2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
23 #include "lib/ldb-samba/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/security.h"
30 #include "libcli/ldap/ldap_ndr.h"
31 #include "../lib/talloc/talloc.h"
32 #include "lib/policy/policy.h"
34 struct gpo_stringmap
{
38 static const struct gpo_stringmap gplink_options
[] = {
39 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE
},
40 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE
},
43 static const struct gpo_stringmap gpo_flags
[] = {
44 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE
},
45 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE
},
48 static const struct gpo_stringmap gpo_inheritance
[] = {
49 { "GPO_INHERIT", GPO_INHERIT
},
50 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE
},
55 static NTSTATUS
parse_gpo(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
, struct gp_object
**ret
)
57 struct gp_object
*gpo
= talloc(mem_ctx
, struct gp_object
);
58 enum ndr_err_code ndr_err
;
59 const DATA_BLOB
*data
;
61 NT_STATUS_HAVE_NO_MEMORY(gpo
);
63 gpo
->dn
= talloc_strdup(mem_ctx
, ldb_dn_get_linearized(msg
->dn
));
64 if (gpo
->dn
== NULL
) {
66 return NT_STATUS_NO_MEMORY
;
69 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo
->dn
));
71 gpo
->display_name
= talloc_strdup(gpo
, ldb_msg_find_attr_as_string(msg
, "displayName", ""));
72 if (gpo
->display_name
== NULL
) {
74 return NT_STATUS_NO_MEMORY
;
77 gpo
->name
= talloc_strdup(gpo
, ldb_msg_find_attr_as_string(msg
, "name", ""));
78 if (gpo
->name
== NULL
) {
80 return NT_STATUS_NO_MEMORY
;
83 gpo
->flags
= ldb_msg_find_attr_as_uint(msg
, "flags", 0);
84 gpo
->version
= ldb_msg_find_attr_as_uint(msg
, "versionNumber", 0);
86 gpo
->file_sys_path
= talloc_strdup(gpo
, ldb_msg_find_attr_as_string(msg
, "gPCFileSysPath", ""));
87 if (gpo
->file_sys_path
== NULL
) {
89 return NT_STATUS_NO_MEMORY
;
92 /* Pull the security descriptor through the NDR library */
93 data
= ldb_msg_find_ldb_val(msg
, "nTSecurityDescriptor");
94 gpo
->security_descriptor
= talloc(gpo
, struct security_descriptor
);
95 if (gpo
->security_descriptor
== NULL
) {
97 return NT_STATUS_NO_MEMORY
;
100 ndr_err
= ndr_pull_struct_blob(data
,
102 gpo
->security_descriptor
,
103 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
104 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
105 return ndr_map_error2ntstatus(ndr_err
);
112 NTSTATUS
gp_get_gpo_flags(TALLOC_CTX
*mem_ctx
, uint32_t flags
, const char ***ret
)
114 unsigned int i
, count
=0;
115 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
117 NT_STATUS_HAVE_NO_MEMORY(flag_strs
);
121 for (i
= 0; gpo_flags
[i
].str
!= NULL
; i
++) {
122 if (flags
& gpo_flags
[i
].flags
) {
123 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
124 NT_STATUS_HAVE_NO_MEMORY(flag_strs
);
125 flag_strs
[count
] = gpo_flags
[i
].str
;
126 flag_strs
[count
+1] = NULL
;
134 NTSTATUS
gp_get_gplink_options(TALLOC_CTX
*mem_ctx
, uint32_t options
, const char ***ret
)
136 unsigned int i
, count
=0;
137 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
139 NT_STATUS_HAVE_NO_MEMORY(flag_strs
);
142 for (i
= 0; gplink_options
[i
].str
!= NULL
; i
++) {
143 if (options
& gplink_options
[i
].flags
) {
144 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
145 NT_STATUS_HAVE_NO_MEMORY(flag_strs
);
146 flag_strs
[count
] = gplink_options
[i
].str
;
147 flag_strs
[count
+1] = NULL
;
155 NTSTATUS
gp_init(TALLOC_CTX
*mem_ctx
,
156 struct loadparm_context
*lp_ctx
,
157 struct cli_credentials
*credentials
,
158 struct tevent_context
*ev_ctx
,
159 struct gp_context
**gp_ctx
)
162 struct libnet_LookupDCs
*io
;
164 struct libnet_context
*net_ctx
;
165 struct ldb_context
*ldb_ctx
;
168 /* Initialise the libnet context */
169 net_ctx
= libnet_context_init(ev_ctx
, lp_ctx
);
170 net_ctx
->cred
= credentials
;
172 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
173 io
= talloc_zero(mem_ctx
, struct libnet_LookupDCs
);
174 NT_STATUS_HAVE_NO_MEMORY(io
);
175 io
->in
.name_type
= NBT_NAME_PDC
;
176 io
->in
.domain_name
= lpcfg_workgroup(lp_ctx
);
178 /* Find Active DC's */
179 rv
= libnet_LookupDCs(net_ctx
, mem_ctx
, io
);
180 if (!NT_STATUS_IS_OK(rv
)) {
181 DEBUG(0, ("Failed to lookup DCs in domain\n"));
185 /* Connect to ldap://DC_NAME with all relevant contexts*/
186 url
= talloc_asprintf(mem_ctx
, "ldap://%s", io
->out
.dcs
[0].name
);
187 NT_STATUS_HAVE_NO_MEMORY(url
);
188 ldb_ctx
= ldb_wrap_connect(mem_ctx
, net_ctx
->event_ctx
, lp_ctx
,
189 url
, NULL
, net_ctx
->cred
, 0);
190 if (ldb_ctx
== NULL
) {
191 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url
));
192 return NT_STATUS_UNSUCCESSFUL
;
195 *gp_ctx
= talloc_zero(mem_ctx
, struct gp_context
);
196 NT_STATUS_HAVE_NO_MEMORY(gp_ctx
);
198 (*gp_ctx
)->lp_ctx
= lp_ctx
;
199 (*gp_ctx
)->credentials
= credentials
;
200 (*gp_ctx
)->ev_ctx
= ev_ctx
;
201 (*gp_ctx
)->ldb_ctx
= ldb_ctx
;
202 (*gp_ctx
)->active_dc
= talloc_reference(*gp_ctx
, &io
->out
.dcs
[0]);
204 /* We don't need to keep the libnet context */
205 talloc_free(net_ctx
);
209 NTSTATUS
gp_list_all_gpos(struct gp_context
*gp_ctx
, struct gp_object
***ret
)
211 struct ldb_result
*result
;
216 struct gp_object
**gpo
;
217 unsigned int i
; /* same as in struct ldb_result */
220 /* Create a forked memory context, as a base for everything here */
221 mem_ctx
= talloc_new(gp_ctx
);
222 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
224 /* Create full ldb dn of the policies base object */
225 dn
= ldb_get_default_basedn(gp_ctx
->ldb_ctx
);
226 rv
= ldb_dn_add_child(dn
, ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=Policies,CN=System"));
228 DEBUG(0, ("Can't append subtree to DN\n"));
229 talloc_free(mem_ctx
);
230 return NT_STATUS_UNSUCCESSFUL
;
233 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn
)));
235 attrs
= talloc_array(mem_ctx
, const char *, 7);
237 TALLOC_FREE(mem_ctx
);
238 return NT_STATUS_NO_MEMORY
;
241 attrs
[0] = "nTSecurityDescriptor";
242 attrs
[1] = "versionNumber";
245 attrs
[4] = "displayName";
246 attrs
[5] = "gPCFileSysPath";
249 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_ONELEVEL
, attrs
, "(objectClass=groupPolicyContainer)");
250 if (rv
!= LDB_SUCCESS
) {
251 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
252 talloc_free(mem_ctx
);
253 return NT_STATUS_UNSUCCESSFUL
;
256 gpo
= talloc_array(gp_ctx
, struct gp_object
*, result
->count
+1);
258 TALLOC_FREE(mem_ctx
);
259 return NT_STATUS_NO_MEMORY
;
262 gpo
[result
->count
] = NULL
;
264 for (i
= 0; i
< result
->count
; i
++) {
265 status
= parse_gpo(gp_ctx
, result
->msgs
[i
], &gpo
[i
]);
266 if (!NT_STATUS_IS_OK(status
)) {
267 DEBUG(0, ("Failed to parse GPO.\n"));
268 talloc_free(mem_ctx
);
273 talloc_free(mem_ctx
);
279 NTSTATUS
gp_get_gpo_info(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_object
**ret
)
281 struct ldb_result
*result
;
283 struct gp_object
*gpo
;
289 /* Create a forked memory context, as a base for everything here */
290 mem_ctx
= talloc_new(gp_ctx
);
291 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
293 /* Create an ldb dn struct for the dn string */
294 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
296 attrs
= talloc_array(mem_ctx
, const char *, 7);
298 TALLOC_FREE(mem_ctx
);
299 return NT_STATUS_NO_MEMORY
;
302 attrs
[0] = "nTSecurityDescriptor";
303 attrs
[1] = "versionNumber";
306 attrs
[4] = "displayName";
307 attrs
[5] = "gPCFileSysPath";
310 rv
= ldb_search(gp_ctx
->ldb_ctx
,
316 "objectClass=groupPolicyContainer");
317 if (rv
!= LDB_SUCCESS
) {
318 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
319 talloc_free(mem_ctx
);
320 return NT_STATUS_UNSUCCESSFUL
;
323 /* We expect exactly one record */
324 if (result
->count
!= 1) {
325 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str
));
326 talloc_free(mem_ctx
);
327 return NT_STATUS_NOT_FOUND
;
330 status
= parse_gpo(gp_ctx
, result
->msgs
[0], &gpo
);
331 if (!NT_STATUS_IS_OK(status
)) {
332 DEBUG(0, ("Failed to parse GPO.\n"));
333 talloc_free(mem_ctx
);
337 talloc_free(mem_ctx
);
343 static NTSTATUS
parse_gplink (TALLOC_CTX
*mem_ctx
, const char *gplink_str
, struct gp_link
***ret
)
347 struct gp_link
**gplinks
;
349 const char *gplink_start
= "[LDAP://";
351 gplinks
= talloc_array(mem_ctx
, struct gp_link
*, 1);
352 NT_STATUS_HAVE_NO_MEMORY(gplinks
);
356 /* Assuming every gPLink starts with "[LDAP://" */
357 start
= strlen(gplink_start
);
359 for (pos
= start
; pos
< strlen(gplink_str
); pos
++) {
360 if (gplink_str
[pos
] == ';') {
361 gplinks
= talloc_realloc(mem_ctx
, gplinks
, struct gp_link
*, idx
+2);
362 NT_STATUS_HAVE_NO_MEMORY(gplinks
);
363 gplinks
[idx
] = talloc(mem_ctx
, struct gp_link
);
364 NT_STATUS_HAVE_NO_MEMORY(gplinks
[idx
]);
365 gplinks
[idx
]->dn
= talloc_strndup(mem_ctx
,
368 if (gplinks
[idx
]->dn
== NULL
) {
369 TALLOC_FREE(gplinks
);
370 return NT_STATUS_NO_MEMORY
;
373 for (start
= pos
+ 1; gplink_str
[pos
] != ']'; pos
++);
375 buf
= talloc_strndup(gplinks
, gplink_str
+ start
, pos
- start
);
377 TALLOC_FREE(gplinks
);
378 return NT_STATUS_NO_MEMORY
;
380 gplinks
[idx
]->options
= (uint32_t) strtoll(buf
, &end
, 0);
383 /* Set the last entry in the array to be NULL */
384 gplinks
[idx
+ 1] = NULL
;
386 /* Increment the array index, the string position past
387 the next "[LDAP://", and set the start reference */
389 pos
+= strlen(gplink_start
)+1;
399 NTSTATUS
gp_get_gplinks(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
***ret
)
403 struct ldb_result
*result
;
404 struct gp_link
**gplinks
;
410 /* Create a forked memory context, as a base for everything here */
411 mem_ctx
= talloc_new(gp_ctx
);
412 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
414 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
416 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, NULL
, "(objectclass=*)");
417 if (rv
!= LDB_SUCCESS
) {
418 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
419 talloc_free(mem_ctx
);
420 return NT_STATUS_UNSUCCESSFUL
;
423 for (i
= 0; i
< result
->count
; i
++) {
424 for (j
= 0; j
< result
->msgs
[i
]->num_elements
; j
++) {
425 struct ldb_message_element
*element
= &result
->msgs
[i
]->elements
[j
];
427 if (strcmp(element
->name
, "gPLink") == 0) {
428 SMB_ASSERT(element
->num_values
> 0);
429 gplink_str
= talloc_strdup(mem_ctx
, (char *) element
->values
[0].data
);
430 if (gplink_str
== NULL
) {
431 TALLOC_FREE(mem_ctx
);
432 return NT_STATUS_NO_MEMORY
;
438 gplink_str
= talloc_strdup(mem_ctx
, "");
439 if (gplink_str
== NULL
) {
440 TALLOC_FREE(mem_ctx
);
441 return NT_STATUS_NO_MEMORY
;
446 status
= parse_gplink(gp_ctx
, gplink_str
, &gplinks
);
447 if (!NT_STATUS_IS_OK(status
)) {
448 DEBUG(0, ("Failed to parse gPLink\n"));
452 talloc_free(mem_ctx
);
458 NTSTATUS
gp_list_gpos(struct gp_context
*gp_ctx
, struct security_token
*token
, const char ***ret
)
462 struct ldb_result
*result
;
465 struct ldb_message_element
*element
;
467 const char *attrs
[] = { "objectClass", NULL
};
470 unsigned int count
= 0;
473 ACCOUNT_TYPE_USER
= 0,
474 ACCOUNT_TYPE_MACHINE
= 1
477 /* Create a forked memory context, as a base for everything here */
478 mem_ctx
= talloc_new(gp_ctx
);
479 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
481 sid
= ldap_encode_ndr_dom_sid(mem_ctx
,
482 &token
->sids
[PRIMARY_USER_SID_INDEX
]);
483 NT_STATUS_HAVE_NO_MEMORY(sid
);
485 /* Find the user DN and objectclass via the sid from the security token */
486 rv
= ldb_search(gp_ctx
->ldb_ctx
,
489 ldb_get_default_basedn(gp_ctx
->ldb_ctx
),
492 "(&(objectclass=user)(objectSid=%s))", sid
);
493 if (rv
!= LDB_SUCCESS
) {
494 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
495 ldb_errstring(gp_ctx
->ldb_ctx
)));
496 talloc_free(mem_ctx
);
497 return NT_STATUS_UNSUCCESSFUL
;
499 if (result
->count
!= 1) {
500 DEBUG(0, ("Could not find user with sid %s.\n", sid
));
501 talloc_free(mem_ctx
);
502 return NT_STATUS_UNSUCCESSFUL
;
504 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result
->msgs
[0]->dn
)));
506 element
= ldb_msg_find_element(result
->msgs
[0], "objectClass");
508 /* We need to know if this account is a user or machine. */
509 account_type
= ACCOUNT_TYPE_USER
;
510 for (i
= 0; i
< element
->num_values
; i
++) {
511 if (strcmp((char *)element
->values
[i
].data
, "computer") == 0) {
512 account_type
= ACCOUNT_TYPE_MACHINE
;
513 DEBUG(10, ("This user is a machine\n"));
517 gpos
= talloc_array(gp_ctx
, const char *, 1);
519 TALLOC_FREE(mem_ctx
);
520 return NT_STATUS_NO_MEMORY
;
524 /* Walk through the containers until we hit the root */
526 dn
= ldb_dn_get_parent(mem_ctx
, result
->msgs
[0]->dn
);
527 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx
->ldb_ctx
), dn
) == 0) {
528 const char *gpo_attrs
[] = { "gPLink", "gPOptions", NULL
};
529 struct gp_link
**gplinks
;
530 enum gpo_inheritance gpoptions
;
532 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn
)));
534 /* Get the gPLink and gPOptions attributes from the container */
535 rv
= ldb_search(gp_ctx
->ldb_ctx
,
542 if (rv
!= LDB_SUCCESS
) {
543 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
544 ldb_errstring(gp_ctx
->ldb_ctx
)));
545 talloc_free(mem_ctx
);
546 return NT_STATUS_UNSUCCESSFUL
;
549 /* Parse the gPLink attribute, put it into a nice struct array */
550 status
= parse_gplink(mem_ctx
, ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", ""), &gplinks
);
551 if (!NT_STATUS_IS_OK(status
)) {
552 DEBUG(0, ("Failed to parse gPLink\n"));
553 talloc_free(mem_ctx
);
557 /* Check all group policy links on this container */
558 for (i
= 0; gplinks
[i
] != NULL
; i
++) {
559 struct gp_object
*gpo
;
560 uint32_t access_granted
;
562 /* If inheritance was blocked at a higher level and this
563 * gplink is not enforced, it should not be applied */
564 if (!inherit
&& !(gplinks
[i
]->options
& GPLINK_OPT_ENFORCE
))
567 /* Don't apply disabled links */
568 if (gplinks
[i
]->options
& GPLINK_OPT_DISABLE
)
571 /* Get GPO information */
572 status
= gp_get_gpo_info(gp_ctx
, gplinks
[i
]->dn
, &gpo
);
573 if (!NT_STATUS_IS_OK(status
)) {
574 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks
[i
]->dn
));
575 talloc_free(mem_ctx
);
579 /* If the account does not have read access, this GPO does not apply
581 status
= se_access_check(gpo
->security_descriptor
,
583 (SEC_STD_READ_CONTROL
| SEC_ADS_LIST
| SEC_ADS_READ_PROP
),
585 if (!NT_STATUS_IS_OK(status
)) {
589 /* If the account is a user and the GPO has user disabled flag, or
590 * a machine and the GPO has machine disabled flag, this GPO does
591 * not apply to this account */
592 if ((account_type
== ACCOUNT_TYPE_USER
&&
593 (gpo
->flags
& GPO_FLAG_USER_DISABLE
)) ||
594 (account_type
== ACCOUNT_TYPE_MACHINE
&&
595 (gpo
->flags
& GPO_FLAG_MACHINE_DISABLE
))) {
599 /* Add the GPO to the list */
600 gpos
= talloc_realloc(gp_ctx
, gpos
, const char *, count
+2);
602 TALLOC_FREE(mem_ctx
);
603 return NT_STATUS_NO_MEMORY
;
605 gpos
[count
] = talloc_strdup(gp_ctx
, gplinks
[i
]->dn
);
606 if (gpos
[count
] == NULL
) {
607 TALLOC_FREE(mem_ctx
);
608 return NT_STATUS_NO_MEMORY
;
610 gpos
[count
+1] = NULL
;
617 /* If inheritance is blocked, then we should only add enforced gPLinks
619 gpoptions
= ldb_msg_find_attr_as_uint(result
->msgs
[0], "gPOptions", 0);
620 if (gpoptions
== GPO_BLOCK_INHERITANCE
) {
623 dn
= ldb_dn_get_parent(mem_ctx
, dn
);
626 talloc_free(mem_ctx
);
632 NTSTATUS
gp_set_gplink(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
*gplink
)
635 struct ldb_result
*result
;
637 struct ldb_message
*msg
;
638 const char *attrs
[] = { "gPLink", NULL
};
639 const char *gplink_str
;
643 /* Create a forked memory context, as a base for everything here */
644 mem_ctx
= talloc_new(gp_ctx
);
645 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
647 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
649 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
650 if (rv
!= LDB_SUCCESS
) {
651 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
652 talloc_free(mem_ctx
);
653 return NT_STATUS_UNSUCCESSFUL
;
656 if (result
->count
!= 1) {
657 talloc_free(mem_ctx
);
658 return NT_STATUS_NOT_FOUND
;
661 gplink_str
= ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", "");
663 /* If this GPO link already exists, alter the options, else add it */
664 if ((start
= strcasestr(gplink_str
, gplink
->dn
)) != NULL
) {
665 start
+= strlen(gplink
->dn
);
668 while (*start
!= ']' && *start
!= '\0') {
671 gplink_str
= talloc_asprintf(mem_ctx
, "%s;%d%s", gplink_str
, gplink
->options
, start
);
672 if (gplink_str
== NULL
) {
673 TALLOC_FREE(mem_ctx
);
674 return NT_STATUS_NO_MEMORY
;
678 /* Prepend the new GPO link to the string. This list is backwards in priority. */
679 gplink_str
= talloc_asprintf(mem_ctx
, "[LDAP://%s;%d]%s", gplink
->dn
, gplink
->options
, gplink_str
);
680 if (gplink_str
== NULL
) {
681 TALLOC_FREE(mem_ctx
);
682 return NT_STATUS_NO_MEMORY
;
688 msg
= ldb_msg_new(mem_ctx
);
690 TALLOC_FREE(mem_ctx
);
691 return NT_STATUS_NO_MEMORY
;
696 rv
= ldb_msg_add_string(msg
, "gPLink", gplink_str
);
697 if (rv
!= LDB_SUCCESS
) {
698 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
699 talloc_free(mem_ctx
);
700 return NT_STATUS_UNSUCCESSFUL
;
702 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
704 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
705 if (rv
!= LDB_SUCCESS
) {
706 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
707 talloc_free(mem_ctx
);
708 return NT_STATUS_UNSUCCESSFUL
;
711 talloc_free(mem_ctx
);
715 NTSTATUS
gp_del_gplink(struct gp_context
*gp_ctx
, const char *dn_str
, const char *gplink_dn
)
718 struct ldb_result
*result
;
720 struct ldb_message
*msg
;
721 const char *attrs
[] = { "gPLink", NULL
};
722 const char *gplink_str
, *search_string
;
726 /* Create a forked memory context, as a base for everything here */
727 mem_ctx
= talloc_new(gp_ctx
);
728 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
730 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
732 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
733 if (rv
!= LDB_SUCCESS
) {
734 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
735 talloc_free(mem_ctx
);
736 return NT_STATUS_UNSUCCESSFUL
;
739 if (result
->count
!= 1) {
740 talloc_free(mem_ctx
);
741 return NT_STATUS_NOT_FOUND
;
744 gplink_str
= ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", "");
746 /* If this GPO link already exists, alter the options, else add it */
747 search_string
= talloc_asprintf(mem_ctx
, "[LDAP://%s]", gplink_dn
);
748 if (search_string
== NULL
) {
749 TALLOC_FREE(mem_ctx
);
750 return NT_STATUS_NO_MEMORY
;
753 p
= strcasestr(gplink_str
, search_string
);
755 talloc_free(mem_ctx
);
756 return NT_STATUS_NOT_FOUND
;
761 while (*p
!= ']' && *p
!= '\0') {
765 gplink_str
= talloc_asprintf(mem_ctx
, "%s%s", gplink_str
, p
);
766 if (gplink_str
== NULL
) {
767 TALLOC_FREE(mem_ctx
);
768 return NT_STATUS_NO_MEMORY
;
772 msg
= ldb_msg_new(mem_ctx
);
774 TALLOC_FREE(mem_ctx
);
775 return NT_STATUS_NO_MEMORY
;
780 if (strcmp(gplink_str
, "") == 0) {
781 rv
= ldb_msg_add_empty(msg
, "gPLink", LDB_FLAG_MOD_DELETE
, NULL
);
782 if (rv
!= LDB_SUCCESS
) {
783 DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv
)));
784 talloc_free(mem_ctx
);
785 return NT_STATUS_UNSUCCESSFUL
;
788 rv
= ldb_msg_add_string(msg
, "gPLink", gplink_str
);
789 if (rv
!= LDB_SUCCESS
) {
790 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
791 talloc_free(mem_ctx
);
792 return NT_STATUS_UNSUCCESSFUL
;
794 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
796 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
797 if (rv
!= LDB_SUCCESS
) {
798 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
799 talloc_free(mem_ctx
);
800 return NT_STATUS_UNSUCCESSFUL
;
803 talloc_free(mem_ctx
);
807 NTSTATUS
gp_get_inheritance(struct gp_context
*gp_ctx
, const char *dn_str
, enum gpo_inheritance
*inheritance
)
810 struct ldb_result
*result
;
812 const char *attrs
[] = { "gPOptions", NULL
};
815 /* Create a forked memory context, as a base for everything here */
816 mem_ctx
= talloc_new(gp_ctx
);
817 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
819 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
821 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
822 if (rv
!= LDB_SUCCESS
) {
823 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
824 talloc_free(mem_ctx
);
825 return NT_STATUS_UNSUCCESSFUL
;
828 if (result
->count
!= 1) {
829 talloc_free(mem_ctx
);
830 return NT_STATUS_NOT_FOUND
;
833 *inheritance
= ldb_msg_find_attr_as_uint(result
->msgs
[0], "gPOptions", 0);
835 talloc_free(mem_ctx
);
839 NTSTATUS
gp_set_inheritance(struct gp_context
*gp_ctx
, const char *dn_str
, enum gpo_inheritance inheritance
)
841 char *inheritance_string
;
842 struct ldb_message
*msg
;
845 msg
= ldb_msg_new(gp_ctx
);
846 NT_STATUS_HAVE_NO_MEMORY(msg
);
848 msg
->dn
= ldb_dn_new(msg
, gp_ctx
->ldb_ctx
, dn_str
);
850 inheritance_string
= talloc_asprintf(msg
, "%d", inheritance
);
851 if (inheritance_string
== NULL
) {
853 return NT_STATUS_NO_MEMORY
;
856 rv
= ldb_msg_add_string(msg
, "gPOptions", inheritance_string
);
857 if (rv
!= LDB_SUCCESS
) {
858 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
860 return NT_STATUS_UNSUCCESSFUL
;
862 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
864 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
865 if (rv
!= LDB_SUCCESS
) {
866 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
868 return NT_STATUS_UNSUCCESSFUL
;
875 NTSTATUS
gp_create_ldap_gpo(struct gp_context
*gp_ctx
, struct gp_object
*gpo
)
877 struct ldb_message
*msg
;
880 char *dn_str
, *flags_str
, *version_str
;
881 struct ldb_dn
*child_dn
, *gpo_dn
;
883 mem_ctx
= talloc_new(gp_ctx
);
884 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
887 msg
= ldb_msg_new(mem_ctx
);
889 TALLOC_FREE(mem_ctx
);
890 return NT_STATUS_NO_MEMORY
;
893 msg
->dn
= ldb_get_default_basedn(gp_ctx
->ldb_ctx
);
894 dn_str
= talloc_asprintf(mem_ctx
, "CN=%s,CN=Policies,CN=System", gpo
->name
);
895 if (dn_str
== NULL
) {
896 TALLOC_FREE(mem_ctx
);
897 return NT_STATUS_NO_MEMORY
;
900 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
901 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
902 if (!rv
) goto ldb_msg_add_error
;
904 flags_str
= talloc_asprintf(mem_ctx
, "%d", gpo
->flags
);
905 if (flags_str
== NULL
) {
906 TALLOC_FREE(mem_ctx
);
907 return NT_STATUS_NO_MEMORY
;
910 version_str
= talloc_asprintf(mem_ctx
, "%d", gpo
->version
);
911 if (version_str
== NULL
) {
912 TALLOC_FREE(mem_ctx
);
913 return NT_STATUS_NO_MEMORY
;
916 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
917 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
918 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
919 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
920 rv
= ldb_msg_add_string(msg
, "objectClass", "groupPolicyContainer");
921 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
922 rv
= ldb_msg_add_string(msg
, "displayName", gpo
->display_name
);
923 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
924 rv
= ldb_msg_add_string(msg
, "name", gpo
->name
);
925 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
926 rv
= ldb_msg_add_string(msg
, "CN", gpo
->name
);
927 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
928 rv
= ldb_msg_add_string(msg
, "gPCFileSysPath", gpo
->file_sys_path
);
929 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
930 rv
= ldb_msg_add_string(msg
, "flags", flags_str
);
931 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
932 rv
= ldb_msg_add_string(msg
, "versionNumber", version_str
);
933 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
934 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
935 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
936 rv
= ldb_msg_add_string(msg
, "gpCFunctionalityVersion", "2");
937 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
939 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
940 if (rv
!= LDB_SUCCESS
) {
941 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
942 talloc_free(mem_ctx
);
943 return NT_STATUS_UNSUCCESSFUL
;
949 msg
= ldb_msg_new(mem_ctx
);
951 TALLOC_FREE(mem_ctx
);
952 return NT_STATUS_NO_MEMORY
;
955 msg
->dn
= ldb_dn_copy(mem_ctx
, gpo_dn
);
956 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=User");
957 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
958 if (!rv
) goto ldb_msg_add_error
;
960 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
961 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
962 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
963 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
964 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
965 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
966 rv
= ldb_msg_add_string(msg
, "CN", "User");
967 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
968 rv
= ldb_msg_add_string(msg
, "name", "User");
969 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
971 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
972 if (rv
!= LDB_SUCCESS
) {
973 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
974 talloc_free(mem_ctx
);
975 return NT_STATUS_UNSUCCESSFUL
;
979 msg
= ldb_msg_new(mem_ctx
);
981 TALLOC_FREE(mem_ctx
);
982 return NT_STATUS_NO_MEMORY
;
985 msg
->dn
= ldb_dn_copy(mem_ctx
, gpo_dn
);
986 child_dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=Machine");
987 rv
= ldb_dn_add_child(msg
->dn
, child_dn
);
988 if (!rv
) goto ldb_msg_add_error
;
990 rv
= ldb_msg_add_string(msg
, "objectClass", "top");
991 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
992 rv
= ldb_msg_add_string(msg
, "objectClass", "container");
993 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
994 rv
= ldb_msg_add_string(msg
, "showInAdvancedViewOnly", "TRUE");
995 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
996 rv
= ldb_msg_add_string(msg
, "CN", "Machine");
997 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
998 rv
= ldb_msg_add_string(msg
, "name", "Machine");
999 if (rv
!= LDB_SUCCESS
) goto ldb_msg_add_error
;
1001 rv
= ldb_add(gp_ctx
->ldb_ctx
, msg
);
1002 if (rv
!= LDB_SUCCESS
) {
1003 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx
->ldb_ctx
)));
1004 talloc_free(mem_ctx
);
1005 return NT_STATUS_UNSUCCESSFUL
;
1008 gpo
->dn
= talloc_strdup(gpo
, ldb_dn_get_linearized(gpo_dn
));
1009 if (gpo
->dn
== NULL
) {
1010 TALLOC_FREE(mem_ctx
);
1011 return NT_STATUS_NO_MEMORY
;
1014 talloc_free(mem_ctx
);
1015 return NT_STATUS_OK
;
1018 DEBUG(0, ("LDB Error adding element to ldb message\n"));
1019 talloc_free(mem_ctx
);
1020 return NT_STATUS_UNSUCCESSFUL
;
1023 NTSTATUS
gp_set_ads_acl (struct gp_context
*gp_ctx
, const char *dn_str
, const struct security_descriptor
*sd
)
1025 TALLOC_CTX
*mem_ctx
;
1027 enum ndr_err_code ndr_err
;
1028 struct ldb_message
*msg
;
1031 /* Create a forked memory context to clean up easily */
1032 mem_ctx
= talloc_new(gp_ctx
);
1033 NT_STATUS_HAVE_NO_MEMORY(mem_ctx
);
1035 /* Push the security descriptor through the NDR library */
1036 ndr_err
= ndr_push_struct_blob(&data
,
1039 (ndr_push_flags_fn_t
)ndr_push_security_descriptor
);
1040 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
1041 return ndr_map_error2ntstatus(ndr_err
);
1045 /* Create a LDB message */
1046 msg
= ldb_msg_new(mem_ctx
);
1048 TALLOC_FREE(mem_ctx
);
1049 return NT_STATUS_NO_MEMORY
;
1052 msg
->dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
1054 rv
= ldb_msg_add_value(msg
, "nTSecurityDescriptor", &data
, NULL
);
1055 if (rv
!= LDB_SUCCESS
) {
1056 DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv
)));
1057 talloc_free(mem_ctx
);
1058 return NT_STATUS_UNSUCCESSFUL
;
1060 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
1062 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
1063 if (rv
!= LDB_SUCCESS
) {
1064 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
1065 talloc_free(mem_ctx
);
1066 return NT_STATUS_UNSUCCESSFUL
;
1069 talloc_free(mem_ctx
);
1070 return NT_STATUS_OK
;
1073 /* This function sets flags, version and displayName on a GPO */
1074 NTSTATUS
gp_set_ldap_gpo(struct gp_context
*gp_ctx
, struct gp_object
*gpo
)
1077 TALLOC_CTX
*mem_ctx
;
1078 struct ldb_message
*msg
;
1079 char *version_str
, *flags_str
;
1081 mem_ctx
= talloc_new(gp_ctx
);
1083 msg
= ldb_msg_new(mem_ctx
);
1085 TALLOC_FREE(mem_ctx
);
1086 return NT_STATUS_NO_MEMORY
;
1089 msg
->dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, gpo
->dn
);
1091 version_str
= talloc_asprintf(mem_ctx
, "%d", gpo
->version
);
1093 TALLOC_FREE(mem_ctx
);
1094 return NT_STATUS_NO_MEMORY
;
1097 flags_str
= talloc_asprintf(mem_ctx
, "%d", gpo
->flags
);
1099 TALLOC_FREE(mem_ctx
);
1100 return NT_STATUS_NO_MEMORY
;
1103 rv
= ldb_msg_add_string(msg
, "flags", flags_str
);
1104 if (rv
!= LDB_SUCCESS
) {
1105 DEBUG(0, ("LDB message add string failed for flags: %s\n", ldb_strerror(rv
)));
1106 talloc_free(mem_ctx
);
1107 return NT_STATUS_UNSUCCESSFUL
;
1109 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
1111 rv
= ldb_msg_add_string(msg
, "version", version_str
);
1112 if (rv
!= LDB_SUCCESS
) {
1113 DEBUG(0, ("LDB message add string failed for version: %s\n", ldb_strerror(rv
)));
1114 talloc_free(mem_ctx
);
1115 return NT_STATUS_UNSUCCESSFUL
;
1117 msg
->elements
[1].flags
= LDB_FLAG_MOD_REPLACE
;
1119 rv
= ldb_msg_add_string(msg
, "displayName", gpo
->display_name
);
1120 if (rv
!= LDB_SUCCESS
) {
1121 DEBUG(0, ("LDB message add string failed for displayName: %s\n", ldb_strerror(rv
)));
1122 talloc_free(mem_ctx
);
1123 return NT_STATUS_UNSUCCESSFUL
;
1125 msg
->elements
[2].flags
= LDB_FLAG_MOD_REPLACE
;
1127 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
1128 if (rv
!= LDB_SUCCESS
) {
1129 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
1130 talloc_free(mem_ctx
);
1131 return NT_STATUS_UNSUCCESSFUL
;
1134 talloc_free(mem_ctx
);
1135 return NT_STATUS_OK
;