2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
22 #include "lib/ldb/include/ldb.h"
23 #include "lib/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/dom_sid.h"
30 #include "libcli/security/security.h"
31 #include "../lib/talloc/talloc.h"
34 struct gpo_stringmap
{
38 static const struct gpo_stringmap gplink_options
[] = {
39 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE
},
40 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE
},
43 static const struct gpo_stringmap gpo_flags
[] = {
44 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE
},
45 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE
},
48 static const struct gpo_stringmap gpo_inheritance
[] = {
49 { "GPO_INHERIT", GPO_INHERIT
},
50 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE
},
55 static NTSTATUS
parse_gpo(TALLOC_CTX
*mem_ctx
, struct ldb_message
*msg
, struct gp_object
**ret
)
57 struct gp_object
*gpo
= talloc(mem_ctx
, struct gp_object
);
58 enum ndr_err_code ndr_err
;
59 const DATA_BLOB
*data
;
61 gpo
->dn
= talloc_steal(mem_ctx
, ldb_dn_get_linearized(msg
->dn
));
63 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo
->dn
));
65 gpo
->display_name
= talloc_steal(mem_ctx
, ldb_msg_find_attr_as_string(msg
, "displayName", ""));
66 gpo
->name
= talloc_steal(mem_ctx
, ldb_msg_find_attr_as_string(msg
, "name", ""));
67 gpo
->flags
= ldb_msg_find_attr_as_uint(msg
, "name", 0);
68 gpo
->version
= ldb_msg_find_attr_as_uint(msg
, "version", 0);
69 gpo
->file_sys_path
= talloc_steal(mem_ctx
, ldb_msg_find_attr_as_string(msg
, "gPCFileSysPath", ""));
71 /* Pull the security descriptor through the NDR library */
72 data
= ldb_msg_find_ldb_val(msg
, "nTSecurityDescriptor");
73 gpo
->security_descriptor
= talloc(mem_ctx
, struct security_descriptor
);
74 ndr_err
= ndr_pull_struct_blob(data
,
77 gpo
->security_descriptor
,
78 (ndr_pull_flags_fn_t
)ndr_pull_security_descriptor
);
79 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err
)) {
80 return ndr_map_error2ntstatus(ndr_err
);
87 NTSTATUS
gp_get_gpo_flags(TALLOC_CTX
*mem_ctx
, uint32_t flags
, const char ***ret
)
89 unsigned int i
, count
=0;
90 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
94 for (i
= 0; gpo_flags
[i
].str
!= NULL
; i
++) {
95 if (flags
& gpo_flags
[i
].flags
) {
96 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
97 flag_strs
[count
] = gpo_flags
[i
].str
;
98 flag_strs
[count
+1] = NULL
;
106 NTSTATUS
gp_get_gplink_options(TALLOC_CTX
*mem_ctx
, uint32_t options
, const char ***ret
)
108 unsigned int i
, count
=0;
109 const char **flag_strs
= talloc_array(mem_ctx
, const char *, 1);
113 for (i
= 0; gplink_options
[i
].str
!= NULL
; i
++) {
114 if (options
& gplink_options
[i
].flags
) {
115 flag_strs
= talloc_realloc(mem_ctx
, flag_strs
, const char *, count
+2);
116 flag_strs
[count
] = gplink_options
[i
].str
;
117 flag_strs
[count
+1] = NULL
;
125 NTSTATUS
gp_init(TALLOC_CTX
*mem_ctx
,
126 struct loadparm_context
*lp_ctx
,
127 struct cli_credentials
*credentials
,
128 struct tevent_context
*ev_ctx
,
129 struct gp_context
**gp_ctx
)
132 struct libnet_LookupDCs
*io
;
134 struct libnet_context
*net_ctx
;
135 struct ldb_context
*ldb_ctx
;
138 /* Initialise the libnet context */
139 net_ctx
= libnet_context_init(ev_ctx
, lp_ctx
);
140 net_ctx
->cred
= credentials
;
142 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
143 io
= talloc_zero(mem_ctx
, struct libnet_LookupDCs
);
144 io
->in
.name_type
= NBT_NAME_PDC
;
145 io
->in
.domain_name
= lp_workgroup(lp_ctx
);
147 /* Find Active DC's */
148 rv
= libnet_LookupDCs(net_ctx
, mem_ctx
, io
);
149 if (!NT_STATUS_IS_OK(rv
)) {
150 DEBUG(0, ("Failed to lookup DCs in domain\n"));
154 /* Connect to ldap://DC_NAME with all relevant contexts*/
155 url
= talloc_asprintf(mem_ctx
, "ldap://%s", io
->out
.dcs
[0].name
);
156 ldb_ctx
= ldb_wrap_connect(mem_ctx
, net_ctx
->event_ctx
, lp_ctx
,
157 url
, NULL
, net_ctx
->cred
, 0);
158 if (ldb_ctx
== NULL
) {
159 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url
));
160 return NT_STATUS_UNSUCCESSFUL
;
163 /* We don't need to keep the libnet context */
164 talloc_free(net_ctx
);
166 *gp_ctx
= talloc_zero(mem_ctx
, struct gp_context
);
167 (*gp_ctx
)->lp_ctx
= lp_ctx
;
168 (*gp_ctx
)->credentials
= credentials
;
169 (*gp_ctx
)->ev_ctx
= ev_ctx
;
170 (*gp_ctx
)->ldb_ctx
= ldb_ctx
;
174 NTSTATUS
gp_list_all_gpos(struct gp_context
*gp_ctx
, struct gp_object
***ret
)
176 struct ldb_result
*result
;
181 struct gp_object
**gpo
;
182 unsigned int i
; /* same as in struct ldb_result */
185 /* Create a forked memory context, as a base for everything here */
186 mem_ctx
= talloc_new(gp_ctx
);
188 /* Create full ldb dn of the policies base object */
189 dn
= ldb_get_default_basedn(gp_ctx
->ldb_ctx
);
190 rv
= ldb_dn_add_child(dn
, ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, "CN=Policies,CN=System"));
192 DEBUG(0, ("Can't append subtree to DN\n"));
193 talloc_free(mem_ctx
);
194 return NT_STATUS_UNSUCCESSFUL
;
197 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn
)));
199 attrs
= talloc_array(mem_ctx
, const char *, 7);
200 attrs
[0] = "nTSecurityDescriptor";
201 attrs
[1] = "versionNumber";
204 attrs
[4] = "displayName";
205 attrs
[5] = "gPCFileSysPath";
208 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_ONELEVEL
, attrs
, "(objectClass=groupPolicyContainer)");
209 if (rv
!= LDB_SUCCESS
) {
210 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),ldb_errstring(gp_ctx
->ldb_ctx
)));
211 talloc_free(mem_ctx
);
212 return NT_STATUS_UNSUCCESSFUL
;
215 gpo
= talloc_array(gp_ctx
, struct gp_object
*, result
->count
+1);
216 gpo
[result
->count
] = NULL
;
218 for (i
= 0; i
< result
->count
; i
++) {
219 status
= parse_gpo(gp_ctx
, result
->msgs
[i
], &gpo
[i
]);
220 if (!NT_STATUS_IS_OK(status
)) {
221 DEBUG(0, ("Failed to parse GPO.\n"));
222 talloc_free(mem_ctx
);
227 talloc_free(mem_ctx
);
233 NTSTATUS
gp_get_gpo_info(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_object
**ret
)
235 struct ldb_result
*result
;
237 struct gp_object
*gpo
;
243 /* Create a forked memory context, as a base for everything here */
244 mem_ctx
= talloc_new(gp_ctx
);
246 /* Create an ldb dn struct for the dn string */
247 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
249 attrs
= talloc_array(mem_ctx
, const char *, 7);
250 attrs
[0] = "nTSecurityDescriptor";
251 attrs
[1] = "versionNumber";
254 attrs
[4] = "displayName";
255 attrs
[5] = "gPCFileSysPath";
258 rv
= ldb_search(gp_ctx
->ldb_ctx
,
264 "objectClass=groupPolicyContainer");
265 if (rv
!= LDB_SUCCESS
) {
266 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),ldb_errstring(gp_ctx
->ldb_ctx
)));
267 talloc_free(mem_ctx
);
268 return NT_STATUS_UNSUCCESSFUL
;
271 /* We expect exactly one record */
272 if (result
->count
!= 1) {
273 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str
));
274 talloc_free(mem_ctx
);
275 return NT_STATUS_NOT_FOUND
;
278 status
= parse_gpo(gp_ctx
, result
->msgs
[0], &gpo
);
279 if (!NT_STATUS_IS_OK(status
)) {
280 DEBUG(0, ("Failed to parse GPO.\n"));
281 talloc_free(mem_ctx
);
285 talloc_free(mem_ctx
);
291 static NTSTATUS
parse_gplink (TALLOC_CTX
*mem_ctx
, const char *gplink_str
, struct gp_link
***ret
)
295 struct gp_link
**gplinks
;
298 gplinks
= talloc_array(mem_ctx
, struct gp_link
*, 1);
301 /* Assuming every gPLink starts with "[LDAP://" */
304 for (pos
= start
; pos
< strlen(gplink_str
); pos
++) {
305 if (gplink_str
[pos
] == ';') {
306 gplinks
= talloc_realloc(mem_ctx
, gplinks
, struct gp_link
*, idx
+2);
307 gplinks
[idx
] = talloc(mem_ctx
, struct gp_link
);
308 gplinks
[idx
]->dn
= talloc_strndup(mem_ctx
,
312 for (start
= pos
+ 1; gplink_str
[pos
] != ']'; pos
++);
314 buf
= talloc_strndup(gplinks
, gplink_str
+ start
, pos
- start
);
315 gplinks
[idx
]->options
= (uint32_t) strtoll(buf
, &end
, 0);
318 /* Set the last entry in the array to be NULL */
319 gplinks
[idx
+ 1] = NULL
;
321 /* Increment the array index, the string position past
322 the next "[LDAP://", and set the start reference */
334 NTSTATUS
gp_get_gplinks(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
***ret
)
338 struct ldb_result
*result
;
339 struct gp_link
**gplinks
;
345 /* Create a forked memory context, as a base for everything here */
346 mem_ctx
= talloc_new(gp_ctx
);
348 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
350 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, NULL
, "(objectclass=*)");
351 if (rv
!= LDB_SUCCESS
) {
352 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
353 talloc_free(mem_ctx
);
354 return NT_STATUS_UNSUCCESSFUL
;
357 for (i
= 0; i
< result
->count
; i
++) {
358 for (j
= 0; j
< result
->msgs
[i
]->num_elements
; j
++) {
359 struct ldb_message_element
*element
= &result
->msgs
[i
]->elements
[j
];
361 if (strcmp(element
->name
, "gPLink") == 0) {
362 SMB_ASSERT(element
->num_values
> 0);
363 gplink_str
= talloc_strdup(mem_ctx
, (char *) element
->values
[0].data
);
368 DEBUG(0, ("Object or gPLink attribute not found.\n"));
369 return NT_STATUS_NOT_FOUND
;
373 status
= parse_gplink(gp_ctx
, gplink_str
, &gplinks
);
374 if (!NT_STATUS_IS_OK(status
)) {
375 DEBUG(0, ("Failed to parse gPLink\n"));
379 talloc_free(mem_ctx
);
385 NTSTATUS
gp_list_gpos(struct gp_context
*gp_ctx
, struct security_token
*token
, const char ***ret
)
389 struct ldb_result
*result
;
392 struct ldb_message_element
*element
;
394 const char *attrs
[] = { "objectClass", NULL
};
397 unsigned int count
= 0;
400 ACCOUNT_TYPE_USER
= 0,
401 ACCOUNT_TYPE_MACHINE
= 1
404 /* Create a forked memory context, as a base for everything here */
405 mem_ctx
= talloc_new(gp_ctx
);
407 sid
= dom_sid_string(mem_ctx
, token
->user_sid
);
409 /* Find the user DN and objectclass via the sid from the security token */
410 rv
= ldb_search(gp_ctx
->ldb_ctx
,
413 ldb_get_default_basedn(gp_ctx
->ldb_ctx
),
416 "(&(objectclass=user)(objectSid=%s))", sid
);
417 if (rv
!= LDB_SUCCESS
) {
418 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
419 ldb_errstring(gp_ctx
->ldb_ctx
)));
420 talloc_free(mem_ctx
);
421 return NT_STATUS_UNSUCCESSFUL
;
423 if (result
->count
!= 1) {
424 DEBUG(0, ("Could not find user with sid %s.\n", sid
));
425 talloc_free(mem_ctx
);
426 return NT_STATUS_UNSUCCESSFUL
;
428 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result
->msgs
[0]->dn
)));
430 element
= ldb_msg_find_element(result
->msgs
[0], "objectClass");
432 /* We need to know if this account is a user or machine. */
433 account_type
= ACCOUNT_TYPE_USER
;
434 for (i
= 0; i
< element
->num_values
; i
++) {
435 if (strcmp((char *)element
->values
[i
].data
, "computer") == 0) {
436 account_type
= ACCOUNT_TYPE_MACHINE
;
437 DEBUG(10, ("This user is a machine\n"));
441 gpos
= talloc_array(gp_ctx
, const char *, 1);
444 /* Walk through the containers until we hit the root */
446 dn
= ldb_dn_get_parent(mem_ctx
, result
->msgs
[0]->dn
);
447 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx
->ldb_ctx
), dn
) == 0) {
448 const char *gpo_attrs
[] = { "gPLink", "gPOptions", NULL
};
449 struct gp_link
**gplinks
;
450 enum gpo_inheritance gpoptions
;
452 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn
)));
454 /* Get the gPLink and gPOptions attributes from the container */
455 rv
= ldb_search(gp_ctx
->ldb_ctx
,
462 if (rv
!= LDB_SUCCESS
) {
463 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
),
464 ldb_errstring(gp_ctx
->ldb_ctx
)));
465 talloc_free(mem_ctx
);
466 return NT_STATUS_UNSUCCESSFUL
;
469 /* Parse the gPLink attribute, put it into a nice struct array */
470 status
= parse_gplink(mem_ctx
, ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", ""), &gplinks
);
471 if (!NT_STATUS_IS_OK(status
)) {
472 DEBUG(0, ("Failed to parse gPLink\n"));
473 talloc_free(mem_ctx
);
477 /* Check all group policy links on this container */
478 for (i
= 0; gplinks
[i
] != NULL
; i
++) {
479 struct gp_object
*gpo
;
480 uint32_t access_granted
;
482 /* If inheritance was blocked at a higher level and this
483 * gplink is not enforced, it should not be applied */
484 if (!inherit
&& !(gplinks
[i
]->options
& GPLINK_OPT_ENFORCE
))
487 /* Don't apply disabled links */
488 if (gplinks
[i
]->options
& GPLINK_OPT_DISABLE
)
491 /* Get GPO information */
492 status
= gp_get_gpo_info(gp_ctx
, gplinks
[i
]->dn
, &gpo
);
493 if (!NT_STATUS_IS_OK(status
)) {
494 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks
[i
]->dn
));
495 talloc_free(mem_ctx
);
499 /* If the account does not have read access, this GPO does not apply
501 status
= sec_access_check(gpo
->security_descriptor
,
503 (SEC_STD_READ_CONTROL
| SEC_ADS_LIST
| SEC_ADS_READ_PROP
),
505 if (!NT_STATUS_IS_OK(status
)) {
509 /* If the account is a user and the GPO has user disabled flag, or
510 * a machine and the GPO has machine disabled flag, this GPO does
511 * not apply to this account */
512 if ((account_type
== ACCOUNT_TYPE_USER
&&
513 (gpo
->flags
& GPO_FLAG_USER_DISABLE
)) ||
514 (account_type
== ACCOUNT_TYPE_MACHINE
&&
515 (gpo
->flags
& GPO_FLAG_MACHINE_DISABLE
))) {
519 /* Add the GPO to the list */
520 gpos
= talloc_realloc(gp_ctx
, gpos
, const char *, count
+2);
521 gpos
[count
] = talloc_strdup(gp_ctx
, gplinks
[i
]->dn
);
522 gpos
[count
+1] = NULL
;
529 /* If inheritance is blocked, then we should only add enforced gPLinks
531 gpoptions
= ldb_msg_find_attr_as_uint(result
->msgs
[0], "gPOptions", 0);
532 if (gpoptions
== GPO_BLOCK_INHERITANCE
) {
535 dn
= ldb_dn_get_parent(mem_ctx
, dn
);
538 talloc_free(mem_ctx
);
544 NTSTATUS
gp_set_gplink(struct gp_context
*gp_ctx
, const char *dn_str
, struct gp_link
*gplink
)
547 struct ldb_result
*result
;
549 struct ldb_message
*msg
;
550 const char *attrs
[] = { "gPLink", NULL
};
551 const char *gplink_str
;
555 /* Create a forked memory context, as a base for everything here */
556 mem_ctx
= talloc_new(gp_ctx
);
558 dn
= ldb_dn_new(mem_ctx
, gp_ctx
->ldb_ctx
, dn_str
);
560 rv
= ldb_search(gp_ctx
->ldb_ctx
, mem_ctx
, &result
, dn
, LDB_SCOPE_BASE
, attrs
, "(objectclass=*)");
561 if (rv
!= LDB_SUCCESS
) {
562 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv
), ldb_errstring(gp_ctx
->ldb_ctx
)));
563 talloc_free(mem_ctx
);
564 return NT_STATUS_UNSUCCESSFUL
;
567 if (result
->count
!= 1) {
568 talloc_free(mem_ctx
);
569 return NT_STATUS_NOT_FOUND
;
572 gplink_str
= ldb_msg_find_attr_as_string(result
->msgs
[0], "gPLink", "");
574 /* If this GPO link already exists, alter the options, else add it */
575 if ((start
= strcasestr(gplink_str
, gplink
->dn
)) != NULL
) {
576 start
+= strlen(gplink
->dn
);
579 while (*start
!= ']' && *start
!= '\0') {
582 gplink_str
= talloc_asprintf(mem_ctx
, "%s;%d%s\n", gplink_str
, gplink
->options
, start
);
585 /* Prepend the new GPO link to the string. This list is backwards in priority. */
586 gplink_str
= talloc_asprintf(mem_ctx
, "[LDAP://%s;%d]%s", gplink
->dn
, gplink
->options
, gplink_str
);
591 msg
= ldb_msg_new(mem_ctx
);
594 rv
= ldb_msg_add_string(msg
, "gPLink", gplink_str
);
596 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv
)));
597 talloc_free(mem_ctx
);
598 return NT_STATUS_UNSUCCESSFUL
;
600 msg
->elements
[0].flags
= LDB_FLAG_MOD_REPLACE
;
602 rv
= ldb_modify(gp_ctx
->ldb_ctx
, msg
);
604 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv
)));
605 talloc_free(mem_ctx
);
606 return NT_STATUS_UNSUCCESSFUL
;
609 talloc_free(mem_ctx
);