2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #if _SAMBA_BUILD_ == 4
22 #include "libgpo/gpo.h"
23 #include "source4/libgpo/ads_convenience.h"
26 /****************************************************************
27 parse the raw extension string into a GP_EXT structure
28 ****************************************************************/
30 bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
31 const char *extension_raw,
32 struct GP_EXT **gp_ext)
35 struct GP_EXT *ext = NULL;
36 char **ext_list = NULL;
37 char **ext_strings = NULL;
44 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
46 ext = talloc_zero(mem_ctx, struct GP_EXT);
51 ext_list = str_list_make(mem_ctx, extension_raw, "]");
56 for (i = 0; ext_list[i] != NULL; i++) {
63 ext->extensions = talloc_zero_array(mem_ctx, char *,
65 ext->extensions_guid = talloc_zero_array(mem_ctx, char *,
67 ext->snapins = talloc_zero_array(mem_ctx, char *,
69 ext->snapins_guid = talloc_zero_array(mem_ctx, char *,
73 ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
75 if (!ext->extensions || !ext->extensions_guid ||
76 !ext->snapins || !ext->snapins_guid ||
81 for (i = 0; ext_list[i] != NULL; i++) {
86 DEBUGADD(10,("extension #%d\n", i));
94 ext_strings = str_list_make(mem_ctx, p, "}");
95 if (ext_strings == NULL) {
99 for (k = 0; ext_strings[k] != NULL; k++) {
109 ext->extensions[i] = talloc_strdup(mem_ctx,
110 cse_gpo_guid_string_to_name(q));
111 ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
113 /* we might have no name for the guid */
114 if (ext->extensions_guid[i] == NULL) {
118 for (k = 1; ext_strings[k] != NULL; k++) {
120 char *m = ext_strings[k];
126 /* FIXME: theoretically there could be more than one
127 * snapin per extension */
128 ext->snapins[i] = talloc_strdup(mem_ctx,
129 cse_snapin_gpo_guid_string_to_name(m));
130 ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
132 /* we might have no name for the guid */
133 if (ext->snapins_guid[i] == NULL) {
144 talloc_free(ext_list);
145 talloc_free(ext_strings);
152 /****************************************************************
153 parse the raw link string into a GP_LINK structure
154 ****************************************************************/
156 static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
157 const char *gp_link_raw,
159 struct GP_LINK *gp_link)
161 ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
165 ZERO_STRUCTP(gp_link);
167 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
169 link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]");
174 for (i = 0; link_list[i] != NULL; i++) {
178 gp_link->gp_opts = options;
179 gp_link->num_links = i;
181 if (gp_link->num_links) {
182 gp_link->link_names = talloc_zero_array(mem_ctx, char *,
184 gp_link->link_opts = talloc_zero_array(mem_ctx, uint32_t,
188 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
190 if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
194 for (i = 0; link_list[i] != NULL; i++) {
198 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i));
211 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
212 if (gp_link->link_names[i] == NULL) {
215 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
217 gp_link->link_opts[i] = atoi(p + 1);
219 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
220 gp_link->link_names[i]));
221 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
222 gp_link->link_opts[i]));
226 status = ADS_SUCCESS;
229 talloc_free(link_list);
234 /****************************************************************
235 helper call to get a GP_LINK structure from a linkdn
236 ****************************************************************/
238 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
241 struct GP_LINK *gp_link_struct)
244 const char *attrs[] = {"gPLink", "gPOptions", NULL};
245 LDAPMessage *res = NULL;
249 ZERO_STRUCTP(gp_link_struct);
251 status = ads_search_dn(ads, &res, link_dn, attrs);
252 if (!ADS_ERR_OK(status)) {
253 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
254 ads_errstr(status)));
258 if (ads_count_replies(ads, res) != 1) {
259 DEBUG(10,("ads_get_gpo_link: no result\n"));
260 ads_msgfree(ads, res);
261 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
264 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
265 if (gp_link == NULL) {
266 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
267 ads_msgfree(ads, res);
268 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
271 /* perfectly legal to have no options */
272 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
273 DEBUG(10,("ads_get_gpo_link: "
274 "no 'gPOptions' attribute found\n"));
278 ads_msgfree(ads, res);
280 return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
283 /****************************************************************
284 helper call to add a gp link
285 ****************************************************************/
287 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
294 const char *attrs[] = {"gPLink", NULL};
295 LDAPMessage *res = NULL;
296 const char *gp_link, *gp_link_new;
299 /* although ADS allows to set anything here, we better check here if
300 * the gpo_dn is sane */
302 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
303 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
306 status = ads_search_dn(ads, &res, link_dn, attrs);
307 if (!ADS_ERR_OK(status)) {
308 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
309 ads_errstr(status)));
313 if (ads_count_replies(ads, res) != 1) {
314 DEBUG(10,("ads_add_gpo_link: no result\n"));
315 ads_msgfree(ads, res);
316 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
319 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
320 if (gp_link == NULL) {
321 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
324 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
325 gp_link, gpo_dn, gpo_opt);
328 ads_msgfree(ads, res);
329 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
331 mods = ads_init_mods(mem_ctx);
332 ADS_ERROR_HAVE_NO_MEMORY(mods);
334 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
335 if (!ADS_ERR_OK(status)) {
339 return ads_gen_mod(ads, link_dn, mods);
342 /****************************************************************
343 helper call to delete add a gp link
344 ****************************************************************/
346 /* untested & broken */
347 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
353 const char *attrs[] = {"gPLink", NULL};
354 LDAPMessage *res = NULL;
355 const char *gp_link, *gp_link_new = NULL;
358 /* check for a sane gpo_dn */
359 if (gpo_dn[0] != '[') {
360 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
361 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
364 if (gpo_dn[strlen(gpo_dn)] != ']') {
365 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
366 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
369 status = ads_search_dn(ads, &res, link_dn, attrs);
370 if (!ADS_ERR_OK(status)) {
371 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
372 ads_errstr(status)));
376 if (ads_count_replies(ads, res) != 1) {
377 DEBUG(10,("ads_delete_gpo_link: no result\n"));
378 ads_msgfree(ads, res);
379 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
382 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
383 if (gp_link == NULL) {
384 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
387 /* find link to delete */
388 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
391 ads_msgfree(ads, res);
392 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
394 mods = ads_init_mods(mem_ctx);
395 ADS_ERROR_HAVE_NO_MEMORY(mods);
397 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
398 if (!ADS_ERR_OK(status)) {
402 return ads_gen_mod(ads, link_dn, mods);
405 /****************************************************************
406 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
407 ****************************************************************/
409 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
413 struct GROUP_POLICY_OBJECT *gpo)
417 ADS_ERROR_HAVE_NO_MEMORY(res);
420 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
422 gpo->ds_path = ads_get_dn(ads, mem_ctx, res);
425 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
427 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
428 return ADS_ERROR(LDAP_NO_MEMORY);
431 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
432 return ADS_ERROR(LDAP_NO_MEMORY);
435 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
437 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
439 gpo->display_name = ads_pull_string(ads, mem_ctx, res,
441 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
443 gpo->name = ads_pull_string(ads, mem_ctx, res,
445 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
447 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
448 "gPCMachineExtensionNames");
449 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
450 "gPCUserExtensionNames");
452 ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
453 &gpo->security_descriptor);
454 ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
456 return ADS_ERROR(LDAP_SUCCESS);
459 /****************************************************************
460 get a GROUP_POLICY_OBJECT structure based on different input parameters
461 ****************************************************************/
463 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
466 const char *display_name,
467 const char *guid_name,
468 struct GROUP_POLICY_OBJECT *gpo)
471 LDAPMessage *res = NULL;
474 const char *attrs[] = {
479 "gPCFunctionalityVersion",
480 "gPCMachineExtensionNames",
481 "gPCUserExtensionNames",
484 "ntSecurityDescriptor",
487 uint32_t sd_flags = DACL_SECURITY_INFORMATION;
491 if (!gpo_dn && !display_name && !guid_name) {
492 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
497 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
498 gpo_dn = gpo_dn + strlen("LDAP://");
501 status = ads_search_retry_dn_sd_flags(ads, &res,
505 } else if (display_name || guid_name) {
507 filter = talloc_asprintf(mem_ctx,
508 "(&(objectclass=groupPolicyContainer)(%s=%s))",
509 display_name ? "displayName" : "name",
510 display_name ? display_name : guid_name);
511 ADS_ERROR_HAVE_NO_MEMORY(filter);
513 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
514 LDAP_SCOPE_SUBTREE, filter,
515 attrs, sd_flags, &res);
518 if (!ADS_ERR_OK(status)) {
519 DEBUG(10,("ads_get_gpo: search failed with %s\n",
520 ads_errstr(status)));
524 if (ads_count_replies(ads, res) != 1) {
525 DEBUG(10,("ads_get_gpo: no result\n"));
526 ads_msgfree(ads, res);
527 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
530 dn = ads_get_dn(ads, mem_ctx, res);
532 ads_msgfree(ads, res);
533 return ADS_ERROR(LDAP_NO_MEMORY);
536 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
537 ads_msgfree(ads, res);
543 /****************************************************************
544 add a gplink to the GROUP_POLICY_OBJECT linked list
545 ****************************************************************/
547 static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
549 struct GROUP_POLICY_OBJECT **gpo_list,
551 struct GP_LINK *gp_link,
552 enum GPO_LINK_TYPE link_type,
553 bool only_add_forced_gpos,
554 const NT_USER_TOKEN *token)
559 for (i = 0; i < gp_link->num_links; i++) {
561 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
563 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
564 DEBUG(10,("skipping disabled GPO\n"));
568 if (only_add_forced_gpos) {
570 if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
571 DEBUG(10,("skipping nonenforced GPO link "
572 "because GPOPTIONS_BLOCK_INHERITANCE "
576 DEBUG(10,("adding enforced GPO link although "
577 "the GPOPTIONS_BLOCK_INHERITANCE "
582 new_gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
583 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
585 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
586 NULL, NULL, new_gpo);
587 if (!ADS_ERR_OK(status)) {
588 DEBUG(10,("failed to get gpo: %s\n",
589 gp_link->link_names[i]));
593 status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
595 if (!ADS_ERR_OK(status)) {
596 DEBUG(10,("skipping GPO \"%s\" as object "
597 "has no access to it\n",
598 new_gpo->display_name));
599 talloc_free(new_gpo);
603 new_gpo->link = link_dn;
604 new_gpo->link_type = link_type;
606 DLIST_ADD(*gpo_list, new_gpo);
608 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
609 "to GPO list\n", i, gp_link->link_names[i]));
612 return ADS_ERROR(LDAP_SUCCESS);
615 /****************************************************************
616 ****************************************************************/
618 ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
621 NT_USER_TOKEN **token)
625 DOM_SID primary_group_sid;
626 DOM_SID *ad_token_sids;
627 size_t num_ad_token_sids = 0;
629 size_t num_token_sids = 0;
630 NT_USER_TOKEN *new_token = NULL;
633 status = ads_get_tokensids(ads, mem_ctx, dn,
634 &object_sid, &primary_group_sid,
635 &ad_token_sids, &num_ad_token_sids);
636 if (!ADS_ERR_OK(status)) {
640 token_sids = TALLOC_ARRAY(mem_ctx, DOM_SID, 1);
641 ADS_ERROR_HAVE_NO_MEMORY(token_sids);
643 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
647 if (!ADS_ERR_OK(status)) {
651 for (i = 0; i < num_ad_token_sids; i++) {
653 if (sid_check_is_in_builtin(&ad_token_sids[i])) {
657 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
661 if (!ADS_ERR_OK(status)) {
666 new_token = create_local_nt_token(mem_ctx, &object_sid, false,
667 num_token_sids, token_sids);
668 ADS_ERROR_HAVE_NO_MEMORY(new_token);
672 debug_nt_user_token(DBGC_CLASS, 5, *token);
674 return ADS_ERROR_LDAP(LDAP_SUCCESS);
677 /****************************************************************
678 ****************************************************************/
680 static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
681 struct GROUP_POLICY_OBJECT **gpo_list,
682 enum GPO_LINK_TYPE link_type)
684 struct GROUP_POLICY_OBJECT *gpo = NULL;
686 ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
688 gpo = TALLOC_ZERO_P(mem_ctx, struct GROUP_POLICY_OBJECT);
689 ADS_ERROR_HAVE_NO_MEMORY(gpo);
691 gpo->name = talloc_strdup(mem_ctx, "Local Policy");
692 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
694 gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
695 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
697 gpo->link_type = link_type;
699 DLIST_ADD(*gpo_list, gpo);
701 return ADS_ERROR_NT(NT_STATUS_OK);
704 /****************************************************************
705 get the full list of GROUP_POLICY_OBJECTs for a given dn
706 ****************************************************************/
708 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
712 const NT_USER_TOKEN *token,
713 struct GROUP_POLICY_OBJECT **gpo_list)
715 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
718 struct GP_LINK gp_link;
719 const char *parent_dn, *site_dn, *tmp_dn;
720 bool add_only_forced_gpos = false;
722 ZERO_STRUCTP(gpo_list);
725 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
728 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
731 status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
733 if (!ADS_ERR_OK(status)) {
739 /* are site GPOs valid for users as well ??? */
740 if (flags & GPO_LIST_FLAG_MACHINE) {
742 status = ads_site_dn_for_machine(ads, mem_ctx,
743 ads->config.ldap_server_name,
745 if (!ADS_ERR_OK(status)) {
749 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
752 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
753 if (ADS_ERR_OK(status)) {
755 if (DEBUGLEVEL >= 100) {
756 dump_gplink(ads, mem_ctx, &gp_link);
759 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
762 add_only_forced_gpos,
764 if (!ADS_ERR_OK(status)) {
768 if (flags & GPO_LIST_FLAG_SITEONLY) {
769 return ADS_ERROR(LDAP_SUCCESS);
772 /* inheritance can't be blocked at the site level */
778 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
779 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
783 /* An account can just be a member of one domain */
784 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
786 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
789 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
791 if (ADS_ERR_OK(status)) {
793 if (DEBUGLEVEL >= 100) {
794 dump_gplink(ads, mem_ctx, &gp_link);
797 /* block inheritance from now on */
798 if (gp_link.gp_opts &
799 GPOPTIONS_BLOCK_INHERITANCE) {
800 add_only_forced_gpos = true;
803 status = add_gplink_to_gpo_list(ads,
809 add_only_forced_gpos,
811 if (!ADS_ERR_OK(status)) {
823 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
824 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
827 /* (O)rganizational(U)nit */
829 /* An account can be a member of more OUs */
830 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
832 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
835 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
837 if (ADS_ERR_OK(status)) {
839 if (DEBUGLEVEL >= 100) {
840 dump_gplink(ads, mem_ctx, &gp_link);
843 /* block inheritance from now on */
844 if (gp_link.gp_opts &
845 GPOPTIONS_BLOCK_INHERITANCE) {
846 add_only_forced_gpos = true;
849 status = add_gplink_to_gpo_list(ads,
855 add_only_forced_gpos,
857 if (!ADS_ERR_OK(status)) {
867 return ADS_ERROR(LDAP_SUCCESS);
870 #endif /* HAVE_LDAP */
git.samba.org / ira / wip.git / blob