diff options
Diffstat (limited to 'source4/lib/policy')
-rw-r--r-- | source4/lib/policy/gp_ldap.c | 47 | ||||
-rw-r--r-- | source4/lib/policy/gp_manage.c | 52 | ||||
-rw-r--r-- | source4/lib/policy/policy.h | 3 |
3 files changed, 101 insertions, 1 deletions
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c index 5ef161d12c..730c4d8e0b 100644 --- a/source4/lib/policy/gp_ldap.c +++ b/source4/lib/policy/gp_ldap.c @@ -29,7 +29,7 @@ #include "../libcli/security/dom_sid.h" #include "libcli/security/security.h" #include "../lib/talloc/talloc.h" -#include "policy.h" +#include "lib/policy/policy.h" struct gpo_stringmap { const char *str; @@ -868,3 +868,48 @@ NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo) talloc_free(mem_ctx); return NT_STATUS_UNSUCCESSFUL; } + +NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd) +{ + TALLOC_CTX *mem_ctx; + DATA_BLOB data; + enum ndr_err_code ndr_err; + struct ldb_message *msg; + int rv; + + /* Create a forked memory context to clean up easily */ + mem_ctx = talloc_new(gp_ctx); + + /* Push the security descriptor through the NDR library */ + ndr_err = ndr_push_struct_blob(&data, + mem_ctx, + lp_iconv_convenience(gp_ctx->lp_ctx), + sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + + + /* Create a LDB message */ + msg = ldb_msg_new(mem_ctx); + msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL); + if (rv != 0) { + DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != 0) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/lib/policy/gp_manage.c b/source4/lib/policy/gp_manage.c index 580f87116d..968eaf2025 100644 --- a/source4/lib/policy/gp_manage.c +++ b/source4/lib/policy/gp_manage.c @@ -134,6 +134,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str name[i] = toupper(name[i]); } + /* Prepare the GPO struct */ gpo->dn = NULL; gpo->name = name; gpo->flags = 0; @@ -145,6 +146,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to create GPT\n")); + talloc_free(mem_ctx); return status; } @@ -153,6 +155,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str status = gp_create_ldap_gpo(gp_ctx, gpo); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to create LDAP group policy object\n")); + talloc_free(mem_ctx); return status; } @@ -160,6 +163,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to fetch LDAP group policy object\n")); + talloc_free(mem_ctx); return status; } @@ -167,6 +171,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n")); + talloc_free(mem_ctx); return status; } @@ -174,6 +179,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd); if (!NT_STATUS_IS_OK(status)) { DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n")); + talloc_free(mem_ctx); return status; } @@ -182,3 +188,49 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str *ret = gpo; return NT_STATUS_OK; } + +NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd) +{ + TALLOC_CTX *mem_ctx; + struct security_descriptor *fs_sd; + struct gp_object *gpo; + NTSTATUS status; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + + /* Set the ACL on LDAP database */ + status = gp_set_ads_acl(gp_ctx, dn_str, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set ACL on ADS\n")); + talloc_free(mem_ctx); + return status; + } + + /* Get the group policy object information, for filesystem location and merged sd */ + status = gp_get_gpo_info(gp_ctx, dn_str, &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set ACL on ADS\n")); + talloc_free(mem_ctx); + return status; + } + + /* Create matching file and DS security descriptors */ + status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n")); + talloc_free(mem_ctx); + return status; + } + + /* Set the security descriptor on the filesystem for this GPO */ + status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h index 264cc70da1..86ab33ee7d 100644 --- a/source4/lib/policy/policy.h +++ b/source4/lib/policy/policy.h @@ -88,6 +88,7 @@ NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance); NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo); +NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd); /* File system functions */ NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo, const char **path); @@ -96,5 +97,7 @@ NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx, struct gp_obj /* Managing functions */ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret); +NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret); +NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd); #endif |