s3-auth: fix c++ buildwarnings.
[Samba.git] / libgpo / gpo_ldap.c
blob66e90fb0c9aaf6cd82c9357397815a259a7d6590
1 /*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
20 #include "includes.h"
21 #include "libgpo/gpo.h"
22 #if _SAMBA_BUILD_ == 4
23 #include "libgpo/gpo_s4.h"
24 #include "source4/libgpo/ads_convenience.h"
25 #endif
27 /****************************************************************
28 parse the raw extension string into a GP_EXT structure
29 ****************************************************************/
31 bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
32 const char *extension_raw,
33 struct GP_EXT **gp_ext)
35 bool ret = false;
36 struct GP_EXT *ext = NULL;
37 char **ext_list = NULL;
38 char **ext_strings = NULL;
39 int i;
41 if (!extension_raw) {
42 goto parse_error;
45 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
47 ext = talloc_zero(mem_ctx, struct GP_EXT);
48 if (!ext) {
49 goto parse_error;
52 ext_list = str_list_make(mem_ctx, extension_raw, "]");
53 if (!ext_list) {
54 goto parse_error;
57 for (i = 0; ext_list[i] != NULL; i++) {
58 /* no op */
61 ext->num_exts = i;
63 if (ext->num_exts) {
64 ext->extensions = talloc_zero_array(mem_ctx, char *,
65 ext->num_exts);
66 ext->extensions_guid = talloc_zero_array(mem_ctx, char *,
67 ext->num_exts);
68 ext->snapins = talloc_zero_array(mem_ctx, char *,
69 ext->num_exts);
70 ext->snapins_guid = talloc_zero_array(mem_ctx, char *,
71 ext->num_exts);
74 ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
76 if (!ext->extensions || !ext->extensions_guid ||
77 !ext->snapins || !ext->snapins_guid ||
78 !ext->gp_extension) {
79 goto parse_error;
82 for (i = 0; ext_list[i] != NULL; i++) {
84 int k;
85 char *p, *q;
87 DEBUGADD(10,("extension #%d\n", i));
89 p = ext_list[i];
91 if (p[0] == '[') {
92 p++;
95 ext_strings = str_list_make(mem_ctx, p, "}");
96 if (ext_strings == NULL) {
97 goto parse_error;
100 for (k = 0; ext_strings[k] != NULL; k++) {
101 /* no op */
104 q = ext_strings[0];
106 if (q[0] == '{') {
107 q++;
110 ext->extensions[i] = talloc_strdup(mem_ctx,
111 cse_gpo_guid_string_to_name(q));
112 ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
114 /* we might have no name for the guid */
115 if (ext->extensions_guid[i] == NULL) {
116 goto parse_error;
119 for (k = 1; ext_strings[k] != NULL; k++) {
121 char *m = ext_strings[k];
123 if (m[0] == '{') {
124 m++;
127 /* FIXME: theoretically there could be more than one
128 * snapin per extension */
129 ext->snapins[i] = talloc_strdup(mem_ctx,
130 cse_snapin_gpo_guid_string_to_name(m));
131 ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
133 /* we might have no name for the guid */
134 if (ext->snapins_guid[i] == NULL) {
135 goto parse_error;
140 *gp_ext = ext;
142 ret = true;
144 parse_error:
145 talloc_free(ext_list);
146 talloc_free(ext_strings);
148 return ret;
151 #ifdef HAVE_LDAP
153 /****************************************************************
154 parse the raw link string into a GP_LINK structure
155 ****************************************************************/
157 static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
158 const char *gp_link_raw,
159 uint32_t options,
160 struct GP_LINK *gp_link)
162 ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
163 char **link_list;
164 int i;
166 ZERO_STRUCTP(gp_link);
168 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
170 link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]");
171 if (!link_list) {
172 goto parse_error;
175 for (i = 0; link_list[i] != NULL; i++) {
176 /* no op */
179 gp_link->gp_opts = options;
180 gp_link->num_links = i;
182 if (gp_link->num_links) {
183 gp_link->link_names = talloc_zero_array(mem_ctx, char *,
184 gp_link->num_links);
185 gp_link->link_opts = talloc_zero_array(mem_ctx, uint32_t,
186 gp_link->num_links);
189 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
191 if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
192 goto parse_error;
195 for (i = 0; link_list[i] != NULL; i++) {
197 char *p, *q;
199 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i));
201 q = link_list[i];
202 if (q[0] == '[') {
203 q++;
206 p = strchr(q, ';');
208 if (p == NULL) {
209 goto parse_error;
212 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
213 if (gp_link->link_names[i] == NULL) {
214 goto parse_error;
216 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
218 gp_link->link_opts[i] = atoi(p + 1);
220 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
221 gp_link->link_names[i]));
222 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
223 gp_link->link_opts[i]));
227 status = ADS_SUCCESS;
229 parse_error:
230 talloc_free(link_list);
232 return status;
235 /****************************************************************
236 helper call to get a GP_LINK structure from a linkdn
237 ****************************************************************/
239 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
240 TALLOC_CTX *mem_ctx,
241 const char *link_dn,
242 struct GP_LINK *gp_link_struct)
244 ADS_STATUS status;
245 const char *attrs[] = {"gPLink", "gPOptions", NULL};
246 LDAPMessage *res = NULL;
247 const char *gp_link;
248 uint32_t gp_options;
250 ZERO_STRUCTP(gp_link_struct);
252 status = ads_search_dn(ads, &res, link_dn, attrs);
253 if (!ADS_ERR_OK(status)) {
254 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
255 ads_errstr(status)));
256 return status;
259 if (ads_count_replies(ads, res) != 1) {
260 DEBUG(10,("ads_get_gpo_link: no result\n"));
261 ads_msgfree(ads, res);
262 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
265 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
266 if (gp_link == NULL) {
267 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
268 ads_msgfree(ads, res);
269 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
272 /* perfectly legal to have no options */
273 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
274 DEBUG(10,("ads_get_gpo_link: "
275 "no 'gPOptions' attribute found\n"));
276 gp_options = 0;
279 ads_msgfree(ads, res);
281 return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
284 /****************************************************************
285 helper call to add a gp link
286 ****************************************************************/
288 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
289 TALLOC_CTX *mem_ctx,
290 const char *link_dn,
291 const char *gpo_dn,
292 uint32_t gpo_opt)
294 ADS_STATUS status;
295 const char *attrs[] = {"gPLink", NULL};
296 LDAPMessage *res = NULL;
297 const char *gp_link, *gp_link_new;
298 ADS_MODLIST mods;
300 /* although ADS allows to set anything here, we better check here if
301 * the gpo_dn is sane */
303 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
304 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
307 status = ads_search_dn(ads, &res, link_dn, attrs);
308 if (!ADS_ERR_OK(status)) {
309 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
310 ads_errstr(status)));
311 return status;
314 if (ads_count_replies(ads, res) != 1) {
315 DEBUG(10,("ads_add_gpo_link: no result\n"));
316 ads_msgfree(ads, res);
317 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
320 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
321 if (gp_link == NULL) {
322 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
323 gpo_dn, gpo_opt);
324 } else {
325 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
326 gp_link, gpo_dn, gpo_opt);
329 ads_msgfree(ads, res);
330 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
332 mods = ads_init_mods(mem_ctx);
333 ADS_ERROR_HAVE_NO_MEMORY(mods);
335 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
336 if (!ADS_ERR_OK(status)) {
337 return status;
340 return ads_gen_mod(ads, link_dn, mods);
343 /****************************************************************
344 helper call to delete add a gp link
345 ****************************************************************/
347 /* untested & broken */
348 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
349 TALLOC_CTX *mem_ctx,
350 const char *link_dn,
351 const char *gpo_dn)
353 ADS_STATUS status;
354 const char *attrs[] = {"gPLink", NULL};
355 LDAPMessage *res = NULL;
356 const char *gp_link, *gp_link_new = NULL;
357 ADS_MODLIST mods;
359 /* check for a sane gpo_dn */
360 if (gpo_dn[0] != '[') {
361 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
362 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
365 if (gpo_dn[strlen(gpo_dn)] != ']') {
366 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
367 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
370 status = ads_search_dn(ads, &res, link_dn, attrs);
371 if (!ADS_ERR_OK(status)) {
372 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
373 ads_errstr(status)));
374 return status;
377 if (ads_count_replies(ads, res) != 1) {
378 DEBUG(10,("ads_delete_gpo_link: no result\n"));
379 ads_msgfree(ads, res);
380 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
383 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
384 if (gp_link == NULL) {
385 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
388 /* find link to delete */
389 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
390 gpo_dn, gpo_opt); */
392 ads_msgfree(ads, res);
393 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
395 mods = ads_init_mods(mem_ctx);
396 ADS_ERROR_HAVE_NO_MEMORY(mods);
398 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
399 if (!ADS_ERR_OK(status)) {
400 return status;
403 return ads_gen_mod(ads, link_dn, mods);
406 /****************************************************************
407 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
408 ****************************************************************/
410 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
411 TALLOC_CTX *mem_ctx,
412 LDAPMessage *res,
413 const char *gpo_dn,
414 struct GROUP_POLICY_OBJECT *gpo)
416 ZERO_STRUCTP(gpo);
418 ADS_ERROR_HAVE_NO_MEMORY(res);
420 if (gpo_dn) {
421 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
422 } else {
423 gpo->ds_path = ads_get_dn(ads, mem_ctx, res);
426 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
428 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
429 return ADS_ERROR(LDAP_NO_MEMORY);
432 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
433 return ADS_ERROR(LDAP_NO_MEMORY);
436 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
437 "gPCFileSysPath");
438 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
440 gpo->display_name = ads_pull_string(ads, mem_ctx, res,
441 "displayName");
442 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
444 gpo->name = ads_pull_string(ads, mem_ctx, res,
445 "name");
446 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
448 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
449 "gPCMachineExtensionNames");
450 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
451 "gPCUserExtensionNames");
453 ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
454 &gpo->security_descriptor);
455 ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
457 return ADS_ERROR(LDAP_SUCCESS);
460 /****************************************************************
461 get a GROUP_POLICY_OBJECT structure based on different input parameters
462 ****************************************************************/
464 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
465 TALLOC_CTX *mem_ctx,
466 const char *gpo_dn,
467 const char *display_name,
468 const char *guid_name,
469 struct GROUP_POLICY_OBJECT *gpo)
471 ADS_STATUS status;
472 LDAPMessage *res = NULL;
473 char *dn;
474 const char *filter;
475 const char *attrs[] = {
476 "cn",
477 "displayName",
478 "flags",
479 "gPCFileSysPath",
480 "gPCFunctionalityVersion",
481 "gPCMachineExtensionNames",
482 "gPCUserExtensionNames",
483 "gPCWQLFilter",
484 "name",
485 "ntSecurityDescriptor",
486 "versionNumber",
487 NULL};
488 uint32_t sd_flags = DACL_SECURITY_INFORMATION;
490 ZERO_STRUCTP(gpo);
492 if (!gpo_dn && !display_name && !guid_name) {
493 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
496 if (gpo_dn) {
498 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
499 gpo_dn = gpo_dn + strlen("LDAP://");
502 status = ads_search_retry_dn_sd_flags(ads, &res,
503 sd_flags,
504 gpo_dn, attrs);
506 } else if (display_name || guid_name) {
508 filter = talloc_asprintf(mem_ctx,
509 "(&(objectclass=groupPolicyContainer)(%s=%s))",
510 display_name ? "displayName" : "name",
511 display_name ? display_name : guid_name);
512 ADS_ERROR_HAVE_NO_MEMORY(filter);
514 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
515 LDAP_SCOPE_SUBTREE, filter,
516 attrs, sd_flags, &res);
519 if (!ADS_ERR_OK(status)) {
520 DEBUG(10,("ads_get_gpo: search failed with %s\n",
521 ads_errstr(status)));
522 return status;
525 if (ads_count_replies(ads, res) != 1) {
526 DEBUG(10,("ads_get_gpo: no result\n"));
527 ads_msgfree(ads, res);
528 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
531 dn = ads_get_dn(ads, mem_ctx, res);
532 if (dn == NULL) {
533 ads_msgfree(ads, res);
534 return ADS_ERROR(LDAP_NO_MEMORY);
537 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
538 ads_msgfree(ads, res);
539 TALLOC_FREE(dn);
541 return status;
544 /****************************************************************
545 add a gplink to the GROUP_POLICY_OBJECT linked list
546 ****************************************************************/
548 static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
549 TALLOC_CTX *mem_ctx,
550 struct GROUP_POLICY_OBJECT **gpo_list,
551 const char *link_dn,
552 struct GP_LINK *gp_link,
553 enum GPO_LINK_TYPE link_type,
554 bool only_add_forced_gpos,
555 const NT_USER_TOKEN *token)
557 ADS_STATUS status;
558 int i;
560 for (i = 0; i < gp_link->num_links; i++) {
562 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
564 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
565 DEBUG(10,("skipping disabled GPO\n"));
566 continue;
569 if (only_add_forced_gpos) {
571 if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
572 DEBUG(10,("skipping nonenforced GPO link "
573 "because GPOPTIONS_BLOCK_INHERITANCE "
574 "has been set\n"));
575 continue;
576 } else {
577 DEBUG(10,("adding enforced GPO link although "
578 "the GPOPTIONS_BLOCK_INHERITANCE "
579 "has been set\n"));
583 new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
584 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
586 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
587 NULL, NULL, new_gpo);
588 if (!ADS_ERR_OK(status)) {
589 DEBUG(10,("failed to get gpo: %s\n",
590 gp_link->link_names[i]));
591 return status;
594 status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
595 token));
596 if (!ADS_ERR_OK(status)) {
597 DEBUG(10,("skipping GPO \"%s\" as object "
598 "has no access to it\n",
599 new_gpo->display_name));
600 talloc_free(new_gpo);
601 continue;
604 new_gpo->link = link_dn;
605 new_gpo->link_type = link_type;
607 DLIST_ADD(*gpo_list, new_gpo);
609 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
610 "to GPO list\n", i, gp_link->link_names[i]));
613 return ADS_ERROR(LDAP_SUCCESS);
616 /****************************************************************
617 ****************************************************************/
619 ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
620 TALLOC_CTX *mem_ctx,
621 const char *dn,
622 NT_USER_TOKEN **token)
624 ADS_STATUS status;
625 struct dom_sid object_sid;
626 struct dom_sid primary_group_sid;
627 struct dom_sid *ad_token_sids;
628 size_t num_ad_token_sids = 0;
629 struct dom_sid *token_sids;
630 size_t num_token_sids = 0;
631 NT_USER_TOKEN *new_token = NULL;
632 int i;
634 status = ads_get_tokensids(ads, mem_ctx, dn,
635 &object_sid, &primary_group_sid,
636 &ad_token_sids, &num_ad_token_sids);
637 if (!ADS_ERR_OK(status)) {
638 return status;
641 token_sids = TALLOC_ARRAY(mem_ctx, struct dom_sid, 1);
642 ADS_ERROR_HAVE_NO_MEMORY(token_sids);
644 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
645 &primary_group_sid,
646 &token_sids,
647 &num_token_sids));
648 if (!ADS_ERR_OK(status)) {
649 return status;
652 for (i = 0; i < num_ad_token_sids; i++) {
654 if (sid_check_is_in_builtin(&ad_token_sids[i])) {
655 continue;
658 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
659 &ad_token_sids[i],
660 &token_sids,
661 &num_token_sids));
662 if (!ADS_ERR_OK(status)) {
663 return status;
667 new_token = create_local_nt_token(mem_ctx, &object_sid, false,
668 num_token_sids, token_sids);
669 ADS_ERROR_HAVE_NO_MEMORY(new_token);
671 *token = new_token;
673 debug_nt_user_token(DBGC_CLASS, 5, *token);
675 return ADS_ERROR_LDAP(LDAP_SUCCESS);
678 /****************************************************************
679 ****************************************************************/
681 static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
682 struct GROUP_POLICY_OBJECT **gpo_list,
683 enum GPO_LINK_TYPE link_type)
685 struct GROUP_POLICY_OBJECT *gpo = NULL;
687 ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
689 gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
690 ADS_ERROR_HAVE_NO_MEMORY(gpo);
692 gpo->name = talloc_strdup(mem_ctx, "Local Policy");
693 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
695 gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
696 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
698 gpo->link_type = link_type;
700 DLIST_ADD(*gpo_list, gpo);
702 return ADS_ERROR_NT(NT_STATUS_OK);
705 /****************************************************************
706 get the full list of GROUP_POLICY_OBJECTs for a given dn
707 ****************************************************************/
709 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
710 TALLOC_CTX *mem_ctx,
711 const char *dn,
712 uint32_t flags,
713 const NT_USER_TOKEN *token,
714 struct GROUP_POLICY_OBJECT **gpo_list)
716 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
718 ADS_STATUS status;
719 struct GP_LINK gp_link;
720 const char *parent_dn, *site_dn, *tmp_dn;
721 bool add_only_forced_gpos = false;
723 ZERO_STRUCTP(gpo_list);
725 if (!dn) {
726 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
729 if (!ads_set_sasl_wrap_flags(ads, ADS_AUTH_SASL_SIGN)) {
730 return ADS_ERROR(LDAP_INVALID_CREDENTIALS);
733 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
735 /* (L)ocal */
736 status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
737 GP_LINK_LOCAL);
738 if (!ADS_ERR_OK(status)) {
739 return status;
742 /* (S)ite */
744 /* are site GPOs valid for users as well ??? */
745 if (flags & GPO_LIST_FLAG_MACHINE) {
747 status = ads_site_dn_for_machine(ads, mem_ctx,
748 ads->config.ldap_server_name,
749 &site_dn);
750 if (!ADS_ERR_OK(status)) {
751 return status;
754 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
755 site_dn));
757 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
758 if (ADS_ERR_OK(status)) {
760 if (DEBUGLEVEL >= 100) {
761 dump_gplink(ads, mem_ctx, &gp_link);
764 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
765 site_dn, &gp_link,
766 GP_LINK_SITE,
767 add_only_forced_gpos,
768 token);
769 if (!ADS_ERR_OK(status)) {
770 return status;
773 if (flags & GPO_LIST_FLAG_SITEONLY) {
774 return ADS_ERROR(LDAP_SUCCESS);
777 /* inheritance can't be blocked at the site level */
781 tmp_dn = dn;
783 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
784 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
786 /* (D)omain */
788 /* An account can just be a member of one domain */
789 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
791 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
792 parent_dn));
794 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
795 &gp_link);
796 if (ADS_ERR_OK(status)) {
798 if (DEBUGLEVEL >= 100) {
799 dump_gplink(ads, mem_ctx, &gp_link);
802 /* block inheritance from now on */
803 if (gp_link.gp_opts &
804 GPOPTIONS_BLOCK_INHERITANCE) {
805 add_only_forced_gpos = true;
808 status = add_gplink_to_gpo_list(ads,
809 mem_ctx,
810 gpo_list,
811 parent_dn,
812 &gp_link,
813 GP_LINK_DOMAIN,
814 add_only_forced_gpos,
815 token);
816 if (!ADS_ERR_OK(status)) {
817 return status;
822 tmp_dn = parent_dn;
825 /* reset dn again */
826 tmp_dn = dn;
828 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
829 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
832 /* (O)rganizational(U)nit */
834 /* An account can be a member of more OUs */
835 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
837 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
838 parent_dn));
840 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
841 &gp_link);
842 if (ADS_ERR_OK(status)) {
844 if (DEBUGLEVEL >= 100) {
845 dump_gplink(ads, mem_ctx, &gp_link);
848 /* block inheritance from now on */
849 if (gp_link.gp_opts &
850 GPOPTIONS_BLOCK_INHERITANCE) {
851 add_only_forced_gpos = true;
854 status = add_gplink_to_gpo_list(ads,
855 mem_ctx,
856 gpo_list,
857 parent_dn,
858 &gp_link,
859 GP_LINK_OU,
860 add_only_forced_gpos,
861 token);
862 if (!ADS_ERR_OK(status)) {
863 return status;
868 tmp_dn = parent_dn;
872 return ADS_ERROR(LDAP_SUCCESS);
875 #endif /* HAVE_LDAP */