAGS_MACHINE_SETTINGS_DISABLED:
+ DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED\n"));
+ break;
+ case GPFLAGS_ALL_DISABLED:
+ DEBUGADD(lvl,("GPFLAGS_ALL_DISABLED\n"));
+ break;
+ default:
+ DEBUGADD(lvl,("unknown option: %d\n", gpo->options));
+ break;
+ }
+
+ DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link));
+ DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type));
+ switch (gpo->link_type) {
+ case GP_LINK_UNKOWN:
+ DEBUGADD(lvl,("GP_LINK_UNKOWN\n"));
+ break;
+ case GP_LINK_OU:
+ DEBUGADD(lvl,("GP_LINK_OU\n"));
+ break;
+ case GP_LINK_DOMAIN:
+ DEBUGADD(lvl,("GP_LINK_DOMAIN\n"));
+ break;
+ case GP_LINK_SITE:
+ DEBUGADD(lvl,("GP_LINK_SITE\n"));
+ break;
+ case GP_LINK_MACHINE:
+ DEBUGADD(lvl,("GP_LINK_MACHINE\n"));
+ break;
+ default:
+ break;
+ }
+
+ DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions));
+
+ if (gpo->machine_extensions) {
+
+ struct GP_EXT *gp_ext = NULL;
+
+ if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
+ &gp_ext)) {
+ return;
+ }
+ dump_gp_ext(gp_ext, lvl);
+ }
+
+ DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
+
+ if (gpo->user_extensions) {
+
+ struct GP_EXT *gp_ext = NULL;
+
+ if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
+ &gp_ext)) {
+ return;
+ }
+ dump_gp_ext(gp_ext, lvl);
+ }
+
+ DEBUGADD(lvl,("security descriptor:\n"));
+
+ ads_disp_sd(ads, mem_ctx, gpo->security_descriptor);
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo_list,
+ int debuglevel)
+{
+ struct GROUP_POLICY_OBJECT *gpo = NULL;
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+ dump_gpo(ads, mem_ctx, gpo, debuglevel);
+ }
+}
+
+/****************************************************************
+****************************************************************/
+
+void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
+{
+ ADS_STATUS status;
+ int i;
+ int lvl = 10;
+
+ if (gp_link == NULL) {
+ return;
+ }
+
+ DEBUG(lvl,("---------------------\n\n"));
+
+ DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link));
+ DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts));
+ switch (gp_link->gp_opts) {
+ case GPOPTIONS_INHERIT:
+ DEBUGADD(lvl,("GPOPTIONS_INHERIT\n"));
+ break;
+ case GPOPTIONS_BLOCK_INHERITANCE:
+ DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n"));
+ break;
+ default:
+ break;
+ }
+
+ DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
+
+ for (i = 0; i < gp_link->num_links; i++) {
+
+ DEBUGADD(lvl,("---------------------\n\n"));
+
+ DEBUGADD(lvl,("link: #%d\n", i + 1));
+ DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
+
+ DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i]));
+ if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) {
+ DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED "));
+ }
+ if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
+ DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED"));
+ }
+ DEBUGADD(lvl,("\n"));
+
+ if (ads != NULL && mem_ctx != NULL) {
+
+ struct GROUP_POLICY_OBJECT gpo;
+
+ status = ads_get_gpo(ads, mem_ctx,
+ gp_link->link_names[i],
+ NULL, NULL, &gpo);
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(lvl,("get gpo for %s failed: %s\n",
+ gp_link->link_names[i],
+ ads_errstr(status)));
+ return;
+ }
+ dump_gpo(ads, mem_ctx, &gpo, lvl);
+ }
+ }
+}
+
+#endif /* HAVE_LDAP */
+
+/****************************************************************
+****************************************************************/
+
+static bool gpo_get_gp_ext_from_gpo(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct GROUP_POLICY_OBJECT *gpo,
+ struct GP_EXT **gp_ext)
+{
+ ZERO_STRUCTP(*gp_ext);
+
+ if (flags & GPO_INFO_FLAG_MACHINE) {
+
+ if (gpo->machine_extensions) {
+
+ if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
+ gp_ext)) {
+ return false;
+ }
+ }
+ } else {
+
+ if (gpo->user_extensions) {
+
+ if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
+ gp_ext)) {
+ return false;
+ }
+ }
+ }
+
+ return true;
+}
+
+/****************************************************************
+****************************************************************/
+
+ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
+ struct registry_key *root_key,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid_filter,
+ uint32_t flags)
+{
+ struct GP_EXT *gp_ext = NULL;
+ int i;
+
+ DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n",
+ gpo->name, gpo->display_name));
+ if (extension_guid_filter) {
+ DEBUGADD(10,("gpo_process_a_gpo: using filter %s (%s)\n",
+ extension_guid_filter,
+ cse_gpo_guid_string_to_name(extension_guid_filter)));
+ }
+
+ if (!gpo_get_gp_ext_from_gpo(mem_ctx, flags, gpo, &gp_ext)) {
+ return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
+ }
+
+ if (!gp_ext || !gp_ext->num_exts) {
+ if (flags & GPO_INFO_FLAG_VERBOSE) {
+ DEBUG(0,("gpo_process_a_gpo: "
+ "no policies in %s (%s) for this extension\n",
+ gpo->name, gpo->display_name));
+ }
+ return ADS_SUCCESS;
+ }
+
+ for (i=0; i<gp_ext->num_exts; i++) {
+
+ NTSTATUS ntstatus;
+
+ if (extension_guid_filter &&
+ !strequal(extension_guid_filter,
+ gp_ext->extensions_guid[i])) {
+ continue;
+ }
+
+ ntstatus = gpext_process_extension(ads, mem_ctx,
+ flags, token, root_key, gpo,
+ gp_ext->extensions_guid[i],
+ gp_ext->snapins_guid[i]);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ ADS_ERROR_NT(ntstatus);
+ }
+ }
+
+ return ADS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+static ADS_STATUS gpo_process_gpo_list_by_ext(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
+ struct registry_key *root_key,
+ struct GROUP_POLICY_OBJECT *gpo_list,
+ const char *extensions_guid,
+ uint32_t flags)
+{
+ ADS_STATUS status;
+ struct GROUP_POLICY_OBJECT *gpo;
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+
+ if (gpo->link_type == GP_LINK_LOCAL) {
+ continue;
+ }
+
+
+ /* FIXME: we need to pass down the *list* down to the
+ * extension, otherwise we cannot store the e.g. the *list* of
+ * logon-scripts correctly (for more then one GPO) */
+
+ status = gpo_process_a_gpo(ads, mem_ctx, token, root_key,
+ gpo, extensions_guid, flags);
+
+ if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("failed to process gpo by ext: %s\n",
+ ads_errstr(status)));
+ return status;
+ }
+ }
+
+ return ADS_SUCCESS;
+}
+
+/****************************************************************
+****************************************************************/
+
+ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo_list,
+ const char *extensions_guid_filter,
+ uint32_t flags)
+{
+ ADS_STATUS status = ADS_SUCCESS;
+ struct gp_extension *gp_ext_list = NULL;
+ struct gp_extension *gp_ext = NULL;
+ struct registry_key *root_key = NULL;
+ struct gp_registry_context *reg_ctx = NULL;
+ WERROR werr;
+
+ status = ADS_ERROR_NT(init_gp_extensions(mem_ctx));
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ gp_ext_list = get_gp_extension_list();
+ if (!gp_ext_list) {
+ return ADS_ERROR_NT(NT_STATUS_DLL_INIT_FAILED);
+ }
+
+ /* get the key here */
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE,
+ get_system_token(),
+ &reg_ctx);
+ } else {
+ werr = gp_init_reg_ctx(mem_ctx, KEY_HKCU, REG_KEY_WRITE,
+ token,
+ &reg_ctx);
+ }
+ if (!W_ERROR_IS_OK(werr)) {
+ gp_free_reg_ctx(reg_ctx);
+ return ADS_ERROR_NT(werror_to_ntstatus(werr));
+ }
+
+ root_key = reg_ctx->curr_key;
+
+ for (gp_ext = gp_ext_list; gp_ext; gp_ext = gp_ext->next) {
+
+ const char *guid_str = NULL;
+
+ guid_str = GUID_string(mem_ctx, gp_ext->guid);
+ if (!guid_str) {
+ status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ goto done;
+ }
+
+ if (extensions_guid_filter &&
+ (!strequal(guid_str, extensions_guid_filter))) {
+ continue;
+ }
+
+ DEBUG(0,("-------------------------------------------------\n"));
+ DEBUG(0,("gpo_process_gpo_list: processing ext: %s {%s}\n",
+ gp_ext->name, guid_str));
+
+
+ status = gpo_process_gpo_list_by_ext(ads, mem_ctx, token,
+ root_key, gpo_list,
+ guid_str, flags);
+ if (!ADS_ERR_OK(status)) {
+ goto done;
+ }
+ }
+
+ done:
+ gp_free_reg_ctx(reg_ctx);
+ TALLOC_FREE(root_key);
+ free_gp_extensions();
+
+ return status;
+}
+
+
+/****************************************************************
+ check wether the version number in a GROUP_POLICY_OBJECT match those of the
+ locally stored version. If not, fetch the required policy via CIFS
+****************************************************************/
+
+NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct GROUP_POLICY_OBJECT *gpo,
+ struct cli_state **cli_out)
+{
+ NTSTATUS result;
+ char *server = NULL;
+ char *share = NULL;
+ char *nt_path = NULL;
+ char *unix_path = NULL;
+ uint32_t sysvol_gpt_version = 0;
+ char *display_name = NULL;
+ struct cli_state *cli = NULL;
+
+ result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ &server, &share, &nt_path, &unix_path);
+
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ result = gpo_get_sysvol_gpt_version(mem_ctx,
+ unix_path,
+ &sysvol_gpt_version,
+ &display_name);
+ if (!NT_STATUS_IS_OK(result) &&
+ !NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to get local gpt version: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n",
+ gpo->version, sysvol_gpt_version));
+
+ /* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
+
+ while (gpo->version > sysvol_gpt_version) {
+
+ DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
+
+ if (*cli_out == NULL) {
+
+ result = cli_full_connection(&cli,
+ global_myname(),
+ ads->config.ldap_server_name,
+ /* server */
+ NULL, 0,
+ share, "A:",
+ ads->auth.user_name, NULL,
+ ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS |
+ CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS,
+ Undefined, NULL);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to connect: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ *cli_out = cli;
+ }
+
+ result = gpo_fetch_files(mem_ctx, *cli_out, gpo);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+
+ result = gpo_get_sysvol_gpt_version(mem_ctx,
+ unix_path,
+ &sysvol_gpt_version,
+ &display_name);
+ if (!NT_STATUS_IS_OK(result)) {
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to get local gpt version: %s\n",
+ nt_errstr(result)));
+ goto out;
+ }
+
+ if (gpo->version == sysvol_gpt_version) {
+ break;
+ }
+ }
+
+ DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name));
+ DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
+ sysvol_gpt_version,
+ GPO_VERSION_USER(sysvol_gpt_version),
+ GPO_VERSION_MACHINE(sysvol_gpt_version)));
+ DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
+ gpo->version,
+ GPO_VERSION_USER(gpo->version),
+ GPO_VERSION_MACHINE(gpo->version)));
+ DEBUGADD(10,("LDAP GPO link:\t\t%s\n", gpo->link));
+
+ result = NT_STATUS_OK;
+
+ out:
+ return result;
+
+}
+
+/****************************************************************
+ check wether the version numbers in the gpo_list match the locally stored, if
+ not, go and get each required GPO via CIFS
+ ****************************************************************/
+
+NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ struct GROUP_POLICY_OBJECT *gpo_list)
+{
+ NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
+ struct cli_state *cli = NULL;
+ struct GROUP_POLICY_OBJECT *gpo;
+
+ if (!gpo_list) {
+ return NT_STATUS_INVALID_PARAMETER;
+ }
+
+ for (gpo = gpo_list; gpo; gpo = gpo->next) {
+
+ result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli);
+ if (!NT_STATUS_IS_OK(result)) {
+ goto out;
+ }
+ }
+
+ result = NT_STATUS_OK;
+
+ out:
+ if (cli) {
+ cli_shutdown(cli);
+ }
+
+ return result;
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gpo_get_unix_path(TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo,
+ char **unix_path)
+{
+ char *server, *share, *nt_path;
+ return gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ &server, &share, &nt_path, unix_path);
+}
+
+/****************************************************************
+****************************************************************/
+
+char *gpo_flag_str(uint32_t flags)
+{
+ fstring str = "";
+
+ if (flags == 0) {
+ return NULL;
+ }
+
+ if (flags & GPO_INFO_FLAG_SLOWLINK)
+ fstrcat(str, "GPO_INFO_FLAG_SLOWLINK ");
+ if (flags & GPO_INFO_FLAG_VERBOSE)
+ fstrcat(str, "GPO_INFO_FLAG_VERBOSE ");
+ if (flags & GPO_INFO_FLAG_SAFEMODE_BOOT)
+ fstrcat(str, "GPO_INFO_FLAG_SAFEMODE_BOOT ");
+ if (flags & GPO_INFO_FLAG_NOCHANGES)
+ fstrcat(str, "GPO_INFO_FLAG_NOCHANGES ");
+ if (flags & GPO_INFO_FLAG_MACHINE)
+ fstrcat(str, "GPO_INFO_FLAG_MACHINE ");
+ if (flags & GPO_INFO_FLAG_LOGRSOP_TRANSITION)
+ fstrcat(str, "GPO_INFO_FLAG_LOGRSOP_TRANSITION ");
+ if (flags & GPO_INFO_FLAG_LINKTRANSITION)
+ fstrcat(str, "GPO_INFO_FLAG_LINKTRANSITION ");
+ if (flags & GPO_INFO_FLAG_FORCED_REFRESH)
+ fstrcat(str, "GPO_INFO_FLAG_FORCED_REFRESH ");
+ if (flags & GPO_INFO_FLAG_BACKGROUND)
+ fstrcat(str, "GPO_INFO_FLAG_BACKGROUND ");
+
+ return SMB_STRDUP(str);
+}
+
+/****************************************************************
+****************************************************************/
+
+NTSTATUS gp_find_file(TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const char *filename,
+ const char *suffix,
+ const char **filename_out)
+{
+ const char *tmp = NULL;
+ SMB_STRUCT_STAT sbuf;
+ const char *path = NULL;
+
+ if (flags & GPO_LIST_FLAG_MACHINE) {
+ path = "Machine";
+ } else {
+ path = "User";
+ }
+
+ tmp = talloc_asprintf(mem_ctx, "%s/%s/%s", filename,
+ path, suffix);
+ NT_STATUS_HAVE_NO_MEMORY(tmp);
+
+ if (sys_stat(tmp, &sbuf) == 0) {
+ *filename_out = tmp;
+ return NT_STATUS_OK;
+ }
+
+ path = talloc_strdup_upper(mem_ctx, path);
+ NT_STATUS_HAVE_NO_MEMORY(path);
+
+ tmp = talloc_asprintf(mem_ctx, "%s/%s/%s", filename,
+ path, suffix);
+ NT_STATUS_HAVE_NO_MEMORY(tmp);
+
+ if (sys_stat(tmp, &sbuf) == 0) {
+ *filename_out = tmp;
+ return NT_STATUS_OK;
+ }
+
+ return NT_STATUS_NO_SUCH_FILE;
+}
+
+/****************************************************************
+****************************************************************/
+
+ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *dn,
+ struct nt_user_token **token)
+{
+ struct nt_user_token *ad_token = NULL;
+ ADS_STATUS status;
+ NTSTATUS ntstatus;
+
+#ifndef HAVE_ADS
+ return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
+#endif
+ status = ads_get_sid_token(ads, mem_ctx, dn, &ad_token);
+ if (!ADS_ERR_OK(status)) {
+ return status;
+ }
+
+ ntstatus = merge_nt_token(mem_ctx, ad_token, get_system_token(),
+ token);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ return ADS_ERROR_NT(ntstatus);
+ }
+
+ return ADS_SUCCESS;
+}
generated by cgit (git 2.34.1) at 2025-01-15 07:47:25 +0000