summaryrefslogtreecommitdiff
path: root/source3
diff options
context:
space:
mode:
Diffstat (limited to 'source3')
-rw-r--r--source3/include/gpo.h27
-rw-r--r--source3/libgpo/gpo_ldap.c374
-rw-r--r--source3/libgpo/gpo_parse.c222
-rw-r--r--source3/libgpo/gpo_sec.c36
-rw-r--r--source3/libgpo/gpo_util.c426
-rw-r--r--source3/utils/net_ads_gpo.c20
6 files changed, 473 insertions, 632 deletions
diff --git a/source3/include/gpo.h b/source3/include/gpo.h
index 85a0b82d65..6ca159149f 100644
--- a/source3/include/gpo.h
+++ b/source3/include/gpo.h
@@ -1,23 +1,22 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
- * Copyright (C) Guenther Deschner 2005
- *
+ * Copyright (C) Guenther Deschner 2005-2007
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
-
enum GPO_LINK_TYPE {
GP_LINK_UNKOWN = 0,
GP_LINK_MACHINE = 1,
@@ -38,8 +37,8 @@ enum GPO_LINK_TYPE {
#define GPO_VERSION_MACHINE(x) (x & 0xffff)
struct GROUP_POLICY_OBJECT {
- uint32 options; /* GPFLAGS_* */
- uint32 version;
+ uint32_t options; /* GPFLAGS_* */
+ uint32_t version;
const char *ds_path;
const char *file_sys_path;
const char *display_name;
@@ -76,15 +75,15 @@ enum GPO_INHERIT {
struct GP_LINK {
const char *gp_link; /* raw link name */
- uint32 gp_opts; /* inheritance options GPO_INHERIT */
- uint32 num_links; /* number of links */
+ uint32_t gp_opts; /* inheritance options GPO_INHERIT */
+ uint32_t num_links; /* number of links */
char **link_names; /* array of parsed link names */
- uint32 *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
+ uint32_t *link_opts; /* array of parsed link opts GPO_LINK_OPT_* */
};
struct GP_EXT {
const char *gp_extension; /* raw extension name */
- uint32 num_exts;
+ uint32_t num_exts;
char **extensions;
char **extensions_guid;
char **snapins;
@@ -93,3 +92,7 @@ struct GP_EXT {
#define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI"
+
+#define GP_EXT_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
+#define GP_EXT_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2"
+#define GP_EXT_SCRIPTS "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c
index e32522ab5c..856bcd4e68 100644
--- a/source3/libgpo/gpo_ldap.c
+++ b/source3/libgpo/gpo_ldap.c
@@ -25,13 +25,13 @@
parse the raw extension string into a GP_EXT structure
****************************************************************/
-ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
- const char *extension_raw,
- struct GP_EXT **gp_ext)
+BOOL ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
+ const char *extension_raw,
+ struct GP_EXT **gp_ext)
{
- ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
+ BOOL ret = False;
struct GP_EXT *ext = NULL;
- char **ext_list;
+ char **ext_list = NULL;
char **ext_strings = NULL;
int i;
@@ -47,7 +47,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
}
ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
- if (ext_list == NULL) {
+ if (!ext_list) {
goto parse_error;
}
@@ -56,24 +56,23 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
}
ext->num_exts = i;
-
+
if (ext->num_exts) {
- ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
- ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
- ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
- ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, ext->num_exts);
- } else {
- ext->extensions = NULL;
- ext->extensions_guid = NULL;
- ext->snapins = NULL;
- ext->snapins_guid = NULL;
+ ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
+ ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ ext->num_exts);
}
ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
- if (ext->extensions == NULL || ext->extensions_guid == NULL ||
- ext->snapins == NULL || ext->snapins_guid == NULL ||
- ext->gp_extension == NULL) {
+ if (!ext->extensions || !ext->extensions_guid ||
+ !ext->snapins || !ext->snapins_guid ||
+ !ext->gp_extension) {
goto parse_error;
}
@@ -81,7 +80,7 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
int k;
char *p, *q;
-
+
DEBUGADD(10,("extension #%d\n", i));
p = ext_list[i];
@@ -105,14 +104,15 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
q++;
}
- ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
+ ext->extensions[i] = talloc_strdup(mem_ctx,
+ cse_gpo_guid_string_to_name(q));
ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
/* we might have no name for the guid */
if (ext->extensions_guid[i] == NULL) {
goto parse_error;
}
-
+
for (k = 1; ext_strings[k] != NULL; k++) {
char *m = ext_strings[k];
@@ -121,8 +121,10 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
m++;
}
- /* FIXME: theoretically there could be more than one snapin per extension */
- ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
+ /* FIXME: theoretically there could be more than one
+ * snapin per extension */
+ ext->snapins[i] = talloc_strdup(mem_ctx,
+ cse_snapin_gpo_guid_string_to_name(m));
ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
/* we might have no name for the guid */
@@ -134,35 +136,38 @@ ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
*gp_ext = ext;
- status = ADS_ERROR_NT(NT_STATUS_OK);
+ ret = True;
-parse_error:
+ parse_error:
if (ext_list) {
- str_list_free_talloc(mem_ctx, &ext_list);
+ str_list_free_talloc(mem_ctx, &ext_list);
}
if (ext_strings) {
- str_list_free_talloc(mem_ctx, &ext_strings);
+ str_list_free_talloc(mem_ctx, &ext_strings);
}
- return status;
+ return ret;
}
/****************************************************************
parse the raw link string into a GP_LINK structure
****************************************************************/
-static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
+static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
const char *gp_link_raw,
- uint32 options,
+ uint32_t options,
struct GP_LINK *gp_link)
{
+ ADS_STATUS status = ADS_ERROR(LDAP_NO_MEMORY);
char **link_list;
int i;
-
+
+ ZERO_STRUCTP(gp_link);
+
DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
- if (link_list == NULL) {
+ if (!link_list) {
goto parse_error;
}
@@ -172,18 +177,17 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->gp_opts = options;
gp_link->num_links = i;
-
+
if (gp_link->num_links) {
- gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
- gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
- } else {
- gp_link->link_names = NULL;
- gp_link->link_opts = NULL;
+ gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
+ gp_link->num_links);
+ gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
+ gp_link->num_links);
}
-
+
gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
- if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
+ if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
goto parse_error;
}
@@ -199,7 +203,7 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
};
p = strchr(q, ';');
-
+
if (p == NULL) {
goto parse_error;
}
@@ -212,23 +216,22 @@ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
gp_link->link_opts[i] = atoi(p + 1);
- DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i]));
- DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
+ DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
+ gp_link->link_names[i]));
+ DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
+ gp_link->link_opts[i]));
}
- if (link_list) {
- str_list_free_talloc(mem_ctx, &link_list);
- }
+ status = ADS_SUCCESS;
- return ADS_ERROR(LDAP_SUCCESS);
+ parse_error:
-parse_error:
if (link_list) {
str_list_free_talloc(mem_ctx, &link_list);
}
- return ADS_ERROR(LDAP_NO_MEMORY);
+ return status;
}
/****************************************************************
@@ -244,13 +247,14 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
const char *attrs[] = {"gPLink", "gPOptions", NULL};
LDAPMessage *res = NULL;
const char *gp_link;
- uint32 gp_options;
+ uint32_t gp_options;
ZERO_STRUCTP(gp_link_struct);
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
+ DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
return status;
}
@@ -260,33 +264,34 @@ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
- gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
ads_msgfree(ads, res);
- return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+ return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
}
/* perfectly legal to have no options */
if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
- DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
+ DEBUG(10,("ads_get_gpo_link: "
+ "no 'gPOptions' attribute found\n"));
gp_options = 0;
}
ads_msgfree(ads, res);
- return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
+ return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
}
/****************************************************************
helper call to add a gp link
****************************************************************/
-ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const char *link_dn,
- const char *gpo_dn,
- uint32 gpo_opt)
+ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *link_dn,
+ const char *gpo_dn,
+ uint32_t gpo_opt)
{
ADS_STATUS status;
const char *attrs[] = {"gPLink", NULL};
@@ -298,12 +303,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
* the gpo_dn is sane */
if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
- return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+ return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
}
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
+ DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
return status;
}
@@ -313,11 +319,13 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
- gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
- gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
+ gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
+ gpo_dn, gpo_opt);
} else {
- gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
+ gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
+ gp_link, gpo_dn, gpo_opt);
}
ads_msgfree(ads, res);
@@ -331,7 +339,7 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
return status;
}
- return ads_gen_mod(ads, link_dn, mods);
+ return ads_gen_mod(ads, link_dn, mods);
}
/****************************************************************
@@ -339,9 +347,9 @@ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
****************************************************************/
/* untested & broken */
-ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const char *link_dn,
+ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ const char *link_dn,
const char *gpo_dn)
{
ADS_STATUS status;
@@ -355,7 +363,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
}
-
+
if (gpo_dn[strlen(gpo_dn)] != ']') {
DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
@@ -363,7 +371,8 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
status = ads_search_dn(ads, &res, link_dn, attrs);
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
+ DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
+ ads_errstr(status)));
return status;
}
@@ -373,13 +382,14 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
}
- gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
+ gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
if (gp_link == NULL) {
return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
}
/* find link to delete */
- /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */
+ /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
+ gpo_dn, gpo_opt); */
ads_msgfree(ads, res);
ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
@@ -392,7 +402,7 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return status;
}
- return ads_gen_mod(ads, link_dn, mods);
+ return ads_gen_mod(ads, link_dn, mods);
}
/****************************************************************
@@ -425,19 +435,25 @@ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
return ADS_ERROR(LDAP_NO_MEMORY);
}
- gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
+ gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
+ "gPCFileSysPath");
ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
- gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
+ gpo->display_name = ads_pull_string(ads, mem_ctx, res,
+ "displayName");
ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
- gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
+ gpo->name = ads_pull_string(ads, mem_ctx, res,
+ "name");
ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
- gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
- gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
+ gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
+ "gPCMachineExtensionNames");
+ gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
+ "gPCUserExtensionNames");
- ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor);
+ ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
+ &gpo->security_descriptor);
ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
return ADS_ERROR(LDAP_SUCCESS);
@@ -458,11 +474,20 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
LDAPMessage *res = NULL;
char *dn;
const char *filter;
- const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath",
- "gPCFunctionalityVersion", "gPCMachineExtensionNames",
- "gPCUserExtensionNames", "gPCWQLFilter", "name",
- "versionNumber", "ntSecurityDescriptor", NULL};
- uint32 sd_flags = DACL_SECURITY_INFORMATION;
+ const char *attrs[] = {
+ "cn",
+ "displayName",
+ "flags",
+ "gPCFileSysPath",
+ "gPCFunctionalityVersion",
+ "gPCMachineExtensionNames",
+ "gPCUserExtensionNames",
+ "gPCWQLFilter",
+ "name",
+ "ntSecurityDescriptor",
+ "versionNumber",
+ NULL};
+ uint32_t sd_flags = DACL_SECURITY_INFORMATION;
ZERO_STRUCTP(gpo);
@@ -471,30 +496,31 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
}
if (gpo_dn) {
-
+
if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
gpo_dn = gpo_dn + strlen("LDAP://");
}
- status = ads_search_retry_dn_sd_flags(ads, &res,
+ status = ads_search_retry_dn_sd_flags(ads, &res,
sd_flags,
gpo_dn, attrs);
-
+
} else if (display_name || guid_name) {
- filter = talloc_asprintf(mem_ctx,
- "(&(objectclass=groupPolicyContainer)(%s=%s))",
- display_name ? "displayName" : "name",
- display_name ? display_name : guid_name);
+ filter = talloc_asprintf(mem_ctx,
+ "(&(objectclass=groupPolicyContainer)(%s=%s))",
+ display_name ? "displayName" : "name",
+ display_name ? display_name : guid_name);
ADS_ERROR_HAVE_NO_MEMORY(filter);
status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE, filter,
+ LDAP_SCOPE_SUBTREE, filter,
attrs, sd_flags, &res);
}
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
+ DEBUG(10,("ads_get_gpo: search failed with %s\n",
+ ads_errstr(status)));
return status;
}
@@ -509,7 +535,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
ads_msgfree(ads, res);
return ADS_ERROR(LDAP_NO_MEMORY);
}
-
+
status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
ads_msgfree(ads, res);
ads_memfree(ads, dn);
@@ -522,7 +548,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
****************************************************************/
static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
+ TALLOC_CTX *mem_ctx,
struct GROUP_POLICY_OBJECT **gpo_list,
const char *link_dn,
struct GP_LINK *gp_link,
@@ -543,39 +569,47 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
}
if (only_add_forced_gpos) {
-
- if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
- DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
+
+ if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
+ DEBUG(10,("skipping nonenforced GPO link "
+ "because GPOPTIONS_BLOCK_INHERITANCE "
+ "has been set\n"));
continue;
} else {
- DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
+ DEBUG(10,("adding enforced GPO link although "
+ "the GPOPTIONS_BLOCK_INHERITANCE "
+ "has been set\n"));
}
}
new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
- status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
+ status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
+ NULL, NULL, new_gpo);
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i]));
+ DEBUG(10,("failed to get gpo: %s\n",
+ gp_link->link_names[i]));
return status;
}
- status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token));
+ status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
+ token));
if (!ADS_ERR_OK(status)) {
- DEBUG(10,("skipping GPO \"%s\" as object has no access to it\n",
+ DEBUG(10,("skipping GPO \"%s\" as object "
+ "has no access to it\n",
new_gpo->display_name));
TALLOC_FREE(new_gpo);
continue;
}
new_gpo->link = link_dn;
- new_gpo->link_type = link_type;
+ new_gpo->link_type = link_type;
DLIST_ADD(*gpo_list, new_gpo);
- DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n",
- i, gp_link->link_names[i]));
+ DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
+ "to GPO list\n", i, gp_link->link_names[i]));
}
return ADS_ERROR(LDAP_SUCCESS);
@@ -599,7 +633,7 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
struct nt_user_token *new_token = NULL;
int i;
- status = ads_get_tokensids(ads, mem_ctx, dn,
+ status = ads_get_tokensids(ads, mem_ctx, dn,
&object_sid, &primary_group_sid,
&ad_token_sids, &num_ad_token_sids);
if (!ADS_ERR_OK(status)) {
@@ -609,24 +643,24 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
ADS_ERROR_HAVE_NO_MEMORY(token_sids);
- if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
+ if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
&num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
for (i = 0; i < num_ad_token_sids; i++) {
-
+
if (sid_check_is_in_builtin(&ad_token_sids[i])) {
continue;
}
- if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
+ if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
&token_sids, &num_token_sids)) {
return ADS_ERROR(LDAP_NO_MEMORY);
}
}
- new_token = create_local_nt_token(mem_ctx, &object_sid, False,
+ new_token = create_local_nt_token(mem_ctx, &object_sid, False,
num_token_sids, token_sids);
ADS_ERROR_HAVE_NO_MEMORY(new_token);
@@ -638,20 +672,47 @@ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
}
/****************************************************************
+****************************************************************/
+
+static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT **gpo_list,
+ enum GPO_LINK_TYPE link_type)
+{
+ struct GROUP_POLICY_OBJECT *gpo = NULL;
+
+ ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
+
+ gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
+ ADS_ERROR_HAVE_NO_MEMORY(gpo);
+
+ gpo->name = talloc_strdup(mem_ctx, "Local Policy");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
+
+ gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
+ ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
+
+ gpo->link_type = link_type;
+
+ DLIST_ADD(*gpo_list, gpo);
+
+ return ADS_ERROR_NT(NT_STATUS_OK);
+}
+
+/****************************************************************
get the full list of GROUP_POLICY_OBJECTs for a given dn
****************************************************************/
-ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
+ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
const char *dn,
- uint32 flags,
+ uint32_t flags,
+ const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT **gpo_list)
{
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
-
+
ADS_STATUS status;
struct GP_LINK gp_link;
- struct nt_user_token *token = NULL;
const char *parent_dn, *site_dn, *tmp_dn;
BOOL add_only_forced_gpos = False;
@@ -663,25 +724,27 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
- status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ /* (L)ocal */
+ status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
+ GP_LINK_UNKOWN);
if (!ADS_ERR_OK(status)) {
return status;
}
- /* (L)ocal */
- /* not yet... */
-
/* (S)ite */
/* are site GPOs valid for users as well ??? */
if (flags & GPO_LIST_FLAG_MACHINE) {
- status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
+ status = ads_site_dn_for_machine(ads, mem_ctx,
+ ads->config.ldap_server_name,
+ &site_dn);
if (!ADS_ERR_OK(status)) {
return status;
}
- DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
+ DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
+ site_dn));
status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
if (ADS_ERR_OK(status)) {
@@ -690,8 +753,9 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
dump_gplink(ads, mem_ctx, &gp_link);
}
- status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
- site_dn, &gp_link, GP_LINK_SITE,
+ status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
+ site_dn, &gp_link,
+ GP_LINK_SITE,
add_only_forced_gpos,
token);
if (!ADS_ERR_OK(status)) {
@@ -708,33 +772,39 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
tmp_dn = dn;
- while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
- (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
+ while ((parent_dn = ads_parent_dn(tmp_dn)) &&
+ (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (D)omain */
/* An account can just be a member of one domain */
if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
- DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
+ DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
+ parent_dn));
- status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
+ status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
+ &gp_link);
if (ADS_ERR_OK(status)) {
-
+
if (DEBUGLEVEL >= 100) {
dump_gplink(ads, mem_ctx, &gp_link);
}
/* block inheritance from now on */
- if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
+ if (gp_link.gp_opts &
+ GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
- status = add_gplink_to_gpo_list(ads, mem_ctx,
- gpo_list, parent_dn,
- &gp_link, GP_LINK_DOMAIN,
- add_only_forced_gpos,
- token);
+ status = add_gplink_to_gpo_list(ads,
+ mem_ctx,
+ gpo_list,
+ parent_dn,
+ &gp_link,
+ GP_LINK_DOMAIN,
+ add_only_forced_gpos,
+ token);
if (!ADS_ERR_OK(status)) {
return status;
}
@@ -746,19 +816,21 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
/* reset dn again */
tmp_dn = dn;
-
- while ( (parent_dn = ads_parent_dn(tmp_dn)) &&
- (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
+
+ while ((parent_dn = ads_parent_dn(tmp_dn)) &&
+ (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
/* (O)rganizational(U)nit */
/* An account can be a member of more OUs */
if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
-
- DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
- status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
+ DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
+ parent_dn));
+
+ status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
+ &gp_link);
if (ADS_ERR_OK(status)) {
if (DEBUGLEVEL >= 100) {
@@ -766,15 +838,19 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
}
/* block inheritance from now on */
- if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
+ if (gp_link.gp_opts &
+ GPOPTIONS_BLOCK_INHERITANCE) {
add_only_forced_gpos = True;
}
- status = add_gplink_to_gpo_list(ads, mem_ctx,
- gpo_list, parent_dn,
- &gp_link, GP_LINK_OU,
- add_only_forced_gpos,
- token);
+ status = add_gplink_to_gpo_list(ads,
+ mem_ctx,
+ gpo_list,
+ parent_dn,
+ &gp_link,
+ GP_LINK_OU,
+ add_only_forced_gpos,
+ token);
if (!ADS_ERR_OK(status)) {
return status;
}
diff --git a/source3/libgpo/gpo_parse.c b/source3/libgpo/gpo_parse.c
index 5430fde01d..8118ed7213 100644
--- a/source3/libgpo/gpo_parse.c
+++ b/source3/libgpo/gpo_parse.c
@@ -74,225 +74,3 @@ NTSTATUS parse_gpt_ini(TALLOC_CTX *mem_ctx, const char *filename, uint32 *versio
return result;
}
-
-#if 0 /* not yet */
-
-/****************************************************************
- parse the Version section from gpttmpl file
-****************************************************************/
-
-#define GPTTMPL_SECTION_VERSION "Version"
-#define GPTTMPL_PARAMETER_REVISION "Revision"
-#define GPTTMPL_PARAMETER_SIGNATURE "signature"
-#define GPTTMPL_CHICAGO "$CHICAGO$" /* whatever this is good for... */
-#define GPTTMPL_SECTION_UNICODE "Unicode"
-#define GPTTMPL_PARAMETER_UNICODE "Unicode"
-
-static NTSTATUS parse_gpttmpl(dictionary *d, uint32 *version_out)
-{
- const char *signature = NULL;
- uint32 version;
-
- if ((signature = iniparser_getstring(d, GPTTMPL_SECTION_VERSION
- ":"GPTTMPL_PARAMETER_SIGNATURE, NULL)) == NULL) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if (!strequal(signature, GPTTMPL_CHICAGO)) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if ((version = iniparser_getint(d, GPTTMPL_SECTION_VERSION
- ":"GPTTMPL_PARAMETER_REVISION, Undefined)) == Undefined) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- if (version_out) {
- *version_out = version;
- }
-
- /* treat that as boolean */
- if ((!iniparser_getboolean(d, GPTTMPL_SECTION_UNICODE
- ":"GPTTMPL_PARAMETER_UNICODE, Undefined)) == Undefined) {
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
- }
-
- return NT_STATUS_OK;
-}
-
-/****************************************************************
- parse the "System Access" section from gpttmpl file
-****************************************************************/
-
-#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access"
-#define GPTTMPL_PARAMETER_MINPWDAGE "MinimumPasswordAge"
-#define GPTTMPL_PARAMETER_MAXPWDAGE "MaximumPasswordAge"
-#define GPTTMPL_PARAMETER_MINPWDLEN "MinimumPasswordLength"
-#define GPTTMPL_PARAMETER_PWDCOMPLEX "PasswordComplexity"
-#define GPTTMPL_PARAMETER_PWDHISTORY "PasswordHistorySize"
-#define GPTTMPL_PARAMETER_LOCKOUTCOUNT "LockoutBadCount"
-
-static NTSTATUS parse_gpttmpl_system_access(const char *filename)
-{
- NTSTATUS status;
- dictionary *d = NULL;
- uint32 pwd_min_age, pwd_max_age, pwd_min_len, pwd_history;
- uint32 lockout_count;
- BOOL pwd_complex;
- uint32 version;
-
- d = iniparser_load(filename);
- if (d == NULL) {
- return NT_STATUS_NO_SUCH_FILE;
- }
-
- status = parse_gpttmpl(d, &version);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
- status = NT_STATUS_INVALID_PARAMETER;
-
- if ((pwd_min_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
- goto out;
- }
-
- if ((pwd_max_age = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_MINPWDAGE, Undefined)) == Undefined) {
- goto out;
- }
-
- if ((pwd_min_len = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_MINPWDLEN, Undefined)) == Undefined) {
- goto out;
- }
-
- if ((pwd_complex = iniparser_getboolean(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_PWDCOMPLEX, Undefined)) == Undefined) {
- goto out;
- }
-
- if ((pwd_history = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_PWDHISTORY, Undefined)) == Undefined) {
- goto out;
- }
-
- if ((lockout_count = iniparser_getint(d, GPTTMPL_SECTION_SYSTEM_ACCESS
- ":"GPTTMPL_PARAMETER_LOCKOUTCOUNT, Undefined)) == Undefined) {
- goto out;
- }
-
- /* TODO ?
- RequireLogonToChangePassword = 0
- ForceLogoffWhenHourExpire = 0
- ClearTextPassword = 0
- */
-
- status = NT_STATUS_OK;
-
- out:
- if (d) {
- iniparser_freedict(d);
- }
-
- return status;
-}
-
-/****************************************************************
- parse the "Kerberos Policy" section from gpttmpl file
-****************************************************************/
-
-#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy"
-#define GPTTMPL_PARAMETER_MAXTKTAGE "MaxTicketAge"
-#define GPTTMPL_PARAMETER_MAXRENEWAGE "MaxRenewAge"
-#define GPTTMPL_PARAMETER_MAXTGSAGE "MaxServiceAge"
-#define GPTTMPL_PARAMETER_MAXCLOCKSKEW "MaxClockSkew"
-#define GPTTMPL_PARAMETER_TKTVALIDATECLIENT "TicketValidateClient"
-
-static NTSTATUS parse_gpttmpl_kerberos_policy(const char *filename)
-{
- NTSTATUS status;
- dictionary *d = NULL;
- uint32 tkt_max_age, tkt_max_renew, tgs_max_age, max_clock_skew;
- BOOL tkt_validate;
- uint32 version;
-
- d = iniparser_load(filename);
- if (d == NULL) {
- return NT_STATUS_NO_SUCH_FILE;
- }
-
- status = parse_gpttmpl(d, &version);
- if (!NT_STATUS_IS_OK(status)) {
- goto out;
- }
-
- status = NT_STATUS_INVALID_PARAMETER;
-
- if ((tkt_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
- ":"GPTTMPL_PARAMETER_MAXTKTAGE, Undefined)) != Undefined) {
- goto out;
- }
-
- if ((tkt_max_renew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
- ":"GPTTMPL_PARAMETER_MAXRENEWAGE, Undefined)) != Undefined) {
- goto out;
- }
-
- if ((tgs_max_age = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
- ":"GPTTMPL_PARAMETER_MAXTGSAGE, Undefined)) != Undefined) {
- goto out;
- }
-
- if ((max_clock_skew = iniparser_getint(d, GPTTMPL_SECTION_KERBEROS_POLICY
- ":"GPTTMPL_PARAMETER_MAXCLOCKSKEW, Undefined)) != Undefined) {
- goto out;
- }
-
- if ((tkt_validate = iniparser_getboolean(d, GPTTMPL_SECTION_KERBEROS_POLICY
- ":"GPTTMPL_PARAMETER_TKTVALIDATECLIENT, Undefined)) != Undefined) {
- goto out;
- }
-
- status = NT_STATUS_OK;
-
- out:
- if (d) {
- iniparser_freedict(d);
- }
-
- return status;
-}
-
-#endif
-
-/*
-
-perfectly parseable with iniparser:
-
-{GUID}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf
-
-
-[Unicode]
-Unicode=yes
-[System Access]
-MinimumPasswordAge = 1
-MaximumPasswordAge = 42
-MinimumPasswordLength = 7
-PasswordComplexity = 1
-PasswordHistorySize = 24
-LockoutBadCount = 0
-RequireLogonToChangePassword = 0
-ForceLogoffWhenHourExpire = 0
-ClearTextPassword = 0
-[Kerberos Policy]
-MaxTicketAge = 10
-MaxRenewAge = 7
-MaxServiceAge = 600
-MaxClockSkew = 5
-TicketValidateClient = 1
-[Version]
-signature="$CHICAGO$"
-Revision=1
-*/
diff --git a/source3/libgpo/gpo_sec.c b/source3/libgpo/gpo_sec.c
index 3f104df299..54811c1123 100644
--- a/source3/libgpo/gpo_sec.c
+++ b/source3/libgpo/gpo_sec.c
@@ -1,18 +1,18 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
* Copyright (C) Guenther Deschner 2007
- *
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
@@ -70,7 +70,7 @@ static BOOL gpo_sd_check_agp_object(const SEC_ACE *ace)
/****************************************************************
****************************************************************/
-static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
+static BOOL gpo_sd_check_agp_access_bits(uint32_t access_mask)
{
return (access_mask & SEC_RIGHTS_EXTENDED);
}
@@ -79,9 +79,9 @@ static BOOL gpo_sd_check_agp_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
-static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
+static BOOL gpo_sd_check_read_access_bits(uint32_t access_mask)
{
- uint32 read_bits = SEC_RIGHTS_LIST_CONTENTS |
+ uint32_t read_bits = SEC_RIGHTS_LIST_CONTENTS |
SEC_RIGHTS_READ_ALL_PROP |
SEC_RIGHTS_READ_PERMS;
@@ -92,13 +92,14 @@ static BOOL gpo_sd_check_read_access_bits(uint32 access_mask)
/****************************************************************
****************************************************************/
-static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
- const struct nt_user_token *token)
+static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
+ const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
- DEBUG(10,("gpo_sd_check_ace_denied_object: Access denied as of ace for %s\n",
+ DEBUG(10,("gpo_sd_check_ace_denied_object: "
+ "Access denied as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_ACCESS_DENIED;
}
@@ -109,13 +110,14 @@ static NTSTATUS gpo_sd_check_ace_denied_object(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
-static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
- const struct nt_user_token *token)
+static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
+ const struct nt_user_token *token)
{
if (gpo_sd_check_agp_object(ace) &&
- gpo_sd_check_agp_access_bits(ace->access_mask) &&
+ gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
- DEBUG(10,("gpo_sd_check_ace_allowed_object: Access granted as of ace for %s\n",
+ DEBUG(10,("gpo_sd_check_ace_allowed_object: "
+ "Access granted as of ace for %s\n",
sid_string_static(&ace->trustee)));
return NT_STATUS_OK;
}
@@ -126,8 +128,8 @@ static NTSTATUS gpo_sd_check_ace_allowed_object(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
-static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
- const struct nt_user_token *token)
+static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
+ const struct nt_user_token *token)
{
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
@@ -142,7 +144,7 @@ static NTSTATUS gpo_sd_check_ace(const SEC_ACE *ace,
/****************************************************************
****************************************************************/
-NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
+NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
const struct nt_user_token *token)
{
SEC_DESC *sd = gpo->security_descriptor;
diff --git a/source3/libgpo/gpo_util.c b/source3/libgpo/gpo_util.c
index 385d6bd53a..c6e1b71885 100644
--- a/source3/libgpo/gpo_util.c
+++ b/source3/libgpo/gpo_util.c
@@ -1,18 +1,18 @@
-/*
+/*
* Unix SMB/CIFS implementation.
* Group Policy Object Support
- * Copyright (C) Guenther Deschner 2005-2006
- *
+ * Copyright (C) Guenther Deschner 2005-2007
+ *
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
- *
+ *
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
- *
+ *
* You should have received a copy of the GNU General Public License
* along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
@@ -25,88 +25,88 @@
#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
/* should we store a parsed guid ? */
-struct gpo_table {
+struct gp_table {
const char *name;
const char *guid_string;
};
-struct snapin_table {
- const char *name;
- const char *guid_string;
- ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx,
- struct GROUP_POLICY_OBJECT *gpo,
- const char *, const char *);
-};
-
#if 0 /* unused */
-static struct gpo_table gpo_default_policy[] = {
- { DEFAULT_DOMAIN_POLICY,
+static struct gp_table gpo_default_policy[] = {
+ { DEFAULT_DOMAIN_POLICY,
"31B2F340-016D-11D2-945F-00C04FB984F9" },
- { DEFAULT_DOMAIN_CONTROLLERS_POLICY,
+ { DEFAULT_DOMAIN_CONTROLLERS_POLICY,
"6AC1786C-016F-11D2-945F-00C04fB984F9" },
{ NULL, NULL }
};
#endif
-/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */
+/* the following is seen in gPCMachineExtensionNames / gPCUserExtensionNames */
-static struct gpo_table gpo_cse_extensions[] = {
- { "Administrative Templates Extension",
- "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */
- { "Microsoft Disc Quota",
+static struct gp_table gpo_cse_extensions[] = {
+ /* used to be "Administrative Templates Extension" */
+ /* "Registry Settings"
+ (http://support.microsoft.com/kb/216357/EN-US/) */
+ { "Registry Settings",
+ GP_EXT_REGISTRY },
+ { "Microsoft Disc Quota",
"3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
- { "EFS recovery",
+ { "EFS recovery",
"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
- { "Folder Redirection",
+ { "Folder Redirection",
"25537BA6-77A8-11D2-9B6C-0000F8080861" },
- { "IP Security",
+ { "IP Security",
"E437BC1C-AA7D-11D2-A382-00C04F991E27" },
- { "Internet Explorer Branding",
+ { "Internet Explorer Branding",
"A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
- { "QoS Packet Scheduler",
+ { "QoS Packet Scheduler",
"426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
- { "Scripts",
- "42B5FAAE-6536-11D2-AE5A-0000F87571E3" },
- { "Security",
- "827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
- { "Software Installation",
+ { "Scripts",
+ GP_EXT_SCRIPTS },
+ { "Security",
+ GP_EXT_SECURITY },
+ { "Software Installation",
"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
- { "Wireless Group Policy",
+ { "Wireless Group Policy",
"0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
+ { "Application Management",
+ "C6DC5466-785A-11D2-84D0-00C04FB169F7" },
+ { "unknown",
+ "3060E8D0-7020-11D2-842D-00C04FA372D4" },
{ NULL, NULL }
};
/* guess work */
-static struct snapin_table gpo_cse_snapin_extensions[] = {
- { "Administrative Templates",
- "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none },
- { "Certificates",
- "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
- { "EFS recovery policy processing",
- "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none },
- { "Folder Redirection policy processing",
- "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none },
- { "Folder Redirection",
- "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none },
- { "Registry policy processing",
- "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none },
- { "Remote Installation Services",
- "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
- { "Security Settings",
- "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings },
- { "Security policy processing",
- "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings },
- { "unknown",
- "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
- { "unknown2",
- "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
- { NULL, NULL, NULL }
+static struct gp_table gpo_cse_snapin_extensions[] = {
+ { "Administrative Templates",
+ "0F6B957D-509E-11D1-A7CC-0000F87571E3" },
+ { "Certificates",
+ "53D6AB1D-2488-11D1-A28C-00C04FB94F17" },
+ { "EFS recovery policy processing",
+ "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
+ { "Folder Redirection policy processing",
+ "25537BA6-77A8-11D2-9B6C-0000F8080861" },
+ { "Folder Redirection",
+ "88E729D6-BDC1-11D1-BD2A-00C04FB9603F" },
+ { "Registry policy processing",
+ "35378EAC-683F-11D2-A89A-00C04FBBCFA2" },
+ { "Remote Installation Services",
+ "3060E8CE-7020-11D2-842D-00C04FA372D4" },
+ { "Security Settings",
+ "803E14A0-B4FB-11D0-A0D0-00A0C90F574B" },
+ { "Security policy processing",
+ "827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
+ { "unknown",
+ "3060E8D0-7020-11D2-842D-00C04FA372D4" },
+ { "unknown2",
+ "53D6AB1B-2488-11D1-A28C-00C04FB94F17" },
+ { NULL, NULL }
};
/****************************************************************
****************************************************************/
-static const char *name_to_guid_string(const char *name, struct gpo_table *table)
+static const char *name_to_guid_string(const char *name,
+ struct gp_table *table)
{
int i;
@@ -115,14 +115,15 @@ static const char *name_to_guid_string(const char *name, struct gpo_table *table
return table[i].guid_string;
}
}
-
+
return NULL;
}
/****************************************************************
****************************************************************/
-static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table)
+static const char *guid_string_to_name(const char *guid_string,
+ struct gp_table *table)
{
int i;
@@ -131,15 +132,15 @@ static const char *guid_string_to_name(const char *guid_string, struct gpo_table
return table[i].name;
}
}
-
+
return NULL;
}
/****************************************************************
****************************************************************/
-static const char *snapin_guid_string_to_name(const char *guid_string,
- struct snapin_table *table)
+static const char *snapin_guid_string_to_name(const char *guid_string,
+ struct gp_table *table)
{
int i;
for (i = 0; table[i].guid_string; i++) {
@@ -203,18 +204,25 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
for (i=0; i< gp_ext->num_exts; i++) {
- DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i]));
- DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i]));
-
- DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i]));
- DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
+ DEBUGADD(lvl,("\textension:\t\t\t%s\n",
+ gp_ext->extensions_guid[i]));
+ DEBUGADD(lvl,("\textension (name):\t\t\t%s\n",
+ gp_ext->extensions[i]));
+
+ DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n",
+ gp_ext->snapins_guid[i]));
+ DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n",
+ gp_ext->snapins[i]));
}
}
/****************************************************************
****************************************************************/
-void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel)
+void dump_gpo(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo,
+ int debuglevel)
{
int lvl = debuglevel;
@@ -227,10 +235,12 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
- DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version),
- GPO_VERSION_USER(gpo->version)));
- DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version),
- GPO_VERSION_MACHINE(gpo->version)));
+ DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n",
+ GPO_VERSION_USER(gpo->version),
+ GPO_VERSION_USER(gpo->version)));
+ DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n",
+ GPO_VERSION_MACHINE(gpo->version),
+ GPO_VERSION_MACHINE(gpo->version)));
DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
@@ -280,24 +290,22 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
if (gpo->machine_extensions) {
struct GP_EXT *gp_ext = NULL;
- ADS_STATUS status;
- status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
- if (!ADS_ERR_OK(status)) {
+ if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
+ &gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
}
-
+
DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
if (gpo->user_extensions) {
-
+
struct GP_EXT *gp_ext = NULL;
- ADS_STATUS status;
-
- status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
- if (!ADS_ERR_OK(status)) {
+
+ if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
+ &gp_ext)) {
return;
}
dump_gp_ext(gp_ext, lvl);
@@ -311,9 +319,9 @@ void dump_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *
/****************************************************************
****************************************************************/
-void dump_gpo_list(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- struct GROUP_POLICY_OBJECT *gpo_list,
+void dump_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ struct GROUP_POLICY_OBJECT *gpo_list,
int debuglevel)
{
struct GROUP_POLICY_OBJECT *gpo = NULL;
@@ -354,9 +362,9 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
for (i = 0; i < gp_link->num_links; i++) {
-
+
DEBUGADD(lvl,("---------------------\n\n"));
-
+
DEBUGADD(lvl,("link: #%d\n", i + 1));
DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
@@ -373,9 +381,13 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
struct GROUP_POLICY_OBJECT gpo;
- status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo);
+ status = ads_get_gpo(ads, mem_ctx,
+ gp_link->link_names[i],
+ NULL, NULL, &gpo);
if (!ADS_ERR_OK(status)) {
- DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status)));
+ DEBUG(lvl,("get gpo for %s failed: %s\n",
+ gp_link->link_names[i],
+ ads_errstr(status)));
return;
}
dump_gpo(ads, mem_ctx, &gpo, lvl);
@@ -386,27 +398,21 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
/****************************************************************
****************************************************************/
-ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- struct GROUP_POLICY_OBJECT *gpo,
- const char *extension_guid,
- const char *snapin_guid)
+NTSTATUS process_extension(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
+ const struct nt_user_token *token,
+ struct GROUP_POLICY_OBJECT *gpo,
+ const char *extension_guid,
+ const char *snapin_guid)
{
- int i;
-
- for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) {
-
- if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
-
- return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, gpo,
- extension_guid, snapin_guid);
- }
- }
-
- DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n",
- extension_guid, snapin_guid));
+ DEBUG(0,("process_extension: no extension available for:\n"));
+ DEBUGADD(0,("%s (%s) (snapin: %s)\n",
+ extension_guid,
+ cse_gpo_guid_string_to_name(extension_guid),
+ snapin_guid));
- return ADS_SUCCESS;
+ return NT_STATUS_OK;
}
/****************************************************************
@@ -414,37 +420,42 @@ ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter,
- uint32 flags)
+ uint32_t flags)
{
- ADS_STATUS status;
struct GP_EXT *gp_ext = NULL;
int i;
-
+
+ DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n",
+ gpo->name, gpo->display_name));
+ if (extension_guid_filter) {
+ DEBUGADD(10,("gpo_process_a_gpo: using filter %s\n",
+ extension_guid_filter));
+ }
+
if (flags & GPO_LIST_FLAG_MACHINE) {
if (gpo->machine_extensions) {
- status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
-
- if (!ADS_ERR_OK(status)) {
- return status;
+ if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions,
+ &gp_ext)) {
+ return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
/* nothing to apply */
return ADS_SUCCESS;
}
-
+
} else {
if (gpo->user_extensions) {
-
- status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
- if (!ADS_ERR_OK(status)) {
- return status;
+ if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions,
+ &gp_ext)) {
+ return ADS_ERROR(LDAP_PARAM_ERROR);
}
} else {
/* nothing to apply */
@@ -454,15 +465,20 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
for (i=0; i<gp_ext->num_exts; i++) {
- if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) {
+ NTSTATUS ntstatus;
+
+ if (extension_guid_filter &&
+ !strequal(extension_guid_filter,
+ gp_ext->extensions_guid[i])) {
continue;
}
- status = process_extension_with_snapin(ads, mem_ctx, gpo,
- gp_ext->extensions_guid[i],
- gp_ext->snapins_guid[i]);
- if (!ADS_ERR_OK(status)) {
- return status;
+ ntstatus = process_extension(ads, mem_ctx,
+ flags, token, gpo,
+ gp_ext->extensions_guid[i],
+ gp_ext->snapins_guid[i]);
+ if (!NT_STATUS_IS_OK(ntstatus)) {
+ ADS_ERROR_NT(ntstatus);
}
}
@@ -474,19 +490,27 @@ ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
+ const struct nt_user_token *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid,
- uint32 flags)
+ uint32_t flags)
{
ADS_STATUS status;
struct GROUP_POLICY_OBJECT *gpo;
+ /* FIXME: ok, this is wrong, windows does process the extensions and
+ * hands the list of gpos to each extension and not process each gpo
+ * with all extensions (this is how the extension can store the list
+ * gplist in the registry) */
+
for (gpo = gpo_list; gpo; gpo = gpo->next) {
-
- status = gpo_process_a_gpo(ads, mem_ctx, gpo,
+
+ status = gpo_process_a_gpo(ads, mem_ctx, token, gpo,
extensions_guid, flags);
-
+
if (!ADS_ERR_OK(status)) {
+ DEBUG(0,("failed to process gpo: %s\n",
+ ads_errstr(status)));
return status;
}
@@ -495,80 +519,14 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
return ADS_SUCCESS;
}
-ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- struct GROUP_POLICY_OBJECT *gpo,
- const char *extension_guid,
- const char *snapin_guid)
-{
- DEBUG(10,("gpo_snapin_handler_none\n"));
-
- return ADS_SUCCESS;
-}
-
-ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- struct GROUP_POLICY_OBJECT *gpo,
- const char *extension_guid,
- const char *snapin_guid)
-{
- DEBUG(10,("gpo_snapin_handler_security_settings\n"));
-
- return ADS_SUCCESS;
-}
-
-ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const char *hostname,
- SAM_UNK_INFO_12 *lockout_policy)
-{
- return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
-}
-
-/****************************************************************
-****************************************************************/
-
-ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
- const char *hostname,
- SAM_UNK_INFO_1 *password_policy)
-{
- ADS_STATUS status;
- struct GROUP_POLICY_OBJECT *gpo_list;
- const char *dn = NULL;
- uint32 uac = 0;
-
- status = ads_find_samaccount(ads, mem_ctx, hostname, &uac, &dn);
- if (!ADS_ERR_OK(status)) {
- return status;
- }
-
- if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
- return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
- }
-
- status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
- if (!ADS_ERR_OK(status)) {
- return status;
- }
-
- status = gpo_process_gpo_list(ads, mem_ctx, gpo_list,
- cse_gpo_name_to_guid_string("Security"),
- GPO_LIST_FLAG_MACHINE);
- if (!ADS_ERR_OK(status)) {
- return status;
- }
-
- return ADS_SUCCESS;
-}
-
/****************************************************************
check wether the version number in a GROUP_POLICY_OBJECT match those of the
locally stored version. If not, fetch the required policy via CIFS
****************************************************************/
-NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
+NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
+ uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out)
{
@@ -577,43 +535,54 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
char *share = NULL;
char *nt_path = NULL;
char *unix_path = NULL;
- uint32 sysvol_gpt_version = 0;
+ uint32_t sysvol_gpt_version = 0;
char *display_name = NULL;
struct cli_state *cli = NULL;
- result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
&server, &share, &nt_path, &unix_path);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
- result = gpo_get_sysvol_gpt_version(mem_ctx,
+ result = gpo_get_sysvol_gpt_version(mem_ctx,
unix_path,
&sysvol_gpt_version,
&display_name);
- if (!NT_STATUS_IS_OK(result) &&
+ if (!NT_STATUS_IS_OK(result) &&
!NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
- DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
+ DEBUG(10,("check_refresh_gpo: versions gpo %d sysvol %d\n",
+ gpo->version, sysvol_gpt_version));
+
+ /* FIXME: handle GPO_INFO_FLAG_FORCED_REFRESH from flags */
+
while (gpo->version > sysvol_gpt_version) {
DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
if (*cli_out == NULL) {
- result = cli_full_connection(&cli, global_myname(),
- server, /* ads->config.ldap_server_name, */
- NULL, 0,
- share, "A:",
- ads->auth.user_name, NULL, ads->auth.password,
- CLI_FULL_CONNECTION_USE_KERBEROS,
- Undefined, NULL);
+ result = cli_full_connection(&cli,
+ global_myname(),
+ ads->config.ldap_server_name,
+ /* server */
+ NULL, 0,
+ share, "A:",
+ ads->auth.user_name, NULL,
+ ads->auth.password,
+ CLI_FULL_CONNECTION_USE_KERBEROS,
+ Undefined, NULL);
if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result)));
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to connect: %s\n",
+ nt_errstr(result)));
goto out;
}
@@ -625,27 +594,28 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
goto out;
}
- result = gpo_get_sysvol_gpt_version(mem_ctx,
- unix_path,
+ result = gpo_get_sysvol_gpt_version(mem_ctx,
+ unix_path,
&sysvol_gpt_version,
- &display_name);
+ &display_name);
if (!NT_STATUS_IS_OK(result)) {
- DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
+ DEBUG(10,("check_refresh_gpo: "
+ "failed to get local gpt version: %s\n",
nt_errstr(result)));
goto out;
}
-
+
if (gpo->version == sysvol_gpt_version) {
break;
}
- }
-
- DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name));
- DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
- sysvol_gpt_version,
- GPO_VERSION_USER(sysvol_gpt_version),
- GPO_VERSION_MACHINE(sysvol_gpt_version)));
- DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
+ }
+
+ DEBUG(10,("Name:\t\t\t%s (%s)\n", gpo->display_name, gpo->name));
+ DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
+ sysvol_gpt_version,
+ GPO_VERSION_USER(sysvol_gpt_version),
+ GPO_VERSION_MACHINE(sysvol_gpt_version)));
+ DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
gpo->version,
GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version)));
@@ -662,8 +632,9 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
not, go and get each required GPO via CIFS
****************************************************************/
-NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
- TALLOC_CTX *mem_ctx,
+NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
+ TALLOC_CTX *mem_ctx,
+ uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo_list)
{
NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
@@ -676,7 +647,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
for (gpo = gpo_list; gpo; gpo = gpo->next) {
- result = check_refresh_gpo(ads, mem_ctx, gpo, &cli);
+ result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
@@ -691,5 +662,4 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
return result;
}
-
#endif /* HAVE_LDAP */
diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c
index 180e2d509e..5f53982da9 100644
--- a/source3/utils/net_ads_gpo.c
+++ b/source3/utils/net_ads_gpo.c
@@ -52,7 +52,8 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result;
-
+ struct nt_user_token *token = NULL;
+
if (argc < 1) {
printf("usage: net ads gpo refresh <username|machinename>\n");
return -1;
@@ -82,12 +83,17 @@ static int net_ads_gpo_refresh(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
- if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
+ if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
printf("failed to refresh GPOs: %s\n", nt_errstr(result));
goto out;
}
@@ -206,6 +212,7 @@ static int net_ads_gpo_list(int argc, const char **argv)
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo_list;
+ struct nt_user_token *token = NULL;
if (argc < 1) {
printf("usage: net ads gpo list <username|machinename>\n");
@@ -235,7 +242,12 @@ static int net_ads_gpo_list(int argc, const char **argv)
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}