From b02571541998f2698a92be8729f4f0da869a0f99 Mon Sep 17 00:00:00 2001 From: Wilco Baan Hofman Date: Fri, 23 Apr 2010 11:53:04 +0200 Subject: Rename libgpo to lib/policy to avoid confusion with samba3 and add waf build Signed-off-by: Jelmer Vernooij --- source4/libgpo/config.mk | 4 - source4/libgpo/gpo.h | 78 ------- source4/libgpo/gpo_ldap.c | 568 ---------------------------------------------- 3 files changed, 650 deletions(-) delete mode 100644 source4/libgpo/config.mk delete mode 100644 source4/libgpo/gpo.h delete mode 100644 source4/libgpo/gpo_ldap.c (limited to 'source4/libgpo') diff --git a/source4/libgpo/config.mk b/source4/libgpo/config.mk deleted file mode 100644 index 77eb3073ac..0000000000 --- a/source4/libgpo/config.mk +++ /dev/null @@ -1,4 +0,0 @@ -[SUBSYSTEM::LIBGPO] -PRIVATE_DEPENDENCIES = LIBLDB LIBSAMBA-NET - -LIBGPO_OBJ_FILES = $(libgpodir)/gpo_ldap.o diff --git a/source4/libgpo/gpo.h b/source4/libgpo/gpo.h deleted file mode 100644 index 2e58094608..0000000000 --- a/source4/libgpo/gpo.h +++ /dev/null @@ -1,78 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Guenther Deschner 2005-2008 (from samba 3 gpo.h) - * Copyright (C) Wilco Baan Hofman 2010 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#ifndef __GPO_H__ -#define __GPO_H__ - - -#define GPLINK_OPT_DISABLE (1 << 0) -#define GPLINK_OPT_ENFORCE (1 << 1) - - -#define GPO_FLAG_USER_DISABLE (1 << 0) -#define GPO_FLAG_MACHINE_DISABLE (1 << 1) - -enum gpo_inheritance { - GPO_INHERIT = 0, - GPO_BLOCK_INHERITANCE = 1, -}; - -struct gp_context { - struct ldb_context *ldb_ctx; - struct loadparm_context *lp_ctx; - struct cli_credentials *credentials; - struct tevent_context *ev_ctx; -}; - -struct gp_object { - uint32_t version; - uint32_t flags; - const char *display_name; - const char *name; - const char *dn; - const char *file_sys_path; - struct security_descriptor *security_descriptor; -}; - - -struct gp_link { - uint32_t options; - const char *dn; -}; - -NTSTATUS gp_fetch_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); -NTSTATUS gp_apply_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); -NTSTATUS gp_check_refresh_gpo(TALLOC_CTX *mem_ctx, struct ldb_context *ldb); - -NTSTATUS gp_init(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, - struct cli_credentials *creds, - struct tevent_context *ev_ctx, - struct gp_context **gp_ctx); -NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret); -NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *name, struct gp_object **ret); -NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret); -NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret); - - -NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); -NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); - -#endif diff --git a/source4/libgpo/gpo_ldap.c b/source4/libgpo/gpo_ldap.c deleted file mode 100644 index 4c44e83cb9..0000000000 --- a/source4/libgpo/gpo_ldap.c +++ /dev/null @@ -1,568 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Object Support - * Copyright (C) Jelmer Vernooij 2008 - * Copyright (C) Wilco Baan Hofman 2008-2010 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ -#include "includes.h" -#include "param/param.h" -#include "lib/ldb/include/ldb.h" -#include "lib/ldb_wrap.h" -#include "auth/credentials/credentials.h" -#include "../librpc/gen_ndr/nbt.h" -#include "libcli/libcli.h" -#include "libnet/libnet.h" -#include "../librpc/gen_ndr/ndr_security.h" -#include "../libcli/security/dom_sid.h" -#include "libcli/security/security.h" -#include "../lib/talloc/talloc.h" -#include "gpo.h" - -struct gpo_stringmap { - const char *str; - uint32_t flags; -}; -static const struct gpo_stringmap gplink_options [] = { - { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE }, - { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE }, - { NULL, 0 } -}; -static const struct gpo_stringmap gpo_flags [] = { - { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE }, - { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE }, - { NULL, 0 } -}; -static const struct gpo_stringmap gpo_inheritance [] = { - { "GPO_INHERIT", GPO_INHERIT }, - { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE }, - { NULL, 0 } -}; - -static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret) -{ - unsigned int i; - struct gp_object *gpo = talloc(mem_ctx, struct gp_object); - enum ndr_err_code ndr_err; - - gpo->dn = talloc_steal(mem_ctx, ldb_dn_get_linearized(msg->dn)); - - DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn)); - for (i = 0; i < msg->num_elements; i++) { - struct ldb_message_element *element = &msg->elements[i]; - - if (strcmp(element->name, "displayName") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo->display_name = talloc_strdup(gpo, (char *)element->values[0].data); - DEBUG(10, ("Found displayname: %s\n", gpo->display_name)); - } - if (strcmp(element->name, "name") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo->name = talloc_strdup(gpo, (char *)element->values[0].data); - DEBUG(10, ("Found name: %s\n", gpo->name)); - } - if (strcmp(element->name, "flags") == 0) { - char *end; - SMB_ASSERT(element->num_values > 0); - gpo->flags = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); - SMB_ASSERT(*end == 0); - DEBUG(10, ("Found flags: %d\n", gpo->flags)); - } - if (strcmp(element->name, "versionNumber") == 0) { - char *end; - SMB_ASSERT(element->num_values > 0); - gpo->version = (uint32_t) strtoll((char *)element->values[0].data, &end, 0); - SMB_ASSERT(*end == 0); - DEBUG(10, ("Found version: %d\n", gpo->version)); - } - if (strcmp(element->name, "gPCFileSysPath") == 0) { - SMB_ASSERT(element->num_values > 0); - gpo->file_sys_path = talloc_strdup(gpo, (char *)element->values[0].data); - DEBUG(10, ("Found file system path: %s\n", gpo->file_sys_path)); - } - if (strcmp(element->name, "nTSecurityDescriptor") == 0) { - gpo->security_descriptor = talloc(mem_ctx, struct security_descriptor); - ndr_err = ndr_pull_struct_blob(&element->values[0], - mem_ctx, - NULL, - gpo->security_descriptor, - (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - return ndr_map_error2ntstatus(ndr_err); - } - DEBUG(10, ("Found security descriptor.\n")); - } - } - - *ret = gpo; - return NT_STATUS_OK; -} - -NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret) -{ - unsigned int i, count=0; - const char **flag_strs = talloc_array(mem_ctx, const char *, 1); - - flag_strs[0] = NULL; - - for (i = 0; gpo_flags[i].str != NULL; i++) { - if (flags & gpo_flags[i].flags) { - flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); - flag_strs[count] = gpo_flags[i].str; - flag_strs[count+1] = NULL; - count++; - } - } - *ret = flag_strs; - return NT_STATUS_OK; -} - -NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret) -{ - unsigned int i, count=0; - const char **flag_strs = talloc_array(mem_ctx, const char *, 1); - - flag_strs[0] = NULL; - - for (i = 0; gplink_options[i].str != NULL; i++) { - if (options & gplink_options[i].flags) { - flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); - flag_strs[count] = gplink_options[i].str; - flag_strs[count+1] = NULL; - count++; - } - } - *ret = flag_strs; - return NT_STATUS_OK; -} - -NTSTATUS gp_init(TALLOC_CTX *mem_ctx, - struct loadparm_context *lp_ctx, - struct cli_credentials *credentials, - struct tevent_context *ev_ctx, - struct gp_context **gp_ctx) -{ - - struct libnet_LookupDCs *io; - char *url; - struct libnet_context *net_ctx; - struct ldb_context *ldb_ctx; - NTSTATUS rv; - - /* Initialise the libnet context */ - net_ctx = libnet_context_init(ev_ctx, lp_ctx); - net_ctx->cred = credentials; - - /* Prepare libnet lookup structure for looking a DC (PDC is correct). */ - io = talloc_zero(mem_ctx, struct libnet_LookupDCs); - io->in.name_type = NBT_NAME_PDC; - io->in.domain_name = lp_workgroup(lp_ctx); - - /* Find Active DC's */ - rv = libnet_LookupDCs(net_ctx, mem_ctx, io); - if (!NT_STATUS_IS_OK(rv)) { - DEBUG(0, ("Failed to lookup DCs in domain\n")); - return rv; - } - - /* Connect to ldap://DC_NAME with all relevant contexts*/ - url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name); - ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx, - url, NULL, net_ctx->cred, 0); - if (ldb_ctx == NULL) { - DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url)); - return NT_STATUS_UNSUCCESSFUL; - } - - /* We don't need to keep the libnet context */ - talloc_free(net_ctx); - - *gp_ctx = talloc_zero(mem_ctx, struct gp_context); - (*gp_ctx)->lp_ctx = lp_ctx; - (*gp_ctx)->credentials = credentials; - (*gp_ctx)->ev_ctx = ev_ctx; - (*gp_ctx)->ldb_ctx = ldb_ctx; - return NT_STATUS_OK; -} - -NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) -{ - struct ldb_result *result; - int rv; - NTSTATUS status; - TALLOC_CTX *mem_ctx; - struct ldb_dn *dn; - struct gp_object **gpo; - unsigned int i; /* same as in struct ldb_result */ - const char **attrs; - - /* Create a forked memory context, as a base for everything here */ - mem_ctx = talloc_new(gp_ctx); - - /* Create full ldb dn of the policies base object */ - dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); - rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System")); - if (!rv) { - DEBUG(0, ("Can't append subtree to DN\n")); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn))); - - attrs = talloc_array(mem_ctx, const char *, 7); - attrs[0] = "nTSecurityDescriptor"; - attrs[1] = "versionNumber"; - attrs[2] = "flags"; - attrs[3] = "name"; - attrs[4] = "displayName"; - attrs[5] = "gPCFileSysPath"; - attrs[6] = NULL; - - rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)"); - if (rv != LDB_SUCCESS) { - DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1); - gpo[result->count] = NULL; - - for (i = 0; i < result->count; i++) { - status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to parse GPO.\n")); - talloc_free(mem_ctx); - return status; - } - } - - talloc_free(mem_ctx); - - *ret = gpo; - return NT_STATUS_OK; -} - -NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret) -{ - struct ldb_result *result; - struct ldb_dn *dn; - struct gp_object *gpo; - int rv; - NTSTATUS status; - TALLOC_CTX *mem_ctx; - const char **attrs; - - /* Create a forked memory context, as a base for everything here */ - mem_ctx = talloc_new(gp_ctx); - - /* Create an ldb dn struct for the dn string */ - dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); - - attrs = talloc_array(mem_ctx, const char *, 7); - attrs[0] = "nTSecurityDescriptor"; - attrs[1] = "versionNumber"; - attrs[2] = "flags"; - attrs[3] = "name"; - attrs[4] = "displayName"; - attrs[5] = "gPCFileSysPath"; - attrs[6] = NULL; - - rv = ldb_search(gp_ctx->ldb_ctx, - mem_ctx, - &result, - dn, - LDB_SCOPE_BASE, - attrs, - "objectClass=groupPolicyContainer"); - if (rv != LDB_SUCCESS) { - DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - /* We expect exactly one record */ - if (result->count != 1) { - DEBUG(0, ("Could not find GPC with dn %s\n", dn_str)); - talloc_free(mem_ctx); - return NT_STATUS_NOT_FOUND; - } - - status = parse_gpo(gp_ctx, result->msgs[0], &gpo); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to parse GPO.\n")); - talloc_free(mem_ctx); - return status; - } - - talloc_free(mem_ctx); - - *ret = gpo; - return NT_STATUS_OK; -} - -static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret) -{ - int start, idx=0; - int pos; - struct gp_link **gplinks; - char *buf, *end; - - gplinks = talloc_array(mem_ctx, struct gp_link *, 1); - gplinks[0] = NULL; - - /* Assuming every gPLink starts with "[LDAP://" */ - start = 8; - - for (pos = start; pos < strlen(gplink_str); pos++) { - if (gplink_str[pos] == ';') { - gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2); - gplinks[idx] = talloc(mem_ctx, struct gp_link); - gplinks[idx]->dn = talloc_strndup(mem_ctx, - gplink_str + start, - pos - start); - - for (start = pos + 1; gplink_str[pos] != ']'; pos++); - - buf = talloc_strndup(gplinks, gplink_str + start, pos - start); - gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0); - talloc_free(buf); - - /* Set the last entry in the array to be NULL */ - gplinks[idx + 1] = NULL; - - /* Increment the array index, the string position past - the next "[LDAP://", and set the start reference */ - idx++; - pos += 9; - start = pos; - } - } - - *ret = gplinks; - return NT_STATUS_OK; -} - - -NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret) -{ - TALLOC_CTX *mem_ctx; - struct ldb_dn *dn; - struct ldb_result *result; - struct gp_link **gplinks; - char *gplink_str; - int rv; - unsigned int i, j; - NTSTATUS status; - - /* Create a forked memory context, as a base for everything here */ - mem_ctx = talloc_new(gp_ctx); - - dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, req_dn); - - rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)"); - if (rv != LDB_SUCCESS) { - DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - for (i = 0; i < result->count; i++) { - for (j = 0; j < result->msgs[i]->num_elements; j++) { - struct ldb_message_element *element = &result->msgs[i]->elements[j]; - - if (strcmp(element->name, "gPLink") == 0) { - SMB_ASSERT(element->num_values > 0); - gplink_str = talloc_strdup(mem_ctx, (char *) element->values[0].data); - goto found; - } - } - } - DEBUG(0, ("Object or gPLink attribute not found.\n")); - return NT_STATUS_NOT_FOUND; - - found: - - status = parse_gplink(gp_ctx, gplink_str, &gplinks); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to parse gPLink\n")); - return status; - } - - talloc_free(mem_ctx); - - *ret = gplinks; - return NT_STATUS_OK; -} - -NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret) -{ - TALLOC_CTX *mem_ctx; - const char **gpos; - struct ldb_result *result; - const char *sid; - struct ldb_dn *dn; - struct ldb_message_element *element; - int inherit; - const char *attrs[] = { "objectClass", NULL }; - int rv; - NTSTATUS status; - unsigned int count = 0; - unsigned int i; - enum { - ACCOUNT_TYPE_USER = 0, - ACCOUNT_TYPE_MACHINE = 1 - } account_type; - - /* Create a forked memory context, as a base for everything here */ - mem_ctx = talloc_new(gp_ctx); - - sid = dom_sid_string(mem_ctx, token->user_sid); - - /* Find the user DN and objectclass via the sid from the security token */ - rv = ldb_search(gp_ctx->ldb_ctx, - mem_ctx, - &result, - ldb_get_default_basedn(gp_ctx->ldb_ctx), - LDB_SCOPE_SUBTREE, - attrs, - "(&(objectclass=user)(objectSid=%s))", sid); - if (rv != LDB_SUCCESS) { - DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), - ldb_errstring(gp_ctx->ldb_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - if (result->count != 1) { - DEBUG(0, ("Could not find user with sid %s.\n", sid)); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn))); - - element = ldb_msg_find_element(result->msgs[0], "objectClass"); - - /* We need to know if this account is a user or machine. */ - account_type = ACCOUNT_TYPE_USER; - for (i = 0; i < element->num_values; i++) { - if (strcmp((char *)element->values[i].data, "computer") == 0) { - account_type = ACCOUNT_TYPE_MACHINE; - DEBUG(10, ("This user is a machine\n")); - } - } - - gpos = talloc_array(gp_ctx, const char *, 1); - gpos[0] = NULL; - - /* Walk through the containers until we hit the root */ - inherit = 1; - dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn); - while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) { - const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL }; - struct gp_link **gplinks; - enum gpo_inheritance gpoptions; - - DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn))); - - /* Get the gPLink and gPOptions attributes from the container */ - rv = ldb_search(gp_ctx->ldb_ctx, - mem_ctx, - &result, - dn, - LDB_SCOPE_BASE, - gpo_attrs, - "objectclass=*"); - if (rv != LDB_SUCCESS) { - DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), - ldb_errstring(gp_ctx->ldb_ctx))); - talloc_free(mem_ctx); - return NT_STATUS_UNSUCCESSFUL; - } - - /* Parse the gPLink attribute, put it into a nice struct array */ - status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to parse gPLink\n")); - talloc_free(mem_ctx); - return status; - } - - /* Check all group policy links on this container */ - for (i = 0; gplinks[i] != NULL; i++) { - struct gp_object *gpo; - uint32_t access_granted; - - /* If inheritance was blocked at a higher level and this - * gplink is not enforced, it should not be applied */ - if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE)) - continue; - - /* Don't apply disabled links */ - if (gplinks[i]->options & GPLINK_OPT_DISABLE) - continue; - - /* Get GPO information */ - status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn)); - talloc_free(mem_ctx); - return status; - } - - /* If the account does not have read access, this GPO does not apply - * to this account */ - status = sec_access_check(gpo->security_descriptor, - token, - (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP), - &access_granted); - if (!NT_STATUS_IS_OK(status)) { - continue; - } - - /* If the account is a user and the GPO has user disabled flag, or - * a machine and the GPO has machine disabled flag, this GPO does - * not apply to this account */ - if ((account_type == ACCOUNT_TYPE_USER && - (gpo->flags & GPO_FLAG_USER_DISABLE)) || - (account_type == ACCOUNT_TYPE_MACHINE && - (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) { - continue; - } - - /* Add the GPO to the list */ - gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2); - gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn); - gpos[count+1] = NULL; - count++; - - /* Clean up */ - talloc_free(gpo); - } - - /* If inheritance is blocked, then we should only add enforced gPLinks - * higher up */ - gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0); - if (gpoptions == GPO_BLOCK_INHERITANCE) { - inherit = 0; - } - dn = ldb_dn_get_parent(mem_ctx, dn); - } - - talloc_free(mem_ctx); - - *ret = gpos; - return NT_STATUS_OK; -} -- cgit