2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
22 /****************************************************************
23 parse the raw extension string into a GP_EXT structure
24 ****************************************************************/
26 bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
27 const char *extension_raw,
28 struct GP_EXT **gp_ext)
31 struct GP_EXT *ext = NULL;
32 char **ext_list = NULL;
33 char **ext_strings = NULL;
40 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
42 ext = TALLOC_ZERO_P(mem_ctx, struct GP_EXT);
47 ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
52 for (i = 0; ext_list[i] != NULL; i++) {
59 ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *,
61 ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
63 ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *,
65 ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *,
69 ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
71 if (!ext->extensions || !ext->extensions_guid ||
72 !ext->snapins || !ext->snapins_guid ||
77 for (i = 0; ext_list[i] != NULL; i++) {
82 DEBUGADD(10,("extension #%d\n", i));
90 ext_strings = str_list_make_talloc(mem_ctx, p, "}");
91 if (ext_strings == NULL) {
95 for (k = 0; ext_strings[k] != NULL; k++) {
105 ext->extensions[i] = talloc_strdup(mem_ctx,
106 cse_gpo_guid_string_to_name(q));
107 ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
109 /* we might have no name for the guid */
110 if (ext->extensions_guid[i] == NULL) {
114 for (k = 1; ext_strings[k] != NULL; k++) {
116 char *m = ext_strings[k];
122 /* FIXME: theoretically there could be more than one
123 * snapin per extension */
124 ext->snapins[i] = talloc_strdup(mem_ctx,
125 cse_snapin_gpo_guid_string_to_name(m));
126 ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
128 /* we might have no name for the guid */
129 if (ext->snapins_guid[i] == NULL) {
141 str_list_free_talloc(mem_ctx, &ext_list);
144 str_list_free_talloc(mem_ctx, &ext_strings);
152 /****************************************************************
153 parse the raw link string into a GP_LINK structure
154 ****************************************************************/
156 static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
157 const char *gp_link_raw,
159 struct GP_LINK *gp_link)
161 ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
165 ZERO_STRUCTP(gp_link);
167 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
169 link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
174 for (i = 0; link_list[i] != NULL; i++) {
178 gp_link->gp_opts = options;
179 gp_link->num_links = i;
181 if (gp_link->num_links) {
182 gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *,
184 gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32_t,
188 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
190 if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
194 for (i = 0; link_list[i] != NULL; i++) {
198 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i));
211 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
212 if (gp_link->link_names[i] == NULL) {
215 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
217 gp_link->link_opts[i] = atoi(p + 1);
219 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
220 gp_link->link_names[i]));
221 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
222 gp_link->link_opts[i]));
226 status = ADS_SUCCESS;
231 str_list_free_talloc(mem_ctx, &link_list);
237 /****************************************************************
238 helper call to get a GP_LINK structure from a linkdn
239 ****************************************************************/
241 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
244 struct GP_LINK *gp_link_struct)
247 const char *attrs[] = {"gPLink", "gPOptions", NULL};
248 LDAPMessage *res = NULL;
252 ZERO_STRUCTP(gp_link_struct);
254 status = ads_search_dn(ads, &res, link_dn, attrs);
255 if (!ADS_ERR_OK(status)) {
256 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
257 ads_errstr(status)));
261 if (ads_count_replies(ads, res) != 1) {
262 DEBUG(10,("ads_get_gpo_link: no result\n"));
263 ads_msgfree(ads, res);
264 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
267 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
268 if (gp_link == NULL) {
269 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
270 ads_msgfree(ads, res);
271 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
274 /* perfectly legal to have no options */
275 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
276 DEBUG(10,("ads_get_gpo_link: "
277 "no 'gPOptions' attribute found\n"));
281 ads_msgfree(ads, res);
283 return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
286 /****************************************************************
287 helper call to add a gp link
288 ****************************************************************/
290 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
297 const char *attrs[] = {"gPLink", NULL};
298 LDAPMessage *res = NULL;
299 const char *gp_link, *gp_link_new;
302 /* although ADS allows to set anything here, we better check here if
303 * the gpo_dn is sane */
305 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
306 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
309 status = ads_search_dn(ads, &res, link_dn, attrs);
310 if (!ADS_ERR_OK(status)) {
311 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
312 ads_errstr(status)));
316 if (ads_count_replies(ads, res) != 1) {
317 DEBUG(10,("ads_add_gpo_link: no result\n"));
318 ads_msgfree(ads, res);
319 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
322 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
323 if (gp_link == NULL) {
324 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
327 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
328 gp_link, gpo_dn, gpo_opt);
331 ads_msgfree(ads, res);
332 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
334 mods = ads_init_mods(mem_ctx);
335 ADS_ERROR_HAVE_NO_MEMORY(mods);
337 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
338 if (!ADS_ERR_OK(status)) {
342 return ads_gen_mod(ads, link_dn, mods);
345 /****************************************************************
346 helper call to delete add a gp link
347 ****************************************************************/
349 /* untested & broken */
350 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
356 const char *attrs[] = {"gPLink", NULL};
357 LDAPMessage *res = NULL;
358 const char *gp_link, *gp_link_new = NULL;
361 /* check for a sane gpo_dn */
362 if (gpo_dn[0] != '[') {
363 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
364 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
367 if (gpo_dn[strlen(gpo_dn)] != ']') {
368 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
369 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
372 status = ads_search_dn(ads, &res, link_dn, attrs);
373 if (!ADS_ERR_OK(status)) {
374 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
375 ads_errstr(status)));
379 if (ads_count_replies(ads, res) != 1) {
380 DEBUG(10,("ads_delete_gpo_link: no result\n"));
381 ads_msgfree(ads, res);
382 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
385 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
386 if (gp_link == NULL) {
387 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
390 /* find link to delete */
391 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
394 ads_msgfree(ads, res);
395 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
397 mods = ads_init_mods(mem_ctx);
398 ADS_ERROR_HAVE_NO_MEMORY(mods);
400 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
401 if (!ADS_ERR_OK(status)) {
405 return ads_gen_mod(ads, link_dn, mods);
408 /****************************************************************
409 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
410 ****************************************************************/
412 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
416 struct GROUP_POLICY_OBJECT *gpo)
420 ADS_ERROR_HAVE_NO_MEMORY(res);
423 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
425 gpo->ds_path = ads_get_dn(ads, res);
428 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
430 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
431 return ADS_ERROR(LDAP_NO_MEMORY);
434 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
435 return ADS_ERROR(LDAP_NO_MEMORY);
438 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
440 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
442 gpo->display_name = ads_pull_string(ads, mem_ctx, res,
444 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
446 gpo->name = ads_pull_string(ads, mem_ctx, res,
448 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
450 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
451 "gPCMachineExtensionNames");
452 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
453 "gPCUserExtensionNames");
455 ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
456 &gpo->security_descriptor);
457 ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
459 return ADS_ERROR(LDAP_SUCCESS);
462 /****************************************************************
463 get a GROUP_POLICY_OBJECT structure based on different input paramters
464 ****************************************************************/
466 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
469 const char *display_name,
470 const char *guid_name,
471 struct GROUP_POLICY_OBJECT *gpo)
474 LDAPMessage *res = NULL;
477 const char *attrs[] = {
482 "gPCFunctionalityVersion",
483 "gPCMachineExtensionNames",
484 "gPCUserExtensionNames",
487 "ntSecurityDescriptor",
490 uint32_t sd_flags = DACL_SECURITY_INFORMATION;
494 if (!gpo_dn && !display_name && !guid_name) {
495 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
500 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
501 gpo_dn = gpo_dn + strlen("LDAP://");
504 status = ads_search_retry_dn_sd_flags(ads, &res,
508 } else if (display_name || guid_name) {
510 filter = talloc_asprintf(mem_ctx,
511 "(&(objectclass=groupPolicyContainer)(%s=%s))",
512 display_name ? "displayName" : "name",
513 display_name ? display_name : guid_name);
514 ADS_ERROR_HAVE_NO_MEMORY(filter);
516 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
517 LDAP_SCOPE_SUBTREE, filter,
518 attrs, sd_flags, &res);
521 if (!ADS_ERR_OK(status)) {
522 DEBUG(10,("ads_get_gpo: search failed with %s\n",
523 ads_errstr(status)));
527 if (ads_count_replies(ads, res) != 1) {
528 DEBUG(10,("ads_get_gpo: no result\n"));
529 ads_msgfree(ads, res);
530 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
533 dn = ads_get_dn(ads, res);
535 ads_msgfree(ads, res);
536 return ADS_ERROR(LDAP_NO_MEMORY);
539 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
540 ads_msgfree(ads, res);
541 ads_memfree(ads, dn);
546 /****************************************************************
547 add a gplink to the GROUP_POLICY_OBJECT linked list
548 ****************************************************************/
550 static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
552 struct GROUP_POLICY_OBJECT **gpo_list,
554 struct GP_LINK *gp_link,
555 enum GPO_LINK_TYPE link_type,
556 bool only_add_forced_gpos,
557 const struct nt_user_token *token)
562 for (i = 0; i < gp_link->num_links; i++) {
564 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
566 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
567 DEBUG(10,("skipping disabled GPO\n"));
571 if (only_add_forced_gpos) {
573 if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
574 DEBUG(10,("skipping nonenforced GPO link "
575 "because GPOPTIONS_BLOCK_INHERITANCE "
579 DEBUG(10,("adding enforced GPO link although "
580 "the GPOPTIONS_BLOCK_INHERITANCE "
585 new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
586 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
588 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
589 NULL, NULL, new_gpo);
590 if (!ADS_ERR_OK(status)) {
591 DEBUG(10,("failed to get gpo: %s\n",
592 gp_link->link_names[i]));
596 status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
598 if (!ADS_ERR_OK(status)) {
599 DEBUG(10,("skipping GPO \"%s\" as object "
600 "has no access to it\n",
601 new_gpo->display_name));
602 TALLOC_FREE(new_gpo);
606 new_gpo->link = link_dn;
607 new_gpo->link_type = link_type;
609 DLIST_ADD(*gpo_list, new_gpo);
611 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
612 "to GPO list\n", i, gp_link->link_names[i]));
615 return ADS_ERROR(LDAP_SUCCESS);
618 /****************************************************************
619 ****************************************************************/
621 ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
624 struct nt_user_token **token)
628 DOM_SID primary_group_sid;
629 DOM_SID *ad_token_sids;
630 size_t num_ad_token_sids = 0;
632 size_t num_token_sids = 0;
633 struct nt_user_token *new_token = NULL;
636 status = ads_get_tokensids(ads, mem_ctx, dn,
637 &object_sid, &primary_group_sid,
638 &ad_token_sids, &num_ad_token_sids);
639 if (!ADS_ERR_OK(status)) {
643 token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
644 ADS_ERROR_HAVE_NO_MEMORY(token_sids);
646 if (!add_sid_to_array_unique(mem_ctx, &primary_group_sid, &token_sids,
648 return ADS_ERROR(LDAP_NO_MEMORY);
651 for (i = 0; i < num_ad_token_sids; i++) {
653 if (sid_check_is_in_builtin(&ad_token_sids[i])) {
657 if (!add_sid_to_array_unique(mem_ctx, &ad_token_sids[i],
658 &token_sids, &num_token_sids)) {
659 return ADS_ERROR(LDAP_NO_MEMORY);
663 new_token = create_local_nt_token(mem_ctx, &object_sid, False,
664 num_token_sids, token_sids);
665 ADS_ERROR_HAVE_NO_MEMORY(new_token);
669 debug_nt_user_token(DBGC_CLASS, 5, *token);
671 return ADS_ERROR_LDAP(LDAP_SUCCESS);
674 /****************************************************************
675 ****************************************************************/
677 static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
678 struct GROUP_POLICY_OBJECT **gpo_list,
679 enum GPO_LINK_TYPE link_type)
681 struct GROUP_POLICY_OBJECT *gpo = NULL;
683 ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
685 gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
686 ADS_ERROR_HAVE_NO_MEMORY(gpo);
688 gpo->name = talloc_strdup(mem_ctx, "Local Policy");
689 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
691 gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
692 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
694 gpo->link_type = link_type;
696 DLIST_ADD(*gpo_list, gpo);
698 return ADS_ERROR_NT(NT_STATUS_OK);
701 /****************************************************************
702 get the full list of GROUP_POLICY_OBJECTs for a given dn
703 ****************************************************************/
705 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
709 const struct nt_user_token *token,
710 struct GROUP_POLICY_OBJECT **gpo_list)
712 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
715 struct GP_LINK gp_link;
716 const char *parent_dn, *site_dn, *tmp_dn;
717 bool add_only_forced_gpos = False;
719 ZERO_STRUCTP(gpo_list);
722 return ADS_ERROR(LDAP_PARAM_ERROR);
725 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
728 status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
730 if (!ADS_ERR_OK(status)) {
736 /* are site GPOs valid for users as well ??? */
737 if (flags & GPO_LIST_FLAG_MACHINE) {
739 status = ads_site_dn_for_machine(ads, mem_ctx,
740 ads->config.ldap_server_name,
742 if (!ADS_ERR_OK(status)) {
746 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
749 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
750 if (ADS_ERR_OK(status)) {
752 if (DEBUGLEVEL >= 100) {
753 dump_gplink(ads, mem_ctx, &gp_link);
756 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
759 add_only_forced_gpos,
761 if (!ADS_ERR_OK(status)) {
765 if (flags & GPO_LIST_FLAG_SITEONLY) {
766 return ADS_ERROR(LDAP_SUCCESS);
769 /* inheritance can't be blocked at the site level */
775 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
776 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
780 /* An account can just be a member of one domain */
781 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
783 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
786 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
788 if (ADS_ERR_OK(status)) {
790 if (DEBUGLEVEL >= 100) {
791 dump_gplink(ads, mem_ctx, &gp_link);
794 /* block inheritance from now on */
795 if (gp_link.gp_opts &
796 GPOPTIONS_BLOCK_INHERITANCE) {
797 add_only_forced_gpos = True;
800 status = add_gplink_to_gpo_list(ads,
806 add_only_forced_gpos,
808 if (!ADS_ERR_OK(status)) {
820 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
821 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
824 /* (O)rganizational(U)nit */
826 /* An account can be a member of more OUs */
827 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
829 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
832 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
834 if (ADS_ERR_OK(status)) {
836 if (DEBUGLEVEL >= 100) {
837 dump_gplink(ads, mem_ctx, &gp_link);
840 /* block inheritance from now on */
841 if (gp_link.gp_opts &
842 GPOPTIONS_BLOCK_INHERITANCE) {
843 add_only_forced_gpos = True;
846 status = add_gplink_to_gpo_list(ads,
852 add_only_forced_gpos,
854 if (!ADS_ERR_OK(status)) {
864 return ADS_ERROR(LDAP_SUCCESS);
867 #endif /* HAVE_LDAP */