summaryrefslogtreecommitdiff
path: root/source4/lib/policy
diff options
context:
space:
mode:
Diffstat (limited to 'source4/lib/policy')
-rw-r--r--source4/lib/policy/gp_ldap.c47
-rw-r--r--source4/lib/policy/gp_manage.c52
-rw-r--r--source4/lib/policy/policy.h3
3 files changed, 101 insertions, 1 deletions
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 5ef161d12c..730c4d8e0b 100644
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -29,7 +29,7 @@
#include "../libcli/security/dom_sid.h"
#include "libcli/security/security.h"
#include "../lib/talloc/talloc.h"
-#include "policy.h"
+#include "lib/policy/policy.h"
struct gpo_stringmap {
const char *str;
@@ -868,3 +868,48 @@ NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
+
+NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
+{
+ TALLOC_CTX *mem_ctx;
+ DATA_BLOB data;
+ enum ndr_err_code ndr_err;
+ struct ldb_message *msg;
+ int rv;
+
+ /* Create a forked memory context to clean up easily */
+ mem_ctx = talloc_new(gp_ctx);
+
+ /* Push the security descriptor through the NDR library */
+ ndr_err = ndr_push_struct_blob(&data,
+ mem_ctx,
+ lp_iconv_convenience(gp_ctx->lp_ctx),
+ sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+
+ /* Create a LDB message */
+ msg = ldb_msg_new(mem_ctx);
+ msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL);
+ if (rv != 0) {
+ DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != 0) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/gp_manage.c b/source4/lib/policy/gp_manage.c
index 580f87116d..968eaf2025 100644
--- a/source4/lib/policy/gp_manage.c
+++ b/source4/lib/policy/gp_manage.c
@@ -134,6 +134,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
name[i] = toupper(name[i]);
}
+ /* Prepare the GPO struct */
gpo->dn = NULL;
gpo->name = name;
gpo->flags = 0;
@@ -145,6 +146,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to create GPT\n"));
+ talloc_free(mem_ctx);
return status;
}
@@ -153,6 +155,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
status = gp_create_ldap_gpo(gp_ctx, gpo);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to create LDAP group policy object\n"));
+ talloc_free(mem_ctx);
return status;
}
@@ -160,6 +163,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
+ talloc_free(mem_ctx);
return status;
}
@@ -167,6 +171,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
+ talloc_free(mem_ctx);
return status;
}
@@ -174,6 +179,7 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
+ talloc_free(mem_ctx);
return status;
}
@@ -182,3 +188,49 @@ NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, str
*ret = gpo;
return NT_STATUS_OK;
}
+
+NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
+{
+ TALLOC_CTX *mem_ctx;
+ struct security_descriptor *fs_sd;
+ struct gp_object *gpo;
+ NTSTATUS status;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+
+ /* Set the ACL on LDAP database */
+ status = gp_set_ads_acl(gp_ctx, dn_str, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set ACL on ADS\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Get the group policy object information, for filesystem location and merged sd */
+ status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set ACL on ADS\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Create matching file and DS security descriptors */
+ status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Set the security descriptor on the filesystem for this GPO */
+ status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h
index 264cc70da1..86ab33ee7d 100644
--- a/source4/lib/policy/policy.h
+++ b/source4/lib/policy/policy.h
@@ -88,6 +88,7 @@ NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum
NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance);
NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo);
+NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd);
/* File system functions */
NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo, const char **path);
@@ -96,5 +97,7 @@ NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx, struct gp_obj
/* Managing functions */
NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret);
+NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret);
+NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd);
#endif