2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
23 #include "../libgpo/gpo.h"
24 #include "libgpo/gpo_proto.h"
25 #include "../libds/common/flags.h"
29 static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
34 const char *dn = NULL;
35 struct GROUP_POLICY_OBJECT *gpo_list = NULL;
36 struct GROUP_POLICY_OBJECT *read_list = NULL;
39 struct GROUP_POLICY_OBJECT *gpo;
41 struct security_token *token = NULL;
44 if (argc < 1 || c->display_usage) {
45 d_printf("%s\n%s\n%s",
47 _("net ads gpo refresh <username|machinename>"),
48 _(" Lists all GPOs assigned to an account and "
50 " username\tUser to refresh GPOs for\n"
51 " machinename\tMachine to refresh GPOs for\n"));
55 mem_ctx = talloc_init("net_ads_gpo_refresh");
56 if (mem_ctx == NULL) {
60 status = ads_startup(c, false, &ads);
61 if (!ADS_ERR_OK(status)) {
62 d_printf(_("failed to connect AD server: %s\n"), ads_errstr(status));
66 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
67 if (!ADS_ERR_OK(status)) {
68 d_printf(_("failed to find samaccount for %s\n"), argv[0]);
72 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
73 flags |= GPO_LIST_FLAG_MACHINE;
76 d_printf(_("\n%s: '%s' has dn: '%s'\n\n"),
77 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
80 d_printf(_("* fetching token "));
81 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
82 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
84 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
87 if (!ADS_ERR_OK(status)) {
88 d_printf(_("failed: %s\n"), ads_errstr(status));
91 d_printf(_("finished\n"));
93 d_printf(_("* fetching GPO List "));
94 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
95 if (!ADS_ERR_OK(status)) {
96 d_printf(_("failed: %s\n"),
100 d_printf(_("finished\n"));
102 d_printf(_("* Refreshing Group Policy Data "));
103 gpo_cache_path = cache_path(talloc_tos(), GPO_CACHE_DIR);
104 if (gpo_cache_path == NULL) {
105 d_printf(_("failed: %s\n"), nt_errstr(NT_STATUS_NO_MEMORY));
108 result = check_refresh_gpo_list(ads, mem_ctx,
112 TALLOC_FREE(gpo_cache_path);
113 if (!NT_STATUS_IS_OK(result)) {
114 d_printf(_("failed: %s\n"), nt_errstr(result));
117 d_printf(_("finished\n"));
119 d_printf(_("* storing GPO list to registry "));
122 WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
124 if (!W_ERROR_IS_OK(werr)) {
125 d_printf(_("failed: %s\n"), win_errstr(werr));
130 d_printf(_("finished\n"));
132 if (c->opt_verbose) {
134 d_printf(_("* dumping GPO list\n"));
136 for (gpo = gpo_list; gpo; gpo = gpo->next) {
140 char *server, *share, *nt_path, *unix_path;
142 d_printf("--------------------------------------\n");
143 d_printf("Name:\t\t\t%s\n", gpo->display_name);
144 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
146 GPO_VERSION_USER(gpo->version),
147 GPO_VERSION_MACHINE(gpo->version));
149 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
150 &server, &share, &nt_path,
152 if (!NT_STATUS_IS_OK(result)) {
153 d_printf("got: %s\n", nt_errstr(result));
156 d_printf("GPO stored on server: %s, share: %s\n", server, share);
157 d_printf("\tremote path:\t%s\n", nt_path);
158 d_printf("\tlocal path:\t%s\n", unix_path);
163 d_printf(_("* re-reading GPO list from registry "));
166 WERROR werr = gp_reg_state_read(mem_ctx, flags,
169 if (!W_ERROR_IS_OK(werr)) {
170 d_printf(_("failed: %s\n"), win_errstr(werr));
175 d_printf(_("finished\n"));
177 if (c->opt_verbose) {
179 d_printf(_("* dumping GPO list from registry\n"));
181 for (gpo = read_list; gpo; gpo = gpo->next) {
186 char *server, *share, *nt_path, *unix_path;
188 d_printf("--------------------------------------\n");
189 d_printf("Name:\t\t\t%s\n", gpo->display_name);
190 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
192 GPO_VERSION_USER(gpo->version),
193 GPO_VERSION_MACHINE(gpo->version));
195 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
196 &server, &share, &nt_path,
198 if (!NT_STATUS_IS_OK(result)) {
199 d_printf("got: %s\n", nt_errstr(result));
202 d_printf("GPO stored on server: %s, share: %s\n", server, share);
203 d_printf("\tremote path:\t%s\n", nt_path);
204 d_printf("\tlocal path:\t%s\n", unix_path);
211 talloc_destroy(mem_ctx);
215 static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv)
219 LDAPMessage *res = NULL;
221 LDAPMessage *msg = NULL;
222 struct GROUP_POLICY_OBJECT gpo;
225 const char *attrs[] = {
231 "gPCMachineExtensionNames",
232 "gPCUserExtensionNames",
233 "ntSecurityDescriptor",
237 if (c->display_usage) {
239 "net ads gpo listall\n"
242 _("List all GPOs on the DC"));
246 mem_ctx = talloc_init("net_ads_gpo_list_all");
247 if (mem_ctx == NULL) {
251 status = ads_startup(c, false, &ads);
252 if (!ADS_ERR_OK(status)) {
256 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
258 "(objectclass=groupPolicyContainer)",
263 if (!ADS_ERR_OK(status)) {
264 d_printf(_("search failed: %s\n"), ads_errstr(status));
268 num_reply = ads_count_replies(ads, res);
270 d_printf(_("Got %d replies\n\n"), num_reply);
272 /* dump the results */
273 for (msg = ads_first_entry(ads, res);
275 msg = ads_next_entry(ads, msg)) {
277 if ((dn = ads_get_dn(ads, mem_ctx, msg)) == NULL) {
281 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
283 if (!ADS_ERR_OK(status)) {
284 d_printf(_("ads_parse_gpo failed: %s\n"),
293 ads_msgfree(ads, res);
295 TALLOC_FREE(mem_ctx);
301 static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
303 ADS_STRUCT *ads = NULL;
305 LDAPMessage *res = NULL;
307 const char *dn = NULL;
310 struct GROUP_POLICY_OBJECT *gpo_list;
311 struct security_token *token = NULL;
313 if (argc < 1 || c->display_usage) {
314 d_printf("%s\n%s\n%s",
316 _("net ads gpo list <username|machinename>"),
317 _(" Lists all GPOs for machine/user\n"
318 " username\tUser to list GPOs for\n"
319 " machinename\tMachine to list GPOs for\n"));
323 mem_ctx = talloc_init("net_ads_gpo_list");
324 if (mem_ctx == NULL) {
328 status = ads_startup(c, false, &ads);
329 if (!ADS_ERR_OK(status)) {
333 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
334 if (!ADS_ERR_OK(status)) {
338 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
339 flags |= GPO_LIST_FLAG_MACHINE;
342 d_printf(_("%s: '%s' has dn: '%s'\n"),
343 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
346 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
347 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
349 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
352 if (!ADS_ERR_OK(status)) {
356 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
357 if (!ADS_ERR_OK(status)) {
361 dump_gpo_list(gpo_list, 0);
364 ads_msgfree(ads, res);
366 talloc_destroy(mem_ctx);
372 static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
377 const char *dn = NULL;
378 struct GROUP_POLICY_OBJECT *gpo_list;
381 struct security_token *token = NULL;
382 const char *filter = NULL;
384 if (argc < 1 || c->display_usage) {
386 "net ads gpo apply <username|machinename>\n"
387 " Apply GPOs for machine/user\n"
388 " username\tUsername to apply GPOs for\n"
389 " machinename\tMachine to apply GPOs for\n");
393 mem_ctx = talloc_init("net_ads_gpo_apply");
394 if (mem_ctx == NULL) {
399 filter = cse_gpo_name_to_guid_string(argv[1]);
402 status = ads_startup(c, false, &ads);
403 /* filter = cse_gpo_name_to_guid_string("Security"); */
405 if (!ADS_ERR_OK(status)) {
406 d_printf("got: %s\n", ads_errstr(status));
410 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
411 if (!ADS_ERR_OK(status)) {
412 d_printf("failed to find samaccount for %s: %s\n",
413 argv[0], ads_errstr(status));
417 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
418 flags |= GPO_LIST_FLAG_MACHINE;
421 if (c->opt_verbose) {
422 flags |= GPO_INFO_FLAG_VERBOSE;
425 d_printf("%s: '%s' has dn: '%s'\n",
426 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
429 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
430 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
432 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
435 if (!ADS_ERR_OK(status)) {
439 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
440 if (!ADS_ERR_OK(status)) {
444 status = ADS_ERROR_NT(gpo_process_gpo_list(mem_ctx, token, NULL, gpo_list,
446 if (!ADS_ERR_OK(status)) {
447 d_printf("failed to process gpo list: %s\n",
454 talloc_destroy(mem_ctx);
458 static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
463 struct GP_LINK gp_link;
465 if (argc < 1 || c->display_usage) {
466 d_printf("%s\n%s\n%s",
468 _("net ads gpo linkget <container>"),
469 _(" Lists gPLink of a container\n"
470 " container\tContainer to get link for\n"));
474 mem_ctx = talloc_init("add_gpo_link");
475 if (mem_ctx == NULL) {
479 status = ads_startup(c, false, &ads);
480 if (!ADS_ERR_OK(status)) {
484 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
485 if (!ADS_ERR_OK(status)) {
486 d_printf(_("get link for %s failed: %s\n"), argv[0],
491 dump_gplink(&gp_link);
494 talloc_destroy(mem_ctx);
500 static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
504 uint32_t gpo_opt = 0;
507 if (argc < 2 || c->display_usage) {
508 d_printf("%s\n%s\n%s",
510 _("net ads gpo linkadd <linkdn> <gpodn> [options]"),
511 _(" Link a container to a GPO\n"
512 " linkdn\tContainer to link to a GPO\n"
513 " gpodn\tGPO to link container to\n"));
514 d_printf(_("note: DNs must be provided properly escaped.\n"
515 "See RFC 4514 for details\n"));
519 mem_ctx = talloc_init("add_gpo_link");
520 if (mem_ctx == NULL) {
525 gpo_opt = atoi(argv[2]);
528 status = ads_startup(c, false, &ads);
529 if (!ADS_ERR_OK(status)) {
533 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
534 if (!ADS_ERR_OK(status)) {
535 d_printf(_("link add failed: %s\n"), ads_errstr(status));
540 talloc_destroy(mem_ctx);
548 static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
554 if (argc < 2 || c->display_usage) {
556 "net ads gpo linkdelete <linkdn> <gpodn>\n"
557 " Delete a GPO link\n"
558 " <linkdn>\tContainer to delete GPO from\n"
559 " <gpodn>\tGPO to delete from container\n");
563 mem_ctx = talloc_init("delete_gpo_link");
564 if (mem_ctx == NULL) {
568 status = ads_startup(c, false, &ads);
569 if (!ADS_ERR_OK(status)) {
573 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
574 if (!ADS_ERR_OK(status)) {
575 d_printf("delete link failed: %s\n", ads_errstr(status));
580 talloc_destroy(mem_ctx);
588 static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
593 struct GROUP_POLICY_OBJECT gpo;
595 if (argc < 1 || c->display_usage) {
596 d_printf("%s\n%s\n%s",
598 _("net ads gpo getgpo <gpo>"),
599 _(" List specified GPO\n"
600 " gpo\t\tGPO to list\n"));
604 mem_ctx = talloc_init("ads_gpo_get_gpo");
605 if (mem_ctx == NULL) {
609 status = ads_startup(c, false, &ads);
610 if (!ADS_ERR_OK(status)) {
614 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
615 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
617 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
620 if (!ADS_ERR_OK(status)) {
621 d_printf(_("get gpo for [%s] failed: %s\n"), argv[0],
629 talloc_destroy(mem_ctx);
635 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
637 struct functable func[] = {
642 "Apply GPO to container",
643 "net ads gpo apply\n"
644 " Apply GPO to container"
650 N_("List specified GPO"),
651 N_("net ads gpo getgpo\n"
652 " List specified GPO")
656 net_ads_gpo_link_add,
658 N_("Link a container to a GPO"),
659 N_("net ads gpo linkadd\n"
660 " Link a container to a GPO")
665 net_ads_gpo_link_delete,
667 "Delete GPO link from a container",
668 "net ads gpo linkdelete\n"
669 " Delete GPO link from a container"
674 net_ads_gpo_link_get,
676 N_("Lists gPLink of container"),
677 N_("net ads gpo linkget\n"
678 " Lists gPLink of container")
684 N_("Lists all GPOs for machine/user"),
685 N_("net ads gpo list\n"
686 " Lists all GPOs for machine/user")
690 net_ads_gpo_list_all,
692 N_("Lists all GPOs on a DC"),
693 N_("net ads gpo listall\n"
694 " Lists all GPOs on a DC")
700 N_("Lists all GPOs assigned to an account and "
702 N_("net ads gpo refresh\n"
703 " Lists all GPOs assigned to an account and "
706 {NULL, NULL, 0, NULL, NULL}
709 return net_run_function(c, argc, argv, "net ads gpo", func);
712 #endif /* HAVE_ADS */
git.samba.org / samba.git / blob