From 73f4ac012aaebfe4f778f6971ce59049c242be7b Mon Sep 17 00:00:00 2001 From: Günther Deschner Date: Thu, 28 Sep 2006 21:33:54 +0000 Subject: r18982: Move the gpo related functions to "libgpo". Guenther (This used to be commit 1308a842716bc3bd1a9853b9b206dc7308a8c1dd) --- source3/Makefile.in | 13 +- source3/libads/gpo.c | 682 --------------------------------------------- source3/libads/gpo_util.c | 523 ---------------------------------- source3/libgpo/gpo_ldap.c | 682 +++++++++++++++++++++++++++++++++++++++++++++ source3/libgpo/gpo_parse.c | 171 ++++++++++++ source3/libgpo/gpo_util.c | 523 ++++++++++++++++++++++++++++++++++ source3/libsmb/gpo.c | 171 ------------ 7 files changed, 1383 insertions(+), 1382 deletions(-) delete mode 100644 source3/libads/gpo.c delete mode 100644 source3/libads/gpo_util.c create mode 100644 source3/libgpo/gpo_ldap.c create mode 100644 source3/libgpo/gpo_parse.c create mode 100644 source3/libgpo/gpo_util.c delete mode 100644 source3/libsmb/gpo.c (limited to 'source3') diff --git a/source3/Makefile.in b/source3/Makefile.in index 68c37dc04a..0e4a9308de 100644 --- a/source3/Makefile.in +++ b/source3/Makefile.in @@ -267,12 +267,14 @@ LIBADDNS_OBJ0 = libaddns/dnsrecord.o libaddns/dnsrequest.o libaddns/dnsresponse. libaddns/dnsupresp.o libaddns/dnsupdate.o libaddns/dnsgss.o LIBADDNS_OBJ = $(LIBADDNS_OBJ0) $(TALLOC_OBJ) +LIBGPO_OBJ0 = libgpo/gpo_ldap.o libgpo/gpo_parse.o libgpo/gpo_util.o +LIBGPO_OBJ = $(LIBGPO_OBJ0) + LIBADS_OBJ = libads/ldap.o libads/ldap_printer.o libads/sasl.o \ libads/krb5_setpw.o libads/ldap_user.o \ libads/ads_struct.o libads/kerberos_keytab.o \ libads/disp_sec.o libads/ads_utils.o libads/ldap_utils.o \ - libads/authdata.o libads/cldap.o \ - libads/gpo.o libads/gpo_util.o + libads/authdata.o libads/cldap.o LIBADS_SERVER_OBJ = libads/util.o libads/kerberos_verify.o \ libads/ldap_schema.o sam/nss_info.o @@ -295,8 +297,7 @@ LIBSMB_OBJ = libsmb/clientgen.o libsmb/cliconnect.o libsmb/clifile.o \ libsmb/smberr.o libsmb/credentials.o libsmb/pwd_cache.o \ libsmb/clioplock.o $(ERRORMAP_OBJ) libsmb/clirap2.o \ $(DOSERR_OBJ) \ - $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(LIBNMB_OBJ) \ - libsmb/gpo.o + $(RPC_PARSE_OBJ1) $(LIBSAMBA_OBJ) $(LIBNMB_OBJ) LIBMSRPC_OBJ = rpc_client/cli_lsarpc.o rpc_client/cli_samr.o \ rpc_client/cli_netlogon.o rpc_client/cli_reg.o $(RPC_CLIENT_OBJ) \ @@ -614,7 +615,7 @@ NET_OBJ = $(NET_OBJ1) $(PARAM_OBJ) $(SECRETS_OBJ) $(LIBSMB_OBJ) \ $(LIBADS_OBJ) $(LIBADS_SERVER_OBJ) $(POPT_LIB_OBJ) \ $(SMBLDAP_OBJ) $(DCUTIL_OBJ) $(SERVER_MUTEX_OBJ) \ $(AFS_OBJ) $(AFS_SETTOKEN_OBJ) $(REGFIO_OBJ) $(READLINE_OBJ) \ - $(LDB_OBJ) lib/display_sec.o + $(LDB_OBJ) $(LIBGPO_OBJ) lib/display_sec.o CUPS_OBJ = client/smbspool.o $(PARAM_OBJ) $(LIBSMB_OBJ) \ $(LIB_NONSMBD_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ) @@ -722,7 +723,7 @@ PROTO_OBJ = $(SMBD_OBJ_MAIN) $(LIBNDR_OBJ) $(LIBNDR_GEN_OBJ) \ $(RPC_SVC_OBJ) $(RPC_WKS_OBJ) $(RPC_DFS_OBJ) $(RPC_SPOOLSS_OBJ) \ $(RPC_ECHO_OBJ) $(RPC_SVCCTL_OBJ) $(RPC_EVENTLOG_OBJ) $(SMBLDAP_OBJ) \ $(IDMAP_OBJ) libsmb/spnego.o $(PASSCHANGE_OBJ) $(RPC_UNIXINFO_OBJ) \ - $(RPC_NTSVCS_OBJ) $(RPC_INITSHUTDOWN_OBJ) utils/passwd_util.o + $(RPC_NTSVCS_OBJ) $(RPC_INITSHUTDOWN_OBJ) utils/passwd_util.o $(LIBGPO_OBJ) WINBIND_WINS_NSS_OBJ = nsswitch/wins.o $(PARAM_OBJ) \ $(LIBSMB_OBJ) $(LIB_NONSMBD_OBJ) $(NSSWINS_OBJ) $(KRBCLIENT_OBJ) $(SECRETS_OBJ) diff --git a/source3/libads/gpo.c b/source3/libads/gpo.c deleted file mode 100644 index 4a121e9f6a..0000000000 --- a/source3/libads/gpo.c +++ /dev/null @@ -1,682 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -#ifdef HAVE_LDAP - -ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, - const char *extension_raw, - struct GP_EXT *gp_ext) -{ - char **ext_list; - char **ext_strings; - int i; - - DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw)); - - ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]"); - if (ext_list == NULL) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - /* no op */ - } - - gp_ext->num_exts = i; - - gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); - - gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); - - if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL || - gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL || - gp_ext->gp_extension == NULL) { - goto parse_error; - } - - for (i = 0; ext_list[i] != NULL; i++) { - - int k; - char *p, *q; - - DEBUGADD(10,("extension #%d\n", i)); - - p = ext_list[i]; - - if (p[0] == '[') { - p++; - } - - ext_strings = str_list_make_talloc(mem_ctx, p, "}"); - if (ext_strings == NULL) { - goto parse_error; - } - - for (k = 0; ext_strings[k] != NULL; k++) { - /* no op */ - } - - q = ext_strings[0]; - - if (q[0] == '{') { - q++; - } - - gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); - gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); - - /* we might have no name for the guid */ - if (gp_ext->extensions_guid[i] == NULL) { - goto parse_error; - } - - for (k = 1; ext_strings[k] != NULL; k++) { - - char *m = ext_strings[k]; - - if (m[0] == '{') { - m++; - } - - /* FIXME: theoretically there could be more than one snapin per extension */ - gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); - gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); - - /* we might have no name for the guid */ - if (gp_ext->snapins_guid[i] == NULL) { - goto parse_error; - } - } - } - - if (ext_list) { - str_list_free_talloc(mem_ctx, &ext_list); - } - if (ext_strings) { - str_list_free_talloc(mem_ctx, &ext_strings); - } - - return ADS_ERROR(LDAP_SUCCESS); - -parse_error: - if (ext_list) { - str_list_free_talloc(mem_ctx, &ext_list); - } - if (ext_strings) { - str_list_free_talloc(mem_ctx, &ext_strings); - } - - return ADS_ERROR(LDAP_NO_MEMORY); -} - -ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx, - const char *gp_link_raw, - uint32 options, - struct GP_LINK *gp_link) -{ - char **link_list; - int i; - - DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw)); - - link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]"); - if (link_list == NULL) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - /* no op */ - } - - gp_link->gp_opts = options; - gp_link->num_links = i; - - gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links); - gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links); - - gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); - - if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) { - goto parse_error; - } - - for (i = 0; link_list[i] != NULL; i++) { - - char *p, *q; - - DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i)); - - q = link_list[i]; - if (q[0] == '[') { - q++; - }; - - p = strchr(q, ';'); - - if (p == NULL) { - goto parse_error; - } - - gp_link->link_names[i] = talloc_strdup(mem_ctx, q); - if (gp_link->link_names[i] == NULL) { - goto parse_error; - } - gp_link->link_names[i][PTR_DIFF(p, q)] = 0; - - gp_link->link_opts[i] = atoi(p + 1); - - DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i])); - DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i])); - - } - - if (link_list) { - str_list_free_talloc(mem_ctx, &link_list); - } - - return ADS_ERROR(LDAP_SUCCESS); - -parse_error: - if (link_list) { - str_list_free_talloc(mem_ctx, &link_list); - } - - return ADS_ERROR(LDAP_NO_MEMORY); -} - -ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - struct GP_LINK *gp_link_struct) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", "gPOptions", NULL}; - LDAPMessage *res = NULL; - const char *gp_link; - uint32 gp_options; - - ZERO_STRUCTP(gp_link_struct); - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { - DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n")); - gp_options = 0; - } - - ads_msgfree(ads, res); - - return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); -} - -ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn, - uint32 gpo_opt) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new; - ADS_MODLIST mods; - - - /* although ADS allows to set anything here, we better check here if - * the gpo_dn is sane */ - - if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_add_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); - } else { - gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); - } - - ads_msgfree(ads, res); - if (gp_link_new == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - mods = ads_init_mods(mem_ctx); - if (mods == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - -/* untested & broken */ -ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *link_dn, - const char *gpo_dn) -{ - ADS_STATUS status; - const char *attrs[] = {"gPLink", NULL}; - LDAPMessage *res = NULL; - const char *gp_link, *gp_link_new = NULL; - ADS_MODLIST mods; - - /* check for a sane gpo_dn */ - if (gpo_dn[0] != '[') { - DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - if (gpo_dn[strlen(gpo_dn)] != ']') { - DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); - return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); - } - - status = ads_search_dn(ads, &res, link_dn, attrs); - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_delete_gpo_link: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); - if (gp_link == NULL) { - return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); - } - - /* find link to delete */ - /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ - - ads_msgfree(ads, res); - if (gp_link_new == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - mods = ads_init_mods(mem_ctx); - if (mods == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ads_gen_mod(ads, link_dn, mods); -} - - ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - LDAPMessage *res, - const char *gpo_dn, - struct GROUP_POLICY_OBJECT *gpo) -{ - ZERO_STRUCTP(gpo); - - if (res == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (gpo_dn) { - gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn); - } else { - gpo->ds_path = ads_get_dn(ads, res); - } - if (gpo->ds_path == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - /* split here for convenience */ - gpo->version_user = GPO_VERSION_USER(gpo->version); - gpo->version_machine = GPO_VERSION_MACHINE(gpo->version); - - /* sure ??? */ - if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); - if (gpo->file_sys_path == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); - if (gpo->display_name == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); - if (gpo->name == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - /* ???, this is optional to have and what does it depend on, the 'flags' ?) */ - gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); - gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *gpo_dn, - const char *display_name, - const char *guid_name, - struct GROUP_POLICY_OBJECT *gpo) -{ - ADS_STATUS status; - LDAPMessage *res = NULL; - char *dn; - const char *filter; - const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", - "gPCFunctionalityVersion", "gPCMachineExtensionNames", - "gPCUserExtensionNames", "gPCWQLFilter", "name", - "versionNumber", NULL}; - - ZERO_STRUCTP(gpo); - - if (!gpo_dn && !display_name && !guid_name) { - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - if (gpo_dn) { - - if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { - gpo_dn = gpo_dn + strlen("LDAP://"); - } - - status = ads_search_dn(ads, &res, gpo_dn, attrs); - - } else if (display_name || guid_name) { - - filter = talloc_asprintf(mem_ctx, - "(&(objectclass=groupPolicyContainer)(%s=%s))", - display_name ? "displayName" : "name", - display_name ? display_name : guid_name); - if (filter == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_do_search_all(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, filter, - attrs, &res); - } - - if (!ADS_ERR_OK(status)) { - DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); - return status; - } - - if (ads_count_replies(ads, res) != 1) { - DEBUG(10,("ads_get_gpo: no result\n")); - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - dn = ads_get_dn(ads, res); - if (dn == NULL) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); - ads_msgfree(ads, res); - ads_memfree(ads, dn); - - return status; -} - -ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT **gpo_list, - const char *link_dn, - struct GP_LINK *gp_link, - enum GPO_LINK_TYPE link_type, - BOOL only_add_forced_gpos) -{ - ADS_STATUS status; - int i; - - for (i = 0; i < gp_link->num_links; i++) { - - struct GROUP_POLICY_OBJECT *new_gpo = NULL; - - if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { - DEBUG(10,("skipping disabled GPO\n")); - continue; - } - - if (only_add_forced_gpos) { - - if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { - DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n")); - continue; - } else { - DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n")); - } - } - - new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT); - if (new_gpo == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - ZERO_STRUCTP(new_gpo); - - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); - if (!ADS_ERR_OK(status)) { - return status; - } - - new_gpo->link = link_dn; - new_gpo->link_type = link_type; - - DLIST_ADD(*gpo_list, new_gpo); - - DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", - i, gp_link->link_names[i])); - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *dn, - uint32 flags, - struct GROUP_POLICY_OBJECT **gpo_list) -{ - /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ - - ADS_STATUS status; - struct GP_LINK gp_link; - const char *parent_dn, *site_dn, *tmp_dn; - BOOL add_only_forced_gpos = False; - - ZERO_STRUCTP(gpo_list); - - DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); - - /* (L)ocal */ - /* not yet... */ - - /* (S)ite */ - - /* are site GPOs valid for users as well ??? */ - if (flags & GPO_LIST_FLAG_MACHINE) { - - status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); - if (!ADS_ERR_OK(status)) { - return status; - } - - DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, - site_dn, &gp_link, GP_LINK_SITE, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - - if (flags & GPO_LIST_FLAG_SITEONLY) { - return ADS_ERROR(LDAP_SUCCESS); - } - - /* inheritance can't be blocked at the site level */ - } - } - - tmp_dn = dn; - - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { - - /* (D)omain */ - - /* An account can just be a member of one domain */ - if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = True; - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_DOMAIN, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - } - - /* reset dn again */ - tmp_dn = dn; - - while ( (parent_dn = ads_parent_dn(tmp_dn)) && - (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { - - - /* (O)rganizational(U)nit */ - - /* An account can be a member of more OUs */ - if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { - - DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn)); - - status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); - if (ADS_ERR_OK(status)) { - - if (DEBUGLEVEL >= 100) { - dump_gplink(ads, mem_ctx, &gp_link); - } - - /* block inheritance from now on */ - if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { - add_only_forced_gpos = True; - } - - status = add_gplink_to_gpo_list(ads, mem_ctx, - gpo_list, parent_dn, - &gp_link, GP_LINK_OU, - add_only_forced_gpos); - if (!ADS_ERR_OK(status)) { - return status; - } - } - } - - tmp_dn = parent_dn; - - }; - - return ADS_ERROR(LDAP_SUCCESS); -} - -#endif /* HAVE_LDAP */ diff --git a/source3/libads/gpo_util.c b/source3/libads/gpo_util.c deleted file mode 100644 index a30df6e9eb..0000000000 --- a/source3/libads/gpo_util.c +++ /dev/null @@ -1,523 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -#ifdef HAVE_LDAP - -#define DEFAULT_DOMAIN_POLICY "Default Domain Policy" -#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" - -/* should we store a parsed guid ? */ -struct gpo_table { - const char *name; - const char *guid_string; -}; - -struct snapin_table { - const char *name; - const char *guid_string; - ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, const char *, const char *); -}; - -#if 0 /* unused */ -static struct gpo_table gpo_default_policy[] = { - { DEFAULT_DOMAIN_POLICY, - "31B2F340-016D-11D2-945F-00C04FB984F9" }, - { DEFAULT_DOMAIN_CONTROLLERS_POLICY, - "6AC1786C-016F-11D2-945F-00C04fB984F9" }, - { NULL, NULL } -}; -#endif - -/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */ - -static struct gpo_table gpo_cse_extensions[] = { - { "Administrative Templates Extension", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */ - { "Microsoft Disc Quota", - "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" }, - { "EFS recovery", - "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Folder Redirection", - "25537BA6-77A8-11D2-9B6C-0000F8080861" }, - { "IP Security", - "E437BC1C-AA7D-11D2-A382-00C04F991E27" }, - { "Internet Explorer Branding", - "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" }, - { "QoS Packet Scheduler", - "426031c0-0b47-4852-b0ca-ac3d37bfcb39" }, - { "Scripts", - "42B5FAAE-6536-11D2-AE5A-0000F87571E3" }, - { "Security", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, - { "Software Installation", - "C6DC5466-785A-11D2-84D0-00C04FB169F7" }, - { "Wireless Group Policy", - "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" }, - { NULL, NULL } -}; - -/* guess work */ -static struct snapin_table gpo_cse_snapin_extensions[] = { - { "Administrative Templates", - "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none }, - { "Certificates", - "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { "EFS recovery policy processing", - "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none }, - { "Folder Redirection policy processing", - "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none }, - { "Folder Redirection", - "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none }, - { "Registry policy processing", - "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none }, - { "Remote Installation Services", - "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "Security Settings", - "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings }, - { "Security policy processing", - "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings }, - { "unknown", - "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, - { "unknown2", - "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, - { NULL, NULL, NULL } -}; - -static const char *name_to_guid_string(const char *name, struct gpo_table *table) -{ - int i; - - for (i = 0; table[i].name; i++) { - if (strequal(name, table[i].name)) { - return table[i].guid_string; - } - } - - return NULL; -} - -static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table) -{ - int i; - - for (i = 0; table[i].guid_string; i++) { - if (strequal(guid_string, table[i].guid_string)) { - return table[i].name; - } - } - - return NULL; -} - -static const char *snapin_guid_string_to_name(const char *guid_string, - struct snapin_table *table) -{ - int i; - for (i = 0; table[i].guid_string; i++) { - if (strequal(guid_string, table[i].guid_string)) { - return table[i].name; - } - } - return NULL; -} - -#if 0 /* unused */ -static const char *default_gpo_name_to_guid_string(const char *name) -{ - return name_to_guid_string(name, gpo_default_policy); -} - -static const char *default_gpo_guid_string_to_name(const char *guid) -{ - return guid_string_to_name(guid, gpo_default_policy); -} -#endif - -const char *cse_gpo_guid_string_to_name(const char *guid) -{ - return guid_string_to_name(guid, gpo_cse_extensions); -} - -static const char *cse_gpo_name_to_guid_string(const char *name) -{ - return name_to_guid_string(name, gpo_cse_extensions); -} - -const char *cse_snapin_gpo_guid_string_to_name(const char *guid) -{ - return snapin_guid_string_to_name(guid, gpo_cse_snapin_extensions); -} - -void dump_gp_ext(struct GP_EXT *gp_ext) -{ - int lvl = 10; - int i; - - if (gp_ext == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - DEBUGADD(lvl,("name:\t\t\t%s\n", gp_ext->gp_extension)); - - for (i=0; i< gp_ext->num_exts; i++) { - - DEBUGADD(lvl,("extension:\t\t\t%s\n", gp_ext->extensions_guid[i])); - DEBUGADD(lvl,("extension (name):\t\t\t%s\n", gp_ext->extensions[i])); - - DEBUGADD(lvl,("snapin:\t\t\t%s\n", gp_ext->snapins_guid[i])); - DEBUGADD(lvl,("snapin (name):\t\t\t%s\n", gp_ext->snapins[i])); - } -} - -void dump_gpo(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo) -{ - int lvl = 1; - - if (gpo == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name)); - DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name)); - DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version)); - DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", gpo->version_user, gpo->version_user)); - DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", gpo->version_machine, gpo->version_machine)); - DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path)); - DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path)); - - DEBUGADD(lvl,("options:\t\t%d ", gpo->options)); - if (gpo->options & GPFLAGS_USER_SETTINGS_DISABLED) { - DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED ")); - } - if (gpo->options & GPFLAGS_MACHINE_SETTINGS_DISABLED) { - DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED")); - } - DEBUGADD(lvl,("\n")); - - DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link)); - DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type)); - switch (gpo->link_type) { - case GP_LINK_UNKOWN: - DEBUGADD(lvl,("GP_LINK_UNKOWN\n")); - break; - case GP_LINK_OU: - DEBUGADD(lvl,("GP_LINK_OU\n")); - break; - case GP_LINK_DOMAIN: - DEBUGADD(lvl,("GP_LINK_DOMAIN\n")); - break; - case GP_LINK_SITE: - DEBUGADD(lvl,("GP_LINK_SITE\n")); - break; - case GP_LINK_MACHINE: - DEBUGADD(lvl,("GP_LINK_MACHINE\n")); - break; - default: - break; - } - - if (gpo->machine_extensions) { - - struct GP_EXT gp_ext; - ADS_STATUS status; - - DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions)); - - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { - return; - } - dump_gp_ext(&gp_ext); - } - - if (gpo->user_extensions) { - - struct GP_EXT gp_ext; - ADS_STATUS status; - - DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions)); - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - if (!ADS_ERR_OK(status)) { - return; - } - dump_gp_ext(&gp_ext); - } -}; - -void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) -{ - ADS_STATUS status; - int i; - int lvl = 10; - - if (gp_link == NULL) { - return; - } - - DEBUG(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link)); - DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts)); - switch (gp_link->gp_opts) { - case GPOPTIONS_INHERIT: - DEBUGADD(lvl,("GPOPTIONS_INHERIT\n")); - break; - case GPOPTIONS_BLOCK_INHERITANCE: - DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n")); - break; - default: - break; - } - - DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); - - for (i = 0; i < gp_link->num_links; i++) { - - DEBUGADD(lvl,("---------------------\n\n")); - - DEBUGADD(lvl,("link: #%d\n", i + 1)); - DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); - - DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i])); - if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) { - DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED ")); - } - if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { - DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED")); - } - DEBUGADD(lvl,("\n")); - - if (ads != NULL && mem_ctx != NULL) { - - struct GROUP_POLICY_OBJECT gpo; - - status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); - if (!ADS_ERR_OK(status)) { - DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); - return; - } - dump_gpo(mem_ctx, &gpo); - } - } -} - -ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - int i; - - for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) { - - if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) { - - return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, - extension_guid, snapin_guid); - } - } - - DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n", - extension_guid, snapin_guid)); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid, - uint32 flags) -{ - ADS_STATUS status; - struct GP_EXT gp_ext; - int i; - - if (flags & GPO_LIST_FLAG_MACHINE) { - - if (gpo->machine_extensions) { - - status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); - - if (!ADS_ERR_OK(status)) { - return status; - } - - } else { - /* nothing to apply */ - return ADS_ERROR(LDAP_SUCCESS); - } - - } else { - - if (gpo->user_extensions) { - - status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); - - if (!ADS_ERR_OK(status)) { - return status; - } - } else { - /* nothing to apply */ - return ADS_ERROR(LDAP_SUCCESS); - } - } - - for (i=0; inext) { - - status = gpo_process_a_gpo(ads, mem_ctx, gpo, - extensions_guid, flags); - - if (!ADS_ERR_OK(status)) { - return status; - } - - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_none\n")); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *extension_guid, - const char *snapin_guid) -{ - DEBUG(10,("gpo_snapin_handler_security_settings\n")); - - return ADS_ERROR(LDAP_SUCCESS); -} - -ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_12 *lockout_policy) -{ - return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); -} - -ADS_STATUS gpo_password_policy(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *hostname, - SAM_UNK_INFO_1 *password_policy) -{ - ADS_STATUS status; - struct GROUP_POLICY_OBJECT *gpo_list; - const char *attrs[] = {"distinguishedName", "userAccountControl", NULL}; - char *filter, *dn; - LDAPMessage *res = NULL; - uint32 uac; - - filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", hostname); - if (filter == NULL) { - return ADS_ERROR(LDAP_NO_MEMORY); - } - - status = ads_do_search_all(ads, ads->config.bind_path, - LDAP_SCOPE_SUBTREE, - filter, attrs, &res); - - if (!ADS_ERR_OK(status)) { - return status; - } - - if (ads_count_replies(ads, res) != 1) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - dn = ads_get_dn(ads, res); - if (dn == NULL) { - ads_msgfree(ads, res); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) { - ads_msgfree(ads, res); - ads_memfree(ads, dn); - return ADS_ERROR(LDAP_NO_MEMORY); - } - - ads_msgfree(ads, res); - - if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) { - ads_memfree(ads, dn); - return ADS_ERROR(LDAP_NO_SUCH_OBJECT); - } - - status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list); - if (!ADS_ERR_OK(status)) { - ads_memfree(ads, dn); - return status; - } - - ads_memfree(ads, dn); - - status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, - cse_gpo_name_to_guid_string("Security"), - GPO_LIST_FLAG_MACHINE); - if (!ADS_ERR_OK(status)) { - return status; - } - - return ADS_ERROR(LDAP_SUCCESS); -} - -#endif /* HAVE_LDAP */ diff --git a/source3/libgpo/gpo_ldap.c b/source3/libgpo/gpo_ldap.c new file mode 100644 index 0000000000..4a121e9f6a --- /dev/null +++ b/source3/libgpo/gpo_ldap.c @@ -0,0 +1,682 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef HAVE_LDAP + +ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx, + const char *extension_raw, + struct GP_EXT *gp_ext) +{ + char **ext_list; + char **ext_strings; + int i; + + DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw)); + + ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]"); + if (ext_list == NULL) { + goto parse_error; + } + + for (i = 0; ext_list[i] != NULL; i++) { + /* no op */ + } + + gp_ext->num_exts = i; + + gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); + gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); + gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); + gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts); + + gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); + + if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL || + gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL || + gp_ext->gp_extension == NULL) { + goto parse_error; + } + + for (i = 0; ext_list[i] != NULL; i++) { + + int k; + char *p, *q; + + DEBUGADD(10,("extension #%d\n", i)); + + p = ext_list[i]; + + if (p[0] == '[') { + p++; + } + + ext_strings = str_list_make_talloc(mem_ctx, p, "}"); + if (ext_strings == NULL) { + goto parse_error; + } + + for (k = 0; ext_strings[k] != NULL; k++) { + /* no op */ + } + + q = ext_strings[0]; + + if (q[0] == '{') { + q++; + } + + gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); + gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); + + /* we might have no name for the guid */ + if (gp_ext->extensions_guid[i] == NULL) { + goto parse_error; + } + + for (k = 1; ext_strings[k] != NULL; k++) { + + char *m = ext_strings[k]; + + if (m[0] == '{') { + m++; + } + + /* FIXME: theoretically there could be more than one snapin per extension */ + gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); + gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); + + /* we might have no name for the guid */ + if (gp_ext->snapins_guid[i] == NULL) { + goto parse_error; + } + } + } + + if (ext_list) { + str_list_free_talloc(mem_ctx, &ext_list); + } + if (ext_strings) { + str_list_free_talloc(mem_ctx, &ext_strings); + } + + return ADS_ERROR(LDAP_SUCCESS); + +parse_error: + if (ext_list) { + str_list_free_talloc(mem_ctx, &ext_list); + } + if (ext_strings) { + str_list_free_talloc(mem_ctx, &ext_strings); + } + + return ADS_ERROR(LDAP_NO_MEMORY); +} + +ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx, + const char *gp_link_raw, + uint32 options, + struct GP_LINK *gp_link) +{ + char **link_list; + int i; + + DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw)); + + link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]"); + if (link_list == NULL) { + goto parse_error; + } + + for (i = 0; link_list[i] != NULL; i++) { + /* no op */ + } + + gp_link->gp_opts = options; + gp_link->num_links = i; + + gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links); + gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links); + + gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); + + if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) { + goto parse_error; + } + + for (i = 0; link_list[i] != NULL; i++) { + + char *p, *q; + + DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i)); + + q = link_list[i]; + if (q[0] == '[') { + q++; + }; + + p = strchr(q, ';'); + + if (p == NULL) { + goto parse_error; + } + + gp_link->link_names[i] = talloc_strdup(mem_ctx, q); + if (gp_link->link_names[i] == NULL) { + goto parse_error; + } + gp_link->link_names[i][PTR_DIFF(p, q)] = 0; + + gp_link->link_opts[i] = atoi(p + 1); + + DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i])); + DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i])); + + } + + if (link_list) { + str_list_free_talloc(mem_ctx, &link_list); + } + + return ADS_ERROR(LDAP_SUCCESS); + +parse_error: + if (link_list) { + str_list_free_talloc(mem_ctx, &link_list); + } + + return ADS_ERROR(LDAP_NO_MEMORY); +} + +ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *link_dn, + struct GP_LINK *gp_link_struct) +{ + ADS_STATUS status; + const char *attrs[] = {"gPLink", "gPOptions", NULL}; + LDAPMessage *res = NULL; + const char *gp_link; + uint32 gp_options; + + ZERO_STRUCTP(gp_link_struct); + + status = ads_search_dn(ads, &res, link_dn, attrs); + if (!ADS_ERR_OK(status)) { + DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); + return status; + } + + if (ads_count_replies(ads, res) != 1) { + DEBUG(10,("ads_get_gpo_link: no result\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + if (gp_link == NULL) { + DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); + } + + if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { + DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n")); + gp_options = 0; + } + + ads_msgfree(ads, res); + + return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); +} + +ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *link_dn, + const char *gpo_dn, + uint32 gpo_opt) +{ + ADS_STATUS status; + const char *attrs[] = {"gPLink", NULL}; + LDAPMessage *res = NULL; + const char *gp_link, *gp_link_new; + ADS_MODLIST mods; + + + /* although ADS allows to set anything here, we better check here if + * the gpo_dn is sane */ + + if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { + return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); + } + + status = ads_search_dn(ads, &res, link_dn, attrs); + if (!ADS_ERR_OK(status)) { + DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); + return status; + } + + if (ads_count_replies(ads, res) != 1) { + DEBUG(10,("ads_add_gpo_link: no result\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + if (gp_link == NULL) { + gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); + } else { + gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); + } + + ads_msgfree(ads, res); + if (gp_link_new == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + mods = ads_init_mods(mem_ctx); + if (mods == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); + if (!ADS_ERR_OK(status)) { + return status; + } + + return ads_gen_mod(ads, link_dn, mods); +} + +/* untested & broken */ +ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *link_dn, + const char *gpo_dn) +{ + ADS_STATUS status; + const char *attrs[] = {"gPLink", NULL}; + LDAPMessage *res = NULL; + const char *gp_link, *gp_link_new = NULL; + ADS_MODLIST mods; + + /* check for a sane gpo_dn */ + if (gpo_dn[0] != '[') { + DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); + return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); + } + + if (gpo_dn[strlen(gpo_dn)] != ']') { + DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); + return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); + } + + status = ads_search_dn(ads, &res, link_dn, attrs); + if (!ADS_ERR_OK(status)) { + DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); + return status; + } + + if (ads_count_replies(ads, res) != 1) { + DEBUG(10,("ads_delete_gpo_link: no result\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); + if (gp_link == NULL) { + return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); + } + + /* find link to delete */ + /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ + + ads_msgfree(ads, res); + if (gp_link_new == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + mods = ads_init_mods(mem_ctx); + if (mods == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); + if (!ADS_ERR_OK(status)) { + return status; + } + + return ads_gen_mod(ads, link_dn, mods); +} + + ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + LDAPMessage *res, + const char *gpo_dn, + struct GROUP_POLICY_OBJECT *gpo) +{ + ZERO_STRUCTP(gpo); + + if (res == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (gpo_dn) { + gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn); + } else { + gpo->ds_path = ads_get_dn(ads, res); + } + if (gpo->ds_path == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* split here for convenience */ + gpo->version_user = GPO_VERSION_USER(gpo->version); + gpo->version_machine = GPO_VERSION_MACHINE(gpo->version); + + /* sure ??? */ + if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); + if (gpo->file_sys_path == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); + if (gpo->display_name == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); + if (gpo->name == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + /* ???, this is optional to have and what does it depend on, the 'flags' ?) */ + gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); + gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *gpo_dn, + const char *display_name, + const char *guid_name, + struct GROUP_POLICY_OBJECT *gpo) +{ + ADS_STATUS status; + LDAPMessage *res = NULL; + char *dn; + const char *filter; + const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", + "gPCFunctionalityVersion", "gPCMachineExtensionNames", + "gPCUserExtensionNames", "gPCWQLFilter", "name", + "versionNumber", NULL}; + + ZERO_STRUCTP(gpo); + + if (!gpo_dn && !display_name && !guid_name) { + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + if (gpo_dn) { + + if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { + gpo_dn = gpo_dn + strlen("LDAP://"); + } + + status = ads_search_dn(ads, &res, gpo_dn, attrs); + + } else if (display_name || guid_name) { + + filter = talloc_asprintf(mem_ctx, + "(&(objectclass=groupPolicyContainer)(%s=%s))", + display_name ? "displayName" : "name", + display_name ? display_name : guid_name); + if (filter == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search_all(ads, ads->config.bind_path, + LDAP_SCOPE_SUBTREE, filter, + attrs, &res); + } + + if (!ADS_ERR_OK(status)) { + DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); + return status; + } + + if (ads_count_replies(ads, res) != 1) { + DEBUG(10,("ads_get_gpo: no result\n")); + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + dn = ads_get_dn(ads, res); + if (dn == NULL) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); + ads_msgfree(ads, res); + ads_memfree(ads, dn); + + return status; +} + +ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + struct GROUP_POLICY_OBJECT **gpo_list, + const char *link_dn, + struct GP_LINK *gp_link, + enum GPO_LINK_TYPE link_type, + BOOL only_add_forced_gpos) +{ + ADS_STATUS status; + int i; + + for (i = 0; i < gp_link->num_links; i++) { + + struct GROUP_POLICY_OBJECT *new_gpo = NULL; + + if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { + DEBUG(10,("skipping disabled GPO\n")); + continue; + } + + if (only_add_forced_gpos) { + + if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { + DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n")); + continue; + } else { + DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n")); + } + } + + new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT); + if (new_gpo == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + ZERO_STRUCTP(new_gpo); + + status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); + if (!ADS_ERR_OK(status)) { + return status; + } + + new_gpo->link = link_dn; + new_gpo->link_type = link_type; + + DLIST_ADD(*gpo_list, new_gpo); + + DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", + i, gp_link->link_names[i])); + } + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *dn, + uint32 flags, + struct GROUP_POLICY_OBJECT **gpo_list) +{ + /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ + + ADS_STATUS status; + struct GP_LINK gp_link; + const char *parent_dn, *site_dn, *tmp_dn; + BOOL add_only_forced_gpos = False; + + ZERO_STRUCTP(gpo_list); + + DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); + + /* (L)ocal */ + /* not yet... */ + + /* (S)ite */ + + /* are site GPOs valid for users as well ??? */ + if (flags & GPO_LIST_FLAG_MACHINE) { + + status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); + if (!ADS_ERR_OK(status)) { + return status; + } + + DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); + + status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); + if (ADS_ERR_OK(status)) { + + if (DEBUGLEVEL >= 100) { + dump_gplink(ads, mem_ctx, &gp_link); + } + + status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, + site_dn, &gp_link, GP_LINK_SITE, + add_only_forced_gpos); + if (!ADS_ERR_OK(status)) { + return status; + } + + if (flags & GPO_LIST_FLAG_SITEONLY) { + return ADS_ERROR(LDAP_SUCCESS); + } + + /* inheritance can't be blocked at the site level */ + } + } + + tmp_dn = dn; + + while ( (parent_dn = ads_parent_dn(tmp_dn)) && + (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { + + /* (D)omain */ + + /* An account can just be a member of one domain */ + if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { + + DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); + + status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); + if (ADS_ERR_OK(status)) { + + if (DEBUGLEVEL >= 100) { + dump_gplink(ads, mem_ctx, &gp_link); + } + + /* block inheritance from now on */ + if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { + add_only_forced_gpos = True; + } + + status = add_gplink_to_gpo_list(ads, mem_ctx, + gpo_list, parent_dn, + &gp_link, GP_LINK_DOMAIN, + add_only_forced_gpos); + if (!ADS_ERR_OK(status)) { + return status; + } + } + } + + tmp_dn = parent_dn; + } + + /* reset dn again */ + tmp_dn = dn; + + while ( (parent_dn = ads_parent_dn(tmp_dn)) && + (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) { + + + /* (O)rganizational(U)nit */ + + /* An account can be a member of more OUs */ + if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { + + DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn)); + + status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); + if (ADS_ERR_OK(status)) { + + if (DEBUGLEVEL >= 100) { + dump_gplink(ads, mem_ctx, &gp_link); + } + + /* block inheritance from now on */ + if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { + add_only_forced_gpos = True; + } + + status = add_gplink_to_gpo_list(ads, mem_ctx, + gpo_list, parent_dn, + &gp_link, GP_LINK_OU, + add_only_forced_gpos); + if (!ADS_ERR_OK(status)) { + return status; + } + } + } + + tmp_dn = parent_dn; + + }; + + return ADS_ERROR(LDAP_SUCCESS); +} + +#endif /* HAVE_LDAP */ diff --git a/source3/libgpo/gpo_parse.c b/source3/libgpo/gpo_parse.c new file mode 100644 index 0000000000..6be2ce2f79 --- /dev/null +++ b/source3/libgpo/gpo_parse.c @@ -0,0 +1,171 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef HAVE_LDAP + +#define GPT_INI_SECTION_GENERAL "General" +#define GPT_INI_PARAMETER_VERSION "Version" +#define GPT_INI_PARAMETER_DISPLAYNAME "displayName" + +struct gpt_ini { + uint32 version; + const char *display_name; +}; + +static uint32 version; + +static BOOL do_section(const char *section) +{ + DEBUG(10,("do_section: %s\n", section)); + + return True; +} + +static BOOL do_parameter(const char *parameter, const char *value) +{ + DEBUG(10,("do_parameter: %s, %s\n", parameter, value)); + + if (strequal(parameter, GPT_INI_PARAMETER_VERSION)) { + version = atoi(value); + } + return True; +} + +NTSTATUS ads_gpo_get_sysvol_gpt_version(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *filesyspath, + uint32 *sysvol_version) +{ + NTSTATUS status; + const char *path; + struct cli_state *cli; + int fnum; + fstring tok; + static int io_bufsize = 64512; + int read_size = io_bufsize; + char *data = NULL; + off_t start = 0; + off_t nread = 0; + int handle = 0; + const char *local_file; + + *sysvol_version = 0; + + next_token(&filesyspath, tok, "\\", sizeof(tok)); + next_token(&filesyspath, tok, "\\", sizeof(tok)); + + path = talloc_asprintf(mem_ctx, "\\%s\\gpt.ini", filesyspath); + if (path == NULL) { + return NT_STATUS_NO_MEMORY; + } + + local_file = talloc_asprintf(mem_ctx, "%s/%s", lock_path("gpo_cache"), "gpt.ini"); + if (local_file == NULL) { + return NT_STATUS_NO_MEMORY; + } + + /* FIXME: walk down the dfs tree instead */ + status = cli_full_connection(&cli, global_myname(), + ads->config.ldap_server_name, + NULL, 0, + "SYSVOL", "A:", + ads->auth.user_name, NULL, ads->auth.password, + CLI_FULL_CONNECTION_USE_KERBEROS, + Undefined, NULL); + if (!NT_STATUS_IS_OK(status)) { + return status; + } + + fnum = cli_open(cli, path, O_RDONLY, DENY_NONE); + if (fnum == -1) { + return NT_STATUS_NO_SUCH_FILE; + } + + + data = (char *)SMB_MALLOC(read_size); + if (data == NULL) { + return NT_STATUS_NO_MEMORY; + } + + handle = sys_open(local_file, O_WRONLY|O_CREAT|O_TRUNC, 0644); + + if (handle == -1) { + return NT_STATUS_NO_SUCH_FILE; + } + + while (1) { + + int n = cli_read(cli, fnum, data, nread + start, read_size); + + if (n <= 0) + break; + + if (write(handle, data, n) != n) { + break; + } + + nread += n; + } + + cli_close(cli, fnum); + + if (!pm_process(local_file, do_section, do_parameter)) { + return NT_STATUS_INVALID_PARAMETER; + } + + *sysvol_version = version; + + SAFE_FREE(data); + + cli_shutdown(cli); + + return NT_STATUS_OK; +} + +/* + +perfectly parseable with pm_process() :)) + +[Unicode] +Unicode=yes +[System Access] +MinimumPasswordAge = 1 +MaximumPasswordAge = 42 +MinimumPasswordLength = 7 +PasswordComplexity = 1 +PasswordHistorySize = 24 +LockoutBadCount = 0 +RequireLogonToChangePassword = 0 +ForceLogoffWhenHourExpire = 0 +ClearTextPassword = 0 +[Kerberos Policy] +MaxTicketAge = 10 +MaxRenewAge = 7 +MaxServiceAge = 600 +MaxClockSkew = 5 +TicketValidateClient = 1 +[Version] +signature="$CHICAGO$" +Revision=1 +*/ + +#endif /* HAVE_LDAP */ diff --git a/source3/libgpo/gpo_util.c b/source3/libgpo/gpo_util.c new file mode 100644 index 0000000000..a30df6e9eb --- /dev/null +++ b/source3/libgpo/gpo_util.c @@ -0,0 +1,523 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. + */ + +#include "includes.h" + +#ifdef HAVE_LDAP + +#define DEFAULT_DOMAIN_POLICY "Default Domain Policy" +#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" + +/* should we store a parsed guid ? */ +struct gpo_table { + const char *name; + const char *guid_string; +}; + +struct snapin_table { + const char *name; + const char *guid_string; + ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, const char *, const char *); +}; + +#if 0 /* unused */ +static struct gpo_table gpo_default_policy[] = { + { DEFAULT_DOMAIN_POLICY, + "31B2F340-016D-11D2-945F-00C04FB984F9" }, + { DEFAULT_DOMAIN_CONTROLLERS_POLICY, + "6AC1786C-016F-11D2-945F-00C04fB984F9" }, + { NULL, NULL } +}; +#endif + +/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */ + +static struct gpo_table gpo_cse_extensions[] = { + { "Administrative Templates Extension", + "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */ + { "Microsoft Disc Quota", + "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" }, + { "EFS recovery", + "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" }, + { "Folder Redirection", + "25537BA6-77A8-11D2-9B6C-0000F8080861" }, + { "IP Security", + "E437BC1C-AA7D-11D2-A382-00C04F991E27" }, + { "Internet Explorer Branding", + "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" }, + { "QoS Packet Scheduler", + "426031c0-0b47-4852-b0ca-ac3d37bfcb39" }, + { "Scripts", + "42B5FAAE-6536-11D2-AE5A-0000F87571E3" }, + { "Security", + "827D319E-6EAC-11D2-A4EA-00C04F79F83A" }, + { "Software Installation", + "C6DC5466-785A-11D2-84D0-00C04FB169F7" }, + { "Wireless Group Policy", + "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" }, + { NULL, NULL } +}; + +/* guess work */ +static struct snapin_table gpo_cse_snapin_extensions[] = { + { "Administrative Templates", + "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none }, + { "Certificates", + "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, + { "EFS recovery policy processing", + "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none }, + { "Folder Redirection policy processing", + "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none }, + { "Folder Redirection", + "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none }, + { "Registry policy processing", + "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none }, + { "Remote Installation Services", + "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, + { "Security Settings", + "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings }, + { "Security policy processing", + "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings }, + { "unknown", + "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none }, + { "unknown2", + "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none }, + { NULL, NULL, NULL } +}; + +static const char *name_to_guid_string(const char *name, struct gpo_table *table) +{ + int i; + + for (i = 0; table[i].name; i++) { + if (strequal(name, table[i].name)) { + return table[i].guid_string; + } + } + + return NULL; +} + +static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table) +{ + int i; + + for (i = 0; table[i].guid_string; i++) { + if (strequal(guid_string, table[i].guid_string)) { + return table[i].name; + } + } + + return NULL; +} + +static const char *snapin_guid_string_to_name(const char *guid_string, + struct snapin_table *table) +{ + int i; + for (i = 0; table[i].guid_string; i++) { + if (strequal(guid_string, table[i].guid_string)) { + return table[i].name; + } + } + return NULL; +} + +#if 0 /* unused */ +static const char *default_gpo_name_to_guid_string(const char *name) +{ + return name_to_guid_string(name, gpo_default_policy); +} + +static const char *default_gpo_guid_string_to_name(const char *guid) +{ + return guid_string_to_name(guid, gpo_default_policy); +} +#endif + +const char *cse_gpo_guid_string_to_name(const char *guid) +{ + return guid_string_to_name(guid, gpo_cse_extensions); +} + +static const char *cse_gpo_name_to_guid_string(const char *name) +{ + return name_to_guid_string(name, gpo_cse_extensions); +} + +const char *cse_snapin_gpo_guid_string_to_name(const char *guid) +{ + return snapin_guid_string_to_name(guid, gpo_cse_snapin_extensions); +} + +void dump_gp_ext(struct GP_EXT *gp_ext) +{ + int lvl = 10; + int i; + + if (gp_ext == NULL) { + return; + } + + DEBUG(lvl,("---------------------\n\n")); + DEBUGADD(lvl,("name:\t\t\t%s\n", gp_ext->gp_extension)); + + for (i=0; i< gp_ext->num_exts; i++) { + + DEBUGADD(lvl,("extension:\t\t\t%s\n", gp_ext->extensions_guid[i])); + DEBUGADD(lvl,("extension (name):\t\t\t%s\n", gp_ext->extensions[i])); + + DEBUGADD(lvl,("snapin:\t\t\t%s\n", gp_ext->snapins_guid[i])); + DEBUGADD(lvl,("snapin (name):\t\t\t%s\n", gp_ext->snapins[i])); + } +} + +void dump_gpo(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo) +{ + int lvl = 1; + + if (gpo == NULL) { + return; + } + + DEBUG(lvl,("---------------------\n\n")); + + DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name)); + DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name)); + DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version)); + DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", gpo->version_user, gpo->version_user)); + DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", gpo->version_machine, gpo->version_machine)); + DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path)); + DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path)); + + DEBUGADD(lvl,("options:\t\t%d ", gpo->options)); + if (gpo->options & GPFLAGS_USER_SETTINGS_DISABLED) { + DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED ")); + } + if (gpo->options & GPFLAGS_MACHINE_SETTINGS_DISABLED) { + DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED")); + } + DEBUGADD(lvl,("\n")); + + DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link)); + DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type)); + switch (gpo->link_type) { + case GP_LINK_UNKOWN: + DEBUGADD(lvl,("GP_LINK_UNKOWN\n")); + break; + case GP_LINK_OU: + DEBUGADD(lvl,("GP_LINK_OU\n")); + break; + case GP_LINK_DOMAIN: + DEBUGADD(lvl,("GP_LINK_DOMAIN\n")); + break; + case GP_LINK_SITE: + DEBUGADD(lvl,("GP_LINK_SITE\n")); + break; + case GP_LINK_MACHINE: + DEBUGADD(lvl,("GP_LINK_MACHINE\n")); + break; + default: + break; + } + + if (gpo->machine_extensions) { + + struct GP_EXT gp_ext; + ADS_STATUS status; + + DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions)); + + status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); + if (!ADS_ERR_OK(status)) { + return; + } + dump_gp_ext(&gp_ext); + } + + if (gpo->user_extensions) { + + struct GP_EXT gp_ext; + ADS_STATUS status; + + DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions)); + + status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); + if (!ADS_ERR_OK(status)) { + return; + } + dump_gp_ext(&gp_ext); + } +}; + +void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) +{ + ADS_STATUS status; + int i; + int lvl = 10; + + if (gp_link == NULL) { + return; + } + + DEBUG(lvl,("---------------------\n\n")); + + DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link)); + DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts)); + switch (gp_link->gp_opts) { + case GPOPTIONS_INHERIT: + DEBUGADD(lvl,("GPOPTIONS_INHERIT\n")); + break; + case GPOPTIONS_BLOCK_INHERITANCE: + DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n")); + break; + default: + break; + } + + DEBUGADD(lvl,("num links: %d\n", gp_link->num_links)); + + for (i = 0; i < gp_link->num_links; i++) { + + DEBUGADD(lvl,("---------------------\n\n")); + + DEBUGADD(lvl,("link: #%d\n", i + 1)); + DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i])); + + DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i])); + if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) { + DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED ")); + } + if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { + DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED")); + } + DEBUGADD(lvl,("\n")); + + if (ads != NULL && mem_ctx != NULL) { + + struct GROUP_POLICY_OBJECT gpo; + + status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo); + if (!ADS_ERR_OK(status)) { + DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status))); + return; + } + dump_gpo(mem_ctx, &gpo); + } + } +} + +ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *extension_guid, + const char *snapin_guid) +{ + int i; + + for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) { + + if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) { + + return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, + extension_guid, snapin_guid); + } + } + + DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n", + extension_guid, snapin_guid)); + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + struct GROUP_POLICY_OBJECT *gpo, + const char *extension_guid, + uint32 flags) +{ + ADS_STATUS status; + struct GP_EXT gp_ext; + int i; + + if (flags & GPO_LIST_FLAG_MACHINE) { + + if (gpo->machine_extensions) { + + status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext); + + if (!ADS_ERR_OK(status)) { + return status; + } + + } else { + /* nothing to apply */ + return ADS_ERROR(LDAP_SUCCESS); + } + + } else { + + if (gpo->user_extensions) { + + status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext); + + if (!ADS_ERR_OK(status)) { + return status; + } + } else { + /* nothing to apply */ + return ADS_ERROR(LDAP_SUCCESS); + } + } + + for (i=0; inext) { + + status = gpo_process_a_gpo(ads, mem_ctx, gpo, + extensions_guid, flags); + + if (!ADS_ERR_OK(status)) { + return status; + } + + } + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *extension_guid, + const char *snapin_guid) +{ + DEBUG(10,("gpo_snapin_handler_none\n")); + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *extension_guid, + const char *snapin_guid) +{ + DEBUG(10,("gpo_snapin_handler_security_settings\n")); + + return ADS_ERROR(LDAP_SUCCESS); +} + +ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *hostname, + SAM_UNK_INFO_12 *lockout_policy) +{ + return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED); +} + +ADS_STATUS gpo_password_policy(ADS_STRUCT *ads, + TALLOC_CTX *mem_ctx, + const char *hostname, + SAM_UNK_INFO_1 *password_policy) +{ + ADS_STATUS status; + struct GROUP_POLICY_OBJECT *gpo_list; + const char *attrs[] = {"distinguishedName", "userAccountControl", NULL}; + char *filter, *dn; + LDAPMessage *res = NULL; + uint32 uac; + + filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", hostname); + if (filter == NULL) { + return ADS_ERROR(LDAP_NO_MEMORY); + } + + status = ads_do_search_all(ads, ads->config.bind_path, + LDAP_SCOPE_SUBTREE, + filter, attrs, &res); + + if (!ADS_ERR_OK(status)) { + return status; + } + + if (ads_count_replies(ads, res) != 1) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + dn = ads_get_dn(ads, res); + if (dn == NULL) { + ads_msgfree(ads, res); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) { + ads_msgfree(ads, res); + ads_memfree(ads, dn); + return ADS_ERROR(LDAP_NO_MEMORY); + } + + ads_msgfree(ads, res); + + if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) { + ads_memfree(ads, dn); + return ADS_ERROR(LDAP_NO_SUCH_OBJECT); + } + + status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list); + if (!ADS_ERR_OK(status)) { + ads_memfree(ads, dn); + return status; + } + + ads_memfree(ads, dn); + + status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, + cse_gpo_name_to_guid_string("Security"), + GPO_LIST_FLAG_MACHINE); + if (!ADS_ERR_OK(status)) { + return status; + } + + return ADS_ERROR(LDAP_SUCCESS); +} + +#endif /* HAVE_LDAP */ diff --git a/source3/libsmb/gpo.c b/source3/libsmb/gpo.c deleted file mode 100644 index 6be2ce2f79..0000000000 --- a/source3/libsmb/gpo.c +++ /dev/null @@ -1,171 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. - */ - -#include "includes.h" - -#ifdef HAVE_LDAP - -#define GPT_INI_SECTION_GENERAL "General" -#define GPT_INI_PARAMETER_VERSION "Version" -#define GPT_INI_PARAMETER_DISPLAYNAME "displayName" - -struct gpt_ini { - uint32 version; - const char *display_name; -}; - -static uint32 version; - -static BOOL do_section(const char *section) -{ - DEBUG(10,("do_section: %s\n", section)); - - return True; -} - -static BOOL do_parameter(const char *parameter, const char *value) -{ - DEBUG(10,("do_parameter: %s, %s\n", parameter, value)); - - if (strequal(parameter, GPT_INI_PARAMETER_VERSION)) { - version = atoi(value); - } - return True; -} - -NTSTATUS ads_gpo_get_sysvol_gpt_version(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const char *filesyspath, - uint32 *sysvol_version) -{ - NTSTATUS status; - const char *path; - struct cli_state *cli; - int fnum; - fstring tok; - static int io_bufsize = 64512; - int read_size = io_bufsize; - char *data = NULL; - off_t start = 0; - off_t nread = 0; - int handle = 0; - const char *local_file; - - *sysvol_version = 0; - - next_token(&filesyspath, tok, "\\", sizeof(tok)); - next_token(&filesyspath, tok, "\\", sizeof(tok)); - - path = talloc_asprintf(mem_ctx, "\\%s\\gpt.ini", filesyspath); - if (path == NULL) { - return NT_STATUS_NO_MEMORY; - } - - local_file = talloc_asprintf(mem_ctx, "%s/%s", lock_path("gpo_cache"), "gpt.ini"); - if (local_file == NULL) { - return NT_STATUS_NO_MEMORY; - } - - /* FIXME: walk down the dfs tree instead */ - status = cli_full_connection(&cli, global_myname(), - ads->config.ldap_server_name, - NULL, 0, - "SYSVOL", "A:", - ads->auth.user_name, NULL, ads->auth.password, - CLI_FULL_CONNECTION_USE_KERBEROS, - Undefined, NULL); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - fnum = cli_open(cli, path, O_RDONLY, DENY_NONE); - if (fnum == -1) { - return NT_STATUS_NO_SUCH_FILE; - } - - - data = (char *)SMB_MALLOC(read_size); - if (data == NULL) { - return NT_STATUS_NO_MEMORY; - } - - handle = sys_open(local_file, O_WRONLY|O_CREAT|O_TRUNC, 0644); - - if (handle == -1) { - return NT_STATUS_NO_SUCH_FILE; - } - - while (1) { - - int n = cli_read(cli, fnum, data, nread + start, read_size); - - if (n <= 0) - break; - - if (write(handle, data, n) != n) { - break; - } - - nread += n; - } - - cli_close(cli, fnum); - - if (!pm_process(local_file, do_section, do_parameter)) { - return NT_STATUS_INVALID_PARAMETER; - } - - *sysvol_version = version; - - SAFE_FREE(data); - - cli_shutdown(cli); - - return NT_STATUS_OK; -} - -/* - -perfectly parseable with pm_process() :)) - -[Unicode] -Unicode=yes -[System Access] -MinimumPasswordAge = 1 -MaximumPasswordAge = 42 -MinimumPasswordLength = 7 -PasswordComplexity = 1 -PasswordHistorySize = 24 -LockoutBadCount = 0 -RequireLogonToChangePassword = 0 -ForceLogoffWhenHourExpire = 0 -ClearTextPassword = 0 -[Kerberos Policy] -MaxTicketAge = 10 -MaxRenewAge = 7 -MaxServiceAge = 600 -MaxClockSkew = 5 -TicketValidateClient = 1 -[Version] -signature="$CHICAGO$" -Revision=1 -*/ - -#endif /* HAVE_LDAP */ -- cgit