X-Git-Url: http://git.samba.org/samba.git/?a=blobdiff_plain;f=libgpo%2Fgpo_util.c;h=6ad5c3b7f2fadae197d717968c4211b84fb46d9c;hb=066ec8d6c75b172ba08d2d64938b2e2d50f66c84;hp=9bfb353dad01bcc13a29262d8af5179800a8a198;hpb=248554370af30f485a4088d0d5de675e77b2aa7b;p=gd%2Fsamba-autobuild%2F.git diff --git a/libgpo/gpo_util.c b/libgpo/gpo_util.c index 9bfb353dad0..6ad5c3b7f2f 100644 --- a/libgpo/gpo_util.c +++ b/libgpo/gpo_util.c @@ -18,15 +18,19 @@ */ #include "includes.h" +#include "system/filesys.h" #include "librpc/gen_ndr/ndr_misc.h" -#if _SAMBA_BUILD_ == 4 +#include "../librpc/gen_ndr/ndr_security.h" #include "../libgpo/gpo.h" -#include "source4/libgpo/ads_convenience.h" -#endif -#undef strdup +#include "../libcli/security/security.h" +#include "registry.h" +#include "libgpo/gpo_proto.h" +#include "libgpo/gpext/gpext.h" +#if 0 #define DEFAULT_DOMAIN_POLICY "Default Domain Policy" #define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy" +#endif /* should we store a parsed guid ? */ struct gp_table { @@ -225,15 +229,14 @@ void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel) /**************************************************************** ****************************************************************/ -void dump_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, +void dump_gpo(const struct GROUP_POLICY_OBJECT *gpo, int debuglevel) { int lvl = debuglevel; + TALLOC_CTX *frame = talloc_stackframe(); if (gpo == NULL) { - return; + goto out; } DEBUG(lvl,("---------------------\n\n")); @@ -297,9 +300,9 @@ void dump_gpo(ADS_STRUCT *ads, struct GP_EXT *gp_ext = NULL; - if (!ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, + if (!ads_parse_gp_ext(frame, gpo->machine_extensions, &gp_ext)) { - return; + goto out; } dump_gp_ext(gp_ext, lvl); } 
@@ -310,39 +313,39 @@ void dump_gpo(ADS_STRUCT *ads, struct GP_EXT *gp_ext = NULL; - if (!ads_parse_gp_ext(mem_ctx, gpo->user_extensions, + if (!ads_parse_gp_ext(frame, gpo->user_extensions, &gp_ext)) { - return; + goto out; } dump_gp_ext(gp_ext, lvl); } + if (gpo->security_descriptor) { + DEBUGADD(lvl,("security descriptor:\n")); - DEBUGADD(lvl,("security descriptor:\n")); - - NDR_PRINT_DEBUG(security_descriptor, gpo->security_descriptor); + NDR_PRINT_DEBUG(security_descriptor, gpo->security_descriptor); + } + out: + talloc_free(frame); } /**************************************************************** ****************************************************************/ -void dump_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo_list, +void dump_gpo_list(const struct GROUP_POLICY_OBJECT *gpo_list, int debuglevel) { - struct GROUP_POLICY_OBJECT *gpo = NULL; + const struct GROUP_POLICY_OBJECT *gpo = NULL; for (gpo = gpo_list; gpo; gpo = gpo->next) { - dump_gpo(ads, mem_ctx, gpo, debuglevel); + dump_gpo(gpo, debuglevel); } } /**************************************************************** ****************************************************************/ -void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) +void dump_gplink(const struct GP_LINK *gp_link) { - ADS_STATUS status; int i; int lvl = 10; @@ -382,22 +385,6 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED")); } DEBUGADD(lvl,("\n")); - - if (ads != NULL && mem_ctx != NULL) { - - struct GROUP_POLICY_OBJECT gpo; - - status = ads_get_gpo(ads, mem_ctx, - gp_link->link_names[i], - NULL, NULL, &gpo); - if (!ADS_ERR_OK(status)) { - DEBUG(lvl,("get gpo for %s failed: %s\n", - gp_link->link_names[i], - ads_errstr(status))); - return; - } - dump_gpo(ads, mem_ctx, &gpo, lvl); - } } } 
@@ -406,10 +393,10 @@ void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link) /**************************************************************** ****************************************************************/ -static bool gpo_get_gp_ext_from_gpo(TALLOC_CTX *mem_ctx, - uint32_t flags, - struct GROUP_POLICY_OBJECT *gpo, - struct GP_EXT **gp_ext) +bool gpo_get_gp_ext_from_gpo(TALLOC_CTX *mem_ctx, + uint32_t flags, + const struct GROUP_POLICY_OBJECT *gpo, + struct GP_EXT **gp_ext) { ZERO_STRUCTP(*gp_ext); 
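Review bot: `ZERO_STRUCTP(*gp_ext)` at the top of gpo_get_gp_ext_from_gpo clears the struct that `*gp_ext` points at rather than resetting the out-pointer, and with `static` dropped this now depends on every external caller initialising its `struct GP_EXT *` before the call. An uninitialised pointer would hand the macro an arbitrary address, so `*gp_ext = NULL;` after a `gp_ext != NULL` check looks like what is meant; this assumes no caller passes in a pre-allocated struct, which the hunk does not show. The now-exported function still has only an empty banner, so a short comment naming the owner of the returned GP_EXT (presumably `mem_ctx`) would help. The body continues outside the hunk.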
@@ -439,125 +426,18 @@ static bool gpo_get_gp_ext_from_gpo(TALLOC_CTX *mem_ctx, /**************************************************************** ****************************************************************/ -ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const struct nt_user_token *token, - struct registry_key *root_key, - struct GROUP_POLICY_OBJECT *gpo, - const char *extension_guid_filter, - uint32_t flags) -{ - struct GP_EXT *gp_ext = NULL; - int i; - - DEBUG(10,("gpo_process_a_gpo: processing gpo %s (%s)\n", - gpo->name, gpo->display_name)); - if (extension_guid_filter) { - DEBUGADD(10,("gpo_process_a_gpo: using filter %s (%s)\n", - extension_guid_filter, - cse_gpo_guid_string_to_name(extension_guid_filter))); - } - - if (!gpo_get_gp_ext_from_gpo(mem_ctx, flags, gpo, &gp_ext)) { - return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER); - } - - if (!gp_ext || !gp_ext->num_exts) { - if (flags & GPO_INFO_FLAG_VERBOSE) { - DEBUG(0,("gpo_process_a_gpo: " - "no policies in %s (%s) for this extension\n", - gpo->name, gpo->display_name)); - } - return ADS_SUCCESS; - } - - for (i=0; inum_exts; i++) { - - NTSTATUS ntstatus; - - if (extension_guid_filter && - !strequal(extension_guid_filter, - gp_ext->extensions_guid[i])) { - continue; - } - - ntstatus = gpext_process_extension(ads, mem_ctx, - flags, token, root_key, gpo, - gp_ext->extensions_guid[i], - gp_ext->snapins_guid[i]); - if (!NT_STATUS_IS_OK(ntstatus)) { - ADS_ERROR_NT(ntstatus); - } - } - - return ADS_SUCCESS; -} - -/**************************************************************** -****************************************************************/ - -static ADS_STATUS gpo_process_gpo_list_by_ext(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const struct nt_user_token *token, - struct registry_key *root_key, - struct GROUP_POLICY_OBJECT *gpo_list, - const char *extensions_guid, - uint32_t flags) +NTSTATUS gpo_process_gpo_list(TALLOC_CTX *mem_ctx, + const struct security_token *token, + const 
struct GROUP_POLICY_OBJECT *deleted_gpo_list, + const struct GROUP_POLICY_OBJECT *changed_gpo_list, + const char *extensions_guid_filter, + uint32_t flags) { - ADS_STATUS status; - struct GROUP_POLICY_OBJECT *gpo; - - for (gpo = gpo_list; gpo; gpo = gpo->next) { - - if (gpo->link_type == GP_LINK_LOCAL) { - continue; - } - - - /* FIXME: we need to pass down the *list* down to the - * extension, otherwise we cannot store the e.g. the *list* of - * logon-scripts correctly (for more then one GPO) */ - - status = gpo_process_a_gpo(ads, mem_ctx, token, root_key, - gpo, extensions_guid, flags); - - if (!ADS_ERR_OK(status)) { - DEBUG(0,("failed to process gpo by ext: %s\n", - ads_errstr(status))); - return status; - } - } - - return ADS_SUCCESS; -} - -/**************************************************************** -****************************************************************/ - -ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, - TALLOC_CTX *mem_ctx, - const struct nt_user_token *token, - struct GROUP_POLICY_OBJECT *gpo_list, - const char *extensions_guid_filter, - uint32_t flags) -{ - ADS_STATUS status = ADS_SUCCESS; - struct gp_extension *gp_ext_list = NULL; - struct gp_extension *gp_ext = NULL; + NTSTATUS status = NT_STATUS_OK; struct registry_key *root_key = NULL; struct gp_registry_context *reg_ctx = NULL; WERROR werr; - status = ADS_ERROR_NT(init_gp_extensions(mem_ctx)); - if (!ADS_ERR_OK(status)) { - return status; - } - - gp_ext_list = get_gp_extension_list(); - if (!gp_ext_list) { - return ADS_ERROR_NT(NT_STATUS_DLL_INIT_FAILED); - } - /* get the key here */ if (flags & GPO_LIST_FLAG_MACHINE) { werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE, 
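Review bot: The new gpo_process_gpo_list signature takes `deleted_gpo_list` and `changed_gpo_list`, but the banner above it is still empty, so nothing tells a caller how each list is treated or whether either may be NULL. A comment along the lines of `/* run the client-side extensions over the deleted and changed GPO lists; GPO_LIST_FLAG_MACHINE in flags selects the HKLM registry root */` would cover it, with the wording confirmed against gpext_process_extension. The function body continues in the next hunk.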
@@ -569,59 +449,35 @@ ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads, ®_ctx); } if (!W_ERROR_IS_OK(werr)) { - gp_free_reg_ctx(reg_ctx); - return ADS_ERROR_NT(werror_to_ntstatus(werr)); + talloc_free(reg_ctx); + return werror_to_ntstatus(werr); } root_key = reg_ctx->curr_key; - for (gp_ext = gp_ext_list; gp_ext; gp_ext = gp_ext->next) { - - const char *guid_str = NULL; - - guid_str = GUID_string(mem_ctx, gp_ext->guid); - if (!guid_str) { - status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY); - goto done; - } - - if (extensions_guid_filter && - (!strequal(guid_str, extensions_guid_filter))) { - continue; - } - - DEBUG(0,("-------------------------------------------------\n")); - DEBUG(0,("gpo_process_gpo_list: processing ext: %s {%s}\n", - gp_ext->name, guid_str)); - - - status = gpo_process_gpo_list_by_ext(ads, mem_ctx, token, - root_key, gpo_list, - guid_str, flags); - if (!ADS_ERR_OK(status)) { - goto done; - } - } - - done: - gp_free_reg_ctx(reg_ctx); + status = gpext_process_extension(mem_ctx, + flags, token, root_key, + deleted_gpo_list, + changed_gpo_list, + extensions_guid_filter); + talloc_free(reg_ctx); talloc_free(root_key); - free_gp_extensions(); + gpext_free_gp_extensions(); return status; } /**************************************************************** - check wether the version number in a GROUP_POLICY_OBJECT match those of the + check whether the version number in a GROUP_POLICY_OBJECT match those of the locally stored version. If not, fetch the required policy via CIFS ****************************************************************/ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const char *cache_dir, uint32_t flags, - struct GROUP_POLICY_OBJECT *gpo, - struct cli_state **cli_out) + const struct GROUP_POLICY_OBJECT *gpo) { NTSTATUS result; char *server = NULL; 
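Review bot: The cleanup at the end of gpo_process_gpo_list frees `reg_ctx` and then `root_key`, which was read from `reg_ctx->curr_key`. If curr_key is allocated as a talloc child of reg_ctx (its allocation is not visible here), the second call touches memory that has already been released. Either drop `talloc_free(root_key);` or free the key before its context. The error path also calls `talloc_free(reg_ctx)` on a pointer that may still be NULL; that is harmless, but the branch could simply be `return werror_to_ntstatus(werr);`.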
@@ -630,9 +486,8 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, char *unix_path = NULL; uint32_t sysvol_gpt_version = 0; char *display_name = NULL; - struct cli_state *cli = NULL; - result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, + result = gpo_explode_filesyspath(mem_ctx, cache_dir, gpo->file_sys_path, &server, &share, &nt_path, &unix_path); if (!NT_STATUS_IS_OK(result)) { @@ -660,30 +515,7 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, DEBUG(1,("check_refresh_gpo: need to refresh GPO\n")); - if (*cli_out == NULL) { - - result = cli_full_connection(&cli, - global_myname(), - ads_get_ldap_server_name(ads), - /* server */ - NULL, 0, - share, "A:", - ads->auth.user_name, NULL, - ads->auth.password, - CLI_FULL_CONNECTION_USE_KERBEROS | - CLI_FULL_CONNECTION_FALLBACK_AFTER_KERBEROS, - Undefined, NULL); - if (!NT_STATUS_IS_OK(result)) { - DEBUG(10,("check_refresh_gpo: " - "failed to connect: %s\n", - nt_errstr(result))); - goto out; - } - - *cli_out = cli; - } - - result = gpo_fetch_files(mem_ctx, *cli_out, gpo); + result = gpo_fetch_files(mem_ctx, ads, cache_dir, gpo); if (!NT_STATUS_IS_OK(result)) { goto out; } @@ -723,18 +555,18 @@ NTSTATUS check_refresh_gpo(ADS_STRUCT *ads, } /**************************************************************** - check wether the version numbers in the gpo_list match the locally stored, if + check whether the version numbers in the gpo_list match the locally stored, if not, go and get each required GPO via CIFS ****************************************************************/ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, + const char *cache_dir, uint32_t flags, - struct GROUP_POLICY_OBJECT *gpo_list) + const struct GROUP_POLICY_OBJECT *gpo_list) { NTSTATUS result = NT_STATUS_UNSUCCESSFUL; - struct cli_state *cli = NULL; - struct GROUP_POLICY_OBJECT *gpo; + const struct GROUP_POLICY_OBJECT *gpo; if (!gpo_list) { return NT_STATUS_INVALID_PARAMETER; 
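Review bot: check_refresh_gpo now builds `unix_path` from the new `cache_dir` argument plus `gpo->file_sys_path`, and the latter is presumably a value read from the directory rather than from local configuration. Nothing in these hunks rejects a NULL `cache_dir` or confirms that the exploded path stays below it. If gpo_explode_filesyspath does not already refuse `..` components, that check belongs there or here, before gpo_fetch_files writes into the cache. A guard such as `if (cache_dir == NULL) return NT_STATUS_INVALID_PARAMETER;` at the top would at least pin the first case. The function starts and ends outside these hunks.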
@@ -742,7 +574,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, for (gpo = gpo_list; gpo; gpo = gpo->next) { - result = check_refresh_gpo(ads, mem_ctx, flags, gpo, &cli); + result = check_refresh_gpo(ads, mem_ctx, cache_dir, flags, gpo); if (!NT_STATUS_IS_OK(result)) { goto out; } @@ -751,9 +583,7 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, result = NT_STATUS_OK; out: - if (cli) { - cli_shutdown(cli); - } + /* FIXME close cli connection */ return result; } 
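Review bot: `/* FIXME close cli connection */` replaces the `cli_shutdown(cli)` cleanup, but check_refresh_gpo_list no longer has a connection in scope, so the comment does not say what is left open or who should close it. If gpo_fetch_files opens and closes its own SMB connection per GPO, the FIXME should be deleted. If it does not, the loop leaves one connection open per refreshed GPO and the comment should name that function. With nothing left to release, the `out:` label could also go and the loop could `return result;` directly.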
@@ -762,45 +592,51 @@ NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads, ****************************************************************/ NTSTATUS gpo_get_unix_path(TALLOC_CTX *mem_ctx, - struct GROUP_POLICY_OBJECT *gpo, + const char *cache_dir, + const struct GROUP_POLICY_OBJECT *gpo, char **unix_path) { char *server, *share, *nt_path; - return gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, + return gpo_explode_filesyspath(mem_ctx, cache_dir, gpo->file_sys_path, &server, &share, &nt_path, unix_path); } /**************************************************************** ****************************************************************/ -char *gpo_flag_str(uint32_t flags) +char *gpo_flag_str(TALLOC_CTX *ctx, uint32_t flags) { - fstring str = ""; + char *str = NULL; if (flags == 0) { return NULL; } + str = talloc_strdup(ctx, ""); + if (!str) { + return NULL; + } + if (flags & GPO_INFO_FLAG_SLOWLINK) - fstrcat(str, "GPO_INFO_FLAG_SLOWLINK "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_SLOWLINK "); if (flags & GPO_INFO_FLAG_VERBOSE) - fstrcat(str, "GPO_INFO_FLAG_VERBOSE "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_VERBOSE "); if (flags & GPO_INFO_FLAG_SAFEMODE_BOOT) - fstrcat(str, "GPO_INFO_FLAG_SAFEMODE_BOOT "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_SAFEMODE_BOOT "); if (flags & GPO_INFO_FLAG_NOCHANGES) - fstrcat(str, "GPO_INFO_FLAG_NOCHANGES "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_NOCHANGES "); if (flags & GPO_INFO_FLAG_MACHINE) - fstrcat(str, "GPO_INFO_FLAG_MACHINE "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_MACHINE "); if (flags & GPO_INFO_FLAG_LOGRSOP_TRANSITION) - fstrcat(str, "GPO_INFO_FLAG_LOGRSOP_TRANSITION "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_LOGRSOP_TRANSITION "); if (flags & GPO_INFO_FLAG_LINKTRANSITION) - fstrcat(str, "GPO_INFO_FLAG_LINKTRANSITION "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_LINKTRANSITION "); if (flags & GPO_INFO_FLAG_FORCED_REFRESH) - fstrcat(str, 
"GPO_INFO_FLAG_FORCED_REFRESH "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_FORCED_REFRESH "); if (flags & GPO_INFO_FLAG_BACKGROUND) - fstrcat(str, "GPO_INFO_FLAG_BACKGROUND "); + str = talloc_strdup_append(str, "GPO_INFO_FLAG_BACKGROUND "); - return strdup(str); + return str; } /**************************************************************** 
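Review bot: None of the `talloc_strdup_append` results in gpo_flag_str are checked. The call returns NULL on failure, and as far as I know talloc treats a NULL first argument on the next call as a request for a fresh string, so the function can return a partial flag list that is no longer parented to `ctx`. Checking after each append with `if (str == NULL) return NULL;`, or routing the appends through one small helper, closes that. The signature change also moves ownership from malloc to talloc, so any caller still releasing the result with `free()` needs updating; those callers are outside this diff.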
@@ -852,25 +688,106 @@ NTSTATUS gp_find_file(TALLOC_CTX *mem_ctx, ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *dn, - struct nt_user_token **token) + struct security_token **token) { - struct nt_user_token *ad_token = NULL; +#ifdef HAVE_ADS + struct security_token *ad_token = NULL; ADS_STATUS status; NTSTATUS ntstatus; -#ifndef HAVE_ADS - return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED); -#endif status = ads_get_sid_token(ads, mem_ctx, dn, &ad_token); if (!ADS_ERR_OK(status)) { return status; } - ntstatus = merge_nt_token(mem_ctx, ad_token, get_system_token(), token); if (!NT_STATUS_IS_OK(ntstatus)) { return ADS_ERROR_NT(ntstatus); } - return ADS_SUCCESS; +#else + return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED); +#endif +} + +/**************************************************************** +****************************************************************/ + +NTSTATUS gpo_copy(TALLOC_CTX *mem_ctx, + const struct GROUP_POLICY_OBJECT *gpo_src, + struct GROUP_POLICY_OBJECT **gpo_dst) +{ + struct GROUP_POLICY_OBJECT *gpo; + + gpo = talloc_zero(mem_ctx, struct GROUP_POLICY_OBJECT); + NT_STATUS_HAVE_NO_MEMORY(gpo); + + gpo->options = gpo_src->options; + gpo->version = gpo_src->version; + + gpo->ds_path = talloc_strdup(gpo, gpo_src->ds_path); + if (gpo->ds_path == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->file_sys_path = talloc_strdup(gpo, gpo_src->file_sys_path); + if (gpo->file_sys_path == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->display_name = talloc_strdup(gpo, gpo_src->display_name); + if (gpo->display_name == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->name = talloc_strdup(gpo, gpo_src->name); + if (gpo->name == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->link = talloc_strdup(gpo, gpo_src->link); + if (gpo->link == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->link_type = gpo_src->link_type; + + if 
(gpo_src->user_extensions) { + gpo->user_extensions = talloc_strdup(gpo, gpo_src->user_extensions); + if (gpo->user_extensions == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + } + + if (gpo_src->machine_extensions) { + gpo->machine_extensions = talloc_strdup(gpo, gpo_src->machine_extensions); + if (gpo->machine_extensions == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + } + + if (gpo_src->security_descriptor == NULL) { + /* existing SD assumed */ + TALLOC_FREE(gpo); + return NT_STATUS_INVALID_PARAMETER; + } + gpo->security_descriptor = security_descriptor_copy(gpo, + gpo_src->security_descriptor); + if (gpo->security_descriptor == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->next = gpo->prev = NULL; + + *gpo_dst = gpo; + + return NT_STATUS_OK; }
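Review bot: gpo_copy dereferences `gpo_src` without a NULL check and reports `NT_STATUS_NO_MEMORY` whenever a source string such as `link` or `display_name` is NULL, because `talloc_strdup` returns NULL for a NULL source as well as on allocation failure. The `security_descriptor == NULL` rejection also comes only after all the string copies have been allocated. Moving the validation to the top, `if (gpo_src == NULL || gpo_src->security_descriptor == NULL) return NT_STATUS_INVALID_PARAMETER;`, and treating the mandatory strings the same way would make the status codes meaningful. Whether `link` may legitimately be NULL for some link types is not visible here; if so, it needs the same guard as `user_extensions`.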