search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Set inherit flag type to bool.
[Samba.git] / source4 / lib / policy / gp_ldap.c
blob3e0d37dbcce981617531246b130a1f972f4c99cb
1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
11 *
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
16 *
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
19 */
20 #include "includes.h"
21 #include "param/param.h"
22 #include "lib/ldb/include/ldb.h"
23 #include "lib/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/dom_sid.h"
30 #include "libcli/security/security.h"
31 #include "../lib/talloc/talloc.h"
32 #include "lib/policy/policy.h"
33
34 struct gpo_stringmap {
35 const char *str;
36 uint32_t flags;
37 };
38 static const struct gpo_stringmap gplink_options [] = {
39 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE },
40 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE },
41 { NULL, 0 }
42 };
43 static const struct gpo_stringmap gpo_flags [] = {
44 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE },
45 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE },
46 { NULL, 0 }
47 };
48 static const struct gpo_stringmap gpo_inheritance [] = {
49 { "GPO_INHERIT", GPO_INHERIT },
50 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE },
51 { NULL, 0 }
52 };
53
54
55 static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret)
56 {
57 struct gp_object *gpo = talloc(mem_ctx, struct gp_object);
58 enum ndr_err_code ndr_err;
59 const DATA_BLOB *data;
60
61 gpo->dn = talloc_strdup(mem_ctx, ldb_dn_get_linearized(msg->dn));
62
63 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn));
64
65 gpo->display_name = ldb_msg_find_attr_as_string(msg, "displayName", "");
66 gpo->name = ldb_msg_find_attr_as_string(msg, "name", "");
67 gpo->flags = ldb_msg_find_attr_as_uint(msg, "name", 0);
68 gpo->version = ldb_msg_find_attr_as_uint(msg, "version", 0);
69 gpo->file_sys_path = ldb_msg_find_attr_as_string(msg, "gPCFileSysPath", "");
70
71 if (gpo->display_name[0] != '\0')
72 gpo->display_name = talloc_strdup(mem_ctx, gpo->display_name);
73 if (gpo->name[0] != '\0')
74 gpo->name = talloc_strdup(mem_ctx, gpo->name);
75 if (gpo->file_sys_path[0] != '\0')
76 gpo->file_sys_path = talloc_strdup(mem_ctx, gpo->file_sys_path);
77
78 /* Pull the security descriptor through the NDR library */
79 data = ldb_msg_find_ldb_val(msg, "nTSecurityDescriptor");
80 gpo->security_descriptor = talloc(mem_ctx, struct security_descriptor);
81 ndr_err = ndr_pull_struct_blob(data,
82 mem_ctx,
83 gpo->security_descriptor,
84 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
85 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
86 return ndr_map_error2ntstatus(ndr_err);
87 }
88
89 *ret = gpo;
90 return NT_STATUS_OK;
91 }
92
93 NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret)
94 {
95 unsigned int i, count=0;
96 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
97
98 flag_strs[0] = NULL;
99
100 for (i = 0; gpo_flags[i].str != NULL; i++) {
101 if (flags & gpo_flags[i].flags) {
102 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
103 flag_strs[count] = gpo_flags[i].str;
104 flag_strs[count+1] = NULL;
105 count++;
106 }
107 }
108 *ret = flag_strs;
109 return NT_STATUS_OK;
110 }
111
112 NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret)
113 {
114 unsigned int i, count=0;
115 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
116
117 flag_strs[0] = NULL;
118
119 for (i = 0; gplink_options[i].str != NULL; i++) {
120 if (options & gplink_options[i].flags) {
121 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
122 flag_strs[count] = gplink_options[i].str;
123 flag_strs[count+1] = NULL;
124 count++;
125 }
126 }
127 *ret = flag_strs;
128 return NT_STATUS_OK;
129 }
130
131 NTSTATUS gp_init(TALLOC_CTX *mem_ctx,
132 struct loadparm_context *lp_ctx,
133 struct cli_credentials *credentials,
134 struct tevent_context *ev_ctx,
135 struct gp_context **gp_ctx)
136 {
137
138 struct libnet_LookupDCs *io;
139 char *url;
140 struct libnet_context *net_ctx;
141 struct ldb_context *ldb_ctx;
142 NTSTATUS rv;
143
144 /* Initialise the libnet context */
145 net_ctx = libnet_context_init(ev_ctx, lp_ctx);
146 net_ctx->cred = credentials;
147
148 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
149 io = talloc_zero(mem_ctx, struct libnet_LookupDCs);
150 io->in.name_type = NBT_NAME_PDC;
151 io->in.domain_name = lp_workgroup(lp_ctx);
152
153 /* Find Active DC's */
154 rv = libnet_LookupDCs(net_ctx, mem_ctx, io);
155 if (!NT_STATUS_IS_OK(rv)) {
156 DEBUG(0, ("Failed to lookup DCs in domain\n"));
157 return rv;
158 }
159
160 /* Connect to ldap://DC_NAME with all relevant contexts*/
161 url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name);
162 ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx,
163 url, NULL, net_ctx->cred, 0);
164 if (ldb_ctx == NULL) {
165 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url));
166 return NT_STATUS_UNSUCCESSFUL;
167 }
168
169
170 *gp_ctx = talloc_zero(mem_ctx, struct gp_context);
171 (*gp_ctx)->lp_ctx = lp_ctx;
172 (*gp_ctx)->credentials = credentials;
173 (*gp_ctx)->ev_ctx = ev_ctx;
174 (*gp_ctx)->ldb_ctx = ldb_ctx;
175 (*gp_ctx)->active_dc = io->out.dcs[0];
176
177 /* We don't need to keep the libnet context */
178 talloc_free(net_ctx);
179 return NT_STATUS_OK;
180 }
181
182 NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret)
183 {
184 struct ldb_result *result;
185 int rv;
186 NTSTATUS status;
187 TALLOC_CTX *mem_ctx;
188 struct ldb_dn *dn;
189 struct gp_object **gpo;
190 unsigned int i; /* same as in struct ldb_result */
191 const char **attrs;
192
193 /* Create a forked memory context, as a base for everything here */
194 mem_ctx = talloc_new(gp_ctx);
195
196 /* Create full ldb dn of the policies base object */
197 dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
198 rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System"));
199 if (!rv) {
200 DEBUG(0, ("Can't append subtree to DN\n"));
201 talloc_free(mem_ctx);
202 return NT_STATUS_UNSUCCESSFUL;
203 }
204
205 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn)));
206
207 attrs = talloc_array(mem_ctx, const char *, 7);
208 attrs[0] = "nTSecurityDescriptor";
209 attrs[1] = "versionNumber";
210 attrs[2] = "flags";
211 attrs[3] = "name";
212 attrs[4] = "displayName";
213 attrs[5] = "gPCFileSysPath";
214 attrs[6] = NULL;
215
216 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)");
217 if (rv != LDB_SUCCESS) {
218 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx)));
219 talloc_free(mem_ctx);
220 return NT_STATUS_UNSUCCESSFUL;
221 }
222
223 gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1);
224 gpo[result->count] = NULL;
225
226 for (i = 0; i < result->count; i++) {
227 status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]);
228 if (!NT_STATUS_IS_OK(status)) {
229 DEBUG(0, ("Failed to parse GPO.\n"));
230 talloc_free(mem_ctx);
231 return status;
232 }
233 }
234
235 talloc_free(mem_ctx);
236
237 *ret = gpo;
238 return NT_STATUS_OK;
239 }
240
241 NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret)
242 {
243 struct ldb_result *result;
244 struct ldb_dn *dn;
245 struct gp_object *gpo;
246 int rv;
247 NTSTATUS status;
248 TALLOC_CTX *mem_ctx;
249 const char **attrs;
250
251 /* Create a forked memory context, as a base for everything here */
252 mem_ctx = talloc_new(gp_ctx);
253
254 /* Create an ldb dn struct for the dn string */
255 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
256
257 attrs = talloc_array(mem_ctx, const char *, 7);
258 attrs[0] = "nTSecurityDescriptor";
259 attrs[1] = "versionNumber";
260 attrs[2] = "flags";
261 attrs[3] = "name";
262 attrs[4] = "displayName";
263 attrs[5] = "gPCFileSysPath";
264 attrs[6] = NULL;
265
266 rv = ldb_search(gp_ctx->ldb_ctx,
267 mem_ctx,
268 &result,
269 dn,
270 LDB_SCOPE_BASE,
271 attrs,
272 "objectClass=groupPolicyContainer");
273 if (rv != LDB_SUCCESS) {
274 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx)));
275 talloc_free(mem_ctx);
276 return NT_STATUS_UNSUCCESSFUL;
277 }
278
279 /* We expect exactly one record */
280 if (result->count != 1) {
281 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str));
282 talloc_free(mem_ctx);
283 return NT_STATUS_NOT_FOUND;
284 }
285
286 status = parse_gpo(gp_ctx, result->msgs[0], &gpo);
287 if (!NT_STATUS_IS_OK(status)) {
288 DEBUG(0, ("Failed to parse GPO.\n"));
289 talloc_free(mem_ctx);
290 return status;
291 }
292
293 talloc_free(mem_ctx);
294
295 *ret = gpo;
296 return NT_STATUS_OK;
297 }
298
299 static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret)
300 {
301 int start, idx=0;
302 int pos;
303 struct gp_link **gplinks;
304 char *buf, *end;
305 const char *gplink_start = "[LDAP://";
306
307 gplinks = talloc_array(mem_ctx, struct gp_link *, 1);
308 gplinks[0] = NULL;
309
310 /* Assuming every gPLink starts with "[LDAP://" */
311 start = strlen(gplink_start);
312
313 for (pos = start; pos < strlen(gplink_str); pos++) {
314 if (gplink_str[pos] == ';') {
315 gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2);
316 gplinks[idx] = talloc(mem_ctx, struct gp_link);
317 gplinks[idx]->dn = talloc_strndup(mem_ctx,
318 gplink_str + start,
319 pos - start);
320
321 for (start = pos + 1; gplink_str[pos] != ']'; pos++);
322
323 buf = talloc_strndup(gplinks, gplink_str + start, pos - start);
324 gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0);
325 talloc_free(buf);
326
327 /* Set the last entry in the array to be NULL */
328 gplinks[idx + 1] = NULL;
329
330 /* Increment the array index, the string position past
331 the next "[LDAP://", and set the start reference */
332 idx++;
333 pos += strlen(gplink_start)+1;
334 start = pos;
335 }
336 }
337
338 *ret = gplinks;
339 return NT_STATUS_OK;
340 }
341
342
343 NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *dn_str, struct gp_link ***ret)
344 {
345 TALLOC_CTX *mem_ctx;
346 struct ldb_dn *dn;
347 struct ldb_result *result;
348 struct gp_link **gplinks;
349 char *gplink_str;
350 int rv;
351 unsigned int i, j;
352 NTSTATUS status;
353
354 /* Create a forked memory context, as a base for everything here */
355 mem_ctx = talloc_new(gp_ctx);
356
357 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
358
359 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)");
360 if (rv != LDB_SUCCESS) {
361 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
362 talloc_free(mem_ctx);
363 return NT_STATUS_UNSUCCESSFUL;
364 }
365
366 for (i = 0; i < result->count; i++) {
367 for (j = 0; j < result->msgs[i]->num_elements; j++) {
368 struct ldb_message_element *element = &result->msgs[i]->elements[j];
369
370 if (strcmp(element->name, "gPLink") == 0) {
371 SMB_ASSERT(element->num_values > 0);
372 gplink_str = talloc_strdup(mem_ctx, (char *) element->values[0].data);
373 goto found;
374 }
375 }
376 }
377 gplink_str = talloc_strdup(mem_ctx, "");
378
379 found:
380
381 status = parse_gplink(gp_ctx, gplink_str, &gplinks);
382 if (!NT_STATUS_IS_OK(status)) {
383 DEBUG(0, ("Failed to parse gPLink\n"));
384 return status;
385 }
386
387 talloc_free(mem_ctx);
388
389 *ret = gplinks;
390 return NT_STATUS_OK;
391 }
392
393 NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret)
394 {
395 TALLOC_CTX *mem_ctx;
396 const char **gpos;
397 struct ldb_result *result;
398 const char *sid;
399 struct ldb_dn *dn;
400 struct ldb_message_element *element;
401 bool inherit;
402 const char *attrs[] = { "objectClass", NULL };
403 int rv;
404 NTSTATUS status;
405 unsigned int count = 0;
406 unsigned int i;
407 enum {
408 ACCOUNT_TYPE_USER = 0,
409 ACCOUNT_TYPE_MACHINE = 1
410 } account_type;
411
412 /* Create a forked memory context, as a base for everything here */
413 mem_ctx = talloc_new(gp_ctx);
414
415 sid = dom_sid_string(mem_ctx, token->user_sid);
416
417 /* Find the user DN and objectclass via the sid from the security token */
418 rv = ldb_search(gp_ctx->ldb_ctx,
419 mem_ctx,
420 &result,
421 ldb_get_default_basedn(gp_ctx->ldb_ctx),
422 LDB_SCOPE_SUBTREE,
423 attrs,
424 "(&(objectclass=user)(objectSid=%s))", sid);
425 if (rv != LDB_SUCCESS) {
426 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
427 ldb_errstring(gp_ctx->ldb_ctx)));
428 talloc_free(mem_ctx);
429 return NT_STATUS_UNSUCCESSFUL;
430 }
431 if (result->count != 1) {
432 DEBUG(0, ("Could not find user with sid %s.\n", sid));
433 talloc_free(mem_ctx);
434 return NT_STATUS_UNSUCCESSFUL;
435 }
436 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn)));
437
438 element = ldb_msg_find_element(result->msgs[0], "objectClass");
439
440 /* We need to know if this account is a user or machine. */
441 account_type = ACCOUNT_TYPE_USER;
442 for (i = 0; i < element->num_values; i++) {
443 if (strcmp((char *)element->values[i].data, "computer") == 0) {
444 account_type = ACCOUNT_TYPE_MACHINE;
445 DEBUG(10, ("This user is a machine\n"));
446 }
447 }
448
449 gpos = talloc_array(gp_ctx, const char *, 1);
450 gpos[0] = NULL;
451
452 /* Walk through the containers until we hit the root */
453 inherit = 1;
454 dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn);
455 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) {
456 const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL };
457 struct gp_link **gplinks;
458 enum gpo_inheritance gpoptions;
459
460 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn)));
461
462 /* Get the gPLink and gPOptions attributes from the container */
463 rv = ldb_search(gp_ctx->ldb_ctx,
464 mem_ctx,
465 &result,
466 dn,
467 LDB_SCOPE_BASE,
468 gpo_attrs,
469 "objectclass=*");
470 if (rv != LDB_SUCCESS) {
471 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
472 ldb_errstring(gp_ctx->ldb_ctx)));
473 talloc_free(mem_ctx);
474 return NT_STATUS_UNSUCCESSFUL;
475 }
476
477 /* Parse the gPLink attribute, put it into a nice struct array */
478 status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks);
479 if (!NT_STATUS_IS_OK(status)) {
480 DEBUG(0, ("Failed to parse gPLink\n"));
481 talloc_free(mem_ctx);
482 return status;
483 }
484
485 /* Check all group policy links on this container */
486 for (i = 0; gplinks[i] != NULL; i++) {
487 struct gp_object *gpo;
488 uint32_t access_granted;
489
490 /* If inheritance was blocked at a higher level and this
491 * gplink is not enforced, it should not be applied */
492 if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE))
493 continue;
494
495 /* Don't apply disabled links */
496 if (gplinks[i]->options & GPLINK_OPT_DISABLE)
497 continue;
498
499 /* Get GPO information */
500 status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo);
501 if (!NT_STATUS_IS_OK(status)) {
502 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn));
503 talloc_free(mem_ctx);
504 return status;
505 }
506
507 /* If the account does not have read access, this GPO does not apply
508 * to this account */
509 status = sec_access_check(gpo->security_descriptor,
510 token,
511 (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP),
512 &access_granted);
513 if (!NT_STATUS_IS_OK(status)) {
514 continue;
515 }
516
517 /* If the account is a user and the GPO has user disabled flag, or
518 * a machine and the GPO has machine disabled flag, this GPO does
519 * not apply to this account */
520 if ((account_type == ACCOUNT_TYPE_USER &&
521 (gpo->flags & GPO_FLAG_USER_DISABLE)) ||
522 (account_type == ACCOUNT_TYPE_MACHINE &&
523 (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) {
524 continue;
525 }
526
527 /* Add the GPO to the list */
528 gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2);
529 gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn);
530 gpos[count+1] = NULL;
531 count++;
532
533 /* Clean up */
534 talloc_free(gpo);
535 }
536
537 /* If inheritance is blocked, then we should only add enforced gPLinks
538 * higher up */
539 gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
540 if (gpoptions == GPO_BLOCK_INHERITANCE) {
541 inherit = 0;
542 }
543 dn = ldb_dn_get_parent(mem_ctx, dn);
544 }
545
546 talloc_free(mem_ctx);
547
548 *ret = gpos;
549 return NT_STATUS_OK;
550 }
551
552 NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink)
553 {
554 TALLOC_CTX *mem_ctx;
555 struct ldb_result *result;
556 struct ldb_dn *dn;
557 struct ldb_message *msg;
558 const char *attrs[] = { "gPLink", NULL };
559 const char *gplink_str;
560 int rv;
561 char *start;
562
563 /* Create a forked memory context, as a base for everything here */
564 mem_ctx = talloc_new(gp_ctx);
565
566 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
567
568 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
569 if (rv != LDB_SUCCESS) {
570 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
571 talloc_free(mem_ctx);
572 return NT_STATUS_UNSUCCESSFUL;
573 }
574
575 if (result->count != 1) {
576 talloc_free(mem_ctx);
577 return NT_STATUS_NOT_FOUND;
578 }
579
580 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
581
582 /* If this GPO link already exists, alter the options, else add it */
583 if ((start = strcasestr(gplink_str, gplink->dn)) != NULL) {
584 start += strlen(gplink->dn);
585 *start = '\0';
586 start++;
587 while (*start != ']' && *start != '\0') {
588 start++;
589 }
590 gplink_str = talloc_asprintf(mem_ctx, "%s;%d%s", gplink_str, gplink->options, start);
591
592 } else {
593 /* Prepend the new GPO link to the string. This list is backwards in priority. */
594 gplink_str = talloc_asprintf(mem_ctx, "[LDAP://%s;%d]%s", gplink->dn, gplink->options, gplink_str);
595 }
596
597
598
599 msg = ldb_msg_new(mem_ctx);
600 msg->dn = dn;
601
602 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
603 if (rv != 0) {
604 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
605 talloc_free(mem_ctx);
606 return NT_STATUS_UNSUCCESSFUL;
607 }
608 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
609
610 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
611 if (rv != 0) {
612 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
613 talloc_free(mem_ctx);
614 return NT_STATUS_UNSUCCESSFUL;
615 }
616
617 talloc_free(mem_ctx);
618 return NT_STATUS_OK;
619 }
620
621 NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gplink_dn)
622 {
623 TALLOC_CTX *mem_ctx;
624 struct ldb_result *result;
625 struct ldb_dn *dn;
626 struct ldb_message *msg;
627 const char *attrs[] = { "gPLink", NULL };
628 const char *gplink_str;
629 int rv;
630 char *p;
631
632 /* Create a forked memory context, as a base for everything here */
633 mem_ctx = talloc_new(gp_ctx);
634
635 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
636
637 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
638 if (rv != LDB_SUCCESS) {
639 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
640 talloc_free(mem_ctx);
641 return NT_STATUS_UNSUCCESSFUL;
642 }
643
644 if (result->count != 1) {
645 talloc_free(mem_ctx);
646 return NT_STATUS_NOT_FOUND;
647 }
648
649 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
650
651 /* If this GPO link already exists, alter the options, else add it */
652 p = strcasestr(gplink_str, talloc_asprintf(mem_ctx, "[LDAP://%s", gplink_dn));
653 if (p == NULL) {
654 talloc_free(mem_ctx);
655 return NT_STATUS_NOT_FOUND;
656 }
657
658 *p = '\0';
659 p++;
660 while (*p != ']' && *p != '\0') {
661 p++;
662 }
663 p++;
664 gplink_str = talloc_asprintf(mem_ctx, "%s%s", gplink_str, p);
665
666
667 msg = ldb_msg_new(mem_ctx);
668 msg->dn = dn;
669
670 if (strcmp(gplink_str, "") == 0) {
671 rv = ldb_msg_add_empty(msg, "gPLink", LDB_FLAG_MOD_DELETE, NULL);
672 if (rv != 0) {
673 DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv)));
674 talloc_free(mem_ctx);
675 return NT_STATUS_UNSUCCESSFUL;
676 }
677 } else {
678 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
679 if (rv != 0) {
680 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
681 talloc_free(mem_ctx);
682 return NT_STATUS_UNSUCCESSFUL;
683 }
684 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
685 }
686 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
687 if (rv != 0) {
688 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
689 talloc_free(mem_ctx);
690 return NT_STATUS_UNSUCCESSFUL;
691 }
692
693 talloc_free(mem_ctx);
694 return NT_STATUS_OK;
695 }
696
697 NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
698 {
699 TALLOC_CTX *mem_ctx;
700 struct ldb_result *result;
701 struct ldb_dn *dn;
702 const char *attrs[] = { "gPOptions", NULL };
703 int rv;
704
705 /* Create a forked memory context, as a base for everything here */
706 mem_ctx = talloc_new(gp_ctx);
707
708 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
709
710 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
711 if (rv != LDB_SUCCESS) {
712 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
713 talloc_free(mem_ctx);
714 return NT_STATUS_UNSUCCESSFUL;
715 }
716
717 if (result->count != 1) {
718 talloc_free(mem_ctx);
719 return NT_STATUS_NOT_FOUND;
720 }
721
722 *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
723
724 talloc_free(mem_ctx);
725 return NT_STATUS_OK;
726 }
727
728 NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
729 {
730 char *inheritance_string;
731 struct ldb_message *msg;
732 int rv;
733
734 msg = ldb_msg_new(gp_ctx);
735 msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
736
737 inheritance_string = talloc_asprintf(msg, "%d", inheritance);
738
739 rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
740 if (rv != 0) {
741 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
742 talloc_free(msg);
743 return NT_STATUS_UNSUCCESSFUL;
744 }
745 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
746
747 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
748 if (rv != 0) {
749 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
750 talloc_free(msg);
751 return NT_STATUS_UNSUCCESSFUL;
752 }
753
754 talloc_free(msg);
755 return NT_STATUS_OK;
756 }
757
758 NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
759 {
760 struct ldb_message *msg;
761 TALLOC_CTX *mem_ctx;
762 int rv;
763 char *dn_str;
764 struct ldb_dn *child_dn, *gpo_dn;
765
766 mem_ctx = talloc_new(gp_ctx);
767
768 /* CN={GUID} */
769 msg = ldb_msg_new(mem_ctx);
770
771 msg->dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
772 dn_str = talloc_asprintf(mem_ctx, "CN=%s,CN=Policies,CN=System", gpo->name);
773 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
774 rv = ldb_dn_add_child(msg->dn, child_dn);
775 if (!rv) goto ldb_msg_add_error;
776
777 rv = ldb_msg_add_string(msg, "objectClass", "top");
778 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
779 rv = ldb_msg_add_string(msg, "objectClass", "container");
780 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
781 rv = ldb_msg_add_string(msg, "objectClass", "groupPolicyContainer");
782 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
783 rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
784 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
785 rv = ldb_msg_add_string(msg, "name", gpo->name);
786 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
787 rv = ldb_msg_add_string(msg, "CN", gpo->name);
788 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
789 rv = ldb_msg_add_string(msg, "gPCFileSysPath", gpo->file_sys_path);
790 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
791 rv = ldb_msg_add_string(msg, "flags",
792 talloc_asprintf(mem_ctx, "%d", gpo->flags));
793 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
794 rv = ldb_msg_add_string(msg, "versionNumber",
795 talloc_asprintf(mem_ctx, "%d", gpo->version));
796 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
797 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
798 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
799 rv = ldb_msg_add_string(msg, "gpCFunctionalityVersion", "2");
800 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
801
802 rv = ldb_add(gp_ctx->ldb_ctx, msg);
803 if (rv != LDB_SUCCESS) {
804 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
805 talloc_free(mem_ctx);
806 return NT_STATUS_UNSUCCESSFUL;
807 }
808
809 gpo_dn = msg->dn;
810
811 /* CN=User */
812 msg = ldb_msg_new(mem_ctx);
813 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
814 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=User");
815 rv = ldb_dn_add_child(msg->dn, child_dn);
816 if (!rv) goto ldb_msg_add_error;
817
818 rv = ldb_msg_add_string(msg, "objectClass", "top");
819 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
820 rv = ldb_msg_add_string(msg, "objectClass", "container");
821 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
822 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
823 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
824 rv = ldb_msg_add_string(msg, "CN", "User");
825 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
826 rv = ldb_msg_add_string(msg, "name", "User");
827 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
828
829 rv = ldb_add(gp_ctx->ldb_ctx, msg);
830 if (rv != LDB_SUCCESS) {
831 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
832 talloc_free(mem_ctx);
833 return NT_STATUS_UNSUCCESSFUL;
834 }
835
836 /* CN=Machine */
837 msg = ldb_msg_new(mem_ctx);
838 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
839 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Machine");
840 rv = ldb_dn_add_child(msg->dn, child_dn);
841 if (!rv) goto ldb_msg_add_error;
842
843 rv = ldb_msg_add_string(msg, "objectClass", "top");
844 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
845 rv = ldb_msg_add_string(msg, "objectClass", "container");
846 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
847 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
848 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
849 rv = ldb_msg_add_string(msg, "CN", "Machine");
850 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
851 rv = ldb_msg_add_string(msg, "name", "Machine");
852 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
853
854 rv = ldb_add(gp_ctx->ldb_ctx, msg);
855 if (rv != LDB_SUCCESS) {
856 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
857 talloc_free(mem_ctx);
858 return NT_STATUS_UNSUCCESSFUL;
859 }
860
861 gpo->dn = talloc_strdup(gpo, ldb_dn_get_linearized(gpo_dn));
862
863 talloc_free(mem_ctx);
864 return NT_STATUS_OK;
865
866 ldb_msg_add_error:
867 DEBUG(0, ("LDB Error adding element to ldb message\n"));
868 talloc_free(mem_ctx);
869 return NT_STATUS_UNSUCCESSFUL;
870 }
871
872 NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
873 {
874 TALLOC_CTX *mem_ctx;
875 DATA_BLOB data;
876 enum ndr_err_code ndr_err;
877 struct ldb_message *msg;
878 int rv;
879
880 /* Create a forked memory context to clean up easily */
881 mem_ctx = talloc_new(gp_ctx);
882
883 /* Push the security descriptor through the NDR library */
884 ndr_err = ndr_push_struct_blob(&data,
885 mem_ctx,
886 sd,
887 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
888 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
889 return ndr_map_error2ntstatus(ndr_err);
890 }
891
892
893 /* Create a LDB message */
894 msg = ldb_msg_new(mem_ctx);
895 msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
896
897 rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL);
898 if (rv != 0) {
899 DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv)));
900 talloc_free(mem_ctx);
901 return NT_STATUS_UNSUCCESSFUL;
902 }
903 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
904
905 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
906 if (rv != 0) {
907 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
908 talloc_free(mem_ctx);
909 return NT_STATUS_UNSUCCESSFUL;
910 }
911
912 talloc_free(mem_ctx);
913 return NT_STATUS_OK;
914 }
Samba GIT mirror