Add getinheritance and setinheritance to net gpo util and library.

Signed-off-by: Jelmer Vernooij <jelmer@samba.org>

diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
index 2d8d4f921c03ba44566ce04dbc0f12f137cb9d1a..f8806e964300855162b2f011f78c02371464bc48 100644 (file)
--- a/source4/lib/policy/gp_ldap.c
+++ b/source4/lib/policy/gp_ldap.c
@@ -677,3 +677,64 @@ NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char
        talloc_free(mem_ctx);
        return NT_STATUS_OK;
 }
+
+NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
+{
+       TALLOC_CTX *mem_ctx;
+       struct ldb_result *result;
+       struct ldb_dn *dn;
+       const char *attrs[] = { "gPOptions", NULL };
+       int rv;
+
+       /* Create a forked memory context, as a base for everything here */
+       mem_ctx = talloc_new(gp_ctx);
+
+       dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+       rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
+       if (rv != LDB_SUCCESS) {
+               DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+               talloc_free(mem_ctx);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       if (result->count != 1) {
+               talloc_free(mem_ctx);
+               return NT_STATUS_NOT_FOUND;
+       }
+
+       *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
+
+       talloc_free(mem_ctx);
+       return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
+{
+       char *inheritance_string;
+       struct ldb_message *msg;
+       int rv;
+
+       msg = ldb_msg_new(gp_ctx);
+       msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
+
+       inheritance_string = talloc_asprintf(msg, "%d", inheritance);
+
+       rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
+       if (rv != 0) {
+               DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
+               talloc_free(msg);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+       msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+       rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+       if (rv != 0) {
+               DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+               talloc_free(msg);
+               return NT_STATUS_UNSUCCESSFUL;
+       }
+
+       talloc_free(msg);
+       return NT_STATUS_OK;
+}

diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h
index 05a28159890908c91747c7993ad88b0316f16d44..2811abf608d560b4cbedb57f5ff2da6059780c4a 100644 (file)
--- a/source4/lib/policy/policy.h
+++ b/source4/lib/policy/policy.h
@@ -29,6 +29,8 @@
 #define GPO_FLAG_USER_DISABLE          (1 << 0)
 #define GPO_FLAG_MACHINE_DISABLE       (1 << 1)
 
+struct security_token;
+
 enum gpo_inheritance {
        GPO_INHERIT = 0,
        GPO_BLOCK_INHERITANCE = 1,
@@ -82,5 +84,7 @@ NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret
 
 NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink);
 NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gp_dn);
+NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance);
+NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance);
 
 #endif

diff --git a/source4/utils/net/net_gpo.c b/source4/utils/net/net_gpo.c
index 61e10bc395d70500d4215941266193f0184077b4..bfcb0f0ad297590d316d8e84de6e6583501597b2 100644 (file)
--- a/source4/utils/net/net_gpo.c
+++ b/source4/utils/net/net_gpo.c
@@ -134,8 +134,8 @@ static int net_gpo_get_gpo(struct net_context *ctx, int argc, const char **argv)
 
 static int net_gpo_link_get_usage(struct net_context *ctx, int argc, const char **argv)
 {
-       d_printf("Syntax: net gpo linkget <dn> [options]\n");
-       d_printf("For a list of available options, please type net gpo linkget --help\n");
+       d_printf("Syntax: net gpo getlink <dn> [options]\n");
+       d_printf("For a list of available options, please type net gpo getlink --help\n");
        return 0;
 }
 
@@ -274,8 +274,8 @@ static int net_gpo_list(struct net_context *ctx, int argc, const char **argv)
 
 static int net_gpo_link_set_usage(struct net_context *ctx, int argc, const char **argv)
 {
-       d_printf("Syntax: net gpo linkset <container> <gpo> ['disable'] ['enforce'] [options]\n");
-       d_printf("For a list of available options, please type net gpo linkset --help\n");
+       d_printf("Syntax: net gpo setlink <container> <gpo> ['disable'] ['enforce'] [options]\n");
+       d_printf("For a list of available options, please type net gpo setlink --help\n");
        return 0;
 }
 
@@ -324,8 +324,8 @@ static int net_gpo_link_set(struct net_context *ctx, int argc, const char **argv
 
 static int net_gpo_link_del_usage(struct net_context *ctx, int argc, const char **argv)
 {
-       d_printf("Syntax: net gpo linkdel <container> <gpo> [options]\n");
-       d_printf("For a list of available options, please type net gpo linkdel --help\n");
+       d_printf("Syntax: net gpo dellink <container> <gpo> [options]\n");
+       d_printf("For a list of available options, please type net gpo dellink --help\n");
        return 0;
 }
 
@@ -358,12 +358,96 @@ static int net_gpo_link_del(struct net_context *ctx, int argc, const char **argv
        return 0;
 }
 
+static int net_gpo_inheritance_get_usage(struct net_context *ctx, int argc, const char **argv)
+{
+       d_printf("Syntax: net gpo getinheritance <container> [options]\n");
+       d_printf("For a list of available options, please type net gpo getinheritance --help\n");
+       return 0;
+}
+
+static int net_gpo_inheritance_get(struct net_context *ctx, int argc, const char **argv)
+{
+       struct gp_context *gp_ctx;
+       enum gpo_inheritance inheritance;
+       NTSTATUS status;
+
+       if (argc != 1) {
+               return net_gpo_inheritance_get_usage(ctx, argc, argv);
+       }
+
+       status = gp_init(ctx, ctx->lp_ctx, ctx->credentials, ctx->event_ctx, &gp_ctx);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("Failed to connect to DC's LDAP: %s\n", get_friendly_nt_error_msg(status)));
+               return 1;
+       }
+
+       status = gp_get_inheritance(gp_ctx, argv[0], &inheritance);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("Failed to set GPO link on container: %s\n", get_friendly_nt_error_msg(status)));
+               return 1;
+       }
+
+       if (inheritance == GPO_BLOCK_INHERITANCE) {
+               d_printf("container has GPO_BLOCK_INHERITANCE\n");
+       } else {
+               d_printf("container has GPO_INHERIT\n");
+       }
+
+       talloc_free(gp_ctx);
+       return 0;
+}
+
+static int net_gpo_inheritance_set_usage(struct net_context *ctx, int argc, const char **argv)
+{
+       d_printf("Syntax: net gpo setinheritance <container> <\"block\"|\"inherit\"> [options]\n");
+       d_printf("For a list of available options, please type net gpo setinheritance --help\n");
+       return 0;
+}
+
+static int net_gpo_inheritance_set(struct net_context *ctx, int argc, const char **argv)
+{
+       struct gp_context *gp_ctx;
+       enum gpo_inheritance inheritance;
+       NTSTATUS status;
+
+       if (argc != 2) {
+               return net_gpo_inheritance_set_usage(ctx, argc, argv);
+       }
+
+       if (strcmp(argv[1], "inherit") == 0) {
+               inheritance = GPO_INHERIT;
+       } else if (strcmp(argv[1], "block") == 0) {
+               inheritance = GPO_BLOCK_INHERITANCE;
+       } else {
+               return net_gpo_inheritance_set_usage(ctx, argc, argv);
+       }
+
+       status = gp_init(ctx, ctx->lp_ctx, ctx->credentials, ctx->event_ctx, &gp_ctx);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("Failed to connect to DC's LDAP: %s\n", get_friendly_nt_error_msg(status)));
+               return 1;
+       }
+
+       status = gp_set_inheritance(gp_ctx, argv[0], inheritance);
+       if (!NT_STATUS_IS_OK(status)) {
+               DEBUG(0, ("Failed to set GPO link on container: %s\n", get_friendly_nt_error_msg(status)));
+               return 1;
+       }
+
+       /* Display current links */
+       net_gpo_inheritance_get(ctx, 1, argv);
+
+       return 0;
+}
+
 static const struct net_functable net_gpo_functable[] = {
        { "listall", "List all GPO's on a DC\n", net_gpo_list_all, net_gpo_list_all_usage },
        { "getgpo", "List specificied GPO\n", net_gpo_get_gpo, net_gpo_get_gpo_usage },
-       { "linkget", "List gPLink of container\n", net_gpo_link_get, net_gpo_link_get_usage },
-       { "linkset", "Link a GPO to a container\n", net_gpo_link_set, net_gpo_link_set_usage },
-       { "linkdel", "Delete GPO link from a container\n", net_gpo_link_del, net_gpo_link_del_usage },
+       { "getlink", "List gPLink of container\n", net_gpo_link_get, net_gpo_link_get_usage },
+       { "setlink", "Link a GPO to a container\n", net_gpo_link_set, net_gpo_link_set_usage },
+       { "dellink", "Delete GPO link from a container\n", net_gpo_link_del, net_gpo_link_del_usage },
+       { "getinheritance", "Get inheritance flag from a container\n", net_gpo_inheritance_get, net_gpo_inheritance_get_usage },
+       { "setinheritance", "Set inheritance flag on a container\n", net_gpo_inheritance_set, net_gpo_inheritance_set_usage },
        { "list", "List all GPO's for a machine/user\n", net_gpo_list, net_gpo_list_usage },
 /*     { "apply", "Apply GPO to container\n", net_gpo_apply, net_gpo_usage }, */
 //     { "refresh", "List all GPO's for machine/user and download them\n", net_gpo_refresh, net_gpo_refresh_usage },