2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "libgpo/gpo.h"
22 #if _SAMBA_BUILD_ == 4
23 #include "libgpo/gpo_s4.h"
24 #include "source4/libgpo/ads_convenience.h"
27 /****************************************************************
28 parse the raw extension string into a GP_EXT structure
29 ****************************************************************/
/*
 * Parse the raw extension string into a GP_EXT allocated on mem_ctx.
 *
 * mem_ctx        talloc context used for every allocation made here
 * extension_raw  raw extension string; split on "]" into entries, each
 *                entry is then split on "}" into GUID strings
 * gp_ext         output pointer (the store into it is not among the
 *                lines visible here)
 *
 * NOTE(review): extension_raw is logged and handed to str_list_make();
 * no NULL check on it is visible here - confirm one precedes the DEBUG.
 * The string presumably originates from a gPC*ExtensionNames attribute
 * (see ads_parse_gpo), i.e. directory-supplied data - verify callers.
 */
31 bool ads_parse_gp_ext(TALLOC_CTX
*mem_ctx
,
32 const char *extension_raw
,
33 struct GP_EXT
**gp_ext
)
36 struct GP_EXT
*ext
= NULL
;
37 char **ext_list
= NULL
;
38 char **ext_strings
= NULL
;
45 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw
));
47 ext
= talloc_zero(mem_ctx
, struct GP_EXT
);
52 ext_list
= str_list_make(mem_ctx
, extension_raw
, "]");
/* first pass over ext_list; presumably it only counts the entries so the
 * four parallel arrays below can be sized (loop body not visible here) */
57 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
64 ext
->extensions
= talloc_zero_array(mem_ctx
, char *,
66 ext
->extensions_guid
= talloc_zero_array(mem_ctx
, char *,
68 ext
->snapins
= talloc_zero_array(mem_ctx
, char *,
70 ext
->snapins_guid
= talloc_zero_array(mem_ctx
, char *,
74 ext
->gp_extension
= talloc_strdup(mem_ctx
, extension_raw
);
/* every array and the raw copy must have been allocated before parsing */
76 if (!ext
->extensions
|| !ext
->extensions_guid
||
77 !ext
->snapins
|| !ext
->snapins_guid
||
/* second pass: fill slot i of each array from entry i */
82 for (i
= 0; ext_list
[i
] != NULL
; i
++) {
87 DEBUGADD(10,("extension #%d\n", i
));
95 ext_strings
= str_list_make(mem_ctx
, p
, "}");
96 if (ext_strings
== NULL
) {
100 for (k
= 0; ext_strings
[k
] != NULL
; k
++) {
/* the friendly name is looked up from the GUID string; only the GUID
 * copy is checked below, so extensions[i] may be left NULL when the
 * GUID is unknown - consumers have to tolerate a NULL name */
110 ext
->extensions
[i
] = talloc_strdup(mem_ctx
,
111 cse_gpo_guid_string_to_name(q
));
112 ext
->extensions_guid
[i
] = talloc_strdup(mem_ctx
, q
);
114 /* we might have no name for the guid */
115 if (ext
->extensions_guid
[i
] == NULL
) {
/* starts at k = 1: presumably element 0 is the extension GUID handled
 * above and the remaining elements are snapin GUIDs - TODO confirm */
119 for (k
= 1; ext_strings
[k
] != NULL
; k
++) {
121 char *m
= ext_strings
[k
];
127 /* FIXME: theoretically there could be more than one
128 * snapin per extension */
129 ext
->snapins
[i
] = talloc_strdup(mem_ctx
,
130 cse_snapin_gpo_guid_string_to_name(m
));
131 ext
->snapins_guid
[i
] = talloc_strdup(mem_ctx
, m
);
133 /* we might have no name for the guid */
134 if (ext
->snapins_guid
[i
] == NULL
) {
/* both temporary split lists are released here */
145 talloc_free(ext_list
);
146 talloc_free(ext_strings
);
153 /****************************************************************
154 parse the raw link string into a GP_LINK structure
155 ****************************************************************/
/*
 * Parse a raw gPLink value into *gp_link.
 *
 * mem_ctx      talloc context for the split list and all stored strings
 * gp_link_raw  raw gPLink string; split on "]" into one entry per link
 * gp_link      output structure, zeroed on entry
 *
 * status starts as NT_STATUS_NO_MEMORY and is set to ADS_SUCCESS only
 * after the link loop, so presumably every bail-out path (malformed
 * input included) is reported to the caller as a no-memory error.
 *
 * NOTE(review): gp_link_raw is directory-supplied (see ads_get_gpo_link);
 * the parsing below should be read as handling untrusted input.
 */
157 static ADS_STATUS
gpo_parse_gplink(TALLOC_CTX
*mem_ctx
,
158 const char *gp_link_raw
,
160 struct GP_LINK
*gp_link
)
162 ADS_STATUS status
= ADS_ERROR_NT(NT_STATUS_NO_MEMORY
);
166 ZERO_STRUCTP(gp_link
);
168 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw
));
170 link_list
= str_list_make_v3(mem_ctx
, gp_link_raw
, "]");
/* first pass: the final value of i becomes num_links below */
175 for (i
= 0; link_list
[i
] != NULL
; i
++) {
179 gp_link
->gp_opts
= options
;
180 gp_link
->num_links
= i
;
182 if (gp_link
->num_links
) {
183 gp_link
->link_names
= talloc_zero_array(mem_ctx
, char *,
185 gp_link
->link_opts
= talloc_zero_array(mem_ctx
, uint32_t,
189 gp_link
->gp_link
= talloc_strdup(mem_ctx
, gp_link_raw
);
/* NOTE(review): when num_links is 0 the two arrays appear to stay NULL
 * (ZERO_STRUCTP above), so this check would fail and an empty gPLink
 * would be reported with the NO_MEMORY default - confirm that is meant */
191 if (!gp_link
->link_names
|| !gp_link
->link_opts
|| !gp_link
->gp_link
) {
195 for (i
= 0; link_list
[i
] != NULL
; i
++) {
199 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i
));
212 gp_link
->link_names
[i
] = talloc_strdup(mem_ctx
, q
);
213 if (gp_link
->link_names
[i
] == NULL
) {
/* cut the copied name at offset p - q.  This write is in bounds only if
 * p points into the string q that was just duplicated; the assignments
 * of p and q are not visible here - confirm p was checked for NULL */
216 gp_link
->link_names
[i
][PTR_DIFF(p
, q
)] = 0;
/* NOTE(review): atoi() reports no errors; a non-numeric options field
 * silently becomes 0 and an out-of-range one is undefined.  The result is
 * the bit mask later tested for the disabled/enforced bits, so strtoul()
 * with endptr and errno checks would let malformed links be rejected. */
218 gp_link
->link_opts
[i
] = atoi(p
+ 1);
220 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
221 gp_link
->link_names
[i
]));
222 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
223 gp_link
->link_opts
[i
]));
227 status
= ADS_SUCCESS
;
230 talloc_free(link_list
);
235 /****************************************************************
236 helper call to get a GP_LINK structure from a linkdn
237 ****************************************************************/
/*
 * Read gPLink and gPOptions from the object at link_dn and parse them
 * into *gp_link_struct.
 *
 * Returns the search error if the lookup fails, LDAP_NO_SUCH_OBJECT when
 * the search does not yield exactly one entry, LDAP_NO_SUCH_ATTRIBUTE
 * when gPLink is absent, otherwise the result of gpo_parse_gplink().
 */
239 ADS_STATUS
ads_get_gpo_link(ADS_STRUCT
*ads
,
242 struct GP_LINK
*gp_link_struct
)
245 const char *attrs
[] = {"gPLink", "gPOptions", NULL
};
246 LDAPMessage
*res
= NULL
;
/* the output is zeroed first, so callers see an empty structure on every
 * error return below */
250 ZERO_STRUCTP(gp_link_struct
);
252 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
253 if (!ADS_ERR_OK(status
)) {
254 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
255 ads_errstr(status
)));
259 if (ads_count_replies(ads
, res
) != 1) {
260 DEBUG(10,("ads_get_gpo_link: no result\n"));
261 ads_msgfree(ads
, res
);
262 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
/* pulled with mem_ctx; presumably a copy that stays valid after the
 * ads_msgfree() below - TODO confirm against ads_pull_string() */
265 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
266 if (gp_link
== NULL
) {
267 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
268 ads_msgfree(ads
, res
);
269 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
272 /* perfectly legal to have no options */
/* NOTE(review): the fallback value given to gp_options in this branch is
 * not visible here - confirm it is set before the call below uses it */
273 if (!ads_pull_uint32(ads
, res
, "gPOptions", &gp_options
)) {
274 DEBUG(10,("ads_get_gpo_link: "
275 "no 'gPOptions' attribute found\n"));
279 ads_msgfree(ads
, res
);
281 return gpo_parse_gplink(mem_ctx
, gp_link
, gp_options
, gp_link_struct
);
284 /****************************************************************
285 helper call to add a gp link
286 ****************************************************************/
/*
 * Append a "[gpo_dn;gpo_opt]" entry to the gPLink attribute of link_dn.
 *
 * The current gPLink value is read, the new entry is appended to it (or
 * becomes the whole value when the attribute is absent), and the result
 * is written back through ads_gen_mod().
 *
 * NOTE(review): only the "LDAP://CN={" prefix of gpo_dn is validated.
 * gpo_dn is then formatted between '[' and ';' of a value that
 * gpo_parse_gplink() splits on "]", so a gpo_dn containing ']' (and
 * presumably ';') would be stored as something the parser reads
 * differently.  Rejecting those characters here would close that gap.
 */
288 ADS_STATUS
ads_add_gpo_link(ADS_STRUCT
*ads
,
295 const char *attrs
[] = {"gPLink", NULL
};
296 LDAPMessage
*res
= NULL
;
297 const char *gp_link
, *gp_link_new
;
300 /* although ADS allows to set anything here, we better check here if
301 * the gpo_dn is sane */
/* '!' binds tighter than '!=': this is (!strnequal(...)) != 0, i.e. the
 * call is rejected when gpo_dn does not start with the expected prefix */
303 if (!strnequal(gpo_dn
, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
304 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
307 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
308 if (!ADS_ERR_OK(status
)) {
309 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
310 ads_errstr(status
)));
314 if (ads_count_replies(ads
, res
) != 1) {
315 DEBUG(10,("ads_add_gpo_link: no result\n"));
316 ads_msgfree(ads
, res
);
317 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
/* no existing gPLink: the new entry is the whole value; otherwise it is
 * appended to the existing value */
320 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
321 if (gp_link
== NULL
) {
322 gp_link_new
= talloc_asprintf(mem_ctx
, "[%s;%d]",
325 gp_link_new
= talloc_asprintf(mem_ctx
, "%s[%s;%d]",
326 gp_link
, gpo_dn
, gpo_opt
);
/* res is released before the allocation check so the early return taken
 * by the macro cannot leak it */
329 ads_msgfree(ads
, res
);
330 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
332 mods
= ads_init_mods(mem_ctx
);
333 ADS_ERROR_HAVE_NO_MEMORY(mods
);
335 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
336 if (!ADS_ERR_OK(status
)) {
340 return ads_gen_mod(ads
, link_dn
, mods
);
343 /****************************************************************
344 helper call to delete a gp link
345 ****************************************************************/
347 /* untested & broken */
/*
 * Remove a GPO link from the gPLink attribute of link_dn.
 * The author marks this function "untested & broken"; the points below
 * are what the visible lines show.
 *
 * NOTE(review):
 *  - gpo_dn[strlen(gpo_dn)] is always the terminating NUL, so the
 *    "last char" test can never see ']' and every call that passes the
 *    first test returns LDAP_INVALID_DN_SYNTAX.  The last character is
 *    at index strlen(gpo_dn) - 1.
 *  - the gp_link == NULL return does not call ads_msgfree(ads, res),
 *    unlike the other early returns after a successful search.
 *  - gp_link_new starts as NULL and its only visible assignment is
 *    commented out, so ADS_ERROR_HAVE_NO_MEMORY(gp_link_new) would
 *    return the no-memory error before anything is modified.
 *  - gpo_dn is expected in "[...]" form here, while ads_add_gpo_link()
 *    requires the "LDAP://CN={" prefix with no leading bracket -
 *    confirm which form callers pass.
 */
348 ADS_STATUS
ads_delete_gpo_link(ADS_STRUCT
*ads
,
354 const char *attrs
[] = {"gPLink", NULL
};
355 LDAPMessage
*res
= NULL
;
356 const char *gp_link
, *gp_link_new
= NULL
;
359 /* check for a sane gpo_dn */
360 if (gpo_dn
[0] != '[') {
361 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
362 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
/* off by one: this index is the NUL terminator, not the last character */
365 if (gpo_dn
[strlen(gpo_dn
)] != ']') {
366 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
367 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX
);
370 status
= ads_search_dn(ads
, &res
, link_dn
, attrs
);
371 if (!ADS_ERR_OK(status
)) {
372 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
373 ads_errstr(status
)));
377 if (ads_count_replies(ads
, res
) != 1) {
378 DEBUG(10,("ads_delete_gpo_link: no result\n"));
379 ads_msgfree(ads
, res
);
380 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
/* res is still held when this branch returns */
383 gp_link
= ads_pull_string(ads
, mem_ctx
, res
, "gPLink");
384 if (gp_link
== NULL
) {
385 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE
);
388 /* find link to delete */
389 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
392 ads_msgfree(ads
, res
);
393 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new
);
395 mods
= ads_init_mods(mem_ctx
);
396 ADS_ERROR_HAVE_NO_MEMORY(mods
);
398 status
= ads_mod_str(mem_ctx
, &mods
, "gPLink", gp_link_new
);
399 if (!ADS_ERR_OK(status
)) {
403 return ads_gen_mod(ads
, link_dn
, mods
);
406 /****************************************************************
407 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
408 ****************************************************************/
/*
 * Fill *gpo from a single LDAP search result.
 *
 * ds_path comes from gpo_dn or, on the other visible path, from
 * ads_get_dn().  versionNumber, flags, the path, display name, name and
 * the security descriptor are all required; the two extension-name
 * strings are optional and may stay NULL.
 *
 * NOTE(review): a missing versionNumber or flags attribute is returned
 * as LDAP_NO_MEMORY, and ADS_ERROR_HAVE_NO_MEMORY() doubles as the
 * "attribute missing" check for the strings, so callers cannot tell an
 * incomplete directory entry from an allocation failure.
 */
410 ADS_STATUS
ads_parse_gpo(ADS_STRUCT
*ads
,
414 struct GROUP_POLICY_OBJECT
*gpo
)
/* used as a NULL-argument guard: a NULL res returns LDAP_NO_MEMORY */
418 ADS_ERROR_HAVE_NO_MEMORY(res
);
421 gpo
->ds_path
= talloc_strdup(mem_ctx
, gpo_dn
);
423 gpo
->ds_path
= ads_get_dn(ads
, mem_ctx
, res
);
426 ADS_ERROR_HAVE_NO_MEMORY(gpo
->ds_path
);
428 if (!ads_pull_uint32(ads
, res
, "versionNumber", &gpo
->version
)) {
429 return ADS_ERROR(LDAP_NO_MEMORY
);
432 if (!ads_pull_uint32(ads
, res
, "flags", &gpo
->options
)) {
433 return ADS_ERROR(LDAP_NO_MEMORY
);
436 gpo
->file_sys_path
= ads_pull_string(ads
, mem_ctx
, res
,
438 ADS_ERROR_HAVE_NO_MEMORY(gpo
->file_sys_path
);
440 gpo
->display_name
= ads_pull_string(ads
, mem_ctx
, res
,
442 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
444 gpo
->name
= ads_pull_string(ads
, mem_ctx
, res
,
446 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
/* optional: no check follows either pull, so both may be NULL */
448 gpo
->machine_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
449 "gPCMachineExtensionNames");
450 gpo
->user_extensions
= ads_pull_string(ads
, mem_ctx
, res
,
451 "gPCUserExtensionNames");
/* the security descriptor is mandatory: a GPO whose descriptor was not
 * returned fails to parse instead of being accepted without one, which
 * matters because add_gplink_to_gpo_list() runs security filtering on
 * the parsed object */
453 ads_pull_sd(ads
, mem_ctx
, res
, "ntSecurityDescriptor",
454 &gpo
->security_descriptor
);
455 ADS_ERROR_HAVE_NO_MEMORY(gpo
->security_descriptor
);
457 return ADS_ERROR(LDAP_SUCCESS
);
460 /****************************************************************
461 get a GROUP_POLICY_OBJECT structure based on different input parameters
462 ****************************************************************/
/*
 * Look up one GPO and parse it into *gpo.
 *
 * The GPO is located by gpo_dn (a leading "LDAP://" is stripped) or,
 * failing that, by a subtree search under the bind path for a
 * groupPolicyContainer whose displayName equals display_name or whose
 * name equals guid_name.  LDAP_NO_SUCH_OBJECT is returned when all three
 * selectors are NULL or when the search does not yield exactly one entry.
 */
464 ADS_STATUS
ads_get_gpo(ADS_STRUCT
*ads
,
467 const char *display_name
,
468 const char *guid_name
,
469 struct GROUP_POLICY_OBJECT
*gpo
)
472 LDAPMessage
*res
= NULL
;
475 const char *attrs
[] = {
480 "gPCFunctionalityVersion",
481 "gPCMachineExtensionNames",
482 "gPCUserExtensionNames",
485 "ntSecurityDescriptor",
/* only the DACL part of the security descriptor is requested */
488 uint32_t sd_flags
= DACL_SECURITY_INFORMATION
;
492 if (!gpo_dn
&& !display_name
&& !guid_name
) {
493 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
498 if (strnequal(gpo_dn
, "LDAP://", strlen("LDAP://")) != 0) {
499 gpo_dn
= gpo_dn
+ strlen("LDAP://");
502 status
= ads_search_retry_dn_sd_flags(ads
, &res
,
506 } else if (display_name
|| guid_name
) {
/* NOTE(review): display_name / guid_name are formatted into the search
 * filter without escaping.  A value containing filter metacharacters
 * ('*', '(', ')', '\') changes the filter that is sent; the value should
 * be escaped per RFC 4515 before it is formatted in, unless every caller
 * is known to pass trusted input. */
508 filter
= talloc_asprintf(mem_ctx
,
509 "(&(objectclass=groupPolicyContainer)(%s=%s))",
510 display_name
? "displayName" : "name",
511 display_name
? display_name
: guid_name
);
512 ADS_ERROR_HAVE_NO_MEMORY(filter
);
514 status
= ads_do_search_all_sd_flags(ads
, ads
->config
.bind_path
,
515 LDAP_SCOPE_SUBTREE
, filter
,
516 attrs
, sd_flags
, &res
);
519 if (!ADS_ERR_OK(status
)) {
520 DEBUG(10,("ads_get_gpo: search failed with %s\n",
521 ads_errstr(status
)));
/* zero matches and multiple matches are both refused, so an ambiguous
 * display name never silently selects one of several GPOs */
525 if (ads_count_replies(ads
, res
) != 1) {
526 DEBUG(10,("ads_get_gpo: no result\n"));
527 ads_msgfree(ads
, res
);
528 return ADS_ERROR(LDAP_NO_SUCH_OBJECT
);
531 dn
= ads_get_dn(ads
, mem_ctx
, res
);
533 ads_msgfree(ads
, res
);
534 return ADS_ERROR(LDAP_NO_MEMORY
);
/* res is released once parsing is done, whatever status it produced */
537 status
= ads_parse_gpo(ads
, mem_ctx
, res
, dn
, gpo
);
538 ads_msgfree(ads
, res
);
544 /****************************************************************
545 add a gplink to the GROUP_POLICY_OBJECT linked list
546 ****************************************************************/
/*
 * Resolve every link in gp_link to a GPO and add it to *gpo_list.
 *
 * Links with GPO_LINK_OPT_DISABLED are skipped.  When
 * only_add_forced_gpos is set, links without GPO_LINK_OPT_ENFORCED are
 * skipped as well.  Each remaining GPO is fetched with ads_get_gpo() and
 * passed through gpo_apply_security_filtering(); only GPOs that pass are
 * tagged with link_dn and link_type and added to the list.
 *
 * NOTE(review): the option bits tested here are the atoi()-parsed values
 * from gpo_parse_gplink(), i.e. directory-supplied.
 */
548 static ADS_STATUS
add_gplink_to_gpo_list(ADS_STRUCT
*ads
,
550 struct GROUP_POLICY_OBJECT
**gpo_list
,
552 struct GP_LINK
*gp_link
,
553 enum GPO_LINK_TYPE link_type
,
554 bool only_add_forced_gpos
,
555 const NT_USER_TOKEN
*token
)
560 for (i
= 0; i
< gp_link
->num_links
; i
++) {
562 struct GROUP_POLICY_OBJECT
*new_gpo
= NULL
;
564 if (gp_link
->link_opts
[i
] & GPO_LINK_OPT_DISABLED
) {
565 DEBUG(10,("skipping disabled GPO\n"));
569 if (only_add_forced_gpos
) {
571 if (!(gp_link
->link_opts
[i
] & GPO_LINK_OPT_ENFORCED
)) {
572 DEBUG(10,("skipping nonenforced GPO link "
573 "because GPOPTIONS_BLOCK_INHERITANCE "
577 DEBUG(10,("adding enforced GPO link although "
578 "the GPOPTIONS_BLOCK_INHERITANCE "
583 new_gpo
= TALLOC_ZERO_P(mem_ctx
, struct GROUP_POLICY_OBJECT
);
584 ADS_ERROR_HAVE_NO_MEMORY(new_gpo
);
/* NOTE(review): what happens to new_gpo and to the loop when this lookup
 * fails is not visible here - confirm whether the whole list is aborted */
586 status
= ads_get_gpo(ads
, mem_ctx
, gp_link
->link_names
[i
],
587 NULL
, NULL
, new_gpo
);
588 if (!ADS_ERR_OK(status
)) {
589 DEBUG(10,("failed to get gpo: %s\n",
590 gp_link
->link_names
[i
]));
/* any non-OK result of the filter is logged as "no access" and the GPO
 * is freed; presumably the loop then continues with the next link */
594 status
= ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo
,
596 if (!ADS_ERR_OK(status
)) {
597 DEBUG(10,("skipping GPO \"%s\" as object "
598 "has no access to it\n",
599 new_gpo
->display_name
));
600 talloc_free(new_gpo
);
/* link_dn is stored by pointer, not copied */
604 new_gpo
->link
= link_dn
;
605 new_gpo
->link_type
= link_type
;
607 DLIST_ADD(*gpo_list
, new_gpo
);
609 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
610 "to GPO list\n", i
, gp_link
->link_names
[i
]));
613 return ADS_ERROR(LDAP_SUCCESS
);
616 /****************************************************************
617 ****************************************************************/
/*
 * Build an NT_USER_TOKEN for the object at dn from its directory SIDs.
 *
 * ads_get_tokensids() supplies the object SID, the primary group SID and
 * the further token SIDs.  A SID array is assembled with
 * add_sid_to_array_unique() and handed to create_local_nt_token()
 * together with the object SID.  The token is returned through *token
 * (the store itself is not among the lines visible here).
 *
 * NOTE(review): SIDs for which sid_check_is_in_builtin() is true get
 * separate handling in the loop; the branch body is not visible here,
 * presumably they are left out of the token - confirm, since this token
 * is presumably what GPO security filtering is evaluated against.
 */
619 ADS_STATUS
ads_get_sid_token(ADS_STRUCT
*ads
,
622 NT_USER_TOKEN
**token
)
625 struct dom_sid object_sid
;
626 struct dom_sid primary_group_sid
;
627 struct dom_sid
*ad_token_sids
;
628 size_t num_ad_token_sids
= 0;
629 struct dom_sid
*token_sids
;
630 size_t num_token_sids
= 0;
631 NT_USER_TOKEN
*new_token
= NULL
;
634 status
= ads_get_tokensids(ads
, mem_ctx
, dn
,
635 &object_sid
, &primary_group_sid
,
636 &ad_token_sids
, &num_ad_token_sids
);
637 if (!ADS_ERR_OK(status
)) {
/* starts as a one-element array; add_sid_to_array_unique() is used for
 * every SID that goes in */
641 token_sids
= TALLOC_ARRAY(mem_ctx
, struct dom_sid
, 1);
642 ADS_ERROR_HAVE_NO_MEMORY(token_sids
);
644 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
648 if (!ADS_ERR_OK(status
)) {
652 for (i
= 0; i
< num_ad_token_sids
; i
++) {
654 if (sid_check_is_in_builtin(&ad_token_sids
[i
])) {
658 status
= ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx
,
662 if (!ADS_ERR_OK(status
)) {
/* third argument is false; presumably the is_guest flag of
 * create_local_nt_token() - TODO confirm against its prototype */
667 new_token
= create_local_nt_token(mem_ctx
, &object_sid
, false,
668 num_token_sids
, token_sids
);
669 ADS_ERROR_HAVE_NO_MEMORY(new_token
);
/* the resulting token is dumped at debug level 5 */
673 debug_nt_user_token(DBGC_CLASS
, 5, *token
);
675 return ADS_ERROR_LDAP(LDAP_SUCCESS
);
678 /****************************************************************
679 ****************************************************************/
/*
 * Add a placeholder "Local Policy" entry to *gpo_list.
 *
 * The entry is zero-initialised; only name, display_name (both
 * "Local Policy") and link_type are set.
 *
 * mem_ctx    talloc context for the entry and its strings
 * gpo_list   list head to add to; a NULL pointer is rejected
 * link_type  link type recorded on the entry
 */
681 static ADS_STATUS
add_local_policy_to_gpo_list(TALLOC_CTX
*mem_ctx
,
682 struct GROUP_POLICY_OBJECT
**gpo_list
,
683 enum GPO_LINK_TYPE link_type
)
685 struct GROUP_POLICY_OBJECT
*gpo
= NULL
;
/* used as a NULL-argument guard: a NULL gpo_list is reported as a
 * no-memory error rather than as an invalid parameter */
687 ADS_ERROR_HAVE_NO_MEMORY(gpo_list
);
689 gpo
= TALLOC_ZERO_P(mem_ctx
, struct GROUP_POLICY_OBJECT
);
690 ADS_ERROR_HAVE_NO_MEMORY(gpo
);
692 gpo
->name
= talloc_strdup(mem_ctx
, "Local Policy");
693 ADS_ERROR_HAVE_NO_MEMORY(gpo
->name
);
695 gpo
->display_name
= talloc_strdup(mem_ctx
, "Local Policy");
696 ADS_ERROR_HAVE_NO_MEMORY(gpo
->display_name
);
698 gpo
->link_type
= link_type
;
700 DLIST_ADD(*gpo_list
, gpo
);
702 return ADS_ERROR_NT(NT_STATUS_OK
);
705 /****************************************************************
706 get the full list of GROUP_POLICY_OBJECTs for a given dn
707 ****************************************************************/
/*
 * Collect the GPOs that apply to dn into *gpo_list.
 *
 * Sources are visited in the order local policy, site (only when
 * GPO_LIST_FLAG_MACHINE is set), then the parents of dn: one walk for
 * "DC=" containers and a second walk for "OU=" containers.  Each walk
 * stops at the parent of the bind path.  Once a container has
 * GPOPTIONS_BLOCK_INHERITANCE set, add_only_forced_gpos stays true for
 * every later add_gplink_to_gpo_list() call; no reset is visible here.
 *
 * NOTE(review): a failing ads_get_gpo_link() is not treated as an error
 * in any of the three places it is called - the container is simply not
 * processed.  A transient LDAP failure therefore looks the same as "no
 * gPLink here" and can yield a shorter policy list without any error
 * being returned; confirm that this is the intended failure mode.
 */
709 ADS_STATUS
ads_get_gpo_list(ADS_STRUCT
*ads
,
713 const NT_USER_TOKEN
*token
,
714 struct GROUP_POLICY_OBJECT
**gpo_list
)
716 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
719 struct GP_LINK gp_link
;
720 const char *parent_dn
, *site_dn
, *tmp_dn
;
721 bool add_only_forced_gpos
= false;
/* NOTE(review): gpo_list is dereferenced here; no NULL check on it is
 * visible before this line */
723 ZERO_STRUCTP(gpo_list
);
726 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
/* LDAP signing is requested before any query is made, and the call fails
 * if the flag cannot be set: the links read below decide which policies
 * get applied, so the replies need integrity protection.  This asks for
 * signing only, not sealing. */
729 if (!ads_set_sasl_wrap_flags(ads
, ADS_AUTH_SASL_SIGN
)) {
730 return ADS_ERROR(LDAP_INVALID_CREDENTIALS
);
733 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn
));
736 status
= add_local_policy_to_gpo_list(mem_ctx
, gpo_list
,
738 if (!ADS_ERR_OK(status
)) {
744 /* are site GPOs valid for users as well ??? */
745 if (flags
& GPO_LIST_FLAG_MACHINE
) {
747 status
= ads_site_dn_for_machine(ads
, mem_ctx
,
748 ads
->config
.ldap_server_name
,
750 if (!ADS_ERR_OK(status
)) {
754 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
757 status
= ads_get_gpo_link(ads
, mem_ctx
, site_dn
, &gp_link
);
758 if (ADS_ERR_OK(status
)) {
760 if (DEBUGLEVEL
>= 100) {
761 dump_gplink(ads
, mem_ctx
, &gp_link
);
764 status
= add_gplink_to_gpo_list(ads
, mem_ctx
, gpo_list
,
767 add_only_forced_gpos
,
769 if (!ADS_ERR_OK(status
)) {
773 if (flags
& GPO_LIST_FLAG_SITEONLY
) {
774 return ADS_ERROR(LDAP_SUCCESS
);
777 /* inheritance can't be blocked at the site level */
/* first walk up from dn: only parents starting with "DC=" are queried */
783 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
784 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
788 /* An account can just be a member of one domain */
789 if (strncmp(parent_dn
, "DC=", strlen("DC=")) == 0) {
791 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
794 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
796 if (ADS_ERR_OK(status
)) {
798 if (DEBUGLEVEL
>= 100) {
799 dump_gplink(ads
, mem_ctx
, &gp_link
);
802 /* block inheritance from now on */
803 if (gp_link
.gp_opts
&
804 GPOPTIONS_BLOCK_INHERITANCE
) {
805 add_only_forced_gpos
= true;
808 status
= add_gplink_to_gpo_list(ads
,
814 add_only_forced_gpos
,
816 if (!ADS_ERR_OK(status
)) {
/* second walk with the same stop condition: only "OU=" parents */
828 while ((parent_dn
= ads_parent_dn(tmp_dn
)) &&
829 (!strequal(parent_dn
, ads_parent_dn(ads
->config
.bind_path
)))) {
832 /* (O)rganizational(U)nit */
834 /* An account can be a member of more OUs */
835 if (strncmp(parent_dn
, "OU=", strlen("OU=")) == 0) {
837 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
840 status
= ads_get_gpo_link(ads
, mem_ctx
, parent_dn
,
842 if (ADS_ERR_OK(status
)) {
844 if (DEBUGLEVEL
>= 100) {
845 dump_gplink(ads
, mem_ctx
, &gp_link
);
848 /* block inheritance from now on */
849 if (gp_link
.gp_opts
&
850 GPOPTIONS_BLOCK_INHERITANCE
) {
851 add_only_forced_gpos
= true;
854 status
= add_gplink_to_gpo_list(ads
,
860 add_only_forced_gpos
,
862 if (!ADS_ERR_OK(status
)) {
872 return ADS_ERROR(LDAP_SUCCESS
);
875 #endif /* HAVE_LDAP */