diff options
Diffstat (limited to 'source3/utils/net_ads_gpo.c')
| -rw-r--r-- | source3/utils/net_ads_gpo.c | 695 |
1 files changed, 695 insertions, 0 deletions
diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c new file mode 100644 index 0000000000..3c66325abe --- /dev/null +++ b/source3/utils/net_ads_gpo.c @@ -0,0 +1,695 @@ +/* + Samba Unix/Linux SMB client library + net ads commands for Group Policy + Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org) + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. +*/ + +#include "includes.h" +#include "utils/net.h" + +#ifdef HAVE_ADS + +static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv) +{ + TALLOC_CTX *mem_ctx; + ADS_STRUCT *ads; + ADS_STATUS status; + const char *dn = NULL; + struct GROUP_POLICY_OBJECT *gpo_list = NULL; + struct GROUP_POLICY_OBJECT *read_list = NULL; + uint32 uac = 0; + uint32 flags = 0; + struct GROUP_POLICY_OBJECT *gpo; + NTSTATUS result; + struct nt_user_token *token = NULL; + + if (argc < 1 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo refresh <username|machinename>\n" + " Lists all GPOs assigned to an account and " + "downloads them\n" + " username\tUser to refresh GPOs for\n" + " machinename\tMachine to refresh GPOs for\n"); + return -1; + } + + mem_ctx = talloc_init("net_ads_gpo_refresh"); + if (mem_ctx == NULL) { + return -1; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + d_printf("failed to connect AD server: %s\n", ads_errstr(status)); + goto out; + } + + status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); + if (!ADS_ERR_OK(status)) { + d_printf("failed to find samaccount for %s\n", argv[0]); + goto out; + } + + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + flags |= GPO_LIST_FLAG_MACHINE; + } + + d_printf("\n%s: '%s' has dn: '%s'\n\n", + (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", + argv[0], dn); + + d_printf("* fetching token "); + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + status = gp_get_machine_token(ads, mem_ctx, dn, &token); + } else { + status = ads_get_sid_token(ads, mem_ctx, dn, &token); + } + + if (!ADS_ERR_OK(status)) { + d_printf("failed: %s\n", ads_errstr(status)); + goto out; + } + d_printf("finished\n"); + + d_printf("* fetching GPO List "); + status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); + if (!ADS_ERR_OK(status)) { + d_printf("failed: %s\n", ads_errstr(status)); + goto out; + } + d_printf("finished\n"); + + d_printf("* refreshing Group Policy Data "); + if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, + flags, + gpo_list))) { + d_printf("failed: %s\n", nt_errstr(result)); + goto out; + } + d_printf("finished\n"); + + d_printf("* storing GPO list to registry "); + + { + WERROR werr = gp_reg_state_store(mem_ctx, flags, dn, + token, gpo_list); + if (!W_ERROR_IS_OK(werr)) { + d_printf("failed: %s\n", dos_errstr(werr)); + goto out; + } + } + + d_printf("finished\n"); + + if (c->opt_verbose) { + + d_printf("* dumping GPO list\n"); + + for (gpo = gpo_list; gpo; gpo = gpo->next) { + + dump_gpo(ads, mem_ctx, gpo, 0); +#if 0 + char *server, *share, *nt_path, *unix_path; + + d_printf("--------------------------------------\n"); + d_printf("Name:\t\t\t%s\n", gpo->display_name); + d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n", + gpo->version, + GPO_VERSION_USER(gpo->version), + GPO_VERSION_MACHINE(gpo->version)); + + result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, + &server, &share, &nt_path, + &unix_path); + if (!NT_STATUS_IS_OK(result)) { + d_printf("got: %s\n", nt_errstr(result)); + } + + d_printf("GPO stored on server: %s, share: %s\n", server, share); + d_printf("\tremote path:\t%s\n", nt_path); + d_printf("\tlocal path:\t%s\n", unix_path); +#endif + } + } + + d_printf("* re-reading GPO list from registry "); + + { + WERROR werr = gp_reg_state_read(mem_ctx, flags, + &token->user_sids[0], + &read_list); + if (!W_ERROR_IS_OK(werr)) { + d_printf("failed: %s\n", dos_errstr(werr)); + goto out; + } + } + + d_printf("finished\n"); + + if (c->opt_verbose) { + + d_printf("* dumping GPO list from registry\n"); + + for (gpo = read_list; gpo; gpo = gpo->next) { + + dump_gpo(ads, mem_ctx, gpo, 0); + +#if 0 + char *server, *share, *nt_path, *unix_path; + + d_printf("--------------------------------------\n"); + d_printf("Name:\t\t\t%s\n", gpo->display_name); + d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n", + gpo->version, + GPO_VERSION_USER(gpo->version), + GPO_VERSION_MACHINE(gpo->version)); + + result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, + &server, &share, &nt_path, + &unix_path); + if (!NT_STATUS_IS_OK(result)) { + d_printf("got: %s\n", nt_errstr(result)); + } + + d_printf("GPO stored on server: %s, share: %s\n", server, share); + d_printf("\tremote path:\t%s\n", nt_path); + d_printf("\tlocal path:\t%s\n", unix_path); +#endif + } + } + + out: + ads_destroy(&ads); + talloc_destroy(mem_ctx); + return 0; +} + +static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + LDAPMessage *res = NULL; + int num_reply = 0; + LDAPMessage *msg = NULL; + struct GROUP_POLICY_OBJECT gpo; + TALLOC_CTX *mem_ctx; + char *dn; + const char *attrs[] = { + "versionNumber", + "flags", + "gPCFileSysPath", + "displayName", + "name", + "gPCMachineExtensionNames", + "gPCUserExtensionNames", + "ntSecurityDescriptor", + NULL + }; + + if (c->display_usage) { + d_printf("Usage:\n" + "net ads gpo listall\n" + " List all GPOs on the DC\n"); + return 0; + } + + mem_ctx = talloc_init("net_ads_gpo_list_all"); + if (mem_ctx == NULL) { + return -1; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_do_search_all_sd_flags(ads, ads->config.bind_path, + LDAP_SCOPE_SUBTREE, + "(objectclass=groupPolicyContainer)", + attrs, + DACL_SECURITY_INFORMATION, + &res); + + if (!ADS_ERR_OK(status)) { + d_printf("search failed: %s\n", ads_errstr(status)); + goto out; + } + + num_reply = ads_count_replies(ads, res); + + d_printf("Got %d replies\n\n", num_reply); + + /* dump the results */ + for (msg = ads_first_entry(ads, res); + msg; + msg = ads_next_entry(ads, msg)) { + + if ((dn = ads_get_dn(ads, msg)) == NULL) { + goto out; + } + + status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo); + + if (!ADS_ERR_OK(status)) { + d_printf("ads_parse_gpo failed: %s\n", + ads_errstr(status)); + ads_memfree(ads, dn); + goto out; + } + + dump_gpo(ads, mem_ctx, &gpo, 0); + ads_memfree(ads, dn); + } + +out: + ads_msgfree(ads, res); + + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + LDAPMessage *res = NULL; + TALLOC_CTX *mem_ctx; + const char *dn = NULL; + uint32 uac = 0; + uint32 flags = 0; + struct GROUP_POLICY_OBJECT *gpo_list; + struct nt_user_token *token = NULL; + + if (argc < 1 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo list <username|machinename>\n" + " Lists all GPOs for machine/user\n" + " username\tUser to list GPOs for\n" + " machinename\tMachine to list GPOs for\n"); + return -1; + } + + mem_ctx = talloc_init("net_ads_gpo_list"); + if (mem_ctx == NULL) { + goto out; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); + if (!ADS_ERR_OK(status)) { + goto out; + } + + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + flags |= GPO_LIST_FLAG_MACHINE; + } + + d_printf("%s: '%s' has dn: '%s'\n", + (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", + argv[0], dn); + + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + status = gp_get_machine_token(ads, mem_ctx, dn, &token); + } else { + status = ads_get_sid_token(ads, mem_ctx, dn, &token); + } + + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); + if (!ADS_ERR_OK(status)) { + goto out; + } + + dump_gpo_list(ads, mem_ctx, gpo_list, 0); + +out: + ads_msgfree(ads, res); + + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +#if 0 +static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv) +{ + TALLOC_CTX *mem_ctx; + ADS_STRUCT *ads; + ADS_STATUS status; + const char *dn = NULL; + struct GROUP_POLICY_OBJECT *gpo_list; + uint32 uac = 0; + uint32 flags = 0; + struct nt_user_token *token = NULL; + const char *filter = NULL; + + if (argc < 1 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo apply <username|machinename>\n" + " Apply GPOs for machine/user\n" + " username\tUsername to apply GPOs for\n" + " machinename\tMachine to apply GPOs for\n"); + return -1; + } + + mem_ctx = talloc_init("net_ads_gpo_apply"); + if (mem_ctx == NULL) { + goto out; + } + + if (argc >= 2) { + filter = cse_gpo_name_to_guid_string(argv[1]); + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + d_printf("got: %s\n", ads_errstr(status)); + goto out; + } + + status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); + if (!ADS_ERR_OK(status)) { + d_printf("failed to find samaccount for %s: %s\n", + argv[0], ads_errstr(status)); + goto out; + } + + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + flags |= GPO_LIST_FLAG_MACHINE; + } + + if (opt_verbose) { + flags |= GPO_INFO_FLAG_VERBOSE; + } + + d_printf("%s: '%s' has dn: '%s'\n", + (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", + argv[0], dn); + + if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { + status = gp_get_machine_token(ads, mem_ctx, dn, &token); + } else { + status = ads_get_sid_token(ads, mem_ctx, dn, &token); + } + + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list, + filter, flags); + if (!ADS_ERR_OK(status)) { + d_printf("failed to process gpo list: %s\n", + ads_errstr(status)); + goto out; + } + +out: + ads_destroy(&ads); + talloc_destroy(mem_ctx); + return 0; +} +#endif + +static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + TALLOC_CTX *mem_ctx; + struct GP_LINK gp_link; + + if (argc < 1 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo linkget <container>\n" + " Lists gPLink of a containter\n" + " container\tContainer to get link for\n"); + return -1; + } + + mem_ctx = talloc_init("add_gpo_link"); + if (mem_ctx == NULL) { + return -1; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link); + if (!ADS_ERR_OK(status)) { + d_printf("get link for %s failed: %s\n", argv[0], + ads_errstr(status)); + goto out; + } + + dump_gplink(ads, mem_ctx, &gp_link); + +out: + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + uint32 gpo_opt = 0; + TALLOC_CTX *mem_ctx; + + if (argc < 2 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo linkadd <linkdn> <gpodn> [options]\n" + " Link a container to a GPO\n" + " linkdn\tContainer to link to a GPO\n" + " gpodn\tGPO to link container to\n"); + d_printf("note: DNs must be provided properly escaped.\n"); + d_printf("See RFC 4514 for details\n"); + return -1; + } + + mem_ctx = talloc_init("add_gpo_link"); + if (mem_ctx == NULL) { + return -1; + } + + if (argc == 3) { + gpo_opt = atoi(argv[2]); + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt); + if (!ADS_ERR_OK(status)) { + d_printf("link add failed: %s\n", ads_errstr(status)); + goto out; + } + +out: + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +#if 0 /* broken */ + +static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + TALLOC_CTX *mem_ctx; + + if (argc < 2 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo linkdelete <linkdn> <gpodn>\n" + " Delete a GPO link\n" + " <linkdn>\tContainer to delete GPO from\n" + " <gpodn>\tGPO to delete from container\n"); + return -1; + } + + mem_ctx = talloc_init("delete_gpo_link"); + if (mem_ctx == NULL) { + return -1; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]); + if (!ADS_ERR_OK(status)) { + d_printf("delete link failed: %s\n", ads_errstr(status)); + goto out; + } + +out: + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +#endif + +static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv) +{ + ADS_STRUCT *ads; + ADS_STATUS status; + TALLOC_CTX *mem_ctx; + struct GROUP_POLICY_OBJECT gpo; + + if (argc < 1 || c->display_usage) { + d_printf("Usage:\n" + "net ads gpo getgpo <gpo>\n" + " List speciefied GPO\n" + " gpo\t\tGPO to list\n"); + return -1; + } + + mem_ctx = talloc_init("ads_gpo_get_gpo"); + if (mem_ctx == NULL) { + return -1; + } + + status = ads_startup(c, false, &ads); + if (!ADS_ERR_OK(status)) { + goto out; + } + + if (strnequal(argv[0], "CN={", strlen("CN={"))) { + status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo); + } else { + status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo); + } + + if (!ADS_ERR_OK(status)) { + d_printf("get gpo for [%s] failed: %s\n", argv[0], + ads_errstr(status)); + goto out; + } + + dump_gpo(ads, mem_ctx, &gpo, 1); + +out: + talloc_destroy(mem_ctx); + ads_destroy(&ads); + + return 0; +} + +int net_ads_gpo(struct net_context *c, int argc, const char **argv) +{ + struct functable func[] = { +#if 0 + { + "apply", + net_ads_gpo_apply, + NET_TRANSPORT_ADS, + "Apply GPO to container", + "net ads gpo apply\n" + " Apply GPO to container" + }, +#endif + { + "getgpo", + net_ads_gpo_get_gpo, + NET_TRANSPORT_ADS, + "List specified GPO", + "net ads gpo getgpo\n" + " List specified GPO" + }, + { + "linkadd", + net_ads_gpo_link_add, + NET_TRANSPORT_ADS, + "Link a container to a GPO", + "net ads gpo linkadd\n" + " Link a container to a GPO" + }, +#if 0 + { + "linkdelete", + net_ads_gpo_link_delete, + NET_TRANSPORT_ADS, + "Delete GPO link from a container", + "net ads gpo linkdelete\n" + " Delete GPO link from a container" + }, +#endif + { + "linkget", + net_ads_gpo_link_get, + NET_TRANSPORT_ADS, + "Lists gPLink of containter", + "net ads gpo linkget\n" + " Lists gPLink of containter" + }, + { + "list", + net_ads_gpo_list, + NET_TRANSPORT_ADS, + "Lists all GPOs for machine/user", + "net ads gpo list\n" + " Lists all GPOs for machine/user" + }, + { + "listall", + net_ads_gpo_list_all, + NET_TRANSPORT_ADS, + "Lists all GPOs on a DC", + "net ads gpo listall\n" + " Lists all GPOs on a DC" + }, + { + "refresh", + net_ads_gpo_refresh, + NET_TRANSPORT_ADS, + "Lists all GPOs assigned to an account and downloads " + "them", + "net ads gpo refresh\n" + " Lists all GPOs assigned to an account and " + "downloads them" + }, + {NULL, NULL, 0, NULL, NULL} + }; + + return net_run_function(c, argc, argv, "net ads gpo", func); +} + +#endif /* HAVE_ADS */ |