/* * Unix SMB/CIFS implementation. * Group Policy Object Support * Copyright (C) Guenther Deschner 2005,2007 * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see <http://www.gnu.org/licenses/>. */ #include "includes.h" #include "libgpo/gpo.h" #if _SAMBA_BUILD_ == 4 #include "libgpo/gpo_s4.h" #include "source4/libgpo/ads_convenience.h" #endif /**************************************************************** parse the raw extension string into a GP_EXT structure ****************************************************************/ bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx, const char *extension_raw, struct GP_EXT **gp_ext) { bool ret = false; struct GP_EXT *ext = NULL; char **ext_list = NULL; char **ext_strings = NULL; int i; if (!extension_raw) { goto parse_error; } DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw)); ext = talloc_zero(mem_ctx, struct GP_EXT); if (!ext) { goto parse_error; } ext_list = str_list_make(mem_ctx, extension_raw, "]"); if (!ext_list) { goto parse_error; } for (i = 0; ext_list[i] != NULL; i++) { /* no op */ } ext->num_exts = i; if (ext->num_exts) { ext->extensions = talloc_zero_array(mem_ctx, char *, ext->num_exts); ext->extensions_guid = talloc_zero_array(mem_ctx, char *, ext->num_exts); ext->snapins = talloc_zero_array(mem_ctx, char *, ext->num_exts); ext->snapins_guid = talloc_zero_array(mem_ctx, char *, ext->num_exts); } ext->gp_extension = talloc_strdup(mem_ctx, extension_raw); if (!ext->extensions || !ext->extensions_guid || !ext->snapins || !ext->snapins_guid || !ext->gp_extension) { goto parse_error; } for (i = 0; ext_list[i] != NULL; i++) { int k; char *p, *q; DEBUGADD(10,("extension #%d\n", i)); p = ext_list[i]; if (p[0] == '[') { p++; } ext_strings = str_list_make(mem_ctx, p, "}"); if (ext_strings == NULL) { goto parse_error; } for (k = 0; ext_strings[k] != NULL; k++) { /* no op */ } q = ext_strings[0]; if (q[0] == '{') { q++; } ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q)); ext->extensions_guid[i] = talloc_strdup(mem_ctx, q); /* we might have no name for the guid */ if (ext->extensions_guid[i] == NULL) { goto parse_error; } for (k = 1; ext_strings[k] != NULL; k++) { char *m = ext_strings[k]; if (m[0] == '{') { m++; } /* FIXME: theoretically there could be more than one * snapin per extension */ ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m)); ext->snapins_guid[i] = talloc_strdup(mem_ctx, m); /* we might have no name for the guid */ if (ext->snapins_guid[i] == NULL) { goto parse_error; } } } *gp_ext = ext; ret = true; parse_error: talloc_free(ext_list); talloc_free(ext_strings); return ret; } #ifdef HAVE_LDAP /**************************************************************** parse the raw link string into a GP_LINK structure ****************************************************************/ static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx, const char *gp_link_raw, uint32_t options, struct GP_LINK *gp_link) { ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); char **link_list; int i; ZERO_STRUCTP(gp_link); DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw)); link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]"); if (!link_list) { goto parse_error; } for (i = 0; link_list[i] != NULL; i++) { /* no op */ } gp_link->gp_opts = options; gp_link->num_links = i; if (gp_link->num_links) { gp_link->link_names = talloc_zero_array(mem_ctx, char *, gp_link->num_links); gp_link->link_opts = talloc_zero_array(mem_ctx, uint32_t, gp_link->num_links); } gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw); if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) { goto parse_error; } for (i = 0; link_list[i] != NULL; i++) { char *p, *q; DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i)); q = link_list[i]; if (q[0] == '[') { q++; }; p = strchr(q, ';'); if (p == NULL) { goto parse_error; } gp_link->link_names[i] = talloc_strdup(mem_ctx, q); if (gp_link->link_names[i] == NULL) { goto parse_error; } gp_link->link_names[i][PTR_DIFF(p, q)] = 0; gp_link->link_opts[i] = atoi(p + 1); DEBUGADD(10,("gpo_parse_gplink: link: %s\n", gp_link->link_names[i])); DEBUGADD(10,("gpo_parse_gplink: opt: %d\n", gp_link->link_opts[i])); } status = ADS_SUCCESS; parse_error: talloc_free(link_list); return status; } /**************************************************************** helper call to get a GP_LINK structure from a linkdn ****************************************************************/ ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *link_dn, struct GP_LINK *gp_link_struct) { ADS_STATUS status; const char *attrs[] = {"gPLink", "gPOptions", NULL}; LDAPMessage *res = NULL; const char *gp_link; uint32_t gp_options; ZERO_STRUCTP(gp_link_struct); status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status))); return status; } if (ads_count_replies(ads, res) != 1) { DEBUG(10,("ads_get_gpo_link: no result\n")); ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n")); ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); } /* perfectly legal to have no options */ if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) { DEBUG(10,("ads_get_gpo_link: " "no 'gPOptions' attribute found\n")); gp_options = 0; } ads_msgfree(ads, res); return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); } /**************************************************************** helper call to add a gp link ****************************************************************/ ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *link_dn, const char *gpo_dn, uint32_t gpo_opt) { ADS_STATUS status; const char *attrs[] = {"gPLink", NULL}; LDAPMessage *res = NULL; const char *gp_link, *gp_link_new; ADS_MODLIST mods; /* although ADS allows to set anything here, we better check here if * the gpo_dn is sane */ if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) { return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); } status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status))); return status; } if (ads_count_replies(ads, res) != 1) { DEBUG(10,("ads_add_gpo_link: no result\n")); ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt); } else { gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); } ads_msgfree(ads, res); ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); mods = ads_init_mods(mem_ctx); ADS_ERROR_HAVE_NO_MEMORY(mods); status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); if (!ADS_ERR_OK(status)) { return status; } return ads_gen_mod(ads, link_dn, mods); } /**************************************************************** helper call to delete add a gp link ****************************************************************/ /* untested & broken */ ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *link_dn, const char *gpo_dn) { ADS_STATUS status; const char *attrs[] = {"gPLink", NULL}; LDAPMessage *res = NULL; const char *gp_link, *gp_link_new = NULL; ADS_MODLIST mods; /* check for a sane gpo_dn */ if (gpo_dn[0] != '[') { DEBUG(10,("ads_delete_gpo_link: first char not: [\n")); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); } if (gpo_dn[strlen(gpo_dn)] != ']') { DEBUG(10,("ads_delete_gpo_link: last char not: ]\n")); return ADS_ERROR(LDAP_INVALID_DN_SYNTAX); } status = ads_search_dn(ads, &res, link_dn, attrs); if (!ADS_ERR_OK(status)) { DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status))); return status; } if (ads_count_replies(ads, res) != 1) { DEBUG(10,("ads_delete_gpo_link: no result\n")); ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); if (gp_link == NULL) { return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE); } /* find link to delete */ /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt); */ ads_msgfree(ads, res); ADS_ERROR_HAVE_NO_MEMORY(gp_link_new); mods = ads_init_mods(mem_ctx); ADS_ERROR_HAVE_NO_MEMORY(mods); status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new); if (!ADS_ERR_OK(status)) { return status; } return ads_gen_mod(ads, link_dn, mods); } /**************************************************************** parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result ****************************************************************/ ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, LDAPMessage *res, const char *gpo_dn, struct GROUP_POLICY_OBJECT *gpo) { ZERO_STRUCTP(gpo); ADS_ERROR_HAVE_NO_MEMORY(res); if (gpo_dn) { gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn); } else { gpo->ds_path = ads_get_dn(ads, mem_ctx, res); } ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path); if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) { return ADS_ERROR(LDAP_NO_MEMORY); } if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) { return ADS_ERROR(LDAP_NO_MEMORY); } gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath"); ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path); gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName"); ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); gpo->name = ads_pull_string(ads, mem_ctx, res, "name"); ADS_ERROR_HAVE_NO_MEMORY(gpo->name); gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames"); gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames"); ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor", &gpo->security_descriptor); ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor); return ADS_ERROR(LDAP_SUCCESS); } /**************************************************************** get a GROUP_POLICY_OBJECT structure based on different input parameters ****************************************************************/ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *gpo_dn, const char *display_name, const char *guid_name, struct GROUP_POLICY_OBJECT *gpo) { ADS_STATUS status; LDAPMessage *res = NULL; char *dn; const char *filter; const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", "gPCFunctionalityVersion", "gPCMachineExtensionNames", "gPCUserExtensionNames", "gPCWQLFilter", "name", "ntSecurityDescriptor", "versionNumber", NULL}; uint32_t sd_flags = SECINFO_DACL; ZERO_STRUCTP(gpo); if (!gpo_dn && !display_name && !guid_name) { return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } if (gpo_dn) { if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) { gpo_dn = gpo_dn + strlen("LDAP://"); } status = ads_search_retry_dn_sd_flags(ads, &res, sd_flags, gpo_dn, attrs); } else if (display_name || guid_name) { filter = talloc_asprintf(mem_ctx, "(&(objectclass=groupPolicyContainer)(%s=%s))", display_name ? "displayName" : "name", display_name ? display_name : guid_name); ADS_ERROR_HAVE_NO_MEMORY(filter); status = ads_do_search_all_sd_flags(ads, ads->config.bind_path, LDAP_SCOPE_SUBTREE, filter, attrs, sd_flags, &res); } if (!ADS_ERR_OK(status)) { DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status))); return status; } if (ads_count_replies(ads, res) != 1) { DEBUG(10,("ads_get_gpo: no result\n")); ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_SUCH_OBJECT); } dn = ads_get_dn(ads, mem_ctx, res); if (dn == NULL) { ads_msgfree(ads, res); return ADS_ERROR(LDAP_NO_MEMORY); } status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo); ads_msgfree(ads, res); TALLOC_FREE(dn); return status; } /**************************************************************** add a gplink to the GROUP_POLICY_OBJECT linked list ****************************************************************/ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT **gpo_list, const char *link_dn, struct GP_LINK *gp_link, enum GPO_LINK_TYPE link_type, bool only_add_forced_gpos, const NT_USER_TOKEN *token) { ADS_STATUS status; int i; for (i = 0; i < gp_link->num_links; i++) { struct GROUP_POLICY_OBJECT *new_gpo = NULL; if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) { DEBUG(10,("skipping disabled GPO\n")); continue; } if (only_add_forced_gpos) { if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) { DEBUG(10,("skipping nonenforced GPO link " "because GPOPTIONS_BLOCK_INHERITANCE " "has been set\n")); continue; } else { DEBUG(10,("adding enforced GPO link although " "the GPOPTIONS_BLOCK_INHERITANCE " "has been set\n")); } } new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); ADS_ERROR_HAVE_NO_MEMORY(new_gpo); status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo); if (!ADS_ERR_OK(status)) { DEBUG(10,("failed to get gpo: %s\n", gp_link->link_names[i])); return status; } status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo, token)); if (!ADS_ERR_OK(status)) { DEBUG(10,("skipping GPO \"%s\" as object " "has no access to it\n", new_gpo->display_name)); talloc_free(new_gpo); continue; } new_gpo->link = link_dn; new_gpo->link_type = link_type; DLIST_ADD(*gpo_list, new_gpo); DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s " "to GPO list\n", i, gp_link->link_names[i])); } return ADS_ERROR(LDAP_SUCCESS); } /**************************************************************** ****************************************************************/ ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *dn, NT_USER_TOKEN **token) { ADS_STATUS status; struct dom_sid object_sid; struct dom_sid primary_group_sid; struct dom_sid *ad_token_sids; size_t num_ad_token_sids = 0; struct dom_sid *token_sids; size_t num_token_sids = 0; NT_USER_TOKEN *new_token = NULL; int i; status = ads_get_tokensids(ads, mem_ctx, dn, &object_sid, &primary_group_sid, &ad_token_sids, &num_ad_token_sids); if (!ADS_ERR_OK(status)) { return status; } token_sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, 1); ADS_ERROR_HAVE_NO_MEMORY(token_sids); status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids, &num_token_sids)); if (!ADS_ERR_OK(status)) { return status; } for (i = 0; i < num_ad_token_sids; i++) { if (sid_check_is_in_builtin(&ad_token_sids[i])) { continue; } status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx, &ad_token_sids[i], &token_sids, &num_token_sids)); if (!ADS_ERR_OK(status)) { return status; } } new_token = create_local_nt_token(mem_ctx, &object_sid, false, num_token_sids, token_sids); ADS_ERROR_HAVE_NO_MEMORY(new_token); *token = new_token; debug_nt_user_token(DBGC_CLASS, 5, *token); return ADS_ERROR_LDAP(LDAP_SUCCESS); } /**************************************************************** ****************************************************************/ static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT **gpo_list, enum GPO_LINK_TYPE link_type) { struct GROUP_POLICY_OBJECT *gpo = NULL; ADS_ERROR_HAVE_NO_MEMORY(gpo_list); gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT); ADS_ERROR_HAVE_NO_MEMORY(gpo); gpo->name = talloc_strdup(mem_ctx, "Local Policy"); ADS_ERROR_HAVE_NO_MEMORY(gpo->name); gpo->display_name = talloc_strdup(mem_ctx, "Local Policy"); ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name); gpo->link_type = link_type; DLIST_ADD(*gpo_list, gpo); return ADS_ERROR_NT(NT_STATUS_OK); } /**************************************************************** get the full list of GROUP_POLICY_OBJECTs for a given dn ****************************************************************/ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *dn, uint32_t flags, const NT_USER_TOKEN *token, struct GROUP_POLICY_OBJECT **gpo_list) { /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */ ADS_STATUS status; struct GP_LINK gp_link; const char *parent_dn, *site_dn, *tmp_dn; bool add_only_forced_gpos = false; ZERO_STRUCTP(gpo_list); if (!dn) { return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); } if (!ads_set_sasl_wrap_flags(ads, ADS_AUTH_SASL_SIGN)) { return ADS_ERROR(LDAP_INVALID_CREDENTIALS); } DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn)); /* (L)ocal */ status = add_local_policy_to_gpo_list(mem_ctx, gpo_list, GP_LINK_LOCAL); if (!ADS_ERR_OK(status)) { return status; } /* (S)ite */ /* are site GPOs valid for users as well ??? */ if (flags & GPO_LIST_FLAG_MACHINE) { status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn); if (!ADS_ERR_OK(status)) { return status; } DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn)); status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link); if (ADS_ERR_OK(status)) { if (DEBUGLEVEL >= 100) { dump_gplink(ads, mem_ctx, &gp_link); } status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, site_dn, &gp_link, GP_LINK_SITE, add_only_forced_gpos, token); if (!ADS_ERR_OK(status)) { return status; } if (flags & GPO_LIST_FLAG_SITEONLY) { return ADS_ERROR(LDAP_SUCCESS); } /* inheritance can't be blocked at the site level */ } } tmp_dn = dn; while ((parent_dn = ads_parent_dn(tmp_dn)) && (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { /* (D)omain */ /* An account can just be a member of one domain */ if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) { DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn)); status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); if (ADS_ERR_OK(status)) { if (DEBUGLEVEL >= 100) { dump_gplink(ads, mem_ctx, &gp_link); } /* block inheritance from now on */ if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { add_only_forced_gpos = true; } status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, parent_dn, &gp_link, GP_LINK_DOMAIN, add_only_forced_gpos, token); if (!ADS_ERR_OK(status)) { return status; } } } tmp_dn = parent_dn; } /* reset dn again */ tmp_dn = dn; while ((parent_dn = ads_parent_dn(tmp_dn)) && (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) { /* (O)rganizational(U)nit */ /* An account can be a member of more OUs */ if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) { DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn)); status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link); if (ADS_ERR_OK(status)) { if (DEBUGLEVEL >= 100) { dump_gplink(ads, mem_ctx, &gp_link); } /* block inheritance from now on */ if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) { add_only_forced_gpos = true; } status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, parent_dn, &gp_link, GP_LINK_OU, add_only_forced_gpos, token); if (!ADS_ERR_OK(status)) { return status; } } } tmp_dn = parent_dn; }; return ADS_ERROR(LDAP_SUCCESS); } #endif /* HAVE_LDAP */