2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005,2007
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "libgpo/gpo.h"
23 #include "../libcli/security/security.h"
25 /****************************************************************
26 parse the raw extension string into a GP_EXT structure
27 ****************************************************************/
29 bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
30 const char *extension_raw,
31 struct GP_EXT **gp_ext)
34 struct GP_EXT *ext = NULL;
35 char **ext_list = NULL;
36 char **ext_strings = NULL;
43 DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
45 ext = talloc_zero(mem_ctx, struct GP_EXT);
50 ext_list = str_list_make(mem_ctx, extension_raw, "]");
55 for (i = 0; ext_list[i] != NULL; i++) {
62 ext->extensions = talloc_zero_array(mem_ctx, char *,
64 ext->extensions_guid = talloc_zero_array(mem_ctx, char *,
66 ext->snapins = talloc_zero_array(mem_ctx, char *,
68 ext->snapins_guid = talloc_zero_array(mem_ctx, char *,
72 ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
74 if (!ext->extensions || !ext->extensions_guid ||
75 !ext->snapins || !ext->snapins_guid ||
80 for (i = 0; ext_list[i] != NULL; i++) {
85 DEBUGADD(10,("extension #%d\n", i));
93 ext_strings = str_list_make(mem_ctx, p, "}");
94 if (ext_strings == NULL) {
98 for (k = 0; ext_strings[k] != NULL; k++) {
108 ext->extensions[i] = talloc_strdup(mem_ctx,
109 cse_gpo_guid_string_to_name(q));
110 ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
112 /* we might have no name for the guid */
113 if (ext->extensions_guid[i] == NULL) {
117 for (k = 1; ext_strings[k] != NULL; k++) {
119 char *m = ext_strings[k];
125 /* FIXME: theoretically there could be more than one
126 * snapin per extension */
127 ext->snapins[i] = talloc_strdup(mem_ctx,
128 cse_snapin_gpo_guid_string_to_name(m));
129 ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
131 /* we might have no name for the guid */
132 if (ext->snapins_guid[i] == NULL) {
143 talloc_free(ext_list);
144 talloc_free(ext_strings);
151 /****************************************************************
152 parse the raw link string into a GP_LINK structure
153 ****************************************************************/
155 static ADS_STATUS gpo_parse_gplink(TALLOC_CTX *mem_ctx,
156 const char *gp_link_raw,
158 struct GP_LINK *gp_link)
160 ADS_STATUS status = ADS_ERROR_NT(NT_STATUS_NO_MEMORY);
164 ZERO_STRUCTP(gp_link);
166 DEBUG(10,("gpo_parse_gplink: gPLink: %s\n", gp_link_raw));
168 link_list = str_list_make_v3(mem_ctx, gp_link_raw, "]");
173 for (i = 0; link_list[i] != NULL; i++) {
177 gp_link->gp_opts = options;
178 gp_link->num_links = i;
180 if (gp_link->num_links) {
181 gp_link->link_names = talloc_zero_array(mem_ctx, char *,
183 gp_link->link_opts = talloc_zero_array(mem_ctx, uint32_t,
187 gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
189 if (!gp_link->link_names || !gp_link->link_opts || !gp_link->gp_link) {
193 for (i = 0; link_list[i] != NULL; i++) {
197 DEBUGADD(10,("gpo_parse_gplink: processing link #%d\n", i));
210 gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
211 if (gp_link->link_names[i] == NULL) {
214 gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
216 gp_link->link_opts[i] = atoi(p + 1);
218 DEBUGADD(10,("gpo_parse_gplink: link: %s\n",
219 gp_link->link_names[i]));
220 DEBUGADD(10,("gpo_parse_gplink: opt: %d\n",
221 gp_link->link_opts[i]));
225 status = ADS_SUCCESS;
228 talloc_free(link_list);
233 /****************************************************************
234 helper call to get a GP_LINK structure from a linkdn
235 ****************************************************************/
237 ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
240 struct GP_LINK *gp_link_struct)
243 const char *attrs[] = {"gPLink", "gPOptions", NULL};
244 LDAPMessage *res = NULL;
248 ZERO_STRUCTP(gp_link_struct);
250 status = ads_search_dn(ads, &res, link_dn, attrs);
251 if (!ADS_ERR_OK(status)) {
252 DEBUG(10,("ads_get_gpo_link: search failed with %s\n",
253 ads_errstr(status)));
257 if (ads_count_replies(ads, res) != 1) {
258 DEBUG(10,("ads_get_gpo_link: no result\n"));
259 ads_msgfree(ads, res);
260 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
263 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
264 if (gp_link == NULL) {
265 DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
266 ads_msgfree(ads, res);
267 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
270 /* perfectly legal to have no options */
271 if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
272 DEBUG(10,("ads_get_gpo_link: "
273 "no 'gPOptions' attribute found\n"));
277 ads_msgfree(ads, res);
279 return gpo_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct);
282 /****************************************************************
283 helper call to add a gp link
284 ****************************************************************/
286 ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
293 const char *attrs[] = {"gPLink", NULL};
294 LDAPMessage *res = NULL;
295 const char *gp_link, *gp_link_new;
298 /* although ADS allows to set anything here, we better check here if
299 * the gpo_dn is sane */
301 if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
302 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
305 status = ads_search_dn(ads, &res, link_dn, attrs);
306 if (!ADS_ERR_OK(status)) {
307 DEBUG(10,("ads_add_gpo_link: search failed with %s\n",
308 ads_errstr(status)));
312 if (ads_count_replies(ads, res) != 1) {
313 DEBUG(10,("ads_add_gpo_link: no result\n"));
314 ads_msgfree(ads, res);
315 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
318 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
319 if (gp_link == NULL) {
320 gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]",
323 gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]",
324 gp_link, gpo_dn, gpo_opt);
327 ads_msgfree(ads, res);
328 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
330 mods = ads_init_mods(mem_ctx);
331 ADS_ERROR_HAVE_NO_MEMORY(mods);
333 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
334 if (!ADS_ERR_OK(status)) {
338 return ads_gen_mod(ads, link_dn, mods);
341 /****************************************************************
342 helper call to delete add a gp link
343 ****************************************************************/
345 /* untested & broken */
346 ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
352 const char *attrs[] = {"gPLink", NULL};
353 LDAPMessage *res = NULL;
354 const char *gp_link, *gp_link_new = NULL;
357 /* check for a sane gpo_dn */
358 if (gpo_dn[0] != '[') {
359 DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
360 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
363 if (gpo_dn[strlen(gpo_dn)] != ']') {
364 DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
365 return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
368 status = ads_search_dn(ads, &res, link_dn, attrs);
369 if (!ADS_ERR_OK(status)) {
370 DEBUG(10,("ads_delete_gpo_link: search failed with %s\n",
371 ads_errstr(status)));
375 if (ads_count_replies(ads, res) != 1) {
376 DEBUG(10,("ads_delete_gpo_link: no result\n"));
377 ads_msgfree(ads, res);
378 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
381 gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink");
382 if (gp_link == NULL) {
383 return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
386 /* find link to delete */
387 /* gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link,
390 ads_msgfree(ads, res);
391 ADS_ERROR_HAVE_NO_MEMORY(gp_link_new);
393 mods = ads_init_mods(mem_ctx);
394 ADS_ERROR_HAVE_NO_MEMORY(mods);
396 status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
397 if (!ADS_ERR_OK(status)) {
401 return ads_gen_mod(ads, link_dn, mods);
404 /****************************************************************
405 parse a GROUP_POLICY_OBJECT structure from an LDAPMessage result
406 ****************************************************************/
408 ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
412 struct GROUP_POLICY_OBJECT *gpo)
416 ADS_ERROR_HAVE_NO_MEMORY(res);
419 gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
421 gpo->ds_path = ads_get_dn(ads, mem_ctx, res);
424 ADS_ERROR_HAVE_NO_MEMORY(gpo->ds_path);
426 if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
427 return ADS_ERROR(LDAP_NO_MEMORY);
430 if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
431 return ADS_ERROR(LDAP_NO_MEMORY);
434 gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res,
436 ADS_ERROR_HAVE_NO_MEMORY(gpo->file_sys_path);
438 gpo->display_name = ads_pull_string(ads, mem_ctx, res,
440 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
442 gpo->name = ads_pull_string(ads, mem_ctx, res,
444 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
446 gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res,
447 "gPCMachineExtensionNames");
448 gpo->user_extensions = ads_pull_string(ads, mem_ctx, res,
449 "gPCUserExtensionNames");
451 ads_pull_sd(ads, mem_ctx, res, "ntSecurityDescriptor",
452 &gpo->security_descriptor);
453 ADS_ERROR_HAVE_NO_MEMORY(gpo->security_descriptor);
455 return ADS_ERROR(LDAP_SUCCESS);
458 /****************************************************************
459 get a GROUP_POLICY_OBJECT structure based on different input parameters
460 ****************************************************************/
462 ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
465 const char *display_name,
466 const char *guid_name,
467 struct GROUP_POLICY_OBJECT *gpo)
470 LDAPMessage *res = NULL;
473 const char *attrs[] = {
478 "gPCFunctionalityVersion",
479 "gPCMachineExtensionNames",
480 "gPCUserExtensionNames",
483 "ntSecurityDescriptor",
486 uint32_t sd_flags = SECINFO_DACL;
490 if (!gpo_dn && !display_name && !guid_name) {
491 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
496 if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
497 gpo_dn = gpo_dn + strlen("LDAP://");
500 status = ads_search_retry_dn_sd_flags(ads, &res,
504 } else if (display_name || guid_name) {
506 filter = talloc_asprintf(mem_ctx,
507 "(&(objectclass=groupPolicyContainer)(%s=%s))",
508 display_name ? "displayName" : "name",
509 display_name ? display_name : guid_name);
510 ADS_ERROR_HAVE_NO_MEMORY(filter);
512 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
513 LDAP_SCOPE_SUBTREE, filter,
514 attrs, sd_flags, &res);
517 if (!ADS_ERR_OK(status)) {
518 DEBUG(10,("ads_get_gpo: search failed with %s\n",
519 ads_errstr(status)));
523 if (ads_count_replies(ads, res) != 1) {
524 DEBUG(10,("ads_get_gpo: no result\n"));
525 ads_msgfree(ads, res);
526 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
529 dn = ads_get_dn(ads, mem_ctx, res);
531 ads_msgfree(ads, res);
532 return ADS_ERROR(LDAP_NO_MEMORY);
535 status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
536 ads_msgfree(ads, res);
542 /****************************************************************
543 add a gplink to the GROUP_POLICY_OBJECT linked list
544 ****************************************************************/
546 static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
548 struct GROUP_POLICY_OBJECT **gpo_list,
550 struct GP_LINK *gp_link,
551 enum GPO_LINK_TYPE link_type,
552 bool only_add_forced_gpos,
553 const struct security_token *token)
558 for (i = 0; i < gp_link->num_links; i++) {
560 struct GROUP_POLICY_OBJECT *new_gpo = NULL;
562 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
563 DEBUG(10,("skipping disabled GPO\n"));
567 if (only_add_forced_gpos) {
569 if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
570 DEBUG(10,("skipping nonenforced GPO link "
571 "because GPOPTIONS_BLOCK_INHERITANCE "
575 DEBUG(10,("adding enforced GPO link although "
576 "the GPOPTIONS_BLOCK_INHERITANCE "
581 new_gpo = talloc_zero(mem_ctx, struct GROUP_POLICY_OBJECT);
582 ADS_ERROR_HAVE_NO_MEMORY(new_gpo);
584 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i],
585 NULL, NULL, new_gpo);
586 if (!ADS_ERR_OK(status)) {
587 DEBUG(10,("failed to get gpo: %s\n",
588 gp_link->link_names[i]));
592 status = ADS_ERROR_NT(gpo_apply_security_filtering(new_gpo,
594 if (!ADS_ERR_OK(status)) {
595 DEBUG(10,("skipping GPO \"%s\" as object "
596 "has no access to it\n",
597 new_gpo->display_name));
598 talloc_free(new_gpo);
602 new_gpo->link = link_dn;
603 new_gpo->link_type = link_type;
605 DLIST_ADD(*gpo_list, new_gpo);
607 DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
608 "to GPO list\n", i, gp_link->link_names[i]));
611 return ADS_ERROR(LDAP_SUCCESS);
614 /****************************************************************
615 ****************************************************************/
617 ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
620 struct security_token **token)
623 struct dom_sid object_sid;
624 struct dom_sid primary_group_sid;
625 struct dom_sid *ad_token_sids;
626 size_t num_ad_token_sids = 0;
627 struct dom_sid *token_sids;
628 uint32_t num_token_sids = 0;
629 struct security_token *new_token = NULL;
632 status = ads_get_tokensids(ads, mem_ctx, dn,
633 &object_sid, &primary_group_sid,
634 &ad_token_sids, &num_ad_token_sids);
635 if (!ADS_ERR_OK(status)) {
639 token_sids = talloc_array(mem_ctx, struct dom_sid, 1);
640 ADS_ERROR_HAVE_NO_MEMORY(token_sids);
642 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
646 if (!ADS_ERR_OK(status)) {
650 for (i = 0; i < num_ad_token_sids; i++) {
652 if (sid_check_is_in_builtin(&ad_token_sids[i])) {
656 status = ADS_ERROR_NT(add_sid_to_array_unique(mem_ctx,
660 if (!ADS_ERR_OK(status)) {
665 new_token = create_local_nt_token(mem_ctx, &object_sid, false,
666 num_token_sids, token_sids);
667 ADS_ERROR_HAVE_NO_MEMORY(new_token);
671 security_token_debug(DBGC_CLASS, 5, *token);
673 return ADS_ERROR_LDAP(LDAP_SUCCESS);
676 /****************************************************************
677 ****************************************************************/
679 static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
680 struct GROUP_POLICY_OBJECT **gpo_list,
681 enum GPO_LINK_TYPE link_type)
683 struct GROUP_POLICY_OBJECT *gpo = NULL;
685 ADS_ERROR_HAVE_NO_MEMORY(gpo_list);
687 gpo = talloc_zero(mem_ctx, struct GROUP_POLICY_OBJECT);
688 ADS_ERROR_HAVE_NO_MEMORY(gpo);
690 gpo->name = talloc_strdup(mem_ctx, "Local Policy");
691 ADS_ERROR_HAVE_NO_MEMORY(gpo->name);
693 gpo->display_name = talloc_strdup(mem_ctx, "Local Policy");
694 ADS_ERROR_HAVE_NO_MEMORY(gpo->display_name);
696 gpo->link_type = link_type;
698 DLIST_ADD(*gpo_list, gpo);
700 return ADS_ERROR_NT(NT_STATUS_OK);
703 /****************************************************************
704 get the full list of GROUP_POLICY_OBJECTs for a given dn
705 ****************************************************************/
707 ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
711 const struct security_token *token,
712 struct GROUP_POLICY_OBJECT **gpo_list)
714 /* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
717 struct GP_LINK gp_link;
718 const char *parent_dn, *site_dn, *tmp_dn;
719 bool add_only_forced_gpos = false;
721 ZERO_STRUCTP(gpo_list);
724 return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
727 if (!ads_set_sasl_wrap_flags(ads, ADS_AUTH_SASL_SIGN)) {
728 return ADS_ERROR(LDAP_INVALID_CREDENTIALS);
731 DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
734 status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
736 if (!ADS_ERR_OK(status)) {
742 /* are site GPOs valid for users as well ??? */
743 if (flags & GPO_LIST_FLAG_MACHINE) {
745 status = ads_site_dn_for_machine(ads, mem_ctx,
746 ads->config.ldap_server_name,
748 if (!ADS_ERR_OK(status)) {
752 DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
755 status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
756 if (ADS_ERR_OK(status)) {
758 if (DEBUGLEVEL >= 100) {
759 dump_gplink(ads, mem_ctx, &gp_link);
762 status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
765 add_only_forced_gpos,
767 if (!ADS_ERR_OK(status)) {
771 if (flags & GPO_LIST_FLAG_SITEONLY) {
772 return ADS_ERROR(LDAP_SUCCESS);
775 /* inheritance can't be blocked at the site level */
781 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
782 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
786 /* An account can just be a member of one domain */
787 if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
789 DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n",
792 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
794 if (ADS_ERR_OK(status)) {
796 if (DEBUGLEVEL >= 100) {
797 dump_gplink(ads, mem_ctx, &gp_link);
800 /* block inheritance from now on */
801 if (gp_link.gp_opts &
802 GPOPTIONS_BLOCK_INHERITANCE) {
803 add_only_forced_gpos = true;
806 status = add_gplink_to_gpo_list(ads,
812 add_only_forced_gpos,
814 if (!ADS_ERR_OK(status)) {
826 while ((parent_dn = ads_parent_dn(tmp_dn)) &&
827 (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
830 /* (O)rganizational(U)nit */
832 /* An account can be a member of more OUs */
833 if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
835 DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
838 status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
840 if (ADS_ERR_OK(status)) {
842 if (DEBUGLEVEL >= 100) {
843 dump_gplink(ads, mem_ctx, &gp_link);
846 /* block inheritance from now on */
847 if (gp_link.gp_opts &
848 GPOPTIONS_BLOCK_INHERITANCE) {
849 add_only_forced_gpos = true;
852 status = add_gplink_to_gpo_list(ads,
858 add_only_forced_gpos,
860 if (!ADS_ERR_OK(status)) {
870 return ADS_ERROR(LDAP_SUCCESS);
873 #endif /* HAVE_LDAP */
git.samba.org / nivanova / samba-autobuild / .git / blob