diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-05 17:47:29 +0000 |
commit | 4f5791ebd03eaec1c7da0865a383175b05102712 (patch) | |
tree | 8ce7b00f7a76baa386372422adebbe64510812d4 /source4/lib/policy | |
parent | Initial commit. (diff) | |
download | samba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip |
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source4/lib/policy')
-rw-r--r-- | source4/lib/policy/gp_filesys.c | 698 | ||||
-rw-r--r-- | source4/lib/policy/gp_ini.c | 133 | ||||
-rw-r--r-- | source4/lib/policy/gp_ldap.c | 1130 | ||||
-rw-r--r-- | source4/lib/policy/gp_manage.c | 329 | ||||
-rw-r--r-- | source4/lib/policy/policy.h | 125 | ||||
-rw-r--r-- | source4/lib/policy/pypolicy.c | 174 | ||||
-rw-r--r-- | source4/lib/policy/samba-policy.pc.in | 12 | ||||
-rw-r--r-- | source4/lib/policy/wscript_build | 22 |
8 files changed, 2623 insertions, 0 deletions
diff --git a/source4/lib/policy/gp_filesys.c b/source4/lib/policy/gp_filesys.c new file mode 100644 index 0000000..8ad4645 --- /dev/null +++ b/source4/lib/policy/gp_filesys.c @@ -0,0 +1,698 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Wilco Baan Hofman 2008-2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "system/filesys.h" +#include "lib/policy/policy.h" +#include "libcli/raw/smb.h" +#include "libcli/libcli.h" +#include "param/param.h" +#include "libcli/resolve/resolve.h" +#include "libcli/raw/libcliraw.h" +#include <dirent.h> +#include <errno.h> + +#define GP_MAX_DEPTH 25 + +struct gp_file_entry { + bool is_directory; + const char *rel_path; +}; +struct gp_file_list { + uint32_t num_files; + struct gp_file_entry *files; +}; +struct gp_list_state { + struct smbcli_tree *tree; + uint8_t depth; + const char *cur_rel_path; + const char *share_path; + + struct gp_file_list list; +}; + +static NTSTATUS gp_do_list(const char *, struct gp_list_state *); + +/* Create a temporary policy directory */ +static const char *gp_tmpdir(TALLOC_CTX *mem_ctx) +{ + char *gp_dir = talloc_asprintf(mem_ctx, "%s/policy", tmpdir()); + struct stat st; + int rv; + + if (gp_dir == NULL) return NULL; + + if (stat(gp_dir, &st) != 0) { + rv = mkdir(gp_dir, 0755); + if (rv < 0) { + DEBUG(0, ("Failed to create directory %s: %s\n", + gp_dir, strerror(errno))); + talloc_free(gp_dir); + return NULL; + } + } + + return gp_dir; +} + +/* This function is called by the smbcli_list function */ +static void gp_list_helper (struct clilist_file_info *info, const char *mask, + void *list_state_ptr) +{ + struct gp_list_state *state = list_state_ptr; + const char *rel_path; + + /* Ignore . and .. directory entries */ + if (strcmp(info->name, ".") == 0 || strcmp(info->name, "..") == 0) { + return; + } + + /* Safety check against ../.. in filenames which may occur on non-POSIX + * platforms */ + if (strstr(info->name, "../")) { + return; + } + + rel_path = talloc_asprintf(state, "%s\\%s", state->cur_rel_path, info->name); + if (rel_path == NULL) return; + + /* Append entry to file list */ + state->list.files = talloc_realloc(state, state->list.files, + struct gp_file_entry, + state->list.num_files + 1); + if (state->list.files == NULL) return; + + state->list.files[state->list.num_files].rel_path = rel_path; + + /* Directory */ + if (info->attrib & FILE_ATTRIBUTE_DIRECTORY) { + state->list.files[state->list.num_files].is_directory = true; + state->list.num_files++; + + /* Recurse into this directory if the depth is below the maximum */ + if (state->depth < GP_MAX_DEPTH) { + gp_do_list(rel_path, state); + } + + return; + } + + state->list.files[state->list.num_files].is_directory = false; + state->list.num_files++; + + return; +} + +static NTSTATUS gp_do_list (const char *rel_path, struct gp_list_state *state) +{ + uint16_t attributes; + int rv; + char *mask; + const char *old_rel_path; + + attributes = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN | + FILE_ATTRIBUTE_DIRECTORY; + + /* Update the relative paths, while buffering the parent */ + old_rel_path = state->cur_rel_path; + state->cur_rel_path = rel_path; + state->depth++; + + /* Get the current mask */ + mask = talloc_asprintf(state, "%s%s\\*", state->share_path, rel_path); + NT_STATUS_HAVE_NO_MEMORY(mask); + rv = smbcli_list(state->tree, mask, attributes, gp_list_helper, state); + talloc_free(mask); + + /* Go back to the state of the parent */ + state->cur_rel_path = old_rel_path; + state->depth--; + + if (rv == -1) + return NT_STATUS_UNSUCCESSFUL; + + return NT_STATUS_OK; +} + +static NTSTATUS gp_cli_connect(struct gp_context *gp_ctx) +{ + struct smbcli_options options; + struct smbcli_session_options session_options; + + if (gp_ctx->cli != NULL) + return NT_STATUS_OK; + + gp_ctx->cli = smbcli_state_init(gp_ctx); + + lpcfg_smbcli_options(gp_ctx->lp_ctx, &options); + lpcfg_smbcli_session_options(gp_ctx->lp_ctx, &session_options); + + return smbcli_full_connection(gp_ctx, + &gp_ctx->cli, + gp_ctx->active_dc->name, + lpcfg_smb_ports(gp_ctx->lp_ctx), + "sysvol", + NULL, + lpcfg_socket_options(gp_ctx->lp_ctx), + gp_ctx->credentials, + lpcfg_resolve_context(gp_ctx->lp_ctx), + gp_ctx->ev_ctx, + &options, + &session_options, + lpcfg_gensec_settings(gp_ctx, gp_ctx->lp_ctx)); +} + +static char * gp_get_share_path(TALLOC_CTX *mem_ctx, const char *file_sys_path) +{ + unsigned int i, bkslash_cnt; + + /* Get the path from the share down (\\..\..\(this\stuff) */ + for (i = 0, bkslash_cnt = 0; file_sys_path[i] != '\0'; i++) { + if (file_sys_path[i] == '\\') + bkslash_cnt++; + + if (bkslash_cnt == 4) { + return talloc_strdup(mem_ctx, &file_sys_path[i]); + } + } + + return NULL; +} + +static NTSTATUS gp_get_file (struct smbcli_tree *tree, const char *remote_src, + const char *local_dst) +{ + int fh_remote, fh_local; + uint8_t *buf; + size_t nread = 0; + size_t buf_size = 1024; + size_t file_size; + uint16_t attr; + + /* Open the remote file */ + fh_remote = smbcli_open(tree, remote_src, O_RDONLY, DENY_NONE); + if (fh_remote == -1) { + DEBUG(0, ("Failed to open remote file: %s\n", remote_src)); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Open the local file */ + fh_local = open(local_dst, O_WRONLY | O_CREAT | O_TRUNC, 0644); + if (fh_local == -1) { + DEBUG(0, ("Failed to open local file: %s\n", local_dst)); + smbcli_close(tree, fh_remote); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Get the remote file size for error checking */ + if (NT_STATUS_IS_ERR(smbcli_qfileinfo(tree, fh_remote, + &attr, &file_size, NULL, NULL, NULL, NULL, NULL)) && + NT_STATUS_IS_ERR(smbcli_getattrE(tree, fh_remote, + &attr, &file_size, NULL, NULL, NULL))) { + DEBUG(0, ("Failed to get remote file size: %s\n", smbcli_errstr(tree))); + smbcli_close(tree, fh_remote); + close(fh_local); + return NT_STATUS_UNSUCCESSFUL; + } + + buf = talloc_zero_array(tree, uint8_t, buf_size); + if (buf == NULL) { + smbcli_close(tree, fh_remote); + close(fh_local); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the contents of the file */ + while (1) { + int n = smbcli_read(tree, fh_remote, buf, nread, buf_size); + + if (n <= 0) { + break; + } + + if (write(fh_local, buf, n) != n) { + DEBUG(0, ("Short write while copying file.\n")); + smbcli_close(tree, fh_remote); + close(fh_local); + talloc_free(buf); + return NT_STATUS_UNSUCCESSFUL; + } + nread += n; + } + + /* Close the files */ + smbcli_close(tree, fh_remote); + close(fh_local); + + talloc_free(buf); + + /* Bytes read should match the file size, or the copy was incomplete */ + if (nread != file_size) { + DEBUG(0, ("Remote/local file size mismatch after copying file: " + "%s (remote %zu, local %zu).\n", + remote_src, file_size, nread)); + return NT_STATUS_UNSUCCESSFUL; + } + + return NT_STATUS_OK; +} + +static NTSTATUS gp_get_files(struct smbcli_tree *tree, const char *share_path, + const char *local_path, struct gp_file_list *list) +{ + uint32_t i; + int rv; + char *local_rel_path, *full_local_path, *full_remote_path; + TALLOC_CTX *mem_ctx; + NTSTATUS status; + + mem_ctx = talloc_new(tree); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + for (i = 0; i < list->num_files; i++) { + + /* Get local path by replacing backslashes with slashes */ + local_rel_path = talloc_strdup(mem_ctx, list->files[i].rel_path); + if (local_rel_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + string_replace(local_rel_path, '\\', '/'); + + full_local_path = talloc_asprintf(mem_ctx, "%s%s", local_path, + local_rel_path); + if (full_local_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* If the entry is a directory, create it. */ + if (list->files[i].is_directory == true) { + rv = mkdir(full_local_path, 0755); + if (rv < 0) { + DEBUG(0, ("Failed to create directory %s: %s\n", + full_local_path, strerror(errno))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + continue; + } + + full_remote_path = talloc_asprintf(mem_ctx, "%s%s", share_path, + list->files[i].rel_path); + if (full_remote_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Get the file */ + status = gp_get_file(tree, full_remote_path, full_local_path); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Error getting file.\n")); + talloc_free(mem_ctx); + return status; + } + } + + return NT_STATUS_OK; +} + +NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo, + const char **ret_local_path) +{ + TALLOC_CTX *mem_ctx; + struct gp_list_state *state; + NTSTATUS status; + struct stat st; + int rv; + const char *local_path, *share_path; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + if (gp_ctx->cli == NULL) { + status = gp_cli_connect(gp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to create cli connection to DC\n")); + talloc_free(mem_ctx); + return status; + } + } + + /* Get the remote path to copy from */ + share_path = gp_get_share_path(mem_ctx, gpo->file_sys_path); + if (share_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Get the local path to copy to */ + local_path = talloc_asprintf(gp_ctx, "%s/%s", gp_tmpdir(mem_ctx), gpo->name); + if (local_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Prepare the state structure */ + state = talloc_zero(mem_ctx, struct gp_list_state); + if (state == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + state->tree = gp_ctx->cli->tree; + state->share_path = share_path; + + /* Create the GPO dir if it does not exist */ + if (stat(local_path, &st) != 0) { + rv = mkdir(local_path, 0755); + if (rv < 0) { + DEBUG(0, ("Could not create local path\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + } + + /* Get the file list */ + status = gp_do_list("", state); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Could not list GPO files on remote server\n")); + talloc_free(mem_ctx); + return status; + } + + /* If the list has no entries there is a problem. */ + if (state->list.num_files == 0) { + DEBUG(0, ("File list is has no entries. Is the GPT directory empty?\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Fetch the files */ + status = gp_get_files(gp_ctx->cli->tree, share_path, local_path, &state->list); + + /* Return the local path to the gpo */ + *ret_local_path = local_path; + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +static NTSTATUS push_recursive (struct gp_context *gp_ctx, const char *local_path, + const char *remote_path, int depth) +{ + DIR *dir; + struct dirent *dirent; + char *entry_local_path = NULL; + char *entry_remote_path = NULL; + int local_fd = -1, remote_fd = -1; + int buf[1024]; + int nread, total_read; + struct stat s; + NTSTATUS status; + + dir = opendir(local_path); + while ((dirent = readdir(dir)) != NULL) { + if (strcmp(dirent->d_name, ".") == 0 || + strcmp(dirent->d_name, "..") == 0) { + continue; + } + + entry_local_path = talloc_asprintf(gp_ctx, "%s/%s", local_path, + dirent->d_name); + if (entry_local_path == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + entry_remote_path = talloc_asprintf(gp_ctx, "%s\\%s", + remote_path, dirent->d_name); + if (entry_remote_path == NULL) { + status = NT_STATUS_NO_MEMORY; + goto done; + } + + if (stat(entry_local_path, &s) != 0) { + status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + if (s.st_mode & S_IFDIR) { + DEBUG(6, ("Pushing directory %s to %s on sysvol\n", + entry_local_path, entry_remote_path)); + smbcli_mkdir(gp_ctx->cli->tree, entry_remote_path); + if (depth < GP_MAX_DEPTH) { + push_recursive(gp_ctx, entry_local_path, + entry_remote_path, depth+1); + } + } else { + DEBUG(6, ("Pushing file %s to %s on sysvol\n", + entry_local_path, entry_remote_path)); + remote_fd = smbcli_open(gp_ctx->cli->tree, + entry_remote_path, + O_WRONLY | O_CREAT, + 0); + if (remote_fd < 0) { + DEBUG(0, ("Failed to create remote file: %s\n", + entry_remote_path)); + status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + local_fd = open(entry_local_path, O_RDONLY); + if (local_fd < 0) { + DEBUG(0, ("Failed to open local file: %s\n", + entry_local_path)); + status = NT_STATUS_UNSUCCESSFUL; + goto done; + } + total_read = 0; + while ((nread = read(local_fd, &buf, sizeof(buf)))) { + if (nread == -1) { + DBG_ERR("read failed with errno %s\n", + strerror(errno)); + status = NT_STATUS_UNSUCCESSFUL; + close(local_fd); + local_fd = -1; + goto done; + } + smbcli_write(gp_ctx->cli->tree, remote_fd, 0, + &buf, total_read, nread); + total_read += nread; + } + + close(local_fd); + local_fd = -1; + smbcli_close(gp_ctx->cli->tree, remote_fd); + remote_fd = -1; + } + TALLOC_FREE(entry_local_path); + TALLOC_FREE(entry_remote_path); + } + + status = NT_STATUS_OK; +done: + if (local_fd != -1) { + close(local_fd); + } + if (remote_fd != -1) { + smbcli_close(gp_ctx->cli->tree, remote_fd); + } + talloc_free(entry_local_path); + talloc_free(entry_remote_path); + + closedir(dir); + + return status; +} + + + +NTSTATUS gp_push_gpt(struct gp_context *gp_ctx, const char *local_path, + const char *file_sys_path) +{ + NTSTATUS status; + char *share_path; + + if (gp_ctx->cli == NULL) { + status = gp_cli_connect(gp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to create cli connection to DC\n")); + return status; + } + } + share_path = gp_get_share_path(gp_ctx, file_sys_path); + + DEBUG(5, ("Copying %s to %s on sysvol\n", local_path, share_path)); + + smbcli_mkdir(gp_ctx->cli->tree, share_path); + + status = push_recursive(gp_ctx, local_path, share_path, 0); + + talloc_free(share_path); + return status; +} + +NTSTATUS gp_create_gpt(struct gp_context *gp_ctx, const char *name, + const char *file_sys_path) +{ + TALLOC_CTX *mem_ctx; + const char *tmp_dir, *policy_dir, *tmp_str; + int rv; + int fd; + NTSTATUS status; + const char *file_content = "[General]\r\nVersion=0\r\n"; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + tmp_dir = gp_tmpdir(mem_ctx); + NT_STATUS_HAVE_NO_MEMORY(tmp_dir); + policy_dir = talloc_asprintf(mem_ctx, "%s/%s", tmp_dir, name); + NT_STATUS_HAVE_NO_MEMORY(policy_dir); + + /* Create the directories */ + + rv = mkdir(policy_dir, 0755); + if (rv < 0) { + DEBUG(0, ("Could not create the policy dir: %s\n", policy_dir)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + tmp_str = talloc_asprintf(mem_ctx, "%s/User", policy_dir); + NT_STATUS_HAVE_NO_MEMORY(tmp_str); + rv = mkdir(tmp_str, 0755); + if (rv < 0) { + DEBUG(0, ("Could not create the User dir: %s\n", tmp_str)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + tmp_str = talloc_asprintf(mem_ctx, "%s/Machine", policy_dir); + NT_STATUS_HAVE_NO_MEMORY(tmp_str); + rv = mkdir(tmp_str, 0755); + if (rv < 0) { + DEBUG(0, ("Could not create the Machine dir: %s\n", tmp_str)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Create a GPT.INI with version 0 */ + + tmp_str = talloc_asprintf(mem_ctx, "%s/GPT.INI", policy_dir); + NT_STATUS_HAVE_NO_MEMORY(tmp_str); + fd = open(tmp_str, O_CREAT | O_WRONLY, 0644); + if (fd < 0) { + DEBUG(0, ("Could not create the GPT.INI: %s\n", tmp_str)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + rv = write(fd, file_content, strlen(file_content)); + close(fd); + if (rv != strlen(file_content)) { + DEBUG(0, ("Short write in GPT.INI\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Upload the GPT to the sysvol share on a DC */ + status = gp_push_gpt(gp_ctx, policy_dir, file_sys_path); + if (!NT_STATUS_IS_OK(status)) { + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx, + struct gp_object *gpo, + struct security_descriptor *sd) +{ + TALLOC_CTX *mem_ctx; + NTSTATUS status; + union smb_setfileinfo fileinfo; + union smb_open io; + union smb_close io_close; + + /* Create a connection to sysvol if it is not already there */ + if (gp_ctx->cli == NULL) { + status = gp_cli_connect(gp_ctx); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to create cli connection to DC\n")); + return status; + } + } + + /* Create a forked memory context which can be freed easily */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Open the directory with NTCreate AndX call */ + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.root_fid.fnum = 0; + io.ntcreatex.in.flags = 0; + io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE; + io.ntcreatex.in.alloc_size = 0; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN; + io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.fname = gp_get_share_path(mem_ctx, gpo->file_sys_path); + status = smb_raw_open(gp_ctx->cli->tree, mem_ctx, &io); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Can't open GPT directory\n")); + talloc_free(mem_ctx); + return status; + } + + /* Set the security descriptor on the directory */ + fileinfo.generic.level = RAW_SFILEINFO_SEC_DESC; + fileinfo.set_secdesc.in.file.fnum = io.ntcreatex.out.file.fnum; + fileinfo.set_secdesc.in.secinfo_flags = SECINFO_PROTECTED_DACL | + SECINFO_OWNER | + SECINFO_GROUP | + SECINFO_DACL; + fileinfo.set_secdesc.in.sd = sd; + status = smb_raw_setfileinfo(gp_ctx->cli->tree, &fileinfo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set security descriptor on the GPT\n")); + talloc_free(mem_ctx); + return status; + } + + /* Close the directory */ + io_close.close.level = RAW_CLOSE_CLOSE; + io_close.close.in.file.fnum = io.ntcreatex.out.file.fnum; + io_close.close.in.write_time = 0; + status = smb_raw_close(gp_ctx->cli->tree, &io_close); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to close directory\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/lib/policy/gp_ini.c b/source4/lib/policy/gp_ini.c new file mode 100644 index 0000000..da2f5f4 --- /dev/null +++ b/source4/lib/policy/gp_ini.c @@ -0,0 +1,133 @@ + +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Wilco Baan Hofman 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "lib/util/samba_util.h" +#include "lib/policy/policy.h" + +struct gp_parse_context { + struct gp_ini_context *ini; + int32_t cur_section; +}; + + +static bool gp_add_ini_section(const char *name, void *callback_data) +{ + struct gp_parse_context *parse = callback_data; + struct gp_ini_context *ini = parse->ini; + + ini->sections = talloc_realloc(ini, ini->sections, struct gp_ini_section, ini->num_sections+1); + if (ini->sections == NULL) return false; + ini->sections[ini->num_sections].name = talloc_strdup(ini, name); + if (ini->sections[ini->num_sections].name == NULL) return false; + parse->cur_section = ini->num_sections; + ini->num_sections++; + + return true; +} + +static bool gp_add_ini_param(const char *name, const char *value, void *callback_data) +{ + struct gp_parse_context *parse = callback_data; + struct gp_ini_context *ini = parse->ini; + struct gp_ini_section *section; + + if (parse->cur_section == -1) { + return false; + } + + section = &ini->sections[parse->cur_section]; + + section->params = talloc_realloc(ini, ini->sections[parse->cur_section].params, struct gp_ini_param, section->num_params+1); + if (section->params == NULL) return false; + section->params[section->num_params].name = talloc_strdup(ini, name); + if (section->params[section->num_params].name == NULL) return false; + section->params[section->num_params].value = talloc_strdup(ini, value); + if (section->params[section->num_params].value == NULL) return false; + section->num_params++; + + return true; +} + +NTSTATUS gp_parse_ini(TALLOC_CTX *mem_ctx, struct gp_context *gp_ctx, const char *filename, struct gp_ini_context **ret) +{ + struct gp_parse_context parse; + bool rv; + + parse.ini = talloc_zero(mem_ctx, struct gp_ini_context); + NT_STATUS_HAVE_NO_MEMORY(parse.ini); + parse.cur_section = -1; + + rv = pm_process(filename, gp_add_ini_section, gp_add_ini_param, &parse); + if (!rv) { + DEBUG(0, ("Error while processing ini file %s\n", filename)); + return NT_STATUS_UNSUCCESSFUL; + } + + *ret = parse.ini; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_ini_string(struct gp_ini_context *ini, const char *section, const char *name, char **ret) +{ + uint16_t i; + int32_t cur_sec = -1; + for (i = 0; i < ini->num_sections; i++) { + if (strcmp(ini->sections[i].name, section) == 0) { + cur_sec = i; + break; + } + } + + if (cur_sec == -1) { + return NT_STATUS_NOT_FOUND; + } + + for (i = 0; i < ini->sections[cur_sec].num_params; i++) { + if (strcmp(ini->sections[cur_sec].params[i].name, name) == 0) { + *ret = ini->sections[cur_sec].params[i].value; + return NT_STATUS_OK; + } + } + return NT_STATUS_NOT_FOUND; +} + +NTSTATUS gp_get_ini_uint(struct gp_ini_context *ini, const char *section, const char *name, uint32_t *ret) +{ + uint16_t i; + int32_t cur_sec = -1; + for (i = 0; i < ini->num_sections; i++) { + if (strcmp(ini->sections[i].name, section) == 0) { + cur_sec = i; + break; + } + } + + if (cur_sec == -1) { + return NT_STATUS_NOT_FOUND; + } + + for (i = 0; i < ini->sections[cur_sec].num_params; i++) { + if (strcmp(ini->sections[cur_sec].params[i].name, name) == 0) { + *ret = atol(ini->sections[cur_sec].params[i].value); + return NT_STATUS_OK; + } + } + return NT_STATUS_NOT_FOUND; +} diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c new file mode 100644 index 0000000..67b329b --- /dev/null +++ b/source4/lib/policy/gp_ldap.c @@ -0,0 +1,1130 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Jelmer Vernooij 2008 + * Copyright (C) Wilco Baan Hofman 2008-2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "param/param.h" +#include <ldb.h> +#include "lib/ldb-samba/ldb_wrap.h" +#include "auth/credentials/credentials.h" +#include "../librpc/gen_ndr/nbt.h" +#include "libcli/libcli.h" +#include "libnet/libnet.h" +#include "../librpc/gen_ndr/ndr_security.h" +#include "../libcli/security/security.h" +#include "libcli/ldap/ldap_ndr.h" +#include "../lib/talloc/talloc.h" +#include "lib/policy/policy.h" + +struct gpo_stringmap { + const char *str; + uint32_t flags; +}; +static const struct gpo_stringmap gplink_options [] = { + { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE }, + { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE }, + { NULL, 0 } +}; +static const struct gpo_stringmap gpo_flags [] = { + { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE }, + { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE }, + { NULL, 0 } +}; + +static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret) +{ + struct gp_object *gpo = talloc(mem_ctx, struct gp_object); + enum ndr_err_code ndr_err; + const DATA_BLOB *data; + + NT_STATUS_HAVE_NO_MEMORY(gpo); + + gpo->dn = talloc_strdup(mem_ctx, ldb_dn_get_linearized(msg->dn)); + if (gpo->dn == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn)); + + gpo->display_name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "displayName", "")); + if (gpo->display_name == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "name", "")); + if (gpo->name == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + gpo->flags = ldb_msg_find_attr_as_uint(msg, "flags", 0); + gpo->version = ldb_msg_find_attr_as_uint(msg, "versionNumber", 0); + + gpo->file_sys_path = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "gPCFileSysPath", "")); + if (gpo->file_sys_path == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + /* Pull the security descriptor through the NDR library */ + data = ldb_msg_find_ldb_val(msg, "nTSecurityDescriptor"); + gpo->security_descriptor = talloc(gpo, struct security_descriptor); + if (gpo->security_descriptor == NULL) { + TALLOC_FREE(gpo); + return NT_STATUS_NO_MEMORY; + } + + ndr_err = ndr_pull_struct_blob(data, + mem_ctx, + gpo->security_descriptor, + (ndr_pull_flags_fn_t)ndr_pull_security_descriptor); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + + *ret = gpo; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret) +{ + unsigned int i, count=0; + const char **flag_strs = talloc_array(mem_ctx, const char *, 1); + + NT_STATUS_HAVE_NO_MEMORY(flag_strs); + + flag_strs[0] = NULL; + + for (i = 0; gpo_flags[i].str != NULL; i++) { + if (flags & gpo_flags[i].flags) { + flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); + NT_STATUS_HAVE_NO_MEMORY(flag_strs); + flag_strs[count] = gpo_flags[i].str; + flag_strs[count+1] = NULL; + count++; + } + } + *ret = flag_strs; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret) +{ + unsigned int i, count=0; + const char **flag_strs = talloc_array(mem_ctx, const char *, 1); + + NT_STATUS_HAVE_NO_MEMORY(flag_strs); + flag_strs[0] = NULL; + + for (i = 0; gplink_options[i].str != NULL; i++) { + if (options & gplink_options[i].flags) { + flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2); + NT_STATUS_HAVE_NO_MEMORY(flag_strs); + flag_strs[count] = gplink_options[i].str; + flag_strs[count+1] = NULL; + count++; + } + } + *ret = flag_strs; + return NT_STATUS_OK; +} + +NTSTATUS gp_init(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *credentials, + struct tevent_context *ev_ctx, + struct gp_context **gp_ctx) +{ + + struct libnet_LookupDCs *io; + char *url; + struct libnet_context *net_ctx; + struct ldb_context *ldb_ctx; + NTSTATUS rv; + + /* Initialise the libnet context */ + net_ctx = libnet_context_init(ev_ctx, lp_ctx); + net_ctx->cred = credentials; + + /* Prepare libnet lookup structure for looking a DC (PDC is correct). */ + io = talloc_zero(mem_ctx, struct libnet_LookupDCs); + NT_STATUS_HAVE_NO_MEMORY(io); + io->in.name_type = NBT_NAME_PDC; + io->in.domain_name = lpcfg_workgroup(lp_ctx); + + /* Find Active DC's */ + rv = libnet_LookupDCs(net_ctx, mem_ctx, io); + if (!NT_STATUS_IS_OK(rv)) { + DEBUG(0, ("Failed to lookup DCs in domain\n")); + return rv; + } + + /* Connect to ldap://DC_NAME with all relevant contexts*/ + url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name); + NT_STATUS_HAVE_NO_MEMORY(url); + ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx, + url, NULL, net_ctx->cred, 0); + if (ldb_ctx == NULL) { + DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url)); + return NT_STATUS_UNSUCCESSFUL; + } + + *gp_ctx = talloc_zero(mem_ctx, struct gp_context); + NT_STATUS_HAVE_NO_MEMORY(gp_ctx); + + (*gp_ctx)->lp_ctx = lp_ctx; + (*gp_ctx)->credentials = credentials; + (*gp_ctx)->ev_ctx = ev_ctx; + (*gp_ctx)->ldb_ctx = ldb_ctx; + (*gp_ctx)->active_dc = talloc_reference(*gp_ctx, &io->out.dcs[0]); + + /* We don't need to keep the libnet context */ + talloc_free(net_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret) +{ + struct ldb_result *result; + int rv; + NTSTATUS status; + TALLOC_CTX *mem_ctx; + struct ldb_dn *dn; + struct gp_object **gpo; + unsigned int i; /* same as in struct ldb_result */ + const char **attrs; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Create full ldb dn of the policies base object */ + dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); + rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System")); + if (!rv) { + DEBUG(0, ("Can't append subtree to DN\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn))); + + attrs = talloc_array(mem_ctx, const char *, 7); + if (attrs == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + attrs[0] = "nTSecurityDescriptor"; + attrs[1] = "versionNumber"; + attrs[2] = "flags"; + attrs[3] = "name"; + attrs[4] = "displayName"; + attrs[5] = "gPCFileSysPath"; + attrs[6] = NULL; + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1); + if (gpo == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + gpo[result->count] = NULL; + + for (i = 0; i < result->count; i++) { + status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse GPO.\n")); + talloc_free(mem_ctx); + return status; + } + } + + talloc_free(mem_ctx); + + *ret = gpo; + return NT_STATUS_OK; +} + +NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret) +{ + struct ldb_result *result; + struct ldb_dn *dn; + struct gp_object *gpo; + int rv; + NTSTATUS status; + TALLOC_CTX *mem_ctx; + const char **attrs; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Create an ldb dn struct for the dn string */ + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + attrs = talloc_array(mem_ctx, const char *, 7); + if (attrs == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + attrs[0] = "nTSecurityDescriptor"; + attrs[1] = "versionNumber"; + attrs[2] = "flags"; + attrs[3] = "name"; + attrs[4] = "displayName"; + attrs[5] = "gPCFileSysPath"; + attrs[6] = NULL; + + rv = ldb_search(gp_ctx->ldb_ctx, + mem_ctx, + &result, + dn, + LDB_SCOPE_BASE, + attrs, + "objectClass=groupPolicyContainer"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* We expect exactly one record */ + if (result->count != 1) { + DEBUG(0, ("Could not find GPC with dn %s\n", dn_str)); + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + status = parse_gpo(gp_ctx, result->msgs[0], &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse GPO.\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + + *ret = gpo; + return NT_STATUS_OK; +} + +static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret) +{ + int start, idx=0; + int pos; + struct gp_link **gplinks; + char *buf, *end; + const char *gplink_start = "[LDAP://"; + + gplinks = talloc_array(mem_ctx, struct gp_link *, 1); + NT_STATUS_HAVE_NO_MEMORY(gplinks); + + gplinks[0] = NULL; + + /* Assuming every gPLink starts with "[LDAP://" */ + start = strlen(gplink_start); + + for (pos = start; pos < strlen(gplink_str); pos++) { + if (gplink_str[pos] == ';') { + gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2); + NT_STATUS_HAVE_NO_MEMORY(gplinks); + gplinks[idx] = talloc(mem_ctx, struct gp_link); + NT_STATUS_HAVE_NO_MEMORY(gplinks[idx]); + gplinks[idx]->dn = talloc_strndup(mem_ctx, + gplink_str + start, + pos - start); + if (gplinks[idx]->dn == NULL) { + TALLOC_FREE(gplinks); + return NT_STATUS_NO_MEMORY; + } + + for (start = pos + 1; gplink_str[pos] != ']'; pos++); + + buf = talloc_strndup(gplinks, gplink_str + start, pos - start); + if (buf == NULL) { + TALLOC_FREE(gplinks); + return NT_STATUS_NO_MEMORY; + } + gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0); + talloc_free(buf); + + /* Set the last entry in the array to be NULL */ + gplinks[idx + 1] = NULL; + + /* Increment the array index, the string position past + the next "[LDAP://", and set the start reference */ + idx++; + pos += strlen(gplink_start)+1; + start = pos; + } + } + + *ret = gplinks; + return NT_STATUS_OK; +} + + +NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *dn_str, struct gp_link ***ret) +{ + TALLOC_CTX *mem_ctx; + struct ldb_dn *dn; + struct ldb_result *result; + struct gp_link **gplinks; + char *gplink_str; + int rv; + unsigned int i; + NTSTATUS status; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + for (i = 0; i < result->count; i++) { + struct ldb_message_element *element = \ + ldb_msg_find_element(result->msgs[i], "gPLink"); + if (element != NULL) { + SMB_ASSERT(element->num_values > 0); + gplink_str = talloc_strdup( + mem_ctx, + (char *) element->values[0].data); + if (gplink_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + goto found; + } + } + gplink_str = talloc_strdup(mem_ctx, ""); + if (gplink_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + found: + + status = parse_gplink(gp_ctx, gplink_str, &gplinks); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse gPLink\n")); + return status; + } + + talloc_free(mem_ctx); + + *ret = gplinks; + return NT_STATUS_OK; +} + +NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret) +{ + TALLOC_CTX *mem_ctx; + const char **gpos; + struct ldb_result *result; + char *sid; + struct ldb_dn *dn; + struct ldb_message_element *element; + bool inherit; + const char *attrs[] = { "objectClass", NULL }; + int rv; + NTSTATUS status; + unsigned int count = 0; + unsigned int i; + enum { + ACCOUNT_TYPE_USER = 0, + ACCOUNT_TYPE_MACHINE = 1 + } account_type; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + sid = ldap_encode_ndr_dom_sid(mem_ctx, + &token->sids[PRIMARY_USER_SID_INDEX]); + NT_STATUS_HAVE_NO_MEMORY(sid); + + /* Find the user DN and objectclass via the sid from the security token */ + rv = ldb_search(gp_ctx->ldb_ctx, + mem_ctx, + &result, + ldb_get_default_basedn(gp_ctx->ldb_ctx), + LDB_SCOPE_SUBTREE, + attrs, + "(&(objectclass=user)(objectSid=%s))", sid); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), + ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + if (result->count != 1) { + DEBUG(0, ("Could not find user with sid %s.\n", sid)); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn))); + + element = ldb_msg_find_element(result->msgs[0], "objectClass"); + + /* We need to know if this account is a user or machine. */ + account_type = ACCOUNT_TYPE_USER; + for (i = 0; i < element->num_values; i++) { + if (strcmp((char *)element->values[i].data, "computer") == 0) { + account_type = ACCOUNT_TYPE_MACHINE; + DEBUG(10, ("This user is a machine\n")); + } + } + + gpos = talloc_array(gp_ctx, const char *, 1); + if (gpos == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + gpos[0] = NULL; + + /* Walk through the containers until we hit the root */ + inherit = 1; + dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn); + while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) { + const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL }; + struct gp_link **gplinks; + enum gpo_inheritance gpoptions; + + DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn))); + + /* Get the gPLink and gPOptions attributes from the container */ + rv = ldb_search(gp_ctx->ldb_ctx, + mem_ctx, + &result, + dn, + LDB_SCOPE_BASE, + gpo_attrs, + "objectclass=*"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), + ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* Parse the gPLink attribute, put it into a nice struct array */ + status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse gPLink\n")); + talloc_free(mem_ctx); + return status; + } + + /* Check all group policy links on this container */ + for (i = 0; gplinks[i] != NULL; i++) { + struct gp_object *gpo; + uint32_t access_granted; + + /* If inheritance was blocked at a higher level and this + * gplink is not enforced, it should not be applied */ + if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE)) + continue; + + /* Don't apply disabled links */ + if (gplinks[i]->options & GPLINK_OPT_DISABLE) + continue; + + /* Get GPO information */ + status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn)); + talloc_free(mem_ctx); + return status; + } + + /* If the account does not have read access, this GPO does not apply + * to this account */ + status = se_access_check(gpo->security_descriptor, + token, + (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP), + &access_granted); + if (!NT_STATUS_IS_OK(status)) { + continue; + } + + /* If the account is a user and the GPO has user disabled flag, or + * a machine and the GPO has machine disabled flag, this GPO does + * not apply to this account */ + if ((account_type == ACCOUNT_TYPE_USER && + (gpo->flags & GPO_FLAG_USER_DISABLE)) || + (account_type == ACCOUNT_TYPE_MACHINE && + (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) { + continue; + } + + /* Add the GPO to the list */ + gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2); + if (gpos == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn); + if (gpos[count] == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + gpos[count+1] = NULL; + count++; + + /* Clean up */ + talloc_free(gpo); + } + + /* If inheritance is blocked, then we should only add enforced gPLinks + * higher up */ + gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0); + if (gpoptions == GPO_BLOCK_INHERITANCE) { + inherit = 0; + } + dn = ldb_dn_get_parent(mem_ctx, dn); + } + + talloc_free(mem_ctx); + + *ret = gpos; + return NT_STATUS_OK; +} + +NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink) +{ + TALLOC_CTX *mem_ctx; + struct ldb_result *result; + struct ldb_dn *dn; + struct ldb_message *msg; + const char *attrs[] = { "gPLink", NULL }; + const char *gplink_str; + int rv; + char *start; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + if (result->count != 1) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""); + + /* If this GPO link already exists, alter the options, else add it */ + if ((start = strcasestr(gplink_str, gplink->dn)) != NULL) { + start += strlen(gplink->dn); + *start = '\0'; + start++; + while (*start != ']' && *start != '\0') { + start++; + } + gplink_str = talloc_asprintf(mem_ctx, "%s;%d%s", gplink_str, gplink->options, start); + if (gplink_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + } else { + /* Prepend the new GPO link to the string. This list is backwards in priority. */ + gplink_str = talloc_asprintf(mem_ctx, "[LDAP://%s;%d]%s", gplink->dn, gplink->options, gplink_str); + if (gplink_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + } + + + + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = dn; + + rv = ldb_msg_add_string(msg, "gPLink", gplink_str); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gplink_dn) +{ + TALLOC_CTX *mem_ctx; + struct ldb_result *result; + struct ldb_dn *dn; + struct ldb_message *msg; + const char *attrs[] = { "gPLink", NULL }; + const char *gplink_str, *search_string; + int rv; + char *p; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + if (result->count != 1) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""); + + /* If this GPO link already exists, alter the options, else add it */ + search_string = talloc_asprintf(mem_ctx, "[LDAP://%s]", gplink_dn); + if (search_string == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + p = strcasestr(gplink_str, search_string); + if (p == NULL) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + *p = '\0'; + p++; + while (*p != ']' && *p != '\0') { + p++; + } + p++; + gplink_str = talloc_asprintf(mem_ctx, "%s%s", gplink_str, p); + if (gplink_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = dn; + + if (strcmp(gplink_str, "") == 0) { + rv = ldb_msg_add_empty(msg, "gPLink", LDB_FLAG_MOD_DELETE, NULL); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + } else { + rv = ldb_msg_add_string(msg, "gPLink", gplink_str); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + } + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance) +{ + TALLOC_CTX *mem_ctx; + struct ldb_result *result; + struct ldb_dn *dn; + const char *attrs[] = { "gPOptions", NULL }; + int rv; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)"); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + if (result->count != 1) { + talloc_free(mem_ctx); + return NT_STATUS_NOT_FOUND; + } + + *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0); + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance) +{ + char *inheritance_string; + struct ldb_message *msg; + int rv; + + msg = ldb_msg_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(msg); + + msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str); + + inheritance_string = talloc_asprintf(msg, "%d", inheritance); + if (inheritance_string == NULL) { + TALLOC_FREE(msg); + return NT_STATUS_NO_MEMORY; + } + + rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv))); + talloc_free(msg); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(msg); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(msg); + return NT_STATUS_OK; +} + +NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo) +{ + struct ldb_message *msg; + TALLOC_CTX *mem_ctx; + int rv; + char *dn_str, *flags_str, *version_str; + struct ldb_dn *child_dn, *gpo_dn; + + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* CN={GUID} */ + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = ldb_get_default_basedn(gp_ctx->ldb_ctx); + dn_str = talloc_asprintf(mem_ctx, "CN=%s,CN=Policies,CN=System", gpo->name); + if (dn_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + rv = ldb_dn_add_child(msg->dn, child_dn); + if (!rv) goto ldb_msg_add_error; + + flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags); + if (flags_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + version_str = talloc_asprintf(mem_ctx, "%d", gpo->version); + if (version_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + rv = ldb_msg_add_string(msg, "objectClass", "top"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "objectClass", "container"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "objectClass", "groupPolicyContainer"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "displayName", gpo->display_name); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "name", gpo->name); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "CN", gpo->name); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "gPCFileSysPath", gpo->file_sys_path); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "flags", flags_str); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "versionNumber", version_str); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "gpCFunctionalityVersion", "2"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + + rv = ldb_add(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + gpo_dn = msg->dn; + + /* CN=User */ + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = ldb_dn_copy(mem_ctx, gpo_dn); + child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=User"); + rv = ldb_dn_add_child(msg->dn, child_dn); + if (!rv) goto ldb_msg_add_error; + + rv = ldb_msg_add_string(msg, "objectClass", "top"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "objectClass", "container"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "CN", "User"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "name", "User"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + + rv = ldb_add(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + /* CN=Machine */ + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = ldb_dn_copy(mem_ctx, gpo_dn); + child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Machine"); + rv = ldb_dn_add_child(msg->dn, child_dn); + if (!rv) goto ldb_msg_add_error; + + rv = ldb_msg_add_string(msg, "objectClass", "top"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "objectClass", "container"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "CN", "Machine"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + rv = ldb_msg_add_string(msg, "name", "Machine"); + if (rv != LDB_SUCCESS) goto ldb_msg_add_error; + + rv = ldb_add(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + gpo->dn = talloc_strdup(gpo, ldb_dn_get_linearized(gpo_dn)); + if (gpo->dn == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; + + ldb_msg_add_error: + DEBUG(0, ("LDB Error adding element to ldb message\n")); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; +} + +NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd) +{ + TALLOC_CTX *mem_ctx; + DATA_BLOB data; + enum ndr_err_code ndr_err; + struct ldb_message *msg; + int rv; + + /* Create a forked memory context to clean up easily */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Push the security descriptor through the NDR library */ + ndr_err = ndr_push_struct_blob(&data, + mem_ctx, + sd, + (ndr_push_flags_fn_t)ndr_push_security_descriptor); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + return ndr_map_error2ntstatus(ndr_err); + } + + + /* Create a LDB message */ + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str); + + rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +/* This function sets flags, version and displayName on a GPO */ +NTSTATUS gp_set_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo) +{ + int rv; + TALLOC_CTX *mem_ctx; + struct ldb_message *msg; + char *version_str, *flags_str; + + mem_ctx = talloc_new(gp_ctx); + + msg = ldb_msg_new(mem_ctx); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, gpo->dn); + + version_str = talloc_asprintf(mem_ctx, "%d", gpo->version); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags); + if (msg == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + rv = ldb_msg_add_string(msg, "flags", flags_str); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed for flags: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[0].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_msg_add_string(msg, "version", version_str); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed for version: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[1].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_msg_add_string(msg, "displayName", gpo->display_name); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB message add string failed for displayName: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + msg->elements[2].flags = LDB_FLAG_MOD_REPLACE; + + rv = ldb_modify(gp_ctx->ldb_ctx, msg); + if (rv != LDB_SUCCESS) { + DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv))); + talloc_free(mem_ctx); + return NT_STATUS_UNSUCCESSFUL; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/lib/policy/gp_manage.c b/source4/lib/policy/gp_manage.c new file mode 100644 index 0000000..769e6c0 --- /dev/null +++ b/source4/lib/policy/gp_manage.c @@ -0,0 +1,329 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Wilco Baan Hofman 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "../libcli/security/dom_sid.h" +#include "../libcli/security/security_descriptor.h" +#include "../librpc/ndr/libndr.h" +#include "../lib/util/charset/charset.h" +#include "param/param.h" +#include "lib/policy/policy.h" + +uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask) +{ + uint32_t fs_mask; + + /* Copy the standard access mask */ + fs_mask = access_mask & 0x001F0000; + + /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */ + if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) { + fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE | + SEC_DIR_READ_EA | SEC_DIR_TRAVERSE; + } + + /* When WRITE_PROP is set, full write access is granted on the GPT */ + if (access_mask & SEC_ADS_WRITE_PROP) { + fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE | + SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE | + SEC_DIR_ADD_SUBDIR; + } + + /* Map CREATE_CHILD to add file and add subdir */ + if (access_mask & SEC_ADS_CREATE_CHILD) + fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR; + + /* Map ADS delete child to dir delete child */ + if (access_mask & SEC_ADS_DELETE_CHILD) + fs_mask |= SEC_DIR_DELETE_CHILD; + + return fs_mask; +} + +NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret) +{ + struct security_descriptor *fs_sd; + NTSTATUS status; + uint32_t i; + + /* Allocate the file system security descriptor */ + fs_sd = talloc(mem_ctx, struct security_descriptor); + NT_STATUS_HAVE_NO_MEMORY(fs_sd); + + /* Copy the basic information from the directory server security descriptor */ + fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid)); + if (fs_sd->owner_sid == NULL) { + TALLOC_FREE(fs_sd); + return NT_STATUS_NO_MEMORY; + } + + fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid)); + if (fs_sd->group_sid == NULL) { + TALLOC_FREE(fs_sd); + return NT_STATUS_NO_MEMORY; + } + + fs_sd->type = ds_sd->type; + fs_sd->revision = ds_sd->revision; + + /* Copy the sacl */ + fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl); + if (fs_sd->sacl == NULL) { + TALLOC_FREE(fs_sd); + return NT_STATUS_NO_MEMORY; + } + + /* Copy the dacl */ + fs_sd->dacl = talloc_zero(fs_sd, struct security_acl); + if (fs_sd->dacl == NULL) { + TALLOC_FREE(fs_sd); + return NT_STATUS_NO_MEMORY; + } + + for (i = 0; i < ds_sd->dacl->num_aces; i++) { + char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee); + struct security_ace *ace; + + /* Don't add the allow for SID_BUILTIN_PREW2K */ + if ((ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT || + ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED) && + strcmp(trustee, SID_BUILTIN_PREW2K) == 0) { + talloc_free(trustee); + continue; + } + + /* Copy the ace from the directory server security descriptor */ + ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace)); + if (ace == NULL) { + TALLOC_FREE(fs_sd); + return NT_STATUS_NO_MEMORY; + } + + /* Set specific inheritance flags for within the GPO */ + ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT; + if (strcmp(trustee, SID_CREATOR_OWNER) == 0) { + ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY; + } + + /* Get a directory access mask from the assigned access mask on the LDAP object */ + ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask); + + /* Add the ace to the security descriptor DACL */ + status = security_descriptor_dacl_add(fs_sd, ace); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to add a dacl to file system security descriptor\n")); + return status; + } + + /* Clean up the allocated data in this iteration */ + talloc_free(trustee); + } + + *ret = fs_sd; + return NT_STATUS_OK; +} + + +NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret) +{ + struct GUID guid_struct; + char *guid_str; + char *name; + struct security_descriptor *sd; + TALLOC_CTX *mem_ctx; + struct gp_object *gpo; + NTSTATUS status; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Create the gpo struct to return later */ + gpo = talloc(gp_ctx, struct gp_object); + if (gpo == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Generate a GUID */ + guid_struct = GUID_random(); + guid_str = GUID_string2(mem_ctx, &guid_struct); + if (guid_str == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + name = strupper_talloc(mem_ctx, guid_str); + if (name == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Prepare the GPO struct */ + gpo->dn = NULL; + gpo->name = name; + gpo->flags = 0; + gpo->version = 0; + gpo->display_name = talloc_strdup(gpo, display_name); + if (gpo->display_name == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name); + if (gpo->file_sys_path == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + + /* Create the GPT */ + status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to create GPT\n")); + talloc_free(mem_ctx); + return status; + } + + + /* Create the LDAP GPO, including CN=User and CN=Machine */ + status = gp_create_ldap_gpo(gp_ctx, gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to create LDAP group policy object\n")); + talloc_free(mem_ctx); + return status; + } + + /* Get the new security descriptor */ + status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to fetch LDAP group policy object\n")); + talloc_free(mem_ctx); + return status; + } + + /* Create matching file and DS security descriptors */ + status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n")); + talloc_free(mem_ctx); + return status; + } + + /* Set the security descriptor on the filesystem for this GPO */ + status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + + *ret = gpo; + return NT_STATUS_OK; +} + +NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd) +{ + TALLOC_CTX *mem_ctx; + struct security_descriptor *fs_sd; + struct gp_object *gpo; + NTSTATUS status; + + /* Create a forked memory context, as a base for everything here */ + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Set the ACL on LDAP database */ + status = gp_set_ads_acl(gp_ctx, dn_str, sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set ACL on ADS\n")); + talloc_free(mem_ctx); + return status; + } + + /* Get the group policy object information, for filesystem location and merged sd */ + status = gp_get_gpo_info(gp_ctx, dn_str, &gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set ACL on ADS\n")); + talloc_free(mem_ctx); + return status; + } + + /* Create matching file and DS security descriptors */ + status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n")); + talloc_free(mem_ctx); + return status; + } + + /* Set the security descriptor on the filesystem for this GPO */ + status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} + +NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo) +{ + NTSTATUS status; + TALLOC_CTX *mem_ctx; + struct gp_ini_context *ini; + char *filename; + + mem_ctx = talloc_new(gp_ctx); + NT_STATUS_HAVE_NO_MEMORY(mem_ctx); + + /* Get version from ini file */ + /* FIXME: The local file system may be case sensitive */ + filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI"); + if (filename == NULL) { + TALLOC_FREE(mem_ctx); + return NT_STATUS_NO_MEMORY; + } + status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to parse GPT.INI.\n")); + talloc_free(mem_ctx); + return status; + } + + /* Push the GPT to the remote sysvol */ + status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n")); + talloc_free(mem_ctx); + return status; + } + + /* Write version to LDAP */ + status = gp_set_ldap_gpo(gp_ctx, gpo); + if (!NT_STATUS_IS_OK(status)) { + DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n")); + talloc_free(mem_ctx); + return status; + } + + talloc_free(mem_ctx); + return NT_STATUS_OK; +} diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h new file mode 100644 index 0000000..3d8a0dc --- /dev/null +++ b/source4/lib/policy/policy.h @@ -0,0 +1,125 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Object Support + * Copyright (C) Guenther Deschner 2005-2008 (from samba 3 gpo.h) + * Copyright (C) Wilco Baan Hofman 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#ifndef __POLICY_H__ +#define __POLICY_H__ + +#define GPLINK_OPT_DISABLE (1 << 0) +#define GPLINK_OPT_ENFORCE (1 << 1) + +#define GPO_FLAG_USER_DISABLE (1 << 0) +#define GPO_FLAG_MACHINE_DISABLE (1 << 1) + +struct security_token; +struct nbt_dc_name; + +enum gpo_inheritance { + GPO_INHERIT = 0, + GPO_BLOCK_INHERITANCE = 1, +}; + +struct gp_context { + struct ldb_context *ldb_ctx; + struct loadparm_context *lp_ctx; + struct cli_credentials *credentials; + struct tevent_context *ev_ctx; + struct smbcli_state *cli; + struct nbt_dc_name *active_dc; +}; + +struct gp_object { + uint32_t version; + uint32_t flags; + const char *display_name; + const char *name; + const char *dn; + const char *file_sys_path; + struct security_descriptor *security_descriptor; +}; + + +struct gp_link { + uint32_t options; + const char *dn; +}; + +struct gp_ini_param { + char *name; + char *value; +}; + +struct gp_ini_section { + char *name; + uint16_t num_params; + struct gp_ini_param *params; +}; + +struct gp_ini_context { + uint16_t num_sections; + struct gp_ini_section *sections; +}; + +NTSTATUS gp_init(TALLOC_CTX *mem_ctx, + struct loadparm_context *lp_ctx, + struct cli_credentials *creds, + struct tevent_context *ev_ctx, + struct gp_context **gp_ctx); + + +/* LDAP functions */ +NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret); +NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret); +NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret); + +NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret); + + +NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); +NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret); + +NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink); +NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gp_dn); +NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance); +NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance); + +NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo); +NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd); +NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo); +NTSTATUS gp_set_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo); + +/* File system functions */ +NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo, const char **path); +NTSTATUS gp_create_gpt(struct gp_context *gp_ctx, const char *name, const char *file_sys_path); +NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx, struct gp_object *gpo, struct security_descriptor *sd); +NTSTATUS gp_push_gpt(struct gp_context *gp_ctx, const char *local_path, + const char *file_sys_path); + +/* Ini functions */ +NTSTATUS gp_parse_ini(TALLOC_CTX *mem_ctx, struct gp_context *gp_ctx, const char *filename, struct gp_ini_context **ret); +NTSTATUS gp_get_ini_string(struct gp_ini_context *ini, const char *section, const char *name, char **ret); +NTSTATUS gp_get_ini_uint(struct gp_ini_context *ini, const char *section, const char *name, uint32_t *ret); + +/* Managing functions */ +NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret); +NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret); +NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd); +uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask); + +#endif diff --git a/source4/lib/policy/pypolicy.c b/source4/lib/policy/pypolicy.c new file mode 100644 index 0000000..f40d811 --- /dev/null +++ b/source4/lib/policy/pypolicy.c @@ -0,0 +1,174 @@ +/* + * Unix SMB/CIFS implementation. + * Python bindings for libpolicy + * Copyright (C) Jelmer Vernooij 2010 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ + +#include <Python.h> +#include "includes.h" +#include "python/py3compat.h" +#include "policy.h" +#include "libcli/util/pyerrors.h" + +void initpolicy(void); + +static PyObject *py_get_gpo_flags(PyObject *self, PyObject *args) +{ + int flags; + PyObject *py_ret; + const char **ret; + TALLOC_CTX *mem_ctx; + int i; + NTSTATUS status; + + if (!PyArg_ParseTuple(args, "i", &flags)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + status = gp_get_gpo_flags(mem_ctx, flags, &ret); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + talloc_free(mem_ctx); + return NULL; + } + + py_ret = PyList_New(0); + for (i = 0; ret[i]; i++) { + int res = 0; + PyObject *item = PyUnicode_FromString(ret[i]); + if (item == NULL) { + talloc_free(mem_ctx); + Py_DECREF(py_ret); + PyErr_NoMemory(); + return NULL; + } + res = PyList_Append(py_ret, item); + Py_CLEAR(item); + if (res == -1) { + Py_DECREF(py_ret); + talloc_free(mem_ctx); + return NULL; + } + } + + talloc_free(mem_ctx); + + return py_ret; +} + +static PyObject *py_get_gplink_options(PyObject *self, PyObject *args) +{ + int flags; + PyObject *py_ret; + const char **ret; + TALLOC_CTX *mem_ctx; + int i; + NTSTATUS status; + + if (!PyArg_ParseTuple(args, "i", &flags)) + return NULL; + + mem_ctx = talloc_new(NULL); + if (mem_ctx == NULL) { + PyErr_NoMemory(); + return NULL; + } + + status = gp_get_gplink_options(mem_ctx, flags, &ret); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + talloc_free(mem_ctx); + return NULL; + } + + py_ret = PyList_New(0); + for (i = 0; ret[i]; i++) { + int res = 0; + PyObject *item = PyUnicode_FromString(ret[i]); + if (item == NULL) { + talloc_free(mem_ctx); + Py_DECREF(py_ret); + PyErr_NoMemory(); + return NULL; + } + res = PyList_Append(py_ret, item); + Py_CLEAR(item); + if (res == -1) { + Py_DECREF(py_ret); + talloc_free(mem_ctx); + return NULL; + } + } + + talloc_free(mem_ctx); + + return py_ret; +} + +static PyObject *py_ads_to_dir_access_mask(PyObject *self, PyObject *args) +{ + uint32_t access_mask, dir_mask; + + if (! PyArg_ParseTuple(args, "I", &access_mask)) + return NULL; + + dir_mask = gp_ads_to_dir_access_mask(access_mask); + + return Py_BuildValue("I", dir_mask); +} + + +static PyMethodDef py_policy_methods[] = { + { "get_gpo_flags", (PyCFunction)py_get_gpo_flags, METH_VARARGS, + "get_gpo_flags(flags) -> list" }, + { "get_gplink_options", (PyCFunction)py_get_gplink_options, METH_VARARGS, + "get_gplink_options(options) -> list" }, + { "ads_to_dir_access_mask", (PyCFunction)py_ads_to_dir_access_mask, METH_VARARGS, + "ads_to_dir_access_mask(access_mask) -> dir_mask" }, + {0} +}; + +static struct PyModuleDef moduledef = { + PyModuleDef_HEAD_INIT, + .m_name = "policy", + .m_doc = "(Group) Policy manipulation", + .m_size = -1, + .m_methods = py_policy_methods, +}; + +MODULE_INIT_FUNC(policy) +{ + PyObject *m = NULL; + + m = PyModule_Create(&moduledef); + if (!m) + return m; + + PyModule_AddObject(m, "GPO_FLAG_USER_DISABLE", + PyLong_FromLong(GPO_FLAG_USER_DISABLE)); + PyModule_AddObject(m, "GPO_MACHINE_USER_DISABLE", + PyLong_FromLong(GPO_FLAG_MACHINE_DISABLE)); + PyModule_AddObject(m, "GPLINK_OPT_DISABLE", + PyLong_FromLong(GPLINK_OPT_DISABLE )); + PyModule_AddObject(m, "GPLINK_OPT_ENFORCE ", + PyLong_FromLong(GPLINK_OPT_ENFORCE )); + return m; +} diff --git a/source4/lib/policy/samba-policy.pc.in b/source4/lib/policy/samba-policy.pc.in new file mode 100644 index 0000000..3247ae3 --- /dev/null +++ b/source4/lib/policy/samba-policy.pc.in @@ -0,0 +1,12 @@ +prefix=@prefix@ +exec_prefix=@exec_prefix@ +libdir=@libdir@ +includedir=@includedir@ + +Name: samba-policy +Description: Active Directory Group Policy library +Requires: talloc +Requires.private: ldb +Version: @PACKAGE_VERSION@ +Libs: @LIB_RPATH@ -L${libdir} -lsamba-policy +Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1 diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build new file mode 100644 index 0000000..027d4be --- /dev/null +++ b/source4/lib/policy/wscript_build @@ -0,0 +1,22 @@ +#!/usr/bin/env python + + + +pytalloc_util = bld.pyembed_libname('pytalloc-util') +samba_policy = bld.pyembed_libname('samba-policy') +samba_net = bld.pyembed_libname('samba-net') +bld.SAMBA_LIBRARY(samba_policy, + source='gp_ldap.c gp_filesys.c gp_manage.c gp_ini.c', + pc_files='samba-policy.pc', + public_deps='ldb %s' % samba_net, + vnum='0.0.1', + pyembed=True, + public_headers='policy.h', + enabled=bld.PYTHON_BUILD_IS_ENABLED() + ) +bld.SAMBA_PYTHON( + 'py_policy', + source='pypolicy.c', + public_deps='%s %s' % (samba_policy, pytalloc_util), + realname='samba/policy.so' + ) |