From 6478a1edb70a60cfd318292478781a665b022887 Mon Sep 17 00:00:00 2001 From: Wilco Baan Hofman Date: Wed, 7 Apr 2010 21:22:36 +0200 Subject: Add gPLink and getgpo functionality to net gpo. Signed-off-by: Jelmer Vernooij --- source4/libgpo/gpo.h | 29 ++++- source4/libgpo/gpo_ldap.c | 323 +++++++++++++++++++++++++++++++++++++++------- 2 files changed, 299 insertions(+), 53 deletions(-) (limited to 'source4/libgpo') diff --git a/source4/libgpo/gpo.h b/source4/libgpo/gpo.h index 808718ea49..1e51e5250a 100644 --- a/source4/libgpo/gpo.h +++ b/source4/libgpo/gpo.h @@ -22,9 +22,13 @@ #define __GPO_H__ -/* GPO_OPTIONS */ -#define GPO_FLAG_DISABLE 0x00000001 -#define GPO_FLAG_FORCE 0x00000002 +#define GPLINK_OPT_DISABLE (1 << 0) +#define GPLINK_OPT_ENFORCE (1 << 1) + + +#define GPO_FLAG_USER_DISABLE (1 << 0) +#define GPO_FLAG_MACHINE_DISABLE (1 << 1) + struct gp_context { struct ldb_context *ldb_ctx; @@ -43,6 +47,19 @@ struct gp_object { struct security_descriptor *security_descriptor; }; +struct gp_hierarchy_object { + enum { + GPO_INHERIT = 0, + GPO_BLOCK_INHERITANCE = 1, + } inheritance; + struct gp_link **gplinks; +}; + +struct gp_link { + uint32_t options; + const char *dn; +}; + NTSTATUS gp_fetch_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); NTSTATUS gp_apply_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); NTSTATUS gp_check_refresh_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); @@ -53,4 +70,10 @@ NTSTATUS gp_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev_ctx, struct gp_context **gp_ctx); NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret); +NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *name, struct gp_object **ret); +NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret); + +NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); +NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); + #endif diff --git a/source4/libgpo/gpo_ldap.c b/source4/libgpo/gpo_ldap.c index dd8a26bfc1..96a746c72b 100644 --- a/source4/libgpo/gpo_ldap.c +++ b/source4/libgpo/gpo_ldap.c @@ -27,15 +27,118 @@ #include "libnet/libnet.h" #include "gpo.h" +struct gpo_stringmap { + const char *str; + uint32_t flags; +}; +static const struct gpo_stringmap gplink_options [] = { + { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE }, + { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE }, + { NULL, 0 } +}; +static const struct gpo_stringmap gpo_flags [] = { + { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE }, + { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE }, + { NULL, 0 } +}; +static const struct gpo_stringmap gpo_inheritance [] = { + { "GPO_INHERIT", GPO_INHERIT }, + { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE }, + { NULL, 0 } +}; + +static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret) +{ + unsigned int i; + struct gp_object *gpo = talloc(mem_ctx, struct gp_object); + gpo->dn = ldb_dn_get_linearized(msg->dn); + + DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn)); + for (i = 0; i < msg->num_elements; i++) { + struct ldb_message_element *element = &msg->elements[i]; + + if (strcmp(element->name, "displayName") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo->display_name = talloc_strdup(gpo, (char *)element->values[0].data); + DEBUG(10, ("Found displayname: %s\n", gpo->display_name)); + } + if (strcmp(element->name, "name") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo->name = talloc_strdup(gpo, (char *)element->values[0].data); + DEBUG(10, ("Found name: %s\n", gpo->name)); + } + if (strcmp(element->name, "flags") == 0) { + char *end; + SMB_ASSERT(element->num_values > 0); + gpo->flags = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); + SMB_ASSERT(*end == 0); + DEBUG(10, ("Found flags: %d\n", gpo->flags)); + } + if (strcmp(element->name, "versionNumber") == 0) { + char *end; + SMB_ASSERT(element->num_values > 0); + gpo->version = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); + SMB_ASSERT(*end == 0); + DEBUG(10, ("Found version: %d\n", gpo->version)); + } + if (strcmp(element->name, "gPCFileSysPath") == 0) { + SMB_ASSERT(element->num_values > 0); + gpo->file_sys_path = talloc_strdup(gpo, (char *)element->values[0].data); + DEBUG(10, ("Found file system path: %s\n", gpo->file_sys_path)); + } + } + + *ret = gpo; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret) +{ + unsigned int i, count=0; + const char **flag_strs = talloc_array(mem_ctx, const char *, 1); + + flag_strs[0] = NULL; + + for (i = 0; gpo_flags[i].str != NULL; i++) { + if (flags & gpo_flags[i].flags) { + flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); + flag_strs[count] = gpo_flags[i].str; + flag_strs[count+1] = NULL; + count++; + } + } + *ret = flag_strs; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret) +{ + unsigned int i, count=0; + const char **flag_strs = talloc_array(mem_ctx, const char *, 1); + + flag_strs[0] = NULL; + + for (i = 0; gplink_options[i].str != NULL; i++) { + if (options & gplink_options[i].flags) { + flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); + flag_strs[count] = gplink_options[i].str; + flag_strs[count+1] = NULL; + count++; + } + } + *ret = flag_strs; + return NT_STATUS_OK; +} + NTSTATUS gp_init(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, - struct cli_credentials *credentials, - struct tevent_context *ev_ctx, - struct gp_context **gp_ctx) + struct loadparm_context *lp_ctx, + struct cli_credentials *credentials, + struct tevent_context *ev_ctx, + struct gp_context **gp_ctx) { - struct libnet_LookupDCs *io; - char *url; + struct libnet_LookupDCs *io; + char *url; struct libnet_context *net_ctx; struct ldb_context *ldb_ctx; NTSTATUS rv; @@ -44,26 +147,27 @@ NTSTATUS gp_init(TALLOC_CTX *mem_ctx, net_ctx = libnet_context_init(ev_ctx, lp_ctx); net_ctx->cred = credentials; - /* Prepare libnet lookup structure for looking a DC (PDC is correct). */ - io = talloc_zero(mem_ctx, struct libnet_LookupDCs); - io->in.name_type = NBT_NAME_PDC; - io->in.domain_name = lp_workgroup(lp_ctx); + /* Prepare libnet lookup structure for looking a DC (PDC is correct). */ + io = talloc_zero(mem_ctx, struct libnet_LookupDCs); + io->in.name_type = NBT_NAME_PDC; + io->in.domain_name = lp_workgroup(lp_ctx); /* Find Active DC's */ - rv = libnet_LookupDCs(net_ctx, mem_ctx, io); + rv = libnet_LookupDCs(net_ctx, mem_ctx, io); if (!NT_STATUS_IS_OK(rv)) { DEBUG(0, ("Failed to lookup DCs in domain\n")); return rv; } /* Connect to ldap://DC_NAME with all relevant contexts*/ - url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name); + url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name); ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx, url, NULL, net_ctx->cred, 0); - if (ldb_ctx == NULL) { - return NT_STATUS_UNSUCCESSFUL; - } + if (ldb_ctx == NULL) { + return NT_STATUS_UNSUCCESSFUL; + } + /* We don't need to keep the libnet context */ talloc_free(net_ctx); *gp_ctx = talloc_zero(mem_ctx, struct gp_context); @@ -71,25 +175,28 @@ NTSTATUS gp_init(TALLOC_CTX *mem_ctx, (*gp_ctx)->credentials = credentials; (*gp_ctx)->ev_ctx = ev_ctx; (*gp_ctx)->ldb_ctx = ldb_ctx; - return NT_STATUS_OK; - + return NT_STATUS_OK; } NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) { struct ldb_result *result; int rv; + NTSTATUS status; TALLOC_CTX *mem_ctx; struct ldb_dn *dn; struct gp_object **gpo; - unsigned int i, j; /* same as in struct ldb_result */ + unsigned int i; /* same as in struct ldb_result */ /* Create a forked memory context, as a base for everything here */ mem_ctx = talloc_new(gp_ctx); + + /* Create full ldb dn of the policies base object */ dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System")); if (!rv) { DEBUG(0, ("Can't append subtree to DN\n")); + talloc_free(mem_ctx); return NT_STATUS_UNSUCCESSFUL; } @@ -98,6 +205,7 @@ NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, NULL, "(objectClass=groupPolicyContainer)"); if (rv != LDB_SUCCESS) { DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); return NT_STATUS_UNSUCCESSFUL; } @@ -105,46 +213,161 @@ NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) gpo[result->count] = NULL; for (i = 0; i < result->count; i++) { - gpo[i] = talloc(gp_ctx, struct gp_object); + status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse GPO.\n")); + talloc_free(mem_ctx); + return status; + } + } + + talloc_free(mem_ctx); + + *ret = gpo; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *name, struct gp_object **ret) +{ + struct ldb_result *result; + struct ldb_dn *dn; + struct gp_object *gpo; + int rv; + NTSTATUS status; + TALLOC_CTX *mem_ctx; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + + /* Create full ldb dn of the policies base object */ + dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); + rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System")); + if (!rv) { + DEBUG(0, ("Can't append subtree to DN\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + rv = ldb_search(gp_ctx->ldb_ctx, + mem_ctx, + &result, + dn, + LDB_SCOPE_ONELEVEL, + NULL, + "(&(objectClass=groupPolicyContainer)(name=%s))", + name); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* We expect exactly one record */ + if (result->count != 1) { + DEBUG(0, ("Could not find GPC with name %s\n", name)); + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + status = parse_gpo(gp_ctx, result->msgs[0], &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse GPO.\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + + *ret = gpo; + return NT_STATUS_OK; +} + +static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret) +{ + int start, idx=0; + int pos; + struct gp_link **gplinks; + char *buf, *end; + + gplinks = talloc_array(mem_ctx, struct gp_link *, 1); + + /* Assuming every gPLink starts with "[LDAP://" */ + start = 8; + + for (pos = start; pos < strlen(gplink_str); pos++) { + if (gplink_str[pos] == ';') { + gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2); + gplinks[idx] = talloc(mem_ctx, struct gp_link); + gplinks[idx]->dn = talloc_strndup(mem_ctx, + gplink_str + start, + pos - start); + + for (start = pos + 1; gplink_str[pos] != ']'; pos++); + + buf = talloc_strndup(mem_ctx, gplink_str + start, pos - start); + + gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0); + + /* Set the last entry in the array to be NULL */ + gplinks[idx + 1] = NULL; + + /* Increment the array index, the string position, and the start reference */ + idx++; + pos += 9; + start = pos; + } + } + + *ret = gplinks; + return NT_STATUS_OK; +} - gpo[i]->dn = ldb_dn_get_linearized(result->msgs[i]->dn); - DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo[i]->dn)); +NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret) +{ + TALLOC_CTX *mem_ctx; + struct ldb_dn *dn; + struct ldb_result *result; + struct gp_link **gplinks; + char *gplink_str; + int rv; + unsigned int i, j; + NTSTATUS status; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, req_dn); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + for (i = 0; i < result->count; i++) { for (j = 0; j < result->msgs[i]->num_elements; j++) { struct ldb_message_element *element = &result->msgs[i]->elements[j]; - if (strcmp(element->name, "displayName") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo[i]->display_name = talloc_strdup(gp_ctx, (char *)element->values[0].data); - DEBUG(10, ("Found displayname: %s\n", gpo[i]->display_name)); - } - if (strcmp(element->name, "name") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo[i]->name = talloc_strdup(gp_ctx, (char *)element->values[0].data); - DEBUG(10, ("Found name: %s\n", gpo[i]->name)); - } - if (strcmp(element->name, "flags") == 0) { - char *end; - SMB_ASSERT(element->num_values > 0); - gpo[i]->flags = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); - SMB_ASSERT(*end == 0); - DEBUG(10, ("Found flags: %d\n", gpo[i]->flags)); - } - if (strcmp(element->name, "versionNumber") == 0) { - char *end; + if (strcmp(element->name, "gPLink") == 0) { SMB_ASSERT(element->num_values > 0); - gpo[i]->version = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); - SMB_ASSERT(*end == 0); - DEBUG(10, ("Found version: %d\n", gpo[i]->version)); - } - if (strcmp(element->name, "gPCFileSysPath") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo[i]->file_sys_path = talloc_strdup(gp_ctx, (char *)element->values[0].data); - DEBUG(10, ("Found file system path: %s\n", gpo[i]->file_sys_path)); + gplink_str = talloc_strdup(mem_ctx, (char *) element->values[0].data); + goto found; } } } - *ret = gpo; - talloc_free(mem_ctx); + DEBUG(0, ("Object or gPLink attribute not found.\n")); + return NT_STATUS_NOT_FOUND; + + found: + + status = parse_gplink(gp_ctx, gplink_str, &gplinks); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse gPLinks\n")); + return status; + } + + *ret = gplinks; return NT_STATUS_OK; } -- cgit