2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
22 #include "lib/ldb/include/ldb.h"
23 #include "lib/ldb-samba/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/dom_sid.h"
30 #include "libcli/security/security.h"
31 #include "libcli/ldap/ldap_ndr.h"
32 #include "../lib/talloc/talloc.h"
33 #include "lib/policy/policy.h"
35 struct gpo_stringmap {
39 static const struct gpo_stringmap gplink_options [] = {
40 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE },
41 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE },
44 static const struct gpo_stringmap gpo_flags [] = {
45 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE },
46 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE },
49 static const struct gpo_stringmap gpo_inheritance [] = {
50 { "GPO_INHERIT", GPO_INHERIT },
51 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE },
56 static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret)
58 struct gp_object *gpo = talloc(mem_ctx, struct gp_object);
59 enum ndr_err_code ndr_err;
60 const DATA_BLOB *data;
62 NT_STATUS_HAVE_NO_MEMORY(gpo);
64 gpo->dn = talloc_strdup(mem_ctx, ldb_dn_get_linearized(msg->dn));
65 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->dn, gpo);
67 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn));
69 gpo->display_name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "displayName", ""));
70 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->display_name, gpo);
72 gpo->name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "name", ""));
73 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->name, gpo);
75 gpo->flags = ldb_msg_find_attr_as_uint(msg, "flags", 0);
76 gpo->version = ldb_msg_find_attr_as_uint(msg, "versionNumber", 0);
78 gpo->file_sys_path = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "gPCFileSysPath", ""));
79 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->file_sys_path, gpo);
81 /* Pull the security descriptor through the NDR library */
82 data = ldb_msg_find_ldb_val(msg, "nTSecurityDescriptor");
83 gpo->security_descriptor = talloc(gpo, struct security_descriptor);
84 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->security_descriptor, gpo);
86 ndr_err = ndr_pull_struct_blob(data,
88 gpo->security_descriptor,
89 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
90 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
91 return ndr_map_error2ntstatus(ndr_err);
98 NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret)
100 unsigned int i, count=0;
101 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
103 NT_STATUS_HAVE_NO_MEMORY(flag_strs);
107 for (i = 0; gpo_flags[i].str != NULL; i++) {
108 if (flags & gpo_flags[i].flags) {
109 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
110 NT_STATUS_HAVE_NO_MEMORY(flag_strs);
111 flag_strs[count] = gpo_flags[i].str;
112 flag_strs[count+1] = NULL;
120 NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret)
122 unsigned int i, count=0;
123 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
125 NT_STATUS_HAVE_NO_MEMORY(flag_strs);
128 for (i = 0; gplink_options[i].str != NULL; i++) {
129 if (options & gplink_options[i].flags) {
130 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
131 NT_STATUS_HAVE_NO_MEMORY(flag_strs);
132 flag_strs[count] = gplink_options[i].str;
133 flag_strs[count+1] = NULL;
141 NTSTATUS gp_init(TALLOC_CTX *mem_ctx,
142 struct loadparm_context *lp_ctx,
143 struct cli_credentials *credentials,
144 struct tevent_context *ev_ctx,
145 struct gp_context **gp_ctx)
148 struct libnet_LookupDCs *io;
150 struct libnet_context *net_ctx;
151 struct ldb_context *ldb_ctx;
154 /* Initialise the libnet context */
155 net_ctx = libnet_context_init(ev_ctx, lp_ctx);
156 net_ctx->cred = credentials;
158 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
159 io = talloc_zero(mem_ctx, struct libnet_LookupDCs);
160 NT_STATUS_HAVE_NO_MEMORY(io);
161 io->in.name_type = NBT_NAME_PDC;
162 io->in.domain_name = lpcfg_workgroup(lp_ctx);
164 /* Find Active DC's */
165 rv = libnet_LookupDCs(net_ctx, mem_ctx, io);
166 if (!NT_STATUS_IS_OK(rv)) {
167 DEBUG(0, ("Failed to lookup DCs in domain\n"));
171 /* Connect to ldap://DC_NAME with all relevant contexts*/
172 url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name);
173 NT_STATUS_HAVE_NO_MEMORY(url);
174 ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx,
175 url, NULL, net_ctx->cred, 0);
176 if (ldb_ctx == NULL) {
177 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url));
178 return NT_STATUS_UNSUCCESSFUL;
182 *gp_ctx = talloc_zero(mem_ctx, struct gp_context);
183 NT_STATUS_HAVE_NO_MEMORY(gp_ctx);
185 (*gp_ctx)->lp_ctx = lp_ctx;
186 (*gp_ctx)->credentials = credentials;
187 (*gp_ctx)->ev_ctx = ev_ctx;
188 (*gp_ctx)->ldb_ctx = ldb_ctx;
189 (*gp_ctx)->active_dc = io->out.dcs[0];
191 /* We don't need to keep the libnet context */
192 talloc_free(net_ctx);
196 NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret)
198 struct ldb_result *result;
203 struct gp_object **gpo;
204 unsigned int i; /* same as in struct ldb_result */
207 /* Create a forked memory context, as a base for everything here */
208 mem_ctx = talloc_new(gp_ctx);
209 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
211 /* Create full ldb dn of the policies base object */
212 dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
213 rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System"));
215 DEBUG(0, ("Can't append subtree to DN\n"));
216 talloc_free(mem_ctx);
217 return NT_STATUS_UNSUCCESSFUL;
220 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn)));
222 attrs = talloc_array(mem_ctx, const char *, 7);
223 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(attrs, mem_ctx);
225 attrs[0] = "nTSecurityDescriptor";
226 attrs[1] = "versionNumber";
229 attrs[4] = "displayName";
230 attrs[5] = "gPCFileSysPath";
233 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)");
234 if (rv != LDB_SUCCESS) {
235 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
236 talloc_free(mem_ctx);
237 return NT_STATUS_UNSUCCESSFUL;
240 gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1);
241 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo, mem_ctx);
243 gpo[result->count] = NULL;
245 for (i = 0; i < result->count; i++) {
246 status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]);
247 if (!NT_STATUS_IS_OK(status)) {
248 DEBUG(0, ("Failed to parse GPO.\n"));
249 talloc_free(mem_ctx);
254 talloc_free(mem_ctx);
260 NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret)
262 struct ldb_result *result;
264 struct gp_object *gpo;
270 /* Create a forked memory context, as a base for everything here */
271 mem_ctx = talloc_new(gp_ctx);
272 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
274 /* Create an ldb dn struct for the dn string */
275 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
277 attrs = talloc_array(mem_ctx, const char *, 7);
278 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(attrs, mem_ctx);
280 attrs[0] = "nTSecurityDescriptor";
281 attrs[1] = "versionNumber";
284 attrs[4] = "displayName";
285 attrs[5] = "gPCFileSysPath";
288 rv = ldb_search(gp_ctx->ldb_ctx,
294 "objectClass=groupPolicyContainer");
295 if (rv != LDB_SUCCESS) {
296 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
297 talloc_free(mem_ctx);
298 return NT_STATUS_UNSUCCESSFUL;
301 /* We expect exactly one record */
302 if (result->count != 1) {
303 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str));
304 talloc_free(mem_ctx);
305 return NT_STATUS_NOT_FOUND;
308 status = parse_gpo(gp_ctx, result->msgs[0], &gpo);
309 if (!NT_STATUS_IS_OK(status)) {
310 DEBUG(0, ("Failed to parse GPO.\n"));
311 talloc_free(mem_ctx);
315 talloc_free(mem_ctx);
321 static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret)
325 struct gp_link **gplinks;
327 const char *gplink_start = "[LDAP://";
329 gplinks = talloc_array(mem_ctx, struct gp_link *, 1);
330 NT_STATUS_HAVE_NO_MEMORY(gplinks);
334 /* Assuming every gPLink starts with "[LDAP://" */
335 start = strlen(gplink_start);
337 for (pos = start; pos < strlen(gplink_str); pos++) {
338 if (gplink_str[pos] == ';') {
339 gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2);
340 NT_STATUS_HAVE_NO_MEMORY(gplinks);
341 gplinks[idx] = talloc(mem_ctx, struct gp_link);
342 NT_STATUS_HAVE_NO_MEMORY(gplinks[idx]);
343 gplinks[idx]->dn = talloc_strndup(mem_ctx,
346 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplinks[idx]->dn, gplinks);
348 for (start = pos + 1; gplink_str[pos] != ']'; pos++);
350 buf = talloc_strndup(gplinks, gplink_str + start, pos - start);
351 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(buf, gplinks);
352 gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0);
355 /* Set the last entry in the array to be NULL */
356 gplinks[idx + 1] = NULL;
358 /* Increment the array index, the string position past
359 the next "[LDAP://", and set the start reference */
361 pos += strlen(gplink_start)+1;
371 NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *dn_str, struct gp_link ***ret)
375 struct ldb_result *result;
376 struct gp_link **gplinks;
382 /* Create a forked memory context, as a base for everything here */
383 mem_ctx = talloc_new(gp_ctx);
384 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
386 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
388 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)");
389 if (rv != LDB_SUCCESS) {
390 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
391 talloc_free(mem_ctx);
392 return NT_STATUS_UNSUCCESSFUL;
395 for (i = 0; i < result->count; i++) {
396 for (j = 0; j < result->msgs[i]->num_elements; j++) {
397 struct ldb_message_element *element = &result->msgs[i]->elements[j];
399 if (strcmp(element->name, "gPLink") == 0) {
400 SMB_ASSERT(element->num_values > 0);
401 gplink_str = talloc_strdup(mem_ctx, (char *) element->values[0].data);
402 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplink_str, mem_ctx);
407 gplink_str = talloc_strdup(mem_ctx, "");
408 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplink_str, mem_ctx);
412 status = parse_gplink(gp_ctx, gplink_str, &gplinks);
413 if (!NT_STATUS_IS_OK(status)) {
414 DEBUG(0, ("Failed to parse gPLink\n"));
418 talloc_free(mem_ctx);
424 NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret)
428 struct ldb_result *result;
431 struct ldb_message_element *element;
433 const char *attrs[] = { "objectClass", NULL };
436 unsigned int count = 0;
439 ACCOUNT_TYPE_USER = 0,
440 ACCOUNT_TYPE_MACHINE = 1
443 /* Create a forked memory context, as a base for everything here */
444 mem_ctx = talloc_new(gp_ctx);
445 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
447 sid = ldap_encode_ndr_dom_sid(mem_ctx,
448 &token->sids[PRIMARY_USER_SID_INDEX]);
449 NT_STATUS_HAVE_NO_MEMORY(sid);
451 /* Find the user DN and objectclass via the sid from the security token */
452 rv = ldb_search(gp_ctx->ldb_ctx,
455 ldb_get_default_basedn(gp_ctx->ldb_ctx),
458 "(&(objectclass=user)(objectSid=%s))", sid);
459 if (rv != LDB_SUCCESS) {
460 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
461 ldb_errstring(gp_ctx->ldb_ctx)));
462 talloc_free(mem_ctx);
463 return NT_STATUS_UNSUCCESSFUL;
465 if (result->count != 1) {
466 DEBUG(0, ("Could not find user with sid %s.\n", sid));
467 talloc_free(mem_ctx);
468 return NT_STATUS_UNSUCCESSFUL;
470 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn)));
472 element = ldb_msg_find_element(result->msgs[0], "objectClass");
474 /* We need to know if this account is a user or machine. */
475 account_type = ACCOUNT_TYPE_USER;
476 for (i = 0; i < element->num_values; i++) {
477 if (strcmp((char *)element->values[i].data, "computer") == 0) {
478 account_type = ACCOUNT_TYPE_MACHINE;
479 DEBUG(10, ("This user is a machine\n"));
483 gpos = talloc_array(gp_ctx, const char *, 1);
484 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpos, mem_ctx);
487 /* Walk through the containers until we hit the root */
489 dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn);
490 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) {
491 const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL };
492 struct gp_link **gplinks;
493 enum gpo_inheritance gpoptions;
495 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn)));
497 /* Get the gPLink and gPOptions attributes from the container */
498 rv = ldb_search(gp_ctx->ldb_ctx,
505 if (rv != LDB_SUCCESS) {
506 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
507 ldb_errstring(gp_ctx->ldb_ctx)));
508 talloc_free(mem_ctx);
509 return NT_STATUS_UNSUCCESSFUL;
512 /* Parse the gPLink attribute, put it into a nice struct array */
513 status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks);
514 if (!NT_STATUS_IS_OK(status)) {
515 DEBUG(0, ("Failed to parse gPLink\n"));
516 talloc_free(mem_ctx);
520 /* Check all group policy links on this container */
521 for (i = 0; gplinks[i] != NULL; i++) {
522 struct gp_object *gpo;
523 uint32_t access_granted;
525 /* If inheritance was blocked at a higher level and this
526 * gplink is not enforced, it should not be applied */
527 if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE))
530 /* Don't apply disabled links */
531 if (gplinks[i]->options & GPLINK_OPT_DISABLE)
534 /* Get GPO information */
535 status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo);
536 if (!NT_STATUS_IS_OK(status)) {
537 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn));
538 talloc_free(mem_ctx);
542 /* If the account does not have read access, this GPO does not apply
544 status = sec_access_check(gpo->security_descriptor,
546 (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP),
548 if (!NT_STATUS_IS_OK(status)) {
552 /* If the account is a user and the GPO has user disabled flag, or
553 * a machine and the GPO has machine disabled flag, this GPO does
554 * not apply to this account */
555 if ((account_type == ACCOUNT_TYPE_USER &&
556 (gpo->flags & GPO_FLAG_USER_DISABLE)) ||
557 (account_type == ACCOUNT_TYPE_MACHINE &&
558 (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) {
562 /* Add the GPO to the list */
563 gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2);
564 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpos, mem_ctx);
565 gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn);
566 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpos[count], mem_ctx);
567 gpos[count+1] = NULL;
574 /* If inheritance is blocked, then we should only add enforced gPLinks
576 gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
577 if (gpoptions == GPO_BLOCK_INHERITANCE) {
580 dn = ldb_dn_get_parent(mem_ctx, dn);
583 talloc_free(mem_ctx);
589 NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink)
592 struct ldb_result *result;
594 struct ldb_message *msg;
595 const char *attrs[] = { "gPLink", NULL };
596 const char *gplink_str;
600 /* Create a forked memory context, as a base for everything here */
601 mem_ctx = talloc_new(gp_ctx);
602 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
604 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
606 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
607 if (rv != LDB_SUCCESS) {
608 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
609 talloc_free(mem_ctx);
610 return NT_STATUS_UNSUCCESSFUL;
613 if (result->count != 1) {
614 talloc_free(mem_ctx);
615 return NT_STATUS_NOT_FOUND;
618 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
620 /* If this GPO link already exists, alter the options, else add it */
621 if ((start = strcasestr(gplink_str, gplink->dn)) != NULL) {
622 start += strlen(gplink->dn);
625 while (*start != ']' && *start != '\0') {
628 gplink_str = talloc_asprintf(mem_ctx, "%s;%d%s", gplink_str, gplink->options, start);
629 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplink_str, mem_ctx);
632 /* Prepend the new GPO link to the string. This list is backwards in priority. */
633 gplink_str = talloc_asprintf(mem_ctx, "[LDAP://%s;%d]%s", gplink->dn, gplink->options, gplink_str);
634 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplink_str, mem_ctx);
639 msg = ldb_msg_new(mem_ctx);
640 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
644 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
646 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
647 talloc_free(mem_ctx);
648 return NT_STATUS_UNSUCCESSFUL;
650 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
652 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
654 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
655 talloc_free(mem_ctx);
656 return NT_STATUS_UNSUCCESSFUL;
659 talloc_free(mem_ctx);
663 NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gplink_dn)
666 struct ldb_result *result;
668 struct ldb_message *msg;
669 const char *attrs[] = { "gPLink", NULL };
670 const char *gplink_str, *search_string;
674 /* Create a forked memory context, as a base for everything here */
675 mem_ctx = talloc_new(gp_ctx);
676 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
678 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
680 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
681 if (rv != LDB_SUCCESS) {
682 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
683 talloc_free(mem_ctx);
684 return NT_STATUS_UNSUCCESSFUL;
687 if (result->count != 1) {
688 talloc_free(mem_ctx);
689 return NT_STATUS_NOT_FOUND;
692 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
694 /* If this GPO link already exists, alter the options, else add it */
695 search_string = talloc_asprintf(mem_ctx, "[LDAP://%s]", gplink_dn);
696 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(search_string, mem_ctx);
698 p = strcasestr(gplink_str, search_string);
700 talloc_free(mem_ctx);
701 return NT_STATUS_NOT_FOUND;
706 while (*p != ']' && *p != '\0') {
710 gplink_str = talloc_asprintf(mem_ctx, "%s%s", gplink_str, p);
711 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gplink_str, mem_ctx);
714 msg = ldb_msg_new(mem_ctx);
715 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
719 if (strcmp(gplink_str, "") == 0) {
720 rv = ldb_msg_add_empty(msg, "gPLink", LDB_FLAG_MOD_DELETE, NULL);
722 DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv)));
723 talloc_free(mem_ctx);
724 return NT_STATUS_UNSUCCESSFUL;
727 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
729 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
730 talloc_free(mem_ctx);
731 return NT_STATUS_UNSUCCESSFUL;
733 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
735 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
737 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
738 talloc_free(mem_ctx);
739 return NT_STATUS_UNSUCCESSFUL;
742 talloc_free(mem_ctx);
746 NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
749 struct ldb_result *result;
751 const char *attrs[] = { "gPOptions", NULL };
754 /* Create a forked memory context, as a base for everything here */
755 mem_ctx = talloc_new(gp_ctx);
756 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
758 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
760 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
761 if (rv != LDB_SUCCESS) {
762 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
763 talloc_free(mem_ctx);
764 return NT_STATUS_UNSUCCESSFUL;
767 if (result->count != 1) {
768 talloc_free(mem_ctx);
769 return NT_STATUS_NOT_FOUND;
772 *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
774 talloc_free(mem_ctx);
778 NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
780 char *inheritance_string;
781 struct ldb_message *msg;
784 msg = ldb_msg_new(gp_ctx);
785 NT_STATUS_HAVE_NO_MEMORY(msg);
787 msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
789 inheritance_string = talloc_asprintf(msg, "%d", inheritance);
790 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(inheritance_string, msg);
792 rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
794 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
796 return NT_STATUS_UNSUCCESSFUL;
798 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
800 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
802 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
804 return NT_STATUS_UNSUCCESSFUL;
811 NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
813 struct ldb_message *msg;
816 char *dn_str, *flags_str, *version_str;
817 struct ldb_dn *child_dn, *gpo_dn;
819 mem_ctx = talloc_new(gp_ctx);
820 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
823 msg = ldb_msg_new(mem_ctx);
824 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
826 msg->dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
827 dn_str = talloc_asprintf(mem_ctx, "CN=%s,CN=Policies,CN=System", gpo->name);
828 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(dn_str, mem_ctx);
830 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
831 rv = ldb_dn_add_child(msg->dn, child_dn);
832 if (!rv) goto ldb_msg_add_error;
834 flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags);
835 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(flags_str, mem_ctx);
837 version_str = talloc_asprintf(mem_ctx, "%d", gpo->version);
838 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(version_str, mem_ctx);
840 rv = ldb_msg_add_string(msg, "objectClass", "top");
841 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
842 rv = ldb_msg_add_string(msg, "objectClass", "container");
843 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
844 rv = ldb_msg_add_string(msg, "objectClass", "groupPolicyContainer");
845 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
846 rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
847 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
848 rv = ldb_msg_add_string(msg, "name", gpo->name);
849 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
850 rv = ldb_msg_add_string(msg, "CN", gpo->name);
851 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
852 rv = ldb_msg_add_string(msg, "gPCFileSysPath", gpo->file_sys_path);
853 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
854 rv = ldb_msg_add_string(msg, "flags", flags_str);
855 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
856 rv = ldb_msg_add_string(msg, "versionNumber", version_str);
857 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
858 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
859 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
860 rv = ldb_msg_add_string(msg, "gpCFunctionalityVersion", "2");
861 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
863 rv = ldb_add(gp_ctx->ldb_ctx, msg);
864 if (rv != LDB_SUCCESS) {
865 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
866 talloc_free(mem_ctx);
867 return NT_STATUS_UNSUCCESSFUL;
873 msg = ldb_msg_new(mem_ctx);
874 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
876 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
877 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=User");
878 rv = ldb_dn_add_child(msg->dn, child_dn);
879 if (!rv) goto ldb_msg_add_error;
881 rv = ldb_msg_add_string(msg, "objectClass", "top");
882 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
883 rv = ldb_msg_add_string(msg, "objectClass", "container");
884 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
885 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
886 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
887 rv = ldb_msg_add_string(msg, "CN", "User");
888 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
889 rv = ldb_msg_add_string(msg, "name", "User");
890 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
892 rv = ldb_add(gp_ctx->ldb_ctx, msg);
893 if (rv != LDB_SUCCESS) {
894 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
895 talloc_free(mem_ctx);
896 return NT_STATUS_UNSUCCESSFUL;
900 msg = ldb_msg_new(mem_ctx);
901 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
903 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
904 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Machine");
905 rv = ldb_dn_add_child(msg->dn, child_dn);
906 if (!rv) goto ldb_msg_add_error;
908 rv = ldb_msg_add_string(msg, "objectClass", "top");
909 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
910 rv = ldb_msg_add_string(msg, "objectClass", "container");
911 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
912 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
913 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
914 rv = ldb_msg_add_string(msg, "CN", "Machine");
915 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
916 rv = ldb_msg_add_string(msg, "name", "Machine");
917 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
919 rv = ldb_add(gp_ctx->ldb_ctx, msg);
920 if (rv != LDB_SUCCESS) {
921 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
922 talloc_free(mem_ctx);
923 return NT_STATUS_UNSUCCESSFUL;
926 gpo->dn = talloc_strdup(gpo, ldb_dn_get_linearized(gpo_dn));
927 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->dn, mem_ctx);
929 talloc_free(mem_ctx);
933 DEBUG(0, ("LDB Error adding element to ldb message\n"));
934 talloc_free(mem_ctx);
935 return NT_STATUS_UNSUCCESSFUL;
938 NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
942 enum ndr_err_code ndr_err;
943 struct ldb_message *msg;
946 /* Create a forked memory context to clean up easily */
947 mem_ctx = talloc_new(gp_ctx);
948 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
950 /* Push the security descriptor through the NDR library */
951 ndr_err = ndr_push_struct_blob(&data,
954 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
955 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
956 return ndr_map_error2ntstatus(ndr_err);
960 /* Create a LDB message */
961 msg = ldb_msg_new(mem_ctx);
962 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
964 msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
966 rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL);
968 DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv)));
969 talloc_free(mem_ctx);
970 return NT_STATUS_UNSUCCESSFUL;
972 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
974 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
976 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
977 talloc_free(mem_ctx);
978 return NT_STATUS_UNSUCCESSFUL;
981 talloc_free(mem_ctx);
985 /* This function sets flags, version and displayName on a GPO */
986 NTSTATUS gp_set_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
990 struct ldb_message *msg;
991 char *version_str, *flags_str;
993 mem_ctx = talloc_new(gp_ctx);
995 msg = ldb_msg_new(mem_ctx);
996 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
998 msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, gpo->dn);
1000 version_str = talloc_asprintf(mem_ctx, "%d", gpo->version);
1001 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
1003 flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags);
1004 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(msg, mem_ctx);
1006 rv = ldb_msg_add_string(msg, "flags", flags_str);
1008 DEBUG(0, ("LDB message add string failed for flags: %s\n", ldb_strerror(rv)));
1009 talloc_free(mem_ctx);
1010 return NT_STATUS_UNSUCCESSFUL;
1012 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
1014 rv = ldb_msg_add_string(msg, "version", version_str);
1016 DEBUG(0, ("LDB message add string failed for version: %s\n", ldb_strerror(rv)));
1017 talloc_free(mem_ctx);
1018 return NT_STATUS_UNSUCCESSFUL;
1020 msg->elements[1].flags = LDB_FLAG_MOD_REPLACE;
1022 rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
1024 DEBUG(0, ("LDB message add string failed for displayName: %s\n", ldb_strerror(rv)));
1025 talloc_free(mem_ctx);
1026 return NT_STATUS_UNSUCCESSFUL;
1028 msg->elements[2].flags = LDB_FLAG_MOD_REPLACE;
1030 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
1032 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
1033 talloc_free(mem_ctx);
1034 return NT_STATUS_UNSUCCESSFUL;
1037 talloc_free(mem_ctx);
1038 return NT_STATUS_OK;
git.samba.org / sfrench / samba-autobuild / .git / blob