2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Wilco Baan Hofman 2010
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 #include "../libcli/security/dom_sid.h"
21 #include "../libcli/security/security_descriptor.h"
22 #include "../librpc/ndr/libndr.h"
23 #include "../lib/util/charset/charset.h"
24 #include "param/param.h"
25 #include "lib/policy/policy.h"
27 static uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask
)
31 /* Copy the standard access mask */
32 fs_mask
= access_mask
& 0x001F0000;
34 /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
35 if (access_mask
& SEC_ADS_READ_PROP
&& access_mask
& SEC_ADS_LIST
) {
36 fs_mask
|= SEC_STD_SYNCHRONIZE
| SEC_DIR_LIST
| SEC_DIR_READ_ATTRIBUTE
|
37 SEC_DIR_READ_EA
| SEC_DIR_TRAVERSE
;
40 /* When WRITE_PROP is set, full write access is granted on the GPT */
41 if (access_mask
& SEC_ADS_WRITE_PROP
) {
42 fs_mask
|= SEC_STD_SYNCHRONIZE
| SEC_DIR_WRITE_ATTRIBUTE
|
43 SEC_DIR_WRITE_EA
| SEC_DIR_ADD_FILE
|
47 /* Map CREATE_CHILD to add file and add subdir */
48 if (access_mask
& SEC_ADS_CREATE_CHILD
)
49 fs_mask
|= SEC_DIR_ADD_FILE
| SEC_DIR_ADD_SUBDIR
;
51 /* Map ADS delete child to dir delete child */
52 if (access_mask
& SEC_ADS_DELETE_CHILD
)
53 fs_mask
|= SEC_DIR_DELETE_CHILD
;
58 NTSTATUS
gp_create_gpt_security_descriptor (TALLOC_CTX
*mem_ctx
, struct security_descriptor
*ds_sd
, struct security_descriptor
**ret
)
60 struct security_descriptor
*fs_sd
;
64 /* Allocate the file system security descriptor */
65 fs_sd
= talloc(mem_ctx
, struct security_descriptor
);
66 NT_STATUS_HAVE_NO_MEMORY(fs_sd
);
68 /* Copy the basic information from the directory server security descriptor */
69 fs_sd
->owner_sid
= talloc_memdup(fs_sd
, ds_sd
->owner_sid
, sizeof(struct dom_sid
));
70 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd
->owner_sid
, fs_sd
);
72 fs_sd
->group_sid
= talloc_memdup(fs_sd
, ds_sd
->group_sid
, sizeof(struct dom_sid
));
73 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd
->group_sid
, fs_sd
);
75 fs_sd
->type
= ds_sd
->type
;
76 fs_sd
->revision
= ds_sd
->revision
;
79 fs_sd
->sacl
= security_acl_dup(fs_sd
, ds_sd
->sacl
);
80 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd
->sacl
, fs_sd
);
83 fs_sd
->dacl
= talloc_zero(fs_sd
, struct security_acl
);
84 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd
->dacl
, fs_sd
);
86 for (i
= 0; i
< ds_sd
->dacl
->num_aces
; i
++) {
87 char *trustee
= dom_sid_string(fs_sd
, &ds_sd
->dacl
->aces
[i
].trustee
);
88 struct security_ace
*ace
;
90 /* Don't add the allow for SID_BUILTIN_PREW2K */
91 if (!(ds_sd
->dacl
->aces
[i
].type
& SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT
) &&
92 strcmp(trustee
, SID_BUILTIN_PREW2K
) == 0) {
97 /* Copy the ace from the directory server security descriptor */
98 ace
= talloc_memdup(fs_sd
, &ds_sd
->dacl
->aces
[i
], sizeof(struct security_ace
));
99 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ace
, fs_sd
);
101 /* Set specific inheritance flags for within the GPO */
102 ace
->flags
|= SEC_ACE_FLAG_OBJECT_INHERIT
| SEC_ACE_FLAG_CONTAINER_INHERIT
;
103 if (strcmp(trustee
, SID_CREATOR_OWNER
) == 0) {
104 ace
->flags
|= SEC_ACE_FLAG_INHERIT_ONLY
;
107 /* Get a directory access mask from the assigned access mask on the LDAP object */
108 ace
->access_mask
= gp_ads_to_dir_access_mask(ace
->access_mask
);
110 /* Add the ace to the security descriptor DACL */
111 status
= security_descriptor_dacl_add(fs_sd
, ace
);
112 if (!NT_STATUS_IS_OK(status
)) {
113 DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
117 /* Clean up the allocated data in this iteration */
118 talloc_free(trustee
);
126 NTSTATUS
gp_create_gpo (struct gp_context
*gp_ctx
, const char *display_name
, struct gp_object
**ret
)
128 struct GUID guid_struct
;
131 struct security_descriptor
*sd
;
133 struct gp_object
*gpo
;
136 /* Create a forked memory context, as a base for everything here */
137 mem_ctx
= talloc_new(gp_ctx
);
138 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
140 /* Create the gpo struct to return later */
141 gpo
= talloc(gp_ctx
, struct gp_object
);
142 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo
, mem_ctx
);
144 /* Generate a GUID */
145 guid_struct
= GUID_random();
146 guid_str
= GUID_string2(mem_ctx
, &guid_struct
);
147 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(guid_str
, mem_ctx
);
148 name
= strupper_talloc(mem_ctx
, guid_str
);
149 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(name
, mem_ctx
);
151 /* Prepare the GPO struct */
156 gpo
->display_name
= talloc_strdup(gpo
, display_name
);
157 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo
->display_name
, mem_ctx
);
159 gpo
->file_sys_path
= talloc_asprintf(gpo
, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx
->lp_ctx
), lpcfg_dnsdomain(gp_ctx
->lp_ctx
), name
);
160 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo
->file_sys_path
, mem_ctx
);
163 status
= gp_create_gpt(gp_ctx
, name
, gpo
->file_sys_path
);
164 if (!NT_STATUS_IS_OK(status
)) {
165 DEBUG(0, ("Failed to create GPT\n"));
166 talloc_free(mem_ctx
);
171 /* Create the LDAP GPO, including CN=User and CN=Machine */
172 status
= gp_create_ldap_gpo(gp_ctx
, gpo
);
173 if (!NT_STATUS_IS_OK(status
)) {
174 DEBUG(0, ("Failed to create LDAP group policy object\n"));
175 talloc_free(mem_ctx
);
179 /* Get the new security descriptor */
180 status
= gp_get_gpo_info(gp_ctx
, gpo
->dn
, &gpo
);
181 if (!NT_STATUS_IS_OK(status
)) {
182 DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
183 talloc_free(mem_ctx
);
187 /* Create matching file and DS security descriptors */
188 status
= gp_create_gpt_security_descriptor(mem_ctx
, gpo
->security_descriptor
, &sd
);
189 if (!NT_STATUS_IS_OK(status
)) {
190 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
191 talloc_free(mem_ctx
);
195 /* Set the security descriptor on the filesystem for this GPO */
196 status
= gp_set_gpt_security_descriptor(gp_ctx
, gpo
, sd
);
197 if (!NT_STATUS_IS_OK(status
)) {
198 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
199 talloc_free(mem_ctx
);
203 talloc_free(mem_ctx
);
209 NTSTATUS
gp_set_acl (struct gp_context
*gp_ctx
, const char *dn_str
, const struct security_descriptor
*sd
)
212 struct security_descriptor
*fs_sd
;
213 struct gp_object
*gpo
;
216 /* Create a forked memory context, as a base for everything here */
217 mem_ctx
= talloc_new(gp_ctx
);
218 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
220 /* Set the ACL on LDAP database */
221 status
= gp_set_ads_acl(gp_ctx
, dn_str
, sd
);
222 if (!NT_STATUS_IS_OK(status
)) {
223 DEBUG(0, ("Failed to set ACL on ADS\n"));
224 talloc_free(mem_ctx
);
228 /* Get the group policy object information, for filesystem location and merged sd */
229 status
= gp_get_gpo_info(gp_ctx
, dn_str
, &gpo
);
230 if (!NT_STATUS_IS_OK(status
)) {
231 DEBUG(0, ("Failed to set ACL on ADS\n"));
232 talloc_free(mem_ctx
);
236 /* Create matching file and DS security descriptors */
237 status
= gp_create_gpt_security_descriptor(mem_ctx
, gpo
->security_descriptor
, &fs_sd
);
238 if (!NT_STATUS_IS_OK(status
)) {
239 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
240 talloc_free(mem_ctx
);
244 /* Set the security descriptor on the filesystem for this GPO */
245 status
= gp_set_gpt_security_descriptor(gp_ctx
, gpo
, fs_sd
);
246 if (!NT_STATUS_IS_OK(status
)) {
247 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
248 talloc_free(mem_ctx
);
252 talloc_free(mem_ctx
);
256 NTSTATUS
gp_push_gpo (struct gp_context
*gp_ctx
, const char *local_path
, struct gp_object
*gpo
)
260 struct gp_ini_context
*ini
;
263 mem_ctx
= talloc_new(gp_ctx
);
264 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
266 /* Get version from ini file */
267 /* FIXME: The local file system may be case sensitive */
268 filename
= talloc_asprintf(mem_ctx
, "%s/%s", local_path
, "GPT.INI");
269 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filename
, mem_ctx
);
270 status
= gp_parse_ini(mem_ctx
, gp_ctx
, local_path
, &ini
);
271 if (!NT_STATUS_IS_OK(status
)) {
272 DEBUG(0, ("Failed to parse GPT.INI.\n"));
273 talloc_free(mem_ctx
);
277 /* Push the GPT to the remote sysvol */
278 status
= gp_push_gpt(gp_ctx
, local_path
, gpo
->file_sys_path
);
279 if (!NT_STATUS_IS_OK(status
)) {
280 DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
281 talloc_free(mem_ctx
);
285 /* Write version to LDAP */
286 status
= gp_set_ldap_gpo(gp_ctx
, gpo
);
287 if (!NT_STATUS_IS_OK(status
)) {
288 DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
289 talloc_free(mem_ctx
);
293 talloc_free(mem_ctx
);