2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "utils/net.h"
23 #include "../libgpo/gpo.h"
24 #include "libgpo/gpo_proto.h"
25 #include "../libds/common/flags.h"
29 static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
34 const char *dn = NULL;
35 struct GROUP_POLICY_OBJECT *gpo_list = NULL;
36 struct GROUP_POLICY_OBJECT *read_list = NULL;
39 struct GROUP_POLICY_OBJECT *gpo;
41 struct nt_user_token *token = NULL;
43 if (argc < 1 || c->display_usage) {
44 d_printf("%s\n%s\n%s",
46 _("net ads gpo refresh <username|machinename>"),
47 _(" Lists all GPOs assigned to an account and "
49 " username\tUser to refresh GPOs for\n"
50 " machinename\tMachine to refresh GPOs for\n"));
54 mem_ctx = talloc_init("net_ads_gpo_refresh");
55 if (mem_ctx == NULL) {
59 status = ads_startup(c, false, &ads);
60 if (!ADS_ERR_OK(status)) {
61 d_printf(_("failed to connect AD server: %s\n"), ads_errstr(status));
65 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
66 if (!ADS_ERR_OK(status)) {
67 d_printf(_("failed to find samaccount for %s\n"), argv[0]);
71 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
72 flags |= GPO_LIST_FLAG_MACHINE;
75 d_printf(_("\n%s: '%s' has dn: '%s'\n\n"),
76 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
79 d_printf(_("* fetching token "));
80 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
81 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
83 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
86 if (!ADS_ERR_OK(status)) {
87 d_printf(_("failed: %s\n"), ads_errstr(status));
90 d_printf(_("finished\n"));
92 d_printf(_("* fetching GPO List "));
93 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
94 if (!ADS_ERR_OK(status)) {
95 d_printf(_("failed: %s\n"),
99 d_printf(_("finished\n"));
101 d_printf(_("* Refreshing Group Policy Data "));
102 if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
103 cache_path(GPO_CACHE_DIR),
107 d_printf(_("failed: %s\n"), nt_errstr(result));
110 d_printf(_("finished\n"));
112 d_printf(_("* storing GPO list to registry "));
115 WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
117 if (!W_ERROR_IS_OK(werr)) {
118 d_printf(_("failed: %s\n"), win_errstr(werr));
123 d_printf(_("finished\n"));
125 if (c->opt_verbose) {
127 d_printf(_("* dumping GPO list\n"));
129 for (gpo = gpo_list; gpo; gpo = gpo->next) {
131 dump_gpo(ads, mem_ctx, gpo, 0);
133 char *server, *share, *nt_path, *unix_path;
135 d_printf("--------------------------------------\n");
136 d_printf("Name:\t\t\t%s\n", gpo->display_name);
137 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
139 GPO_VERSION_USER(gpo->version),
140 GPO_VERSION_MACHINE(gpo->version));
142 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
143 &server, &share, &nt_path,
145 if (!NT_STATUS_IS_OK(result)) {
146 d_printf("got: %s\n", nt_errstr(result));
149 d_printf("GPO stored on server: %s, share: %s\n", server, share);
150 d_printf("\tremote path:\t%s\n", nt_path);
151 d_printf("\tlocal path:\t%s\n", unix_path);
156 d_printf(_("* re-reading GPO list from registry "));
159 WERROR werr = gp_reg_state_read(mem_ctx, flags,
160 &token->user_sids[0],
162 if (!W_ERROR_IS_OK(werr)) {
163 d_printf(_("failed: %s\n"), win_errstr(werr));
168 d_printf(_("finished\n"));
170 if (c->opt_verbose) {
172 d_printf(_("* dumping GPO list from registry\n"));
174 for (gpo = read_list; gpo; gpo = gpo->next) {
176 dump_gpo(ads, mem_ctx, gpo, 0);
179 char *server, *share, *nt_path, *unix_path;
181 d_printf("--------------------------------------\n");
182 d_printf("Name:\t\t\t%s\n", gpo->display_name);
183 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
185 GPO_VERSION_USER(gpo->version),
186 GPO_VERSION_MACHINE(gpo->version));
188 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
189 &server, &share, &nt_path,
191 if (!NT_STATUS_IS_OK(result)) {
192 d_printf("got: %s\n", nt_errstr(result));
195 d_printf("GPO stored on server: %s, share: %s\n", server, share);
196 d_printf("\tremote path:\t%s\n", nt_path);
197 d_printf("\tlocal path:\t%s\n", unix_path);
204 talloc_destroy(mem_ctx);
208 static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv)
212 LDAPMessage *res = NULL;
214 LDAPMessage *msg = NULL;
215 struct GROUP_POLICY_OBJECT gpo;
218 const char *attrs[] = {
224 "gPCMachineExtensionNames",
225 "gPCUserExtensionNames",
226 "ntSecurityDescriptor",
230 if (c->display_usage) {
232 "net ads gpo listall\n"
235 _("List all GPOs on the DC"));
239 mem_ctx = talloc_init("net_ads_gpo_list_all");
240 if (mem_ctx == NULL) {
244 status = ads_startup(c, false, &ads);
245 if (!ADS_ERR_OK(status)) {
249 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
251 "(objectclass=groupPolicyContainer)",
256 if (!ADS_ERR_OK(status)) {
257 d_printf(_("search failed: %s\n"), ads_errstr(status));
261 num_reply = ads_count_replies(ads, res);
263 d_printf(_("Got %d replies\n\n"), num_reply);
265 /* dump the results */
266 for (msg = ads_first_entry(ads, res);
268 msg = ads_next_entry(ads, msg)) {
270 if ((dn = ads_get_dn(ads, mem_ctx, msg)) == NULL) {
274 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
276 if (!ADS_ERR_OK(status)) {
277 d_printf(_("ads_parse_gpo failed: %s\n"),
282 dump_gpo(ads, mem_ctx, &gpo, 0);
286 ads_msgfree(ads, res);
288 TALLOC_FREE(mem_ctx);
294 static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
296 ADS_STRUCT *ads = NULL;
298 LDAPMessage *res = NULL;
300 const char *dn = NULL;
303 struct GROUP_POLICY_OBJECT *gpo_list;
304 struct nt_user_token *token = NULL;
306 if (argc < 1 || c->display_usage) {
307 d_printf("%s\n%s\n%s",
309 _("net ads gpo list <username|machinename>"),
310 _(" Lists all GPOs for machine/user\n"
311 " username\tUser to list GPOs for\n"
312 " machinename\tMachine to list GPOs for\n"));
316 mem_ctx = talloc_init("net_ads_gpo_list");
317 if (mem_ctx == NULL) {
321 status = ads_startup(c, false, &ads);
322 if (!ADS_ERR_OK(status)) {
326 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
327 if (!ADS_ERR_OK(status)) {
331 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
332 flags |= GPO_LIST_FLAG_MACHINE;
335 d_printf(_("%s: '%s' has dn: '%s'\n"),
336 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? _("machine") : _("user"),
339 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
340 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
342 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
345 if (!ADS_ERR_OK(status)) {
349 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
350 if (!ADS_ERR_OK(status)) {
354 dump_gpo_list(ads, mem_ctx, gpo_list, 0);
357 ads_msgfree(ads, res);
359 talloc_destroy(mem_ctx);
365 static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
370 const char *dn = NULL;
371 struct GROUP_POLICY_OBJECT *gpo_list;
374 struct nt_user_token *token = NULL;
375 const char *filter = NULL;
377 if (argc < 1 || c->display_usage) {
379 "net ads gpo apply <username|machinename>\n"
380 " Apply GPOs for machine/user\n"
381 " username\tUsername to apply GPOs for\n"
382 " machinename\tMachine to apply GPOs for\n");
386 mem_ctx = talloc_init("net_ads_gpo_apply");
387 if (mem_ctx == NULL) {
392 filter = cse_gpo_name_to_guid_string(argv[1]);
395 status = ads_startup(c, false, &ads);
396 /* filter = cse_gpo_name_to_guid_string("Security"); */
398 if (!ADS_ERR_OK(status)) {
399 d_printf("got: %s\n", ads_errstr(status));
403 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
404 if (!ADS_ERR_OK(status)) {
405 d_printf("failed to find samaccount for %s: %s\n",
406 argv[0], ads_errstr(status));
410 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
411 flags |= GPO_LIST_FLAG_MACHINE;
414 if (c->opt_verbose) {
415 flags |= GPO_INFO_FLAG_VERBOSE;
418 d_printf("%s: '%s' has dn: '%s'\n",
419 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
422 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
423 status = gp_get_machine_token(ads, mem_ctx, NULL, dn, &token);
425 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
428 if (!ADS_ERR_OK(status)) {
432 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
433 if (!ADS_ERR_OK(status)) {
437 status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
439 if (!ADS_ERR_OK(status)) {
440 d_printf("failed to process gpo list: %s\n",
447 talloc_destroy(mem_ctx);
451 static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
456 struct GP_LINK gp_link;
458 if (argc < 1 || c->display_usage) {
459 d_printf("%s\n%s\n%s",
461 _("net ads gpo linkget <container>"),
462 _(" Lists gPLink of a containter\n"
463 " container\tContainer to get link for\n"));
467 mem_ctx = talloc_init("add_gpo_link");
468 if (mem_ctx == NULL) {
472 status = ads_startup(c, false, &ads);
473 if (!ADS_ERR_OK(status)) {
477 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
478 if (!ADS_ERR_OK(status)) {
479 d_printf(_("get link for %s failed: %s\n"), argv[0],
484 dump_gplink(ads, mem_ctx, &gp_link);
487 talloc_destroy(mem_ctx);
493 static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
500 if (argc < 2 || c->display_usage) {
501 d_printf("%s\n%s\n%s",
503 _("net ads gpo linkadd <linkdn> <gpodn> [options]"),
504 _(" Link a container to a GPO\n"
505 " linkdn\tContainer to link to a GPO\n"
506 " gpodn\tGPO to link container to\n"));
507 d_printf(_("note: DNs must be provided properly escaped.\n"
508 "See RFC 4514 for details\n"));
512 mem_ctx = talloc_init("add_gpo_link");
513 if (mem_ctx == NULL) {
518 gpo_opt = atoi(argv[2]);
521 status = ads_startup(c, false, &ads);
522 if (!ADS_ERR_OK(status)) {
526 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
527 if (!ADS_ERR_OK(status)) {
528 d_printf(_("link add failed: %s\n"), ads_errstr(status));
533 talloc_destroy(mem_ctx);
541 static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
547 if (argc < 2 || c->display_usage) {
549 "net ads gpo linkdelete <linkdn> <gpodn>\n"
550 " Delete a GPO link\n"
551 " <linkdn>\tContainer to delete GPO from\n"
552 " <gpodn>\tGPO to delete from container\n");
556 mem_ctx = talloc_init("delete_gpo_link");
557 if (mem_ctx == NULL) {
561 status = ads_startup(c, false, &ads);
562 if (!ADS_ERR_OK(status)) {
566 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
567 if (!ADS_ERR_OK(status)) {
568 d_printf("delete link failed: %s\n", ads_errstr(status));
573 talloc_destroy(mem_ctx);
581 static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
586 struct GROUP_POLICY_OBJECT gpo;
588 if (argc < 1 || c->display_usage) {
589 d_printf("%s\n%s\n%s",
591 _("net ads gpo getgpo <gpo>"),
592 _(" List speciefied GPO\n"
593 " gpo\t\tGPO to list\n"));
597 mem_ctx = talloc_init("ads_gpo_get_gpo");
598 if (mem_ctx == NULL) {
602 status = ads_startup(c, false, &ads);
603 if (!ADS_ERR_OK(status)) {
607 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
608 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
610 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
613 if (!ADS_ERR_OK(status)) {
614 d_printf(_("get gpo for [%s] failed: %s\n"), argv[0],
619 dump_gpo(ads, mem_ctx, &gpo, 1);
622 talloc_destroy(mem_ctx);
628 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
630 struct functable func[] = {
635 "Apply GPO to container",
636 "net ads gpo apply\n"
637 " Apply GPO to container"
643 N_("List specified GPO"),
644 N_("net ads gpo getgpo\n"
645 " List specified GPO")
649 net_ads_gpo_link_add,
651 N_("Link a container to a GPO"),
652 N_("net ads gpo linkadd\n"
653 " Link a container to a GPO")
658 net_ads_gpo_link_delete,
660 "Delete GPO link from a container",
661 "net ads gpo linkdelete\n"
662 " Delete GPO link from a container"
667 net_ads_gpo_link_get,
669 N_("Lists gPLink of containter"),
670 N_("net ads gpo linkget\n"
671 " Lists gPLink of containter")
677 N_("Lists all GPOs for machine/user"),
678 N_("net ads gpo list\n"
679 " Lists all GPOs for machine/user")
683 net_ads_gpo_list_all,
685 N_("Lists all GPOs on a DC"),
686 N_("net ads gpo listall\n"
687 " Lists all GPOs on a DC")
693 N_("Lists all GPOs assigned to an account and "
695 N_("net ads gpo refresh\n"
696 " Lists all GPOs assigned to an account and "
699 {NULL, NULL, 0, NULL, NULL}
702 return net_run_function(c, argc, argv, "net ads gpo", func);
705 #endif /* HAVE_ADS */
git.samba.org / samba.git / blob