}
if (!reg_ctx) {
- struct nt_user_token *token;
+ NT_USER_TOKEN *token;
token = registry_create_system_token(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(token);
NTSTATUS process_gpo_list_with_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extension_guid,
const char *snapin_guid)
NTSTATUS gpext_process_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
TALLOC_CTX *mem_ctx,
uint32_t flags,
struct registry_key *root_key,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
const char *snapin_guid);
NTSTATUS (*process_group_policy2)(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extension_guid);
NTSTATUS process_gpo_list_with_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extension_guid,
const char *snapin_guid);
NTSTATUS gpext_process_extension(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid,
};
struct gp_registry_context {
- const struct nt_user_token *token;
+ const NT_USER_TOKEN *token;
const char *path;
struct registry_key *curr_key;
};
/* The following definitions come from libgpo/gpo_fetch.c */
NTSTATUS gpo_explode_filesyspath(TALLOC_CTX *mem_ctx,
+ const char *cache_path,
const char *file_sys_path,
char **server,
char **service,
char **nt_path,
char **unix_path);
NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
+ const char *cache_path,
struct cli_state *cli,
struct GROUP_POLICY_OBJECT *gpo);
NTSTATUS gpo_get_sysvol_gpt_version(TALLOC_CTX *mem_ctx,
ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
- struct nt_user_token **token);
+ NT_USER_TOKEN **token);
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT **gpo_list);
/* The following definitions come from libgpo/gpo_sec.c */
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
- const struct nt_user_token *token);
+ const NT_USER_TOKEN *token);
/* The following definitions come from libgpo/gpo_util.c */
void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link);
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter,
uint32_t flags);
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid_filter,
uint32_t flags);
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
+ const char *cache_path,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out);
ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
- struct nt_user_token **token);
+ NT_USER_TOKEN **token);
#include "../libgpo/gpext/gpext.h"
****************************************************************/
NTSTATUS gpo_explode_filesyspath(TALLOC_CTX *mem_ctx,
+ const char *cache_path,
const char *file_sys_path,
char **server,
char **service,
if ((path = talloc_asprintf(mem_ctx,
"%s/%s",
- cache_path(GPO_CACHE_DIR),
+ cache_path,
file_sys_path)) == NULL) {
return NT_STATUS_NO_MEMORY;
}
+#if _SAMBA_BUILD_ == 4
+ path = string_sub_talloc(mem_ctx, path, "\\", "/");
+#else
path = talloc_string_sub(mem_ctx, path, "\\", "/");
+#endif
if (!path) {
return NT_STATUS_NO_MEMORY;
}
****************************************************************/
static NTSTATUS gpo_prepare_local_store(TALLOC_CTX *mem_ctx,
+ const char *cache_path,
const char *unix_path)
{
- const char *top_dir = cache_path(GPO_CACHE_DIR);
char *current_dir;
char *tok;
- current_dir = talloc_strdup(mem_ctx, top_dir);
+ current_dir = talloc_strdup(mem_ctx, cache_path);
NT_STATUS_HAVE_NO_MEMORY(current_dir);
- if ((mkdir(top_dir, 0644)) < 0 && errno != EEXIST) {
+ if ((mkdir(cache_path, 0644)) < 0 && errno != EEXIST) {
return NT_STATUS_ACCESS_DENIED;
}
****************************************************************/
NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
+ const char *cache_path,
struct cli_state *cli,
struct GROUP_POLICY_OBJECT *gpo)
{
char *server, *service, *nt_path, *unix_path;
char *nt_ini_path, *unix_ini_path;
- result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ result = gpo_explode_filesyspath(mem_ctx, cache_path, gpo->file_sys_path,
&server, &service, &nt_path,
&unix_path);
NT_STATUS_NOT_OK_RETURN(result);
- result = gpo_prepare_local_store(mem_ctx, unix_path);
+ result = gpo_prepare_local_store(mem_ctx, cache_path, unix_path);
NT_STATUS_NOT_OK_RETURN(result);
unix_ini_path = talloc_asprintf(mem_ctx, "%s/%s", unix_path, GPT_INI);
struct GP_LINK *gp_link,
enum GPO_LINK_TYPE link_type,
bool only_add_forced_gpos,
- const struct nt_user_token *token)
+ const NT_USER_TOKEN *token)
{
ADS_STATUS status;
int i;
ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
- struct nt_user_token **token)
+ NT_USER_TOKEN **token)
{
ADS_STATUS status;
DOM_SID object_sid;
size_t num_ad_token_sids = 0;
DOM_SID *token_sids;
size_t num_token_sids = 0;
- struct nt_user_token *new_token = NULL;
+ NT_USER_TOKEN *new_token = NULL;
int i;
status = ads_get_tokensids(ads, mem_ctx, dn,
TALLOC_CTX *mem_ctx,
const char *dn,
uint32_t flags,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT **gpo_list)
{
/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
*/
#include "includes.h"
+#include "libcli/security/dom_sid.h"
+#if _SAMBA_BUILD_ == 4
+#include "libgpo/ads_convenience.h"
#include "librpc/gen_ndr/security.h"
#include "librpc/gen_ndr/ndr_misc.h"
#include "../libgpo/gpo.h"
+#endif
/****************************************************************
****************************************************************/
static bool gpo_sd_check_agp_access_bits(uint32_t access_mask)
{
+#if _SAMBA_BUILD_ == 4
+ return (access_mask & SEC_ADS_CONTROL_ACCESS);
+#else
return (access_mask & SEC_RIGHTS_EXTENDED);
+#endif
}
#if 0
****************************************************************/
static NTSTATUS gpo_sd_check_ace_denied_object(const struct security_ace *ace,
- const struct nt_user_token *token)
+ const NT_USER_TOKEN *token)
{
+ char *sid_str;
+
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
+ sid_str = dom_sid_string(NULL, &ace->trustee);
DEBUG(10,("gpo_sd_check_ace_denied_object: "
"Access denied as of ace for %s\n",
- sid_string_dbg(&ace->trustee)));
+ sid_str));
+ talloc_free(sid_str);
return NT_STATUS_ACCESS_DENIED;
}
****************************************************************/
static NTSTATUS gpo_sd_check_ace_allowed_object(const struct security_ace *ace,
- const struct nt_user_token *token)
+ const NT_USER_TOKEN *token)
{
+ char *sid_str;
+
if (gpo_sd_check_agp_object(ace) &&
gpo_sd_check_agp_access_bits(ace->access_mask) &&
nt_token_check_sid(&ace->trustee, token)) {
+ sid_str = dom_sid_string(NULL, &ace->trustee);
DEBUG(10,("gpo_sd_check_ace_allowed_object: "
"Access granted as of ace for %s\n",
- sid_string_dbg(&ace->trustee)));
+ sid_str));
+ talloc_free(sid_str);
+
return NT_STATUS_OK;
}
****************************************************************/
static NTSTATUS gpo_sd_check_ace(const struct security_ace *ace,
- const struct nt_user_token *token)
+ const NT_USER_TOKEN *token)
{
switch (ace->type) {
case SEC_ACE_TYPE_ACCESS_DENIED_OBJECT:
****************************************************************/
NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
- const struct nt_user_token *token)
+ const NT_USER_TOKEN *token)
{
struct security_descriptor *sd = gpo->security_descriptor;
struct security_acl *dacl = NULL;
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo,
const char *extension_guid_filter,
static ADS_STATUS gpo_process_gpo_list_by_ext(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct registry_key *root_key,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid,
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
- const struct nt_user_token *token,
+ const NT_USER_TOKEN *token,
struct GROUP_POLICY_OBJECT *gpo_list,
const char *extensions_guid_filter,
uint32_t flags)
if (!gp_ext_list) {
return ADS_ERROR_NT(NT_STATUS_DLL_INIT_FAILED);
}
-
+#if 0 /* Needs to be replaced with new patchfile_preg calls */
/* get the key here */
if (flags & GPO_LIST_FLAG_MACHINE) {
werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE,
token,
®_ctx);
}
+#endif
if (!W_ERROR_IS_OK(werr)) {
gp_free_reg_ctx(reg_ctx);
return ADS_ERROR_NT(werror_to_ntstatus(werr));
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
+ const char *cache_path,
uint32_t flags,
struct GROUP_POLICY_OBJECT *gpo,
struct cli_state **cli_out)
char *display_name = NULL;
struct cli_state *cli = NULL;
- result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
+ result = gpo_explode_filesyspath(mem_ctx, cache_path, gpo->file_sys_path,
&server, &share, &nt_path, &unix_path);
if (!NT_STATUS_IS_OK(result)) {
*cli_out = cli;
}
- result = gpo_fetch_files(mem_ctx, *cli_out, gpo);
+ result = gpo_fetch_files(mem_ctx, cache_path, *cli_out, gpo);
if (!NT_STATUS_IS_OK(result)) {
goto out;
}
ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
const char *dn,
- struct nt_user_token **token)
+ NT_USER_TOKEN **token)
{
- struct nt_user_token *ad_token = NULL;
+ NT_USER_TOKEN *ad_token = NULL;
ADS_STATUS status;
NTSTATUS ntstatus;
return ret;
}
+
+bool nt_token_check_sid( const struct dom_sid *sid, const NT_USER_TOKEN *token)
+{
+ int i;
+
+ if (!sid || !token) {
+ return false;
+ }
+
+ if (dom_sid_equal(sid, token->user_sid)) {
+ return true;
+ }
+ if (dom_sid_equal(sid, token->group_sid)) {
+ return true;
+ }
+ for (i = 0; i < token->num_sids; i++) {
+ if (dom_sid_equal(sid, token->sids[i])) {
+ return true;
+ }
+ }
+
+ return false;
+}
+
+
/*
FIXME
Stub write functions, these do not do anything, though they should. -- Wilco
struct ldb_context *ldbctx;
} ADS_STRUCT;
+
+typedef struct security_token NT_USER_TOKEN;
+
typedef struct ldb_result LDAPMessage;
typedef void ** ADS_MODLIST;
NTSTATUS ads_ntstatus(ADS_STATUS status);
ADS_STATUS ads_build_ldap_error(int ldb_error);
ADS_STATUS ads_build_nt_error(NTSTATUS nt_status);
+bool nt_token_check_sid( const struct dom_sid *sid, const NT_USER_TOKEN *token);
ADS_MODLIST ads_init_mods(TALLOC_CTX *ctx);
ADS_STATUS ads_mod_str(TALLOC_CTX *ctx, ADS_MODLIST *mods, const char *name, const char *val);
ADS_STATUS ads_gen_mod(ADS_STRUCT *ads, const char *mod_dn, ADS_MODLIST mods);
git.samba.org / ira / wip.git / commitdiff