2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
22 #include "lib/ldb/include/ldb.h"
23 #include "lib/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/dom_sid.h"
30 #include "libcli/security/security.h"
31 #include "../lib/talloc/talloc.h"
32 #include "lib/policy/policy.h"
34 struct gpo_stringmap
{
38 static const struct gpo_stringmap gplink_options
[] = {
39 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE
},
40 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE
},
43 static const struct gpo_stringmap gpo_flags
[] = {
44 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE
},
45 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE
},
48 static const struct gpo_stringmap gpo_inheritance
[] = {
49 { "GPO_INHERIT", GPO_INHERIT
},
50 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE
},
55 static NTSTATUS
parse_gpo(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
, struct gp_object
**ret
)
57 struct gp_object
*gpo
= talloc(mem_ctx
, struct gp_object
);
58 enum ndr_err_code ndr_err
;
59 const DATA_BLOB
*data
;
61 gpo
->dn
= talloc_strdup(mem_ctx
, ldb_dn_get_linearized(msg
->dn
));
63 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo
->dn
));
65 gpo
->display_name
= ldb_msg_find_attr_as_string(msg
, "displayName", "");
66 gpo
->name
= ldb_msg_find_attr_as_string(msg
, "name", "");
67 gpo
->flags
= ldb_msg_find_attr_as_uint(msg
, "name", 0);
68 gpo
->version
= ldb_msg_find_attr_as_uint(msg
, "version", 0);
69 gpo
->file_sys_path
= ldb_msg_find_attr_as_string(msg
, "gPCFileSysPath", "");
71 if (gpo
->display_name
[0] != '\0')
72 gpo
->display_name
= talloc_strdup(mem_ctx
, gpo
->display_name
);
73 if (gpo
->name
[0] != '\0')
74 gpo
->name
= talloc_strdup(mem_ctx
, gpo
->name
);
75 if (gpo
->file_sys_path
[0] != '\0')
76 gpo
->file_sys_path
= talloc_strdup(mem_ctx
, gpo
->file_sys_path
);
78 /* Pull the security descriptor through the NDR library */
79 data
= ldb_msg_find_ldb_val(msg
, "nTSecurityDescriptor");
80 gpo
->security_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
81 ndr_err
= ndr_pull_struct_blob(data
,
83 gpo
->security_descriptor
,
84 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
85 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
86 return ndr_map_error2ntstatus(ndr_err
);
93 NTSTATUS
gp_get_gpo_flags(TALLOC_CTX
*mem_ctx
, uint32_t flags
, const char ***ret
)
95 unsigned int i
, count
=0;
96 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
100 for (i
= 0; gpo_flags
[i
].str
!= NULL
; i
++) {
101 if (flags
& gpo_flags
[i
].flags
) {
102 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
103 flag_strs
[count
] = gpo_flags
[i
].str
;
104 flag_strs
[count
+1] = NULL
;
112 NTSTATUS
gp_get_gplink_options(TALLOC_CTX
*mem_ctx
, uint32_t options
, const char ***ret
)
114 unsigned int i
, count
=0;
115 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
119 for (i
= 0; gplink_options
[i
].str
!= NULL
; i
++) {
120 if (options
& gplink_options
[i
].flags
) {
121 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
122 flag_strs
[count
] = gplink_options
[i
].str
;
123 flag_strs
[count
+1] = NULL
;
131 NTSTATUS
gp_init(TALLOC_CTX
*mem_ctx
,
132 struct loadparm_context
*lp_ctx
,
133 struct cli_credentials
*credentials
,
134 struct tevent_context
*ev_ctx
,
135 struct gp_context
**gp_ctx
)
138 struct libnet_LookupDCs
*io
;
140 struct libnet_context
*net_ctx
;
141 struct ldb_context
*ldb_ctx
;
144 /* Initialise the libnet context */
145 net_ctx
= libnet_context_init(ev_ctx
, lp_ctx
);
146 net_ctx
->cred
= credentials
;
148 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
149 io
= talloc_zero(mem_ctx
, struct libnet_LookupDCs
);
150 io
->in
.name_type
= NBT_NAME_PDC
;
151 io
->in
.domain_name
= lp_workgroup(lp_ctx
);
153 /* Find Active DC's */
154 rv
= libnet_LookupDCs(net_ctx
, mem_ctx
, io
);
155 if (!NT_STATUS_IS_OK(rv
)) {
156 DEBUG(0, ("Failed to lookup DCs in domain\n"));
160 /* Connect to ldap://DC_NAME with all relevant contexts*/
161 url
= talloc_asprintf(mem_ctx
, "ldap://%s", io
->out
.dcs
[0].name
);
162 ldb_ctx
= ldb_wrap_connect(mem_ctx
, net_ctx
->event_ctx
, lp_ctx
,
163 url
, NULL
, net_ctx
->cred
, 0);
164 if (ldb_ctx
== NULL
) {
165 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url
));
166 return NT_STATUS_UNSUCCESSFUL
;
170 *gp_ctx
= talloc_zero(mem_ctx
, struct gp_context
);
171 (*gp_ctx
)->lp_ctx
= lp_ctx
;
172 (*gp_ctx
)->credentials
= credentials
;
173 (*gp_ctx
)->ev_ctx
= ev_ctx
;
174 (*gp_ctx
)->ldb_ctx
= ldb_ctx
;
175 (*gp_ctx
)->active_dc
= io
->out
.dcs
[0];
177 /* We don't need to keep the libnet context */
178 talloc_free(net_ctx
);
182 NTSTATUS
gp_list_all_gpos(struct gp_context
*gp_ctx
, struct gp_object
***ret
)
184 struct ldb_result
*result
;
189 struct gp_object
**gpo
;
190 unsigned int i
; /* same as in struct ldb_result */
193 /* Create a forked memory context, as a base for everything here */
194 mem_ctx
= talloc_new(gp_ctx
);
196 /* Create full ldb dn of the policies base object */
197 dn
= ldb_get_default_basedn(gp_ctx
->ldb_ctx
);
198 rv
= ldb_dn_add_child(dn
, ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=Policies,CN=System"));
200 DEBUG(0, ("Can't append subtree to DN\n"));
201 talloc_free(mem_ctx
);
202 return NT_STATUS_UNSUCCESSFUL
;
205 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn
)));
207 attrs
= talloc_array(mem_ctx
, const char *, 7);
208 attrs
[0] = "nTSecurityDescriptor";
209 attrs
[1] = "versionNumber";
212 attrs
[4] = "displayName";
213 attrs
[5] = "gPCFileSysPath";
216 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_ONELEVEL
, attrs
, "(objectClass=groupPolicyContainer)");
217 if (rv
!= LDB_SUCCESS
) {
218 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),ldb_errstring(gp_ctx
->ldb_ctx
)));
219 talloc_free(mem_ctx
);
220 return NT_STATUS_UNSUCCESSFUL
;
223 gpo
= talloc_array(gp_ctx
, struct gp_object
*, result
->count
+1);
224 gpo
[result
->count
] = NULL
;
226 for (i
= 0; i
< result
->count
; i
++) {
227 status
= parse_gpo(gp_ctx
, result
->msgs
[i
], &gpo
[i
]);
228 if (!NT_STATUS_IS_OK(status
)) {
229 DEBUG(0, ("Failed to parse GPO.\n"));
230 talloc_free(mem_ctx
);
235 talloc_free(mem_ctx
);
241 NTSTATUS
gp_get_gpo_info(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_object
**ret
)
243 struct ldb_result
*result
;
245 struct gp_object
*gpo
;
251 /* Create a forked memory context, as a base for everything here */
252 mem_ctx
= talloc_new(gp_ctx
);
254 /* Create an ldb dn struct for the dn string */
255 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
257 attrs
= talloc_array(mem_ctx
, const char *, 7);
258 attrs
[0] = "nTSecurityDescriptor";
259 attrs
[1] = "versionNumber";
262 attrs
[4] = "displayName";
263 attrs
[5] = "gPCFileSysPath";
266 rv
= ldb_search(gp_ctx
->ldb_ctx
,
272 "objectClass=groupPolicyContainer");
273 if (rv
!= LDB_SUCCESS
) {
274 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),ldb_errstring(gp_ctx
->ldb_ctx
)));
275 talloc_free(mem_ctx
);
276 return NT_STATUS_UNSUCCESSFUL
;
279 /* We expect exactly one record */
280 if (result
->count
!= 1) {
281 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str
));
282 talloc_free(mem_ctx
);
283 return NT_STATUS_NOT_FOUND
;
286 status
= parse_gpo(gp_ctx
, result
->msgs
[0], &gpo
);
287 if (!NT_STATUS_IS_OK(status
)) {
288 DEBUG(0, ("Failed to parse GPO.\n"));
289 talloc_free(mem_ctx
);
293 talloc_free(mem_ctx
);
299 static NTSTATUS
parse_gplink (TALLOC_CTX
*mem_ctx
, const char *gplink_str
, struct gp_link
***ret
)
303 struct gp_link
**gplinks
;
305 const char *gplink_start
= "[LDAP://";
307 gplinks
= talloc_array(mem_ctx
, struct gp_link
*, 1);
310 /* Assuming every gPLink starts with "[LDAP://" */
311 start
= strlen(gplink_start
);
313 for (pos
= start
; pos
< strlen(gplink_str
); pos
++) {
314 if (gplink_str
[pos
] == ';') {
315 gplinks
= talloc_realloc(mem_ctx
, gplinks
, struct gp_link
*, idx
+2);
316 gplinks
[idx
] = talloc(mem_ctx
, struct gp_link
);
317 gplinks
[idx
]->dn
= talloc_strndup(mem_ctx
,
321 for (start
= pos
+ 1; gplink_str
[pos
] != ']'; pos
++);
323 buf
= talloc_strndup(gplinks
, gplink_str
+ start
, pos
- start
);
324 gplinks
[idx
]->options
= (uint32_t) strtoll(buf
, &end
, 0);
327 /* Set the last entry in the array to be NULL */
328 gplinks
[idx
+ 1] = NULL
;
330 /* Increment the array index, the string position past
331 the next "[LDAP://", and set the start reference */
333 pos
+= strlen(gplink_start
)+1;
343 NTSTATUS
gp_get_gplinks(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
***ret
)
347 struct ldb_result
*result
;
348 struct gp_link
**gplinks
;
354 /* Create a forked memory context, as a base for everything here */
355 mem_ctx
= talloc_new(gp_ctx
);
357 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
359 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, NULL
, "(objectclass=*)");
360 if (rv
!= LDB_SUCCESS
) {
361 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
362 talloc_free(mem_ctx
);
363 return NT_STATUS_UNSUCCESSFUL
;
366 for (i
= 0; i
< result
->count
; i
++) {
367 for (j
= 0; j
< result
->msgs
[i
]->num_elements
; j
++) {
368 struct ldb_message_element
*element
= &result
->msgs
[i
]->elements
[j
];
370 if (strcmp(element
->name
, "gPLink") == 0) {
371 SMB_ASSERT(element
->num_values
> 0);
372 gplink_str
= talloc_strdup(mem_ctx
, (char *) element
->values
[0].data
);
377 gplink_str
= talloc_strdup(mem_ctx
, "");
381 status
= parse_gplink(gp_ctx
, gplink_str
, &gplinks
);
382 if (!NT_STATUS_IS_OK(status
)) {
383 DEBUG(0, ("Failed to parse gPLink\n"));
387 talloc_free(mem_ctx
);
393 NTSTATUS
gp_list_gpos(struct gp_context
*gp_ctx
, struct security_token
*token
, const char ***ret
)
397 struct ldb_result
*result
;
400 struct ldb_message_element
*element
;
402 const char *attrs
[] = { "objectClass", NULL
};
405 unsigned int count
= 0;
408 ACCOUNT_TYPE_USER
= 0,
409 ACCOUNT_TYPE_MACHINE
= 1
412 /* Create a forked memory context, as a base for everything here */
413 mem_ctx
= talloc_new(gp_ctx
);
415 sid
= dom_sid_string(mem_ctx
, token
->user_sid
);
417 /* Find the user DN and objectclass via the sid from the security token */
418 rv
= ldb_search(gp_ctx
->ldb_ctx
,
421 ldb_get_default_basedn(gp_ctx
->ldb_ctx
),
424 "(&(objectclass=user)(objectSid=%s))", sid
);
425 if (rv
!= LDB_SUCCESS
) {
426 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
427 ldb_errstring(gp_ctx
->ldb_ctx
)));
428 talloc_free(mem_ctx
);
429 return NT_STATUS_UNSUCCESSFUL
;
431 if (result
->count
!= 1) {
432 DEBUG(0, ("Could not find user with sid %s.\n", sid
));
433 talloc_free(mem_ctx
);
434 return NT_STATUS_UNSUCCESSFUL
;
436 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result
->msgs
[0]->dn
)));
438 element
= ldb_msg_find_element(result
->msgs
[0], "objectClass");
440 /* We need to know if this account is a user or machine. */
441 account_type
= ACCOUNT_TYPE_USER
;
442 for (i
= 0; i
< element
->num_values
; i
++) {
443 if (strcmp((char *)element
->values
[i
].data
, "computer") == 0) {
444 account_type
= ACCOUNT_TYPE_MACHINE
;
445 DEBUG(10, ("This user is a machine\n"));
449 gpos
= talloc_array(gp_ctx
, const char *, 1);
452 /* Walk through the containers until we hit the root */
454 dn
= ldb_dn_get_parent(mem_ctx
, result
->msgs
[0]->dn
);
455 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx
->ldb_ctx
), dn
) == 0) {
456 const char *gpo_attrs
[] = { "gPLink", "gPOptions", NULL
};
457 struct gp_link
**gplinks
;
458 enum gpo_inheritance gpoptions
;
460 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn
)));
462 /* Get the gPLink and gPOptions attributes from the container */
463 rv
= ldb_search(gp_ctx
->ldb_ctx
,
470 if (rv
!= LDB_SUCCESS
) {
471 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
472 ldb_errstring(gp_ctx
->ldb_ctx
)));
473 talloc_free(mem_ctx
);
474 return NT_STATUS_UNSUCCESSFUL
;
477 /* Parse the gPLink attribute, put it into a nice struct array */
478 status
= parse_gplink(mem_ctx
, ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", ""), &gplinks
);
479 if (!NT_STATUS_IS_OK(status
)) {
480 DEBUG(0, ("Failed to parse gPLink\n"));
481 talloc_free(mem_ctx
);
485 /* Check all group policy links on this container */
486 for (i
= 0; gplinks
[i
] != NULL
; i
++) {
487 struct gp_object
*gpo
;
488 uint32_t access_granted
;
490 /* If inheritance was blocked at a higher level and this
491 * gplink is not enforced, it should not be applied */
492 if (!inherit
&& !(gplinks
[i
]->options
& GPLINK_OPT_ENFORCE
))
495 /* Don't apply disabled links */
496 if (gplinks
[i
]->options
& GPLINK_OPT_DISABLE
)
499 /* Get GPO information */
500 status
= gp_get_gpo_info(gp_ctx
, gplinks
[i
]->dn
, &gpo
);
501 if (!NT_STATUS_IS_OK(status
)) {
502 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks
[i
]->dn
));
503 talloc_free(mem_ctx
);
507 /* If the account does not have read access, this GPO does not apply
509 status
= sec_access_check(gpo
->security_descriptor
,
511 (SEC_STD_READ_CONTROL
| SEC_ADS_LIST
| SEC_ADS_READ_PROP
),
513 if (!NT_STATUS_IS_OK(status
)) {
517 /* If the account is a user and the GPO has user disabled flag, or
518 * a machine and the GPO has machine disabled flag, this GPO does
519 * not apply to this account */
520 if ((account_type
== ACCOUNT_TYPE_USER
&&
521 (gpo
->flags
& GPO_FLAG_USER_DISABLE
)) ||
522 (account_type
== ACCOUNT_TYPE_MACHINE
&&
523 (gpo
->flags
& GPO_FLAG_MACHINE_DISABLE
))) {
527 /* Add the GPO to the list */
528 gpos
= talloc_realloc(gp_ctx
, gpos
, const char *, count
+2);
529 gpos
[count
] = talloc_strdup(gp_ctx
, gplinks
[i
]->dn
);
530 gpos
[count
+1] = NULL
;
537 /* If inheritance is blocked, then we should only add enforced gPLinks
539 gpoptions
= ldb_msg_find_attr_as_uint(result
->msgs
[0], "gPOptions", 0);
540 if (gpoptions
== GPO_BLOCK_INHERITANCE
) {
543 dn
= ldb_dn_get_parent(mem_ctx
, dn
);
546 talloc_free(mem_ctx
);
552 NTSTATUS
gp_set_gplink(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
*gplink
)
555 struct ldb_result
*result
;
557 struct ldb_message
*msg
;
558 const char *attrs
[] = { "gPLink", NULL
};
559 const char *gplink_str
;
563 /* Create a forked memory context, as a base for everything here */
564 mem_ctx
= talloc_new(gp_ctx
);
566 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
568 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
569 if (rv
!= LDB_SUCCESS
) {
570 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
571 talloc_free(mem_ctx
);
572 return NT_STATUS_UNSUCCESSFUL
;
575 if (result
->count
!= 1) {
576 talloc_free(mem_ctx
);
577 return NT_STATUS_NOT_FOUND
;
580 gplink_str
= ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", "");
582 /* If this GPO link already exists, alter the options, else add it */
583 if ((start
= strcasestr(gplink_str
, gplink
->dn
)) != NULL
) {
584 start
+= strlen(gplink
->dn
);
587 while (*start
!= ']' && *start
!= '\0') {
590 gplink_str
= talloc_asprintf(mem_ctx
, "%s;%d%s", gplink_str
, gplink
->options
, start
);
593 /* Prepend the new GPO link to the string. This list is backwards in priority. */
594 gplink_str
= talloc_asprintf(mem_ctx
, "[LDAP://%s;%d]%s", gplink
->dn
, gplink
->options
, gplink_str
);
599 msg
= ldb_msg_new(mem_ctx
);
602 rv
= ldb_msg_add_string(msg
, "gPLink", gplink_str
);
604 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
605 talloc_free(mem_ctx
);
606 return NT_STATUS_UNSUCCESSFUL
;
608 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
610 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
612 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
613 talloc_free(mem_ctx
);
614 return NT_STATUS_UNSUCCESSFUL
;
617 talloc_free(mem_ctx
);
621 NTSTATUS
gp_del_gplink(struct gp_context
*gp_ctx
, const char *dn_str
, const char *gplink_dn
)
624 struct ldb_result
*result
;
626 struct ldb_message
*msg
;
627 const char *attrs
[] = { "gPLink", NULL
};
628 const char *gplink_str
;
632 /* Create a forked memory context, as a base for everything here */
633 mem_ctx
= talloc_new(gp_ctx
);
635 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
637 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
638 if (rv
!= LDB_SUCCESS
) {
639 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
640 talloc_free(mem_ctx
);
641 return NT_STATUS_UNSUCCESSFUL
;
644 if (result
->count
!= 1) {
645 talloc_free(mem_ctx
);
646 return NT_STATUS_NOT_FOUND
;
649 gplink_str
= ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", "");
651 /* If this GPO link already exists, alter the options, else add it */
652 p
= strcasestr(gplink_str
, talloc_asprintf(mem_ctx
, "[LDAP://%s", gplink_dn
));
654 talloc_free(mem_ctx
);
655 return NT_STATUS_NOT_FOUND
;
660 while (*p
!= ']' && *p
!= '\0') {
664 gplink_str
= talloc_asprintf(mem_ctx
, "%s%s", gplink_str
, p
);
667 msg
= ldb_msg_new(mem_ctx
);
670 if (strcmp(gplink_str
, "") == 0) {
671 rv
= ldb_msg_add_empty(msg
, "gPLink", LDB_FLAG_MOD_DELETE
, NULL
);
673 DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv
)));
674 talloc_free(mem_ctx
);
675 return NT_STATUS_UNSUCCESSFUL
;
678 rv
= ldb_msg_add_string(msg
, "gPLink", gplink_str
);
680 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
681 talloc_free(mem_ctx
);
682 return NT_STATUS_UNSUCCESSFUL
;
684 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
686 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
688 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
689 talloc_free(mem_ctx
);
690 return NT_STATUS_UNSUCCESSFUL
;
693 talloc_free(mem_ctx
);
697 NTSTATUS
gp_get_inheritance(struct gp_context
*gp_ctx
, const char *dn_str
, enum gpo_inheritance
*inheritance
)
700 struct ldb_result
*result
;
702 const char *attrs
[] = { "gPOptions", NULL
};
705 /* Create a forked memory context, as a base for everything here */
706 mem_ctx
= talloc_new(gp_ctx
);
708 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
710 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
711 if (rv
!= LDB_SUCCESS
) {
712 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
713 talloc_free(mem_ctx
);
714 return NT_STATUS_UNSUCCESSFUL
;
717 if (result
->count
!= 1) {
718 talloc_free(mem_ctx
);
719 return NT_STATUS_NOT_FOUND
;
722 *inheritance
= ldb_msg_find_attr_as_uint(result
->msgs
[0], "gPOptions", 0);
724 talloc_free(mem_ctx
);
728 NTSTATUS
gp_set_inheritance(struct gp_context
*gp_ctx
, const char *dn_str
, enum gpo_inheritance inheritance
)
730 char *inheritance_string
;
731 struct ldb_message
*msg
;
734 msg
= ldb_msg_new(gp_ctx
);
735 msg
->dn
= ldb_dn_new(msg
, gp_ctx
->ldb_ctx
, dn_str
);
737 inheritance_string
= talloc_asprintf(msg
, "%d", inheritance
);
739 rv
= ldb_msg_add_string(msg
, "gPOptions", inheritance_string
);
741 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
743 return NT_STATUS_UNSUCCESSFUL
;
745 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
747 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
749 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
751 return NT_STATUS_UNSUCCESSFUL
;
758 NTSTATUS
gp_create_ldap_gpo(struct gp_context
*gp_ctx
, struct gp_object
*gpo
)
760 struct ldb_message
*msg
;
764 struct ldb_dn
*child_dn
, *gpo_dn
;
766 mem_ctx
= talloc_new(gp_ctx
);
769 msg
= ldb_msg_new(mem_ctx
);
771 msg
->dn
= ldb_get_default_basedn(gp_ctx
->ldb_ctx
);
772 dn_str
= talloc_asprintf(mem_ctx
, "CN=%s,CN=Policies,CN=System", gpo
->name
);
773 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
774 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
775 if (!rv
) goto ldb_msg_add_error
;
777 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
778 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
779 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
780 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
781 rv
= ldb_msg_add_string(msg
, "objectClass", "groupPolicyContainer");
782 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
783 rv
= ldb_msg_add_string(msg
, "displayName", gpo
->display_name
);
784 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
785 rv
= ldb_msg_add_string(msg
, "name", gpo
->name
);
786 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
787 rv
= ldb_msg_add_string(msg
, "CN", gpo
->name
);
788 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
789 rv
= ldb_msg_add_string(msg
, "gPCFileSysPath", gpo
->file_sys_path
);
790 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
791 rv
= ldb_msg_add_string(msg
, "flags",
792 talloc_asprintf(mem_ctx
, "%d", gpo
->flags
));
793 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
794 rv
= ldb_msg_add_string(msg
, "versionNumber",
795 talloc_asprintf(mem_ctx
, "%d", gpo
->version
));
796 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
797 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
798 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
799 rv
= ldb_msg_add_string(msg
, "gpCFunctionalityVersion", "2");
800 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
802 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
803 if (rv
!= LDB_SUCCESS
) {
804 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
805 talloc_free(mem_ctx
);
806 return NT_STATUS_UNSUCCESSFUL
;
812 msg
= ldb_msg_new(mem_ctx
);
813 msg
->dn
= ldb_dn_copy(mem_ctx
, gpo_dn
);
814 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=User");
815 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
816 if (!rv
) goto ldb_msg_add_error
;
818 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
819 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
820 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
821 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
822 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
823 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
824 rv
= ldb_msg_add_string(msg
, "CN", "User");
825 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
826 rv
= ldb_msg_add_string(msg
, "name", "User");
827 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
829 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
830 if (rv
!= LDB_SUCCESS
) {
831 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
832 talloc_free(mem_ctx
);
833 return NT_STATUS_UNSUCCESSFUL
;
837 msg
= ldb_msg_new(mem_ctx
);
838 msg
->dn
= ldb_dn_copy(mem_ctx
, gpo_dn
);
839 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=Machine");
840 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
841 if (!rv
) goto ldb_msg_add_error
;
843 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
844 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
845 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
846 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
847 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
848 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
849 rv
= ldb_msg_add_string(msg
, "CN", "Machine");
850 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
851 rv
= ldb_msg_add_string(msg
, "name", "Machine");
852 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
854 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
855 if (rv
!= LDB_SUCCESS
) {
856 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
857 talloc_free(mem_ctx
);
858 return NT_STATUS_UNSUCCESSFUL
;
861 gpo
->dn
= talloc_strdup(gpo
, ldb_dn_get_linearized(gpo_dn
));
863 talloc_free(mem_ctx
);
867 DEBUG(0, ("LDB Error adding element to ldb message\n"));
868 talloc_free(mem_ctx
);
869 return NT_STATUS_UNSUCCESSFUL
;
872 NTSTATUS
gp_set_ads_acl (struct gp_context
*gp_ctx
, const char *dn_str
, const struct security_descriptor
*sd
)
876 enum ndr_err_code ndr_err
;
877 struct ldb_message
*msg
;
880 /* Create a forked memory context to clean up easily */
881 mem_ctx
= talloc_new(gp_ctx
);
883 /* Push the security descriptor through the NDR library */
884 ndr_err
= ndr_push_struct_blob(&data
,
887 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
888 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
889 return ndr_map_error2ntstatus(ndr_err
);
893 /* Create a LDB message */
894 msg
= ldb_msg_new(mem_ctx
);
895 msg
->dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
897 rv
= ldb_msg_add_value(msg
, "nTSecurityDescriptor", &data
, NULL
);
899 DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv
)));
900 talloc_free(mem_ctx
);
901 return NT_STATUS_UNSUCCESSFUL
;
903 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
905 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
907 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
908 talloc_free(mem_ctx
);
909 return NT_STATUS_UNSUCCESSFUL
;
912 talloc_free(mem_ctx
);