2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Guenther Deschner 2005-2006
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
24 #define DEFAULT_DOMAIN_POLICY "Default Domain Policy"
25 #define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
27 /* should we store a parsed guid ? */
30 const char *guid_string;
35 const char *guid_string;
36 ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, const char *, const char *);
40 static struct gpo_table gpo_default_policy[] = {
41 { DEFAULT_DOMAIN_POLICY,
42 "31B2F340-016D-11D2-945F-00C04FB984F9" },
43 { DEFAULT_DOMAIN_CONTROLLERS_POLICY,
44 "6AC1786C-016F-11D2-945F-00C04fB984F9" },
49 /* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */
51 static struct gpo_table gpo_cse_extensions[] = {
52 { "Administrative Templates Extension",
53 "35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */
54 { "Microsoft Disc Quota",
55 "3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
57 "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
58 { "Folder Redirection",
59 "25537BA6-77A8-11D2-9B6C-0000F8080861" },
61 "E437BC1C-AA7D-11D2-A382-00C04F991E27" },
62 { "Internet Explorer Branding",
63 "A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
64 { "QoS Packet Scheduler",
65 "426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
67 "42B5FAAE-6536-11D2-AE5A-0000F87571E3" },
69 "827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
70 { "Software Installation",
71 "C6DC5466-785A-11D2-84D0-00C04FB169F7" },
72 { "Wireless Group Policy",
73 "0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
78 static struct snapin_table gpo_cse_snapin_extensions[] = {
79 { "Administrative Templates",
80 "0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none },
82 "53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
83 { "EFS recovery policy processing",
84 "B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none },
85 { "Folder Redirection policy processing",
86 "25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none },
87 { "Folder Redirection",
88 "88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none },
89 { "Registry policy processing",
90 "35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none },
91 { "Remote Installation Services",
92 "3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
93 { "Security Settings",
94 "803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings },
95 { "Security policy processing",
96 "827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings },
98 "3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
100 "53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
104 static const char *name_to_guid_string(const char *name, struct gpo_table *table)
108 for (i = 0; table[i].name; i++) {
109 if (strequal(name, table[i].name)) {
110 return table[i].guid_string;
117 static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table)
121 for (i = 0; table[i].guid_string; i++) {
122 if (strequal(guid_string, table[i].guid_string)) {
123 return table[i].name;
130 static const char *snapin_guid_string_to_name(const char *guid_string,
131 struct snapin_table *table)
134 for (i = 0; table[i].guid_string; i++) {
135 if (strequal(guid_string, table[i].guid_string)) {
136 return table[i].name;
143 static const char *default_gpo_name_to_guid_string(const char *name)
145 return name_to_guid_string(name, gpo_default_policy);
148 static const char *default_gpo_guid_string_to_name(const char *guid)
150 return guid_string_to_name(guid, gpo_default_policy);
154 const char *cse_gpo_guid_string_to_name(const char *guid)
156 return guid_string_to_name(guid, gpo_cse_extensions);
159 static const char *cse_gpo_name_to_guid_string(const char *name)
161 return name_to_guid_string(name, gpo_cse_extensions);
164 const char *cse_snapin_gpo_guid_string_to_name(const char *guid)
166 return snapin_guid_string_to_name(guid, gpo_cse_snapin_extensions);
169 void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel)
171 int lvl = debuglevel;
174 if (gp_ext == NULL) {
178 DEBUG(lvl,("\t---------------------\n\n"));
179 DEBUGADD(lvl,("\tname:\t\t\t%s\n", gp_ext->gp_extension));
181 for (i=0; i< gp_ext->num_exts; i++) {
183 DEBUGADD(lvl,("\textension:\t\t\t%s\n", gp_ext->extensions_guid[i]));
184 DEBUGADD(lvl,("\textension (name):\t\t\t%s\n", gp_ext->extensions[i]));
186 DEBUGADD(lvl,("\tsnapin:\t\t\t%s\n", gp_ext->snapins_guid[i]));
187 DEBUGADD(lvl,("\tsnapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
191 void dump_gpo(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo, int debuglevel)
193 int lvl = debuglevel;
199 DEBUG(lvl,("---------------------\n\n"));
201 DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
202 DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
203 DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
204 DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", GPO_VERSION_USER(gpo->version),
205 GPO_VERSION_USER(gpo->version)));
206 DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", GPO_VERSION_MACHINE(gpo->version),
207 GPO_VERSION_MACHINE(gpo->version)));
208 DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
209 DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
211 DEBUGADD(lvl,("options:\t\t%d ", gpo->options));
212 if (gpo->options & GPFLAGS_USER_SETTINGS_DISABLED) {
213 DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED "));
215 if (gpo->options & GPFLAGS_MACHINE_SETTINGS_DISABLED) {
216 DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED"));
218 DEBUGADD(lvl,("\n"));
220 DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link));
221 DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type));
222 switch (gpo->link_type) {
224 DEBUGADD(lvl,("GP_LINK_UNKOWN\n"));
227 DEBUGADD(lvl,("GP_LINK_OU\n"));
230 DEBUGADD(lvl,("GP_LINK_DOMAIN\n"));
233 DEBUGADD(lvl,("GP_LINK_SITE\n"));
235 case GP_LINK_MACHINE:
236 DEBUGADD(lvl,("GP_LINK_MACHINE\n"));
242 DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions));
244 if (gpo->machine_extensions) {
246 struct GP_EXT *gp_ext = NULL;
249 status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
250 if (!ADS_ERR_OK(status)) {
253 dump_gp_ext(gp_ext, lvl);
256 DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
258 if (gpo->user_extensions) {
260 struct GP_EXT *gp_ext = NULL;
263 status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
264 if (!ADS_ERR_OK(status)) {
267 dump_gp_ext(gp_ext, lvl);
271 /****************************************************************
272 ****************************************************************/
274 void dump_gpo_list(TALLOC_CTX *mem_ctx,
275 struct GROUP_POLICY_OBJECT *gpo_list,
278 struct GROUP_POLICY_OBJECT *gpo = NULL;
280 for (gpo = gpo_list; gpo; gpo = gpo->next) {
281 dump_gpo(mem_ctx, gpo, debuglevel);
285 /****************************************************************
286 ****************************************************************/
288 void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
294 if (gp_link == NULL) {
298 DEBUG(lvl,("---------------------\n\n"));
300 DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link));
301 DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts));
302 switch (gp_link->gp_opts) {
303 case GPOPTIONS_INHERIT:
304 DEBUGADD(lvl,("GPOPTIONS_INHERIT\n"));
306 case GPOPTIONS_BLOCK_INHERITANCE:
307 DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n"));
313 DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
315 for (i = 0; i < gp_link->num_links; i++) {
317 DEBUGADD(lvl,("---------------------\n\n"));
319 DEBUGADD(lvl,("link: #%d\n", i + 1));
320 DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
322 DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i]));
323 if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) {
324 DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED "));
326 if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
327 DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED"));
329 DEBUGADD(lvl,("\n"));
331 if (ads != NULL && mem_ctx != NULL) {
333 struct GROUP_POLICY_OBJECT gpo;
335 status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo);
336 if (!ADS_ERR_OK(status)) {
337 DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status)));
340 dump_gpo(mem_ctx, &gpo, lvl);
345 /****************************************************************
346 ****************************************************************/
348 ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
350 const char *extension_guid,
351 const char *snapin_guid)
355 for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) {
357 if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
359 return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx,
360 extension_guid, snapin_guid);
364 DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n",
365 extension_guid, snapin_guid));
370 /****************************************************************
371 ****************************************************************/
373 ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
375 struct GROUP_POLICY_OBJECT *gpo,
376 const char *extension_guid_filter,
380 struct GP_EXT *gp_ext = NULL;
383 if (flags & GPO_LIST_FLAG_MACHINE) {
385 if (gpo->machine_extensions) {
387 status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
389 if (!ADS_ERR_OK(status)) {
394 /* nothing to apply */
400 if (gpo->user_extensions) {
402 status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
404 if (!ADS_ERR_OK(status)) {
408 /* nothing to apply */
413 for (i=0; i<gp_ext->num_exts; i++) {
415 if (extension_guid_filter && !strequal(extension_guid_filter, gp_ext->extensions_guid[i])) {
419 status = process_extension_with_snapin(ads, mem_ctx,
420 gp_ext->extensions_guid[i],
421 gp_ext->snapins_guid[i]);
422 if (!ADS_ERR_OK(status)) {
430 /****************************************************************
431 ****************************************************************/
433 ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
435 struct GROUP_POLICY_OBJECT *gpo_list,
436 const char *extensions_guid,
440 struct GROUP_POLICY_OBJECT *gpo;
442 for (gpo = gpo_list; gpo; gpo = gpo->next) {
444 status = gpo_process_a_gpo(ads, mem_ctx, gpo,
445 extensions_guid, flags);
447 if (!ADS_ERR_OK(status)) {
456 ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads,
458 const char *extension_guid,
459 const char *snapin_guid)
461 DEBUG(10,("gpo_snapin_handler_none\n"));
466 ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads,
468 const char *extension_guid,
469 const char *snapin_guid)
471 DEBUG(10,("gpo_snapin_handler_security_settings\n"));
476 ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
478 const char *hostname,
479 SAM_UNK_INFO_12 *lockout_policy)
481 return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
484 /****************************************************************
485 ****************************************************************/
487 ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
489 const char *hostname,
490 SAM_UNK_INFO_1 *password_policy)
493 struct GROUP_POLICY_OBJECT *gpo_list;
494 const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
496 LDAPMessage *res = NULL;
499 filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", hostname);
500 if (filter == NULL) {
501 return ADS_ERROR(LDAP_NO_MEMORY);
504 status = ads_do_search_all(ads, ads->config.bind_path,
506 filter, attrs, &res);
508 if (!ADS_ERR_OK(status)) {
512 if (ads_count_replies(ads, res) != 1) {
513 ads_msgfree(ads, res);
514 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
517 dn = ads_get_dn(ads, res);
519 ads_msgfree(ads, res);
520 return ADS_ERROR(LDAP_NO_MEMORY);
523 if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
524 ads_msgfree(ads, res);
525 ads_memfree(ads, dn);
526 return ADS_ERROR(LDAP_NO_MEMORY);
529 ads_msgfree(ads, res);
531 if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
532 ads_memfree(ads, dn);
533 return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
536 status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
537 if (!ADS_ERR_OK(status)) {
538 ads_memfree(ads, dn);
542 ads_memfree(ads, dn);
544 status = gpo_process_gpo_list(ads, mem_ctx, gpo_list,
545 cse_gpo_name_to_guid_string("Security"),
546 GPO_LIST_FLAG_MACHINE);
547 if (!ADS_ERR_OK(status)) {
554 /****************************************************************
555 check wether the version number in a GROUP_POLICY_OBJECT match those of the
556 locally stored version. If not, fetch the required policy via CIFS
557 ****************************************************************/
559 NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
561 struct GROUP_POLICY_OBJECT *gpo,
562 struct cli_state **cli_out)
567 char *nt_path = NULL;
568 char *unix_path = NULL;
569 uint32 sysvol_gpt_version = 0;
570 char *display_name = NULL;
571 struct cli_state *cli = NULL;
573 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
574 &server, &share, &nt_path, &unix_path);
576 if (!NT_STATUS_IS_OK(result)) {
580 result = gpo_get_sysvol_gpt_version(mem_ctx,
584 if (!NT_STATUS_IS_OK(result) &&
585 !NT_STATUS_EQUAL(result, NT_STATUS_NO_SUCH_FILE)) {
586 DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
591 while (gpo->version > sysvol_gpt_version) {
593 DEBUG(1,("check_refresh_gpo: need to refresh GPO\n"));
595 if (*cli_out == NULL) {
597 result = cli_full_connection(&cli, global_myname(),
598 server, /* ads->config.ldap_server_name, */
601 ads->auth.user_name, NULL, ads->auth.password,
602 CLI_FULL_CONNECTION_USE_KERBEROS,
604 if (!NT_STATUS_IS_OK(result)) {
605 DEBUG(10,("check_refresh_gpo: failed to connect: %s\n", nt_errstr(result)));
612 result = gpo_fetch_files(mem_ctx, *cli_out, gpo);
613 if (!NT_STATUS_IS_OK(result)) {
617 result = gpo_get_sysvol_gpt_version(mem_ctx,
621 if (!NT_STATUS_IS_OK(result)) {
622 DEBUG(10,("check_refresh_gpo: failed to get local gpt version: %s\n",
627 if (gpo->version == sysvol_gpt_version) {
632 DEBUG(10,("Name:\t\t\t%s\n", gpo->display_name));
633 DEBUGADD(10,("sysvol GPT version:\t%d (user: %d, machine: %d)\n",
635 GPO_VERSION_USER(sysvol_gpt_version),
636 GPO_VERSION_MACHINE(sysvol_gpt_version)));
637 DEBUGADD(10,("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
639 GPO_VERSION_USER(gpo->version),
640 GPO_VERSION_MACHINE(gpo->version)));
642 result = NT_STATUS_OK;
649 /****************************************************************
650 check wether the version numbers in the gpo_list match the locally stored, if
651 not, go and get each required GPO via CIFS
652 ****************************************************************/
654 NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
656 struct GROUP_POLICY_OBJECT *gpo_list)
658 NTSTATUS result = NT_STATUS_UNSUCCESSFUL;
659 struct cli_state *cli = NULL;
660 struct GROUP_POLICY_OBJECT *gpo;
663 return NT_STATUS_INVALID_PARAMETER;
666 for (gpo = gpo_list; gpo; gpo = gpo->next) {
668 result = check_refresh_gpo(ads, mem_ctx, gpo, &cli);
669 if (!NT_STATUS_IS_OK(result)) {
674 result = NT_STATUS_OK;
684 #endif /* HAVE_LDAP */
git.samba.org / sfrench / samba-autobuild / .git / blob