This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2 of the License, or
+ the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include "includes.h"
d_printf(
"net ads gpo <COMMAND>\n"\
"<COMMAND> can be either:\n"\
-" ADDLINK Link a container to a GPO\n"\
-" APPLY Apply all GPOs\n"\
-" DELETELINK Delete a gPLink from a container\n"\
-" EFFECTIVE Lists all GPOs assigned to a machine\n"\
+" APPLY Apply GPOs for machine/user\n"\
" GETGPO Lists specified GPO\n"\
-" GETLINK Lists gPLink of a containter\n"\
" HELP Prints this help message\n"\
-" LIST Lists all GPOs\n"\
+" LINKADD Link a container to a GPO\n"\
+/* " LINKDELETE Delete a gPLink from a container\n"\ */
+" LINKGET Lists gPLink of a containter\n"\
+" LIST Lists all GPOs for machine/user\n"\
+" LISTALL Lists all GPOs on a DC\n"\
+" REFRESH Lists all GPOs assigned to an account and downloads them\n"\
"\n"
);
return -1;
}
-static int net_ads_gpo_effective(int argc, const char **argv)
+static int net_ads_gpo_refresh(int argc, const char **argv)
{
TALLOC_CTX *mem_ctx;
ADS_STRUCT *ads;
ADS_STATUS status;
- const char *attrs[] = { "userAccountControl", NULL };
- LDAPMessage *res = NULL;
- const char *filter;
- char *dn = NULL;
- struct GROUP_POLICY_OBJECT *gpo_list;
+ const char *dn = NULL;
+ struct GROUP_POLICY_OBJECT *gpo_list = NULL;
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result;
-
+ struct nt_user_token *token = NULL;
+
if (argc < 1) {
- printf("usage: net ads gpo effective <username|machinename>\n");
+ printf("usage: net ads gpo refresh <username|machinename>\n");
return -1;
}
- mem_ctx = talloc_init("net_ads_gpo_effective");
+ mem_ctx = talloc_init("net_ads_gpo_refresh");
if (mem_ctx == NULL) {
return -1;
}
- filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
- if (filter == NULL) {
- goto out;
- }
-
status = ads_startup(False, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
- status = ads_do_search_all(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE,
- filter, attrs, &res);
-
+ status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
- goto out;
- }
-
- if (ads_count_replies(ads, res) != 1) {
- printf("no result\n");
- goto out;
- }
-
- dn = ads_get_dn(ads, res);
- if (dn == NULL) {
- goto out;
- }
-
- if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
+ printf("failed to find samaccount for %s\n", argv[0]);
goto out;
}
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
- status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
- if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
+ status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) {
printf("failed to refresh GPOs: %s\n", nt_errstr(result));
goto out;
}
GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version));
- result = ads_gpo_explode_filesyspath(ads, mem_ctx, gpo->file_sys_path,
- &server, &share, &nt_path, &unix_path);
+ result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ &server, &share, &nt_path, &unix_path);
if (!NT_STATUS_IS_OK(result)) {
printf("got: %s\n", nt_errstr(result));
}
}
out:
- ads_memfree(ads, dn);
- ads_msgfree(ads, res);
-
ads_destroy(&ads);
talloc_destroy(mem_ctx);
return 0;
}
-static int net_ads_gpo_list(int argc, const char **argv)
+static int net_ads_gpo_list_all(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
"name",
"gPCMachineExtensionNames",
"gPCUserExtensionNames",
+ "ntSecurityDescriptor",
NULL
};
- mem_ctx = talloc_init("net_ads_gpo_list");
+ mem_ctx = talloc_init("net_ads_gpo_list_all");
if (mem_ctx == NULL) {
return -1;
}
goto out;
}
- status = ads_do_search_all(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE,
- "(objectclass=groupPolicyContainer)", attrs, &res);
+ status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
+ LDAP_SCOPE_SUBTREE,
+ "(objectclass=groupPolicyContainer)",
+ attrs,
+ DACL_SECURITY_INFORMATION,
+ &res);
+
if (!ADS_ERR_OK(status)) {
d_printf("search failed: %s\n", ads_errstr(status));
goto out;
status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
if (!ADS_ERR_OK(status)) {
- d_printf("parse failed: %s\n", ads_errstr(status));
+ d_printf("ads_parse_gpo failed: %s\n", ads_errstr(status));
ads_memfree(ads, dn);
goto out;
}
- dump_gpo(mem_ctx, &gpo);
+ dump_gpo(ads, mem_ctx, &gpo, 0);
ads_memfree(ads, dn);
}
return 0;
}
-static int net_ads_gpo_apply(int argc, const char **argv)
+static int net_ads_gpo_list(int argc, const char **argv)
{
- TALLOC_CTX *mem_ctx;
ADS_STRUCT *ads;
ADS_STATUS status;
- const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
LDAPMessage *res = NULL;
- const char *filter;
- char *dn = NULL;
- struct GROUP_POLICY_OBJECT *gpo_list;
+ TALLOC_CTX *mem_ctx;
+ const char *dn = NULL;
uint32 uac = 0;
uint32 flags = 0;
-
+ struct GROUP_POLICY_OBJECT *gpo_list;
+ struct nt_user_token *token = NULL;
+
if (argc < 1) {
- printf("usage: net ads gpo apply <username|machinename>\n");
+ printf("usage: net ads gpo list <username|machinename>\n");
return -1;
}
- mem_ctx = talloc_init("net_ads_gpo_apply");
+ mem_ctx = talloc_init("net_ads_gpo_list");
if (mem_ctx == NULL) {
goto out;
}
- filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
- if (filter == NULL) {
+ status = ads_startup(False, &ads);
+ if (!ADS_ERR_OK(status)) {
goto out;
}
- status = ads_startup(False, &ads);
+ status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
goto out;
}
- status = ads_do_search_all(ads, ads->config.bind_path,
- LDAP_SCOPE_SUBTREE,
- filter, attrs, &res);
-
+ if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
+ flags |= GPO_LIST_FLAG_MACHINE;
+ }
+
+ printf("%s: '%s' has dn: '%s'\n",
+ (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
+ argv[0], dn);
+
+ status = ads_get_sid_token(ads, mem_ctx, dn, &token);
if (!ADS_ERR_OK(status)) {
goto out;
}
- if (ads_count_replies(ads, res) != 1) {
- printf("no result\n");
+ status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
+ if (!ADS_ERR_OK(status)) {
goto out;
}
- dn = ads_get_dn(ads, res);
- if (dn == NULL) {
+ dump_gpo_list(ads, mem_ctx, gpo_list, 0);
+
+out:
+ ads_msgfree(ads, res);
+
+ talloc_destroy(mem_ctx);
+ ads_destroy(&ads);
+
+ return 0;
+}
+
+#if 0 /* not yet */
+static int net_ads_gpo_apply(int argc, const char **argv)
+{
+ TALLOC_CTX *mem_ctx;
+ ADS_STRUCT *ads;
+ ADS_STATUS status;
+ const char *dn = NULL;
+ struct GROUP_POLICY_OBJECT *gpo_list;
+ uint32 uac = 0;
+ uint32 flags = 0;
+
+ if (argc < 1) {
+ printf("usage: net ads gpo apply <username|machinename>\n");
+ return -1;
+ }
+
+ mem_ctx = talloc_init("net_ads_gpo_apply");
+ if (mem_ctx == NULL) {
goto out;
}
- if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
+ status = ads_startup(False, &ads);
+ if (!ADS_ERR_OK(status)) {
+ goto out;
+ }
+
+ status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
+ if (!ADS_ERR_OK(status)) {
goto out;
}
}
/* FIXME: allow to process just a single extension */
- status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, NULL, flags);
+ status = gpo_process_gpo_list(ads, mem_ctx, gpo_list, NULL, flags);
if (!ADS_ERR_OK(status)) {
goto out;
}
out:
- ads_memfree(ads, dn);
- ads_msgfree(ads, res);
-
ads_destroy(&ads);
talloc_destroy(mem_ctx);
return 0;
}
+#endif
-static int net_ads_gpo_get_link(int argc, const char **argv)
+static int net_ads_gpo_link_get(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
struct GP_LINK gp_link;
if (argc < 1) {
- printf("usage: net ads gpo getlink <linkname>\n");
+ printf("usage: net ads gpo linkget <linkname>\n");
return -1;
}
return 0;
}
-static int net_ads_gpo_add_link(int argc, const char **argv)
+static int net_ads_gpo_link_add(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
if (argc < 2) {
- printf("usage: net ads gpo addlink <linkdn> <gpodn> [options]\n");
+ printf("usage: net ads gpo linkadd <linkdn> <gpodn> [options]\n");
+ printf("note: DNs must be provided properly escaped.\n See RFC 4514 for details\n");
return -1;
}
status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
if (!ADS_ERR_OK(status)) {
- d_printf("add link failed: %s\n", ads_errstr(status));
+ d_printf("link add failed: %s\n", ads_errstr(status));
goto out;
}
return 0;
}
-static int net_ads_gpo_delete_link(int argc, const char **argv)
+#if 0 /* broken */
+
+static int net_ads_gpo_link_delete(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
return 0;
}
+#endif
+
static int net_ads_gpo_get_gpo(int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
TALLOC_CTX *mem_ctx;
struct GROUP_POLICY_OBJECT gpo;
- uint32 sysvol_gpt_version;
- char *display_name;
if (argc < 1) {
+ printf("usage: net ads gpo getgpo <gpo>\n");
return -1;
}
goto out;
}
- dump_gpo(mem_ctx, &gpo);
-
- status = ADS_ERROR_NT(ads_gpo_get_sysvol_gpt_version(ads, mem_ctx,
- gpo.file_sys_path,
- &sysvol_gpt_version,
- &display_name));
- if (!ADS_ERR_OK(status)) {
- goto out;
- }
-
- printf("sysvol GPT version: %d\n", sysvol_gpt_version);
+ dump_gpo(ads, mem_ctx, &gpo, 1);
out:
talloc_destroy(mem_ctx);
int net_ads_gpo(int argc, const char **argv)
{
struct functable func[] = {
- {"LIST", net_ads_gpo_list},
- {"EFFECTIVE", net_ads_gpo_effective},
- {"ADDLINK", net_ads_gpo_add_link},
- {"DELETELINK", net_ads_gpo_delete_link},
- {"GETLINK", net_ads_gpo_get_link},
+ /* {"APPLY", net_ads_gpo_apply}, */
{"GETGPO", net_ads_gpo_get_gpo},
{"HELP", net_ads_gpo_usage},
- {"APPLY", net_ads_gpo_apply},
+ {"LINKADD", net_ads_gpo_link_add},
+ /* {"LINKDELETE", net_ads_gpo_link_delete}, */
+ {"LINKGET", net_ads_gpo_link_get},
+ {"LIST", net_ads_gpo_list},
+ {"LISTALL", net_ads_gpo_list_all},
+ {"REFRESH", net_ads_gpo_refresh},
{NULL, NULL}
};