2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "libgpo/gpo.h"
23 #if _SAMBA_BUILD_ == 4
24 #include "libgpo/gpo_s4.h"
25 #include "source4/libgpo/ads_convenience.h"
27 #include "../libcli/security/security.h"
29 /****************************************************************
30 parse the raw extension string into a GP_EXT structure
31 ****************************************************************/
33 bool ads_parse_gp_ext(TALLOC_CTX
*mem_ctx
,
34 const char *extension_raw
,
35 struct GP_EXT
**gp_ext
)
38 struct GP_EXT
*ext
= NULL
;
39 char **ext_list
= NULL
;
40 char **ext_strings
= NULL
;
47 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw
));
49 ext
= talloc_zero(mem_ctx
, struct GP_EXT
);
54 ext_list
= str_list_make(mem_ctx
, extension_raw
, "]");
59 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
66 ext
->extensions
= talloc_zero_array(mem_ctx
, char *,
68 ext
->extensions_guid
= talloc_zero_array(mem_ctx
, char *,
70 ext
->snapins
= talloc_zero_array(mem_ctx
, char *,
72 ext
->snapins_guid
= talloc_zero_array(mem_ctx
, char *,
76 ext
->gp_extension
= talloc_strdup(mem_ctx
, extension_raw
);
78 if (!ext
->extensions
|| !ext
->extensions_guid
||
79 !ext
->snapins
|| !ext
->snapins_guid
||
84 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
89 DEBUGADD(10,("extension #%d\n", i
));
97 ext_strings
= str_list_make(mem_ctx
, p
, "}");
98 if (ext_strings
== NULL
) {
102 for (k
= 0; ext_strings
[k
] != NULL
; k
++) {
112 ext
->extensions
[i
] = talloc_strdup(mem_ctx
,
113 cse_gpo_guid_string_to_name(q
));
114 ext
->extensions_guid
[i
] = talloc_strdup(mem_ctx
, q
);
116 /* we might have no name for the guid */
117 if (ext
->extensions_guid
[i
] == NULL
) {
121 for (k
= 1; ext_strings
[k
] != NULL
; k
++) {
123 char *m
= ext_strings
[k
];
129 /* FIXME: theoretically there could be more than one
130 * snapin per extension */
131 ext
->snapins
[i
] = talloc_strdup(mem_ctx
,
132 cse_snapin_gpo_guid_string_to_name(m
));
133 ext
->snapins_guid
[i
] = talloc_strdup(mem_ctx
, m
);
135 /* we might have no name for the guid */
136 if (ext
->snapins_guid
[i
] == NULL
) {
147 talloc_free(ext_list
);
148 talloc_free(ext_strings
);
155 /****************************************************************
156 parse the raw link string into a GP_LINK structure
157 ****************************************************************/
159 static ADS_STATUS
gpo_parse_gplink(TALLOC_CTX
*mem_ctx
,
160 const char *gp_link_raw
,
162 struct GP_LINK
*gp_link
)
164 ADS_STATUS status
= ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
168 ZERO_STRUCTP(gp_link
);
170 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw
));
172 link_list
= str_list_make_v3(mem_ctx
, gp_link_raw
, "]");
177 for (i
= 0; link_list
[i
] != NULL
; i
++) {
181 gp_link
->gp_opts
= options
;
182 gp_link
->num_links
= i
;
184 if (gp_link
->num_links
) {
185 gp_link
->link_names
= talloc_zero_array(mem_ctx
, char *,
187 gp_link
->link_opts
= talloc_zero_array(mem_ctx
, uint32_t,
191 gp_link
->gp_link
= talloc_strdup(mem_ctx
, gp_link_raw
);
193 if (!gp_link
->link_names
|| !gp_link
->link_opts
|| !gp_link
->gp_link
) {
197 for (i
= 0; link_list
[i
] != NULL
; i
++) {
201 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i
));
214 gp_link
->link_names
[i
] = talloc_strdup(mem_ctx
, q
);
215 if (gp_link
->link_names
[i
] == NULL
) {
218 gp_link
->link_names
[i
][PTR_DIFF(p
, q
)] = 0;
220 gp_link
->link_opts
[i
] = atoi(p
+ 1);
222 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
223 gp_link
->link_names
[i
]));
224 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
225 gp_link
->link_opts
[i
]));
229 status
= ADS_SUCCESS
;
232 talloc_free(link_list
);
237 /****************************************************************
238 helper call to get a GP_LINK structure from a linkdn
239 ****************************************************************/
241 ADS_STATUS
ads_get_gpo_link(ADS_STRUCT
*ads
,
244 struct GP_LINK
*gp_link_struct
)
247 const char *attrs
[] = {"gPLink", "gPOptions", NULL
};
248 LDAPMessage
*res
= NULL
;
252 ZERO_STRUCTP(gp_link_struct
);
254 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
255 if (!ADS_ERR_OK(status
)) {
256 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
257 ads_errstr(status
)));
261 if (ads_count_replies(ads
, res
) != 1) {
262 DEBUG(10,("ads_get_gpo_link: no result\n"));
263 ads_msgfree(ads
, res
);
264 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
267 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
268 if (gp_link
== NULL
) {
269 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
270 ads_msgfree(ads
, res
);
271 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
274 /* perfectly legal to have no options */
275 if (!ads_pull_uint32(ads
, res
, "gPOptions", &gp_options
)) {
276 DEBUG(10,("ads_get_gpo_link: "
277 "no 'gPOptions' attribute found\n"));
281 ads_msgfree(ads
, res
);
283 return gpo_parse_gplink(mem_ctx
, gp_link
, gp_options
, gp_link_struct
);
286 /****************************************************************
287 helper call to add a gp link
288 ****************************************************************/
290 ADS_STATUS
ads_add_gpo_link(ADS_STRUCT
*ads
,
297 const char *attrs
[] = {"gPLink", NULL
};
298 LDAPMessage
*res
= NULL
;
299 const char *gp_link
, *gp_link_new
;
302 /* although ADS allows to set anything here, we better check here if
303 * the gpo_dn is sane */
305 if (!strnequal(gpo_dn
, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
306 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
309 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
310 if (!ADS_ERR_OK(status
)) {
311 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
312 ads_errstr(status
)));
316 if (ads_count_replies(ads
, res
) != 1) {
317 DEBUG(10,("ads_add_gpo_link: no result\n"));
318 ads_msgfree(ads
, res
);
319 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
322 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
323 if (gp_link
== NULL
) {
324 gp_link_new
= talloc_asprintf(mem_ctx
, "[%s;%d]",
327 gp_link_new
= talloc_asprintf(mem_ctx
, "%s[%s;%d]",
328 gp_link
, gpo_dn
, gpo_opt
);
331 ads_msgfree(ads
, res
);
332 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
334 mods
= ads_init_mods(mem_ctx
);
335 ADS_ERROR_HAVE_NO_MEMORY(mods
);
337 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
338 if (!ADS_ERR_OK(status
)) {
342 return ads_gen_mod(ads
, link_dn
, mods
);
345 /****************************************************************
346 helper call to delete add a gp link
347 ****************************************************************/
349 /* untested & broken */
350 ADS_STATUS
ads_delete_gpo_link(ADS_STRUCT
*ads
,
356 const char *attrs
[] = {"gPLink", NULL
};
357 LDAPMessage
*res
= NULL
;
358 const char *gp_link
, *gp_link_new
= NULL
;
361 /* check for a sane gpo_dn */
362 if (gpo_dn
[0] != '[') {
363 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
364 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
367 if (gpo_dn
[strlen(gpo_dn
)] != ']') {
368 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
369 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
372 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
373 if (!ADS_ERR_OK(status
)) {
374 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
375 ads_errstr(status
)));
379 if (ads_count_replies(ads
, res
) != 1) {
380 DEBUG(10,("ads_delete_gpo_link: no result\n"));
381 ads_msgfree(ads
, res
);
382 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
385 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
386 if (gp_link
== NULL
) {
387 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
390 /* find link to delete */
391 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
394 ads_msgfree(ads
, res
);
395 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
397 mods
= ads_init_mods(mem_ctx
);
398 ADS_ERROR_HAVE_NO_MEMORY(mods
);
400 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
401 if (!ADS_ERR_OK(status
)) {
405 return ads_gen_mod(ads
, link_dn
, mods
);
408 /****************************************************************
409 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
410 ****************************************************************/
412 ADS_STATUS
ads_parse_gpo(ADS_STRUCT
*ads
,
416 struct GROUP_POLICY_OBJECT
*gpo
)
420 ADS_ERROR_HAVE_NO_MEMORY(res
);
423 gpo
->ds_path
= talloc_strdup(mem_ctx
, gpo_dn
);
425 gpo
->ds_path
= ads_get_dn(ads
, mem_ctx
, res
);
428 ADS_ERROR_HAVE_NO_MEMORY(gpo
->ds_path
);
430 if (!ads_pull_uint32(ads
, res
, "versionNumber", &gpo
->version
)) {
431 return ADS_ERROR(LDAP_NO_MEMORY
);
434 if (!ads_pull_uint32(ads
, res
, "flags", &gpo
->options
)) {
435 return ADS_ERROR(LDAP_NO_MEMORY
);
438 gpo
->file_sys_path
= ads_pull_string(ads
, mem_ctx
, res
,
440 ADS_ERROR_HAVE_NO_MEMORY(gpo
->file_sys_path
);
442 gpo
->display_name
= ads_pull_string(ads
, mem_ctx
, res
,
444 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
446 gpo
->name
= ads_pull_string(ads
, mem_ctx
, res
,
448 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
450 gpo
->machine_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
451 "gPCMachineExtensionNames");
452 gpo
->user_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
453 "gPCUserExtensionNames");
455 ads_pull_sd(ads
, mem_ctx
, res
, "ntSecurityDescriptor",
456 &gpo
->security_descriptor
);
457 ADS_ERROR_HAVE_NO_MEMORY(gpo
->security_descriptor
);
459 return ADS_ERROR(LDAP_SUCCESS
);
462 /****************************************************************
463 get a GROUP_POLICY_OBJECT structure based on different input parameters
464 ****************************************************************/
466 ADS_STATUS
ads_get_gpo(ADS_STRUCT
*ads
,
469 const char *display_name
,
470 const char *guid_name
,
471 struct GROUP_POLICY_OBJECT
*gpo
)
474 LDAPMessage
*res
= NULL
;
477 const char *attrs
[] = {
482 "gPCFunctionalityVersion",
483 "gPCMachineExtensionNames",
484 "gPCUserExtensionNames",
487 "ntSecurityDescriptor",
490 uint32_t sd_flags
= SECINFO_DACL
;
494 if (!gpo_dn
&& !display_name
&& !guid_name
) {
495 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
500 if (strnequal(gpo_dn
, "LDAP://", strlen("LDAP://")) != 0) {
501 gpo_dn
= gpo_dn
+ strlen("LDAP://");
504 status
= ads_search_retry_dn_sd_flags(ads
, &res
,
508 } else if (display_name
|| guid_name
) {
510 filter
= talloc_asprintf(mem_ctx
,
511 "(&(objectclass=groupPolicyContainer)(%s=%s))",
512 display_name
? "displayName" : "name",
513 display_name
? display_name
: guid_name
);
514 ADS_ERROR_HAVE_NO_MEMORY(filter
);
516 status
= ads_do_search_all_sd_flags(ads
, ads
->config
.bind_path
,
517 LDAP_SCOPE_SUBTREE
, filter
,
518 attrs
, sd_flags
, &res
);
521 if (!ADS_ERR_OK(status
)) {
522 DEBUG(10,("ads_get_gpo: search failed with %s\n",
523 ads_errstr(status
)));
527 if (ads_count_replies(ads
, res
) != 1) {
528 DEBUG(10,("ads_get_gpo: no result\n"));
529 ads_msgfree(ads
, res
);
530 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
533 dn
= ads_get_dn(ads
, mem_ctx
, res
);
535 ads_msgfree(ads
, res
);
536 return ADS_ERROR(LDAP_NO_MEMORY
);
539 status
= ads_parse_gpo(ads
, mem_ctx
, res
, dn
, gpo
);
540 ads_msgfree(ads
, res
);
546 /****************************************************************
547 add a gplink to the GROUP_POLICY_OBJECT linked list
548 ****************************************************************/
550 static ADS_STATUS
add_gplink_to_gpo_list(ADS_STRUCT
*ads
,
552 struct GROUP_POLICY_OBJECT
**gpo_list
,
554 struct GP_LINK
*gp_link
,
555 enum GPO_LINK_TYPE link_type
,
556 bool only_add_forced_gpos
,
557 const struct security_token
*token
)
562 for (i
= 0; i
< gp_link
->num_links
; i
++) {
564 struct GROUP_POLICY_OBJECT
*new_gpo
= NULL
;
566 if (gp_link
->link_opts
[i
] & GPO_LINK_OPT_DISABLED
) {
567 DEBUG(10,("skipping disabled GPO\n"));
571 if (only_add_forced_gpos
) {
573 if (!(gp_link
->link_opts
[i
] & GPO_LINK_OPT_ENFORCED
)) {
574 DEBUG(10,("skipping nonenforced GPO link "
575 "because GPOPTIONS_BLOCK_INHERITANCE "
579 DEBUG(10,("adding enforced GPO link although "
580 "the GPOPTIONS_BLOCK_INHERITANCE "
585 new_gpo
= talloc_zero(mem_ctx
, struct GROUP_POLICY_OBJECT
);
586 ADS_ERROR_HAVE_NO_MEMORY(new_gpo
);
588 status
= ads_get_gpo(ads
, mem_ctx
, gp_link
->link_names
[i
],
589 NULL
, NULL
, new_gpo
);
590 if (!ADS_ERR_OK(status
)) {
591 DEBUG(10,("failed to get gpo: %s\n",
592 gp_link
->link_names
[i
]));
596 status
= ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo
,
598 if (!ADS_ERR_OK(status
)) {
599 DEBUG(10,("skipping GPO \"%s\" as object "
600 "has no access to it\n",
601 new_gpo
->display_name
));
602 talloc_free(new_gpo
);
606 new_gpo
->link
= link_dn
;
607 new_gpo
->link_type
= link_type
;
609 DLIST_ADD(*gpo_list
, new_gpo
);
611 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
612 "to GPO list\n", i
, gp_link
->link_names
[i
]));
615 return ADS_ERROR(LDAP_SUCCESS
);
618 /****************************************************************
619 ****************************************************************/
621 ADS_STATUS
ads_get_sid_token(ADS_STRUCT
*ads
,
624 struct security_token
**token
)
627 struct dom_sid object_sid
;
628 struct dom_sid primary_group_sid
;
629 struct dom_sid
*ad_token_sids
;
630 size_t num_ad_token_sids
= 0;
631 struct dom_sid
*token_sids
;
632 uint32_t num_token_sids
= 0;
633 struct security_token
*new_token
= NULL
;
636 status
= ads_get_tokensids(ads
, mem_ctx
, dn
,
637 &object_sid
, &primary_group_sid
,
638 &ad_token_sids
, &num_ad_token_sids
);
639 if (!ADS_ERR_OK(status
)) {
643 token_sids
= talloc_array(mem_ctx
, struct dom_sid
, 1);
644 ADS_ERROR_HAVE_NO_MEMORY(token_sids
);
646 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
650 if (!ADS_ERR_OK(status
)) {
654 for (i
= 0; i
< num_ad_token_sids
; i
++) {
656 if (sid_check_is_in_builtin(&ad_token_sids
[i
])) {
660 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
664 if (!ADS_ERR_OK(status
)) {
669 new_token
= create_local_nt_token(mem_ctx
, &object_sid
, false,
670 num_token_sids
, token_sids
);
671 ADS_ERROR_HAVE_NO_MEMORY(new_token
);
675 security_token_debug(DBGC_CLASS
, 5, *token
);
677 return ADS_ERROR_LDAP(LDAP_SUCCESS
);
680 /****************************************************************
681 ****************************************************************/
683 static ADS_STATUS
add_local_policy_to_gpo_list(TALLOC_CTX
*mem_ctx
,
684 struct GROUP_POLICY_OBJECT
**gpo_list
,
685 enum GPO_LINK_TYPE link_type
)
687 struct GROUP_POLICY_OBJECT
*gpo
= NULL
;
689 ADS_ERROR_HAVE_NO_MEMORY(gpo_list
);
691 gpo
= talloc_zero(mem_ctx
, struct GROUP_POLICY_OBJECT
);
692 ADS_ERROR_HAVE_NO_MEMORY(gpo
);
694 gpo
->name
= talloc_strdup(mem_ctx
, "Local Policy");
695 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
697 gpo
->display_name
= talloc_strdup(mem_ctx
, "Local Policy");
698 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
700 gpo
->link_type
= link_type
;
702 DLIST_ADD(*gpo_list
, gpo
);
704 return ADS_ERROR_NT(NT_STATUS_OK
);
707 /****************************************************************
708 get the full list of GROUP_POLICY_OBJECTs for a given dn
709 ****************************************************************/
711 ADS_STATUS
ads_get_gpo_list(ADS_STRUCT
*ads
,
715 const struct security_token
*token
,
716 struct GROUP_POLICY_OBJECT
**gpo_list
)
718 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
721 struct GP_LINK gp_link
;
722 const char *parent_dn
, *site_dn
, *tmp_dn
;
723 bool add_only_forced_gpos
= false;
725 ZERO_STRUCTP(gpo_list
);
728 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
731 if (!ads_set_sasl_wrap_flags(ads
, ADS_AUTH_SASL_SIGN
)) {
732 return ADS_ERROR(LDAP_INVALID_CREDENTIALS
);
735 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn
));
738 status
= add_local_policy_to_gpo_list(mem_ctx
, gpo_list
,
740 if (!ADS_ERR_OK(status
)) {
746 /* are site GPOs valid for users as well ??? */
747 if (flags
& GPO_LIST_FLAG_MACHINE
) {
749 status
= ads_site_dn_for_machine(ads
, mem_ctx
,
750 ads
->config
.ldap_server_name
,
752 if (!ADS_ERR_OK(status
)) {
756 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
759 status
= ads_get_gpo_link(ads
, mem_ctx
, site_dn
, &gp_link
);
760 if (ADS_ERR_OK(status
)) {
762 if (DEBUGLEVEL
>= 100) {
763 dump_gplink(ads
, mem_ctx
, &gp_link
);
766 status
= add_gplink_to_gpo_list(ads
, mem_ctx
, gpo_list
,
769 add_only_forced_gpos
,
771 if (!ADS_ERR_OK(status
)) {
775 if (flags
& GPO_LIST_FLAG_SITEONLY
) {
776 return ADS_ERROR(LDAP_SUCCESS
);
779 /* inheritance can't be blocked at the site level */
785 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
786 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
790 /* An account can just be a member of one domain */
791 if (strncmp(parent_dn
, "DC=", strlen("DC=")) == 0) {
793 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
796 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
798 if (ADS_ERR_OK(status
)) {
800 if (DEBUGLEVEL
>= 100) {
801 dump_gplink(ads
, mem_ctx
, &gp_link
);
804 /* block inheritance from now on */
805 if (gp_link
.gp_opts
&
806 GPOPTIONS_BLOCK_INHERITANCE
) {
807 add_only_forced_gpos
= true;
810 status
= add_gplink_to_gpo_list(ads
,
816 add_only_forced_gpos
,
818 if (!ADS_ERR_OK(status
)) {
830 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
831 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
834 /* (O)rganizational(U)nit */
836 /* An account can be a member of more OUs */
837 if (strncmp(parent_dn
, "OU=", strlen("OU=")) == 0) {
839 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
842 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
844 if (ADS_ERR_OK(status
)) {
846 if (DEBUGLEVEL
>= 100) {
847 dump_gplink(ads
, mem_ctx
, &gp_link
);
850 /* block inheritance from now on */
851 if (gp_link
.gp_opts
&
852 GPOPTIONS_BLOCK_INHERITANCE
) {
853 add_only_forced_gpos
= true;
856 status
= add_gplink_to_gpo_list(ads
,
862 add_only_forced_gpos
,
864 if (!ADS_ERR_OK(status
)) {
874 return ADS_ERROR(LDAP_SUCCESS
);
877 #endif /* HAVE_LDAP */