2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Jelmer Vernooij 2008
5 * Copyright (C) Wilco Baan Hofman 2008-2010
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 3 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License
18 * along with this program; if not, see <http://www.gnu.org/licenses/>.
21 #include "param/param.h"
22 #include "lib/ldb/include/ldb.h"
23 #include "lib/ldb_wrap.h"
24 #include "auth/credentials/credentials.h"
25 #include "../librpc/gen_ndr/nbt.h"
26 #include "libcli/libcli.h"
27 #include "libnet/libnet.h"
28 #include "../librpc/gen_ndr/ndr_security.h"
29 #include "../libcli/security/dom_sid.h"
30 #include "libcli/security/security.h"
31 #include "../lib/talloc/talloc.h"
32 #include "lib/policy/policy.h"
34 struct gpo_stringmap {
38 static const struct gpo_stringmap gplink_options [] = {
39 { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE },
40 { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE },
43 static const struct gpo_stringmap gpo_flags [] = {
44 { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE },
45 { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE },
48 static const struct gpo_stringmap gpo_inheritance [] = {
49 { "GPO_INHERIT", GPO_INHERIT },
50 { "GPO_BLOCK_INHERITANCE", GPO_BLOCK_INHERITANCE },
55 static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret)
57 struct gp_object *gpo = talloc(mem_ctx, struct gp_object);
58 enum ndr_err_code ndr_err;
59 const DATA_BLOB *data;
61 gpo->dn = talloc_steal(mem_ctx, ldb_dn_get_linearized(msg->dn));
63 DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn));
65 gpo->display_name = ldb_msg_find_attr_as_string(msg, "displayName", "");
66 gpo->name = ldb_msg_find_attr_as_string(msg, "name", "");
67 gpo->flags = ldb_msg_find_attr_as_uint(msg, "name", 0);
68 gpo->version = ldb_msg_find_attr_as_uint(msg, "version", 0);
69 gpo->file_sys_path = ldb_msg_find_attr_as_string(msg, "gPCFileSysPath", "");
71 if (gpo->display_name[0] != '\0')
72 gpo->display_name = talloc_steal(mem_ctx, gpo->display_name);
73 if (gpo->name[0] != '\0')
74 gpo->name = talloc_steal(mem_ctx, gpo->name);
75 if (gpo->file_sys_path[0] != '\0')
76 gpo->file_sys_path = talloc_steal(mem_ctx, gpo->file_sys_path);
78 /* Pull the security descriptor through the NDR library */
79 data = ldb_msg_find_ldb_val(msg, "nTSecurityDescriptor");
80 gpo->security_descriptor = talloc(mem_ctx, struct security_descriptor);
81 ndr_err = ndr_pull_struct_blob(data,
83 gpo->security_descriptor,
84 (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
85 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
86 return ndr_map_error2ntstatus(ndr_err);
93 NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret)
95 unsigned int i, count=0;
96 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
100 for (i = 0; gpo_flags[i].str != NULL; i++) {
101 if (flags & gpo_flags[i].flags) {
102 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
103 flag_strs[count] = gpo_flags[i].str;
104 flag_strs[count+1] = NULL;
112 NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret)
114 unsigned int i, count=0;
115 const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
119 for (i = 0; gplink_options[i].str != NULL; i++) {
120 if (options & gplink_options[i].flags) {
121 flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
122 flag_strs[count] = gplink_options[i].str;
123 flag_strs[count+1] = NULL;
131 NTSTATUS gp_init(TALLOC_CTX *mem_ctx,
132 struct loadparm_context *lp_ctx,
133 struct cli_credentials *credentials,
134 struct tevent_context *ev_ctx,
135 struct gp_context **gp_ctx)
138 struct libnet_LookupDCs *io;
140 struct libnet_context *net_ctx;
141 struct ldb_context *ldb_ctx;
144 /* Initialise the libnet context */
145 net_ctx = libnet_context_init(ev_ctx, lp_ctx);
146 net_ctx->cred = credentials;
148 /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
149 io = talloc_zero(mem_ctx, struct libnet_LookupDCs);
150 io->in.name_type = NBT_NAME_PDC;
151 io->in.domain_name = lp_workgroup(lp_ctx);
153 /* Find Active DC's */
154 rv = libnet_LookupDCs(net_ctx, mem_ctx, io);
155 if (!NT_STATUS_IS_OK(rv)) {
156 DEBUG(0, ("Failed to lookup DCs in domain\n"));
160 /* Connect to ldap://DC_NAME with all relevant contexts*/
161 url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name);
162 ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx,
163 url, NULL, net_ctx->cred, 0);
164 if (ldb_ctx == NULL) {
165 DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url));
166 return NT_STATUS_UNSUCCESSFUL;
170 *gp_ctx = talloc_zero(mem_ctx, struct gp_context);
171 (*gp_ctx)->lp_ctx = lp_ctx;
172 (*gp_ctx)->credentials = credentials;
173 (*gp_ctx)->ev_ctx = ev_ctx;
174 (*gp_ctx)->ldb_ctx = ldb_ctx;
175 (*gp_ctx)->active_dc = io->out.dcs[0];
177 /* We don't need to keep the libnet context */
178 talloc_free(net_ctx);
182 NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret)
184 struct ldb_result *result;
189 struct gp_object **gpo;
190 unsigned int i; /* same as in struct ldb_result */
193 /* Create a forked memory context, as a base for everything here */
194 mem_ctx = talloc_new(gp_ctx);
196 /* Create full ldb dn of the policies base object */
197 dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
198 rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System"));
200 DEBUG(0, ("Can't append subtree to DN\n"));
201 talloc_free(mem_ctx);
202 return NT_STATUS_UNSUCCESSFUL;
205 DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn)));
207 attrs = talloc_array(mem_ctx, const char *, 7);
208 attrs[0] = "nTSecurityDescriptor";
209 attrs[1] = "versionNumber";
212 attrs[4] = "displayName";
213 attrs[5] = "gPCFileSysPath";
216 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)");
217 if (rv != LDB_SUCCESS) {
218 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx)));
219 talloc_free(mem_ctx);
220 return NT_STATUS_UNSUCCESSFUL;
223 gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1);
224 gpo[result->count] = NULL;
226 for (i = 0; i < result->count; i++) {
227 status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]);
228 if (!NT_STATUS_IS_OK(status)) {
229 DEBUG(0, ("Failed to parse GPO.\n"));
230 talloc_free(mem_ctx);
235 talloc_free(mem_ctx);
241 NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret)
243 struct ldb_result *result;
245 struct gp_object *gpo;
251 /* Create a forked memory context, as a base for everything here */
252 mem_ctx = talloc_new(gp_ctx);
254 /* Create an ldb dn struct for the dn string */
255 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
257 attrs = talloc_array(mem_ctx, const char *, 7);
258 attrs[0] = "nTSecurityDescriptor";
259 attrs[1] = "versionNumber";
262 attrs[4] = "displayName";
263 attrs[5] = "gPCFileSysPath";
266 rv = ldb_search(gp_ctx->ldb_ctx,
272 "objectClass=groupPolicyContainer");
273 if (rv != LDB_SUCCESS) {
274 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),ldb_errstring(gp_ctx->ldb_ctx)));
275 talloc_free(mem_ctx);
276 return NT_STATUS_UNSUCCESSFUL;
279 /* We expect exactly one record */
280 if (result->count != 1) {
281 DEBUG(0, ("Could not find GPC with dn %s\n", dn_str));
282 talloc_free(mem_ctx);
283 return NT_STATUS_NOT_FOUND;
286 status = parse_gpo(gp_ctx, result->msgs[0], &gpo);
287 if (!NT_STATUS_IS_OK(status)) {
288 DEBUG(0, ("Failed to parse GPO.\n"));
289 talloc_free(mem_ctx);
293 talloc_free(mem_ctx);
299 static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret)
303 struct gp_link **gplinks;
306 gplinks = talloc_array(mem_ctx, struct gp_link *, 1);
309 /* Assuming every gPLink starts with "[LDAP://" */
312 for (pos = start; pos < strlen(gplink_str); pos++) {
313 if (gplink_str[pos] == ';') {
314 gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2);
315 gplinks[idx] = talloc(mem_ctx, struct gp_link);
316 gplinks[idx]->dn = talloc_strndup(mem_ctx,
320 for (start = pos + 1; gplink_str[pos] != ']'; pos++);
322 buf = talloc_strndup(gplinks, gplink_str + start, pos - start);
323 gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0);
326 /* Set the last entry in the array to be NULL */
327 gplinks[idx + 1] = NULL;
329 /* Increment the array index, the string position past
330 the next "[LDAP://", and set the start reference */
342 NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *dn_str, struct gp_link ***ret)
346 struct ldb_result *result;
347 struct gp_link **gplinks;
353 /* Create a forked memory context, as a base for everything here */
354 mem_ctx = talloc_new(gp_ctx);
356 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
358 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)");
359 if (rv != LDB_SUCCESS) {
360 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
361 talloc_free(mem_ctx);
362 return NT_STATUS_UNSUCCESSFUL;
365 for (i = 0; i < result->count; i++) {
366 for (j = 0; j < result->msgs[i]->num_elements; j++) {
367 struct ldb_message_element *element = &result->msgs[i]->elements[j];
369 if (strcmp(element->name, "gPLink") == 0) {
370 SMB_ASSERT(element->num_values > 0);
371 gplink_str = talloc_strdup(mem_ctx, (char *) element->values[0].data);
376 gplink_str = talloc_strdup(mem_ctx, "");
380 status = parse_gplink(gp_ctx, gplink_str, &gplinks);
381 if (!NT_STATUS_IS_OK(status)) {
382 DEBUG(0, ("Failed to parse gPLink\n"));
386 talloc_free(mem_ctx);
392 NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret)
396 struct ldb_result *result;
399 struct ldb_message_element *element;
401 const char *attrs[] = { "objectClass", NULL };
404 unsigned int count = 0;
407 ACCOUNT_TYPE_USER = 0,
408 ACCOUNT_TYPE_MACHINE = 1
411 /* Create a forked memory context, as a base for everything here */
412 mem_ctx = talloc_new(gp_ctx);
414 sid = dom_sid_string(mem_ctx, token->user_sid);
416 /* Find the user DN and objectclass via the sid from the security token */
417 rv = ldb_search(gp_ctx->ldb_ctx,
420 ldb_get_default_basedn(gp_ctx->ldb_ctx),
423 "(&(objectclass=user)(objectSid=%s))", sid);
424 if (rv != LDB_SUCCESS) {
425 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
426 ldb_errstring(gp_ctx->ldb_ctx)));
427 talloc_free(mem_ctx);
428 return NT_STATUS_UNSUCCESSFUL;
430 if (result->count != 1) {
431 DEBUG(0, ("Could not find user with sid %s.\n", sid));
432 talloc_free(mem_ctx);
433 return NT_STATUS_UNSUCCESSFUL;
435 DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn)));
437 element = ldb_msg_find_element(result->msgs[0], "objectClass");
439 /* We need to know if this account is a user or machine. */
440 account_type = ACCOUNT_TYPE_USER;
441 for (i = 0; i < element->num_values; i++) {
442 if (strcmp((char *)element->values[i].data, "computer") == 0) {
443 account_type = ACCOUNT_TYPE_MACHINE;
444 DEBUG(10, ("This user is a machine\n"));
448 gpos = talloc_array(gp_ctx, const char *, 1);
451 /* Walk through the containers until we hit the root */
453 dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn);
454 while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) {
455 const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL };
456 struct gp_link **gplinks;
457 enum gpo_inheritance gpoptions;
459 DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn)));
461 /* Get the gPLink and gPOptions attributes from the container */
462 rv = ldb_search(gp_ctx->ldb_ctx,
469 if (rv != LDB_SUCCESS) {
470 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
471 ldb_errstring(gp_ctx->ldb_ctx)));
472 talloc_free(mem_ctx);
473 return NT_STATUS_UNSUCCESSFUL;
476 /* Parse the gPLink attribute, put it into a nice struct array */
477 status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks);
478 if (!NT_STATUS_IS_OK(status)) {
479 DEBUG(0, ("Failed to parse gPLink\n"));
480 talloc_free(mem_ctx);
484 /* Check all group policy links on this container */
485 for (i = 0; gplinks[i] != NULL; i++) {
486 struct gp_object *gpo;
487 uint32_t access_granted;
489 /* If inheritance was blocked at a higher level and this
490 * gplink is not enforced, it should not be applied */
491 if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE))
494 /* Don't apply disabled links */
495 if (gplinks[i]->options & GPLINK_OPT_DISABLE)
498 /* Get GPO information */
499 status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo);
500 if (!NT_STATUS_IS_OK(status)) {
501 DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn));
502 talloc_free(mem_ctx);
506 /* If the account does not have read access, this GPO does not apply
508 status = sec_access_check(gpo->security_descriptor,
510 (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP),
512 if (!NT_STATUS_IS_OK(status)) {
516 /* If the account is a user and the GPO has user disabled flag, or
517 * a machine and the GPO has machine disabled flag, this GPO does
518 * not apply to this account */
519 if ((account_type == ACCOUNT_TYPE_USER &&
520 (gpo->flags & GPO_FLAG_USER_DISABLE)) ||
521 (account_type == ACCOUNT_TYPE_MACHINE &&
522 (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) {
526 /* Add the GPO to the list */
527 gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2);
528 gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn);
529 gpos[count+1] = NULL;
536 /* If inheritance is blocked, then we should only add enforced gPLinks
538 gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
539 if (gpoptions == GPO_BLOCK_INHERITANCE) {
542 dn = ldb_dn_get_parent(mem_ctx, dn);
545 talloc_free(mem_ctx);
551 NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink)
554 struct ldb_result *result;
556 struct ldb_message *msg;
557 const char *attrs[] = { "gPLink", NULL };
558 const char *gplink_str;
562 /* Create a forked memory context, as a base for everything here */
563 mem_ctx = talloc_new(gp_ctx);
565 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
567 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
568 if (rv != LDB_SUCCESS) {
569 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
570 talloc_free(mem_ctx);
571 return NT_STATUS_UNSUCCESSFUL;
574 if (result->count != 1) {
575 talloc_free(mem_ctx);
576 return NT_STATUS_NOT_FOUND;
579 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
581 /* If this GPO link already exists, alter the options, else add it */
582 if ((start = strcasestr(gplink_str, gplink->dn)) != NULL) {
583 start += strlen(gplink->dn);
586 while (*start != ']' && *start != '\0') {
589 gplink_str = talloc_asprintf(mem_ctx, "%s;%d%s", gplink_str, gplink->options, start);
592 /* Prepend the new GPO link to the string. This list is backwards in priority. */
593 gplink_str = talloc_asprintf(mem_ctx, "[LDAP://%s;%d]%s", gplink->dn, gplink->options, gplink_str);
598 msg = ldb_msg_new(mem_ctx);
601 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
603 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
604 talloc_free(mem_ctx);
605 return NT_STATUS_UNSUCCESSFUL;
607 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
609 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
611 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
612 talloc_free(mem_ctx);
613 return NT_STATUS_UNSUCCESSFUL;
616 talloc_free(mem_ctx);
620 NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gplink_dn)
623 struct ldb_result *result;
625 struct ldb_message *msg;
626 const char *attrs[] = { "gPLink", NULL };
627 const char *gplink_str;
631 /* Create a forked memory context, as a base for everything here */
632 mem_ctx = talloc_new(gp_ctx);
634 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
636 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
637 if (rv != LDB_SUCCESS) {
638 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
639 talloc_free(mem_ctx);
640 return NT_STATUS_UNSUCCESSFUL;
643 if (result->count != 1) {
644 talloc_free(mem_ctx);
645 return NT_STATUS_NOT_FOUND;
648 gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
650 /* If this GPO link already exists, alter the options, else add it */
651 p = strcasestr(gplink_str, talloc_asprintf(mem_ctx, "[LDAP://%s", gplink_dn));
653 talloc_free(mem_ctx);
654 return NT_STATUS_NOT_FOUND;
659 while (*p != ']' && *p != '\0') {
663 gplink_str = talloc_asprintf(mem_ctx, "%s%s", gplink_str, p);
666 msg = ldb_msg_new(mem_ctx);
669 if (strcmp(gplink_str, "") == 0) {
670 rv = ldb_msg_add_empty(msg, "gPLink", LDB_FLAG_MOD_DELETE, NULL);
672 DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv)));
673 talloc_free(mem_ctx);
674 return NT_STATUS_UNSUCCESSFUL;
677 rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
679 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
680 talloc_free(mem_ctx);
681 return NT_STATUS_UNSUCCESSFUL;
683 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
685 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
687 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
688 talloc_free(mem_ctx);
689 return NT_STATUS_UNSUCCESSFUL;
692 talloc_free(mem_ctx);
696 NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
699 struct ldb_result *result;
701 const char *attrs[] = { "gPOptions", NULL };
704 /* Create a forked memory context, as a base for everything here */
705 mem_ctx = talloc_new(gp_ctx);
707 dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
709 rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
710 if (rv != LDB_SUCCESS) {
711 DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
712 talloc_free(mem_ctx);
713 return NT_STATUS_UNSUCCESSFUL;
716 if (result->count != 1) {
717 talloc_free(mem_ctx);
718 return NT_STATUS_NOT_FOUND;
721 *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
723 talloc_free(mem_ctx);
727 NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
729 char *inheritance_string;
730 struct ldb_message *msg;
733 msg = ldb_msg_new(gp_ctx);
734 msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
736 inheritance_string = talloc_asprintf(msg, "%d", inheritance);
738 rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
740 DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
742 return NT_STATUS_UNSUCCESSFUL;
744 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
746 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
748 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
750 return NT_STATUS_UNSUCCESSFUL;
757 NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
759 struct ldb_message *msg;
763 struct ldb_dn *child_dn, *gpo_dn;
765 mem_ctx = talloc_new(gp_ctx);
768 msg = ldb_msg_new(mem_ctx);
770 msg->dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
771 dn_str = talloc_asprintf(mem_ctx, "CN=%s,CN=Policies,CN=System", gpo->name);
772 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
773 rv = ldb_dn_add_child(msg->dn, child_dn);
774 if (!rv) goto ldb_msg_add_error;
776 rv = ldb_msg_add_string(msg, "objectClass", "top");
777 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
778 rv = ldb_msg_add_string(msg, "objectClass", "container");
779 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
780 rv = ldb_msg_add_string(msg, "objectClass", "groupPolicyContainer");
781 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
782 rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
783 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
784 rv = ldb_msg_add_string(msg, "name", gpo->name);
785 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
786 rv = ldb_msg_add_string(msg, "CN", gpo->name);
787 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
788 rv = ldb_msg_add_string(msg, "gPCFileSysPath", gpo->file_sys_path);
789 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
790 rv = ldb_msg_add_string(msg, "flags",
791 talloc_asprintf(mem_ctx, "%d", gpo->flags));
792 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
793 rv = ldb_msg_add_string(msg, "versionNumber",
794 talloc_asprintf(mem_ctx, "%d", gpo->version));
795 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
796 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
797 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
798 rv = ldb_msg_add_string(msg, "gpCFunctionalityVersion", "2");
799 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
801 rv = ldb_add(gp_ctx->ldb_ctx, msg);
802 if (rv != LDB_SUCCESS) {
803 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
804 talloc_free(mem_ctx);
805 return NT_STATUS_UNSUCCESSFUL;
811 msg = ldb_msg_new(mem_ctx);
812 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
813 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=User");
814 rv = ldb_dn_add_child(msg->dn, child_dn);
815 if (!rv) goto ldb_msg_add_error;
817 rv = ldb_msg_add_string(msg, "objectClass", "top");
818 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
819 rv = ldb_msg_add_string(msg, "objectClass", "container");
820 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
821 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
822 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
823 rv = ldb_msg_add_string(msg, "CN", "User");
824 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
825 rv = ldb_msg_add_string(msg, "name", "User");
826 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
828 rv = ldb_add(gp_ctx->ldb_ctx, msg);
829 if (rv != LDB_SUCCESS) {
830 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
831 talloc_free(mem_ctx);
832 return NT_STATUS_UNSUCCESSFUL;
836 msg = ldb_msg_new(mem_ctx);
837 msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
838 child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Machine");
839 rv = ldb_dn_add_child(msg->dn, child_dn);
840 if (!rv) goto ldb_msg_add_error;
842 rv = ldb_msg_add_string(msg, "objectClass", "top");
843 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
844 rv = ldb_msg_add_string(msg, "objectClass", "container");
845 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
846 rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
847 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
848 rv = ldb_msg_add_string(msg, "CN", "Machine");
849 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
850 rv = ldb_msg_add_string(msg, "name", "Machine");
851 if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
853 rv = ldb_add(gp_ctx->ldb_ctx, msg);
854 if (rv != LDB_SUCCESS) {
855 DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
856 talloc_free(mem_ctx);
857 return NT_STATUS_UNSUCCESSFUL;
860 gpo->dn = talloc_steal(gpo, ldb_dn_get_linearized(gpo_dn));
862 talloc_free(mem_ctx);
866 DEBUG(0, ("LDB Error adding element to ldb message\n"));
867 talloc_free(mem_ctx);
868 return NT_STATUS_UNSUCCESSFUL;
871 NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
875 enum ndr_err_code ndr_err;
876 struct ldb_message *msg;
879 /* Create a forked memory context to clean up easily */
880 mem_ctx = talloc_new(gp_ctx);
882 /* Push the security descriptor through the NDR library */
883 ndr_err = ndr_push_struct_blob(&data,
886 (ndr_push_flags_fn_t)ndr_push_security_descriptor);
887 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
888 return ndr_map_error2ntstatus(ndr_err);
892 /* Create a LDB message */
893 msg = ldb_msg_new(mem_ctx);
894 msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
896 rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL);
898 DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv)));
899 talloc_free(mem_ctx);
900 return NT_STATUS_UNSUCCESSFUL;
902 msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
904 rv = ldb_modify(gp_ctx->ldb_ctx, msg);
906 DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
907 talloc_free(mem_ctx);
908 return NT_STATUS_UNSUCCESSFUL;
911 talloc_free(mem_ctx);