summaryrefslogtreecommitdiffstats
path: root/source4/lib/policy
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-05-05 17:47:29 +0000
commit4f5791ebd03eaec1c7da0865a383175b05102712 (patch)
tree8ce7b00f7a76baa386372422adebbe64510812d4 /source4/lib/policy
parentInitial commit. (diff)
downloadsamba-4f5791ebd03eaec1c7da0865a383175b05102712.tar.xz
samba-4f5791ebd03eaec1c7da0865a383175b05102712.zip
Adding upstream version 2:4.17.12+dfsg.upstream/2%4.17.12+dfsgupstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'source4/lib/policy')
-rw-r--r--source4/lib/policy/gp_filesys.c698
-rw-r--r--source4/lib/policy/gp_ini.c133
-rw-r--r--source4/lib/policy/gp_ldap.c1130
-rw-r--r--source4/lib/policy/gp_manage.c329
-rw-r--r--source4/lib/policy/policy.h125
-rw-r--r--source4/lib/policy/pypolicy.c174
-rw-r--r--source4/lib/policy/samba-policy.pc.in12
-rw-r--r--source4/lib/policy/wscript_build22
8 files changed, 2623 insertions, 0 deletions
diff --git a/source4/lib/policy/gp_filesys.c b/source4/lib/policy/gp_filesys.c
new file mode 100644
index 0000000..8ad4645
--- /dev/null
+++ b/source4/lib/policy/gp_filesys.c
@@ -0,0 +1,698 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Wilco Baan Hofman 2008-2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "system/filesys.h"
+#include "lib/policy/policy.h"
+#include "libcli/raw/smb.h"
+#include "libcli/libcli.h"
+#include "param/param.h"
+#include "libcli/resolve/resolve.h"
+#include "libcli/raw/libcliraw.h"
+#include <dirent.h>
+#include <errno.h>
+
+#define GP_MAX_DEPTH 25
+
+struct gp_file_entry {
+ bool is_directory;
+ const char *rel_path;
+};
+struct gp_file_list {
+ uint32_t num_files;
+ struct gp_file_entry *files;
+};
+struct gp_list_state {
+ struct smbcli_tree *tree;
+ uint8_t depth;
+ const char *cur_rel_path;
+ const char *share_path;
+
+ struct gp_file_list list;
+};
+
+static NTSTATUS gp_do_list(const char *, struct gp_list_state *);
+
+/* Create a temporary policy directory */
+static const char *gp_tmpdir(TALLOC_CTX *mem_ctx)
+{
+ char *gp_dir = talloc_asprintf(mem_ctx, "%s/policy", tmpdir());
+ struct stat st;
+ int rv;
+
+ if (gp_dir == NULL) return NULL;
+
+ if (stat(gp_dir, &st) != 0) {
+ rv = mkdir(gp_dir, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Failed to create directory %s: %s\n",
+ gp_dir, strerror(errno)));
+ talloc_free(gp_dir);
+ return NULL;
+ }
+ }
+
+ return gp_dir;
+}
+
+/* This function is called by the smbcli_list function */
+static void gp_list_helper (struct clilist_file_info *info, const char *mask,
+ void *list_state_ptr)
+{
+ struct gp_list_state *state = list_state_ptr;
+ const char *rel_path;
+
+ /* Ignore . and .. directory entries */
+ if (strcmp(info->name, ".") == 0 || strcmp(info->name, "..") == 0) {
+ return;
+ }
+
+ /* Safety check against ../.. in filenames which may occur on non-POSIX
+ * platforms */
+ if (strstr(info->name, "../")) {
+ return;
+ }
+
+ rel_path = talloc_asprintf(state, "%s\\%s", state->cur_rel_path, info->name);
+ if (rel_path == NULL) return;
+
+ /* Append entry to file list */
+ state->list.files = talloc_realloc(state, state->list.files,
+ struct gp_file_entry,
+ state->list.num_files + 1);
+ if (state->list.files == NULL) return;
+
+ state->list.files[state->list.num_files].rel_path = rel_path;
+
+ /* Directory */
+ if (info->attrib & FILE_ATTRIBUTE_DIRECTORY) {
+ state->list.files[state->list.num_files].is_directory = true;
+ state->list.num_files++;
+
+ /* Recurse into this directory if the depth is below the maximum */
+ if (state->depth < GP_MAX_DEPTH) {
+ gp_do_list(rel_path, state);
+ }
+
+ return;
+ }
+
+ state->list.files[state->list.num_files].is_directory = false;
+ state->list.num_files++;
+
+ return;
+}
+
+static NTSTATUS gp_do_list (const char *rel_path, struct gp_list_state *state)
+{
+ uint16_t attributes;
+ int rv;
+ char *mask;
+ const char *old_rel_path;
+
+ attributes = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN |
+ FILE_ATTRIBUTE_DIRECTORY;
+
+ /* Update the relative paths, while buffering the parent */
+ old_rel_path = state->cur_rel_path;
+ state->cur_rel_path = rel_path;
+ state->depth++;
+
+ /* Get the current mask */
+ mask = talloc_asprintf(state, "%s%s\\*", state->share_path, rel_path);
+ NT_STATUS_HAVE_NO_MEMORY(mask);
+ rv = smbcli_list(state->tree, mask, attributes, gp_list_helper, state);
+ talloc_free(mask);
+
+ /* Go back to the state of the parent */
+ state->cur_rel_path = old_rel_path;
+ state->depth--;
+
+ if (rv == -1)
+ return NT_STATUS_UNSUCCESSFUL;
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gp_cli_connect(struct gp_context *gp_ctx)
+{
+ struct smbcli_options options;
+ struct smbcli_session_options session_options;
+
+ if (gp_ctx->cli != NULL)
+ return NT_STATUS_OK;
+
+ gp_ctx->cli = smbcli_state_init(gp_ctx);
+
+ lpcfg_smbcli_options(gp_ctx->lp_ctx, &options);
+ lpcfg_smbcli_session_options(gp_ctx->lp_ctx, &session_options);
+
+ return smbcli_full_connection(gp_ctx,
+ &gp_ctx->cli,
+ gp_ctx->active_dc->name,
+ lpcfg_smb_ports(gp_ctx->lp_ctx),
+ "sysvol",
+ NULL,
+ lpcfg_socket_options(gp_ctx->lp_ctx),
+ gp_ctx->credentials,
+ lpcfg_resolve_context(gp_ctx->lp_ctx),
+ gp_ctx->ev_ctx,
+ &options,
+ &session_options,
+ lpcfg_gensec_settings(gp_ctx, gp_ctx->lp_ctx));
+}
+
+static char * gp_get_share_path(TALLOC_CTX *mem_ctx, const char *file_sys_path)
+{
+ unsigned int i, bkslash_cnt;
+
+ /* Get the path from the share down (\\..\..\(this\stuff) */
+ for (i = 0, bkslash_cnt = 0; file_sys_path[i] != '\0'; i++) {
+ if (file_sys_path[i] == '\\')
+ bkslash_cnt++;
+
+ if (bkslash_cnt == 4) {
+ return talloc_strdup(mem_ctx, &file_sys_path[i]);
+ }
+ }
+
+ return NULL;
+}
+
+static NTSTATUS gp_get_file (struct smbcli_tree *tree, const char *remote_src,
+ const char *local_dst)
+{
+ int fh_remote, fh_local;
+ uint8_t *buf;
+ size_t nread = 0;
+ size_t buf_size = 1024;
+ size_t file_size;
+ uint16_t attr;
+
+ /* Open the remote file */
+ fh_remote = smbcli_open(tree, remote_src, O_RDONLY, DENY_NONE);
+ if (fh_remote == -1) {
+ DEBUG(0, ("Failed to open remote file: %s\n", remote_src));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Open the local file */
+ fh_local = open(local_dst, O_WRONLY | O_CREAT | O_TRUNC, 0644);
+ if (fh_local == -1) {
+ DEBUG(0, ("Failed to open local file: %s\n", local_dst));
+ smbcli_close(tree, fh_remote);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Get the remote file size for error checking */
+ if (NT_STATUS_IS_ERR(smbcli_qfileinfo(tree, fh_remote,
+ &attr, &file_size, NULL, NULL, NULL, NULL, NULL)) &&
+ NT_STATUS_IS_ERR(smbcli_getattrE(tree, fh_remote,
+ &attr, &file_size, NULL, NULL, NULL))) {
+ DEBUG(0, ("Failed to get remote file size: %s\n", smbcli_errstr(tree)));
+ smbcli_close(tree, fh_remote);
+ close(fh_local);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ buf = talloc_zero_array(tree, uint8_t, buf_size);
+ if (buf == NULL) {
+ smbcli_close(tree, fh_remote);
+ close(fh_local);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Copy the contents of the file */
+ while (1) {
+ int n = smbcli_read(tree, fh_remote, buf, nread, buf_size);
+
+ if (n <= 0) {
+ break;
+ }
+
+ if (write(fh_local, buf, n) != n) {
+ DEBUG(0, ("Short write while copying file.\n"));
+ smbcli_close(tree, fh_remote);
+ close(fh_local);
+ talloc_free(buf);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ nread += n;
+ }
+
+ /* Close the files */
+ smbcli_close(tree, fh_remote);
+ close(fh_local);
+
+ talloc_free(buf);
+
+ /* Bytes read should match the file size, or the copy was incomplete */
+ if (nread != file_size) {
+ DEBUG(0, ("Remote/local file size mismatch after copying file: "
+ "%s (remote %zu, local %zu).\n",
+ remote_src, file_size, nread));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS gp_get_files(struct smbcli_tree *tree, const char *share_path,
+ const char *local_path, struct gp_file_list *list)
+{
+ uint32_t i;
+ int rv;
+ char *local_rel_path, *full_local_path, *full_remote_path;
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+
+ mem_ctx = talloc_new(tree);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ for (i = 0; i < list->num_files; i++) {
+
+ /* Get local path by replacing backslashes with slashes */
+ local_rel_path = talloc_strdup(mem_ctx, list->files[i].rel_path);
+ if (local_rel_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ string_replace(local_rel_path, '\\', '/');
+
+ full_local_path = talloc_asprintf(mem_ctx, "%s%s", local_path,
+ local_rel_path);
+ if (full_local_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* If the entry is a directory, create it. */
+ if (list->files[i].is_directory == true) {
+ rv = mkdir(full_local_path, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Failed to create directory %s: %s\n",
+ full_local_path, strerror(errno)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ continue;
+ }
+
+ full_remote_path = talloc_asprintf(mem_ctx, "%s%s", share_path,
+ list->files[i].rel_path);
+ if (full_remote_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Get the file */
+ status = gp_get_file(tree, full_remote_path, full_local_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Error getting file.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+ }
+
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo,
+ const char **ret_local_path)
+{
+ TALLOC_CTX *mem_ctx;
+ struct gp_list_state *state;
+ NTSTATUS status;
+ struct stat st;
+ int rv;
+ const char *local_path, *share_path;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ if (gp_ctx->cli == NULL) {
+ status = gp_cli_connect(gp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to create cli connection to DC\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+ }
+
+ /* Get the remote path to copy from */
+ share_path = gp_get_share_path(mem_ctx, gpo->file_sys_path);
+ if (share_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Get the local path to copy to */
+ local_path = talloc_asprintf(gp_ctx, "%s/%s", gp_tmpdir(mem_ctx), gpo->name);
+ if (local_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Prepare the state structure */
+ state = talloc_zero(mem_ctx, struct gp_list_state);
+ if (state == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ state->tree = gp_ctx->cli->tree;
+ state->share_path = share_path;
+
+ /* Create the GPO dir if it does not exist */
+ if (stat(local_path, &st) != 0) {
+ rv = mkdir(local_path, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Could not create local path\n"));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ }
+
+ /* Get the file list */
+ status = gp_do_list("", state);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Could not list GPO files on remote server\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* If the list has no entries there is a problem. */
+ if (state->list.num_files == 0) {
+ DEBUG(0, ("File list is has no entries. Is the GPT directory empty?\n"));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Fetch the files */
+ status = gp_get_files(gp_ctx->cli->tree, share_path, local_path, &state->list);
+
+ /* Return the local path to the gpo */
+ *ret_local_path = local_path;
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS push_recursive (struct gp_context *gp_ctx, const char *local_path,
+ const char *remote_path, int depth)
+{
+ DIR *dir;
+ struct dirent *dirent;
+ char *entry_local_path = NULL;
+ char *entry_remote_path = NULL;
+ int local_fd = -1, remote_fd = -1;
+ int buf[1024];
+ int nread, total_read;
+ struct stat s;
+ NTSTATUS status;
+
+ dir = opendir(local_path);
+ while ((dirent = readdir(dir)) != NULL) {
+ if (strcmp(dirent->d_name, ".") == 0 ||
+ strcmp(dirent->d_name, "..") == 0) {
+ continue;
+ }
+
+ entry_local_path = talloc_asprintf(gp_ctx, "%s/%s", local_path,
+ dirent->d_name);
+ if (entry_local_path == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ entry_remote_path = talloc_asprintf(gp_ctx, "%s\\%s",
+ remote_path, dirent->d_name);
+ if (entry_remote_path == NULL) {
+ status = NT_STATUS_NO_MEMORY;
+ goto done;
+ }
+
+ if (stat(entry_local_path, &s) != 0) {
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ if (s.st_mode & S_IFDIR) {
+ DEBUG(6, ("Pushing directory %s to %s on sysvol\n",
+ entry_local_path, entry_remote_path));
+ smbcli_mkdir(gp_ctx->cli->tree, entry_remote_path);
+ if (depth < GP_MAX_DEPTH) {
+ push_recursive(gp_ctx, entry_local_path,
+ entry_remote_path, depth+1);
+ }
+ } else {
+ DEBUG(6, ("Pushing file %s to %s on sysvol\n",
+ entry_local_path, entry_remote_path));
+ remote_fd = smbcli_open(gp_ctx->cli->tree,
+ entry_remote_path,
+ O_WRONLY | O_CREAT,
+ 0);
+ if (remote_fd < 0) {
+ DEBUG(0, ("Failed to create remote file: %s\n",
+ entry_remote_path));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ local_fd = open(entry_local_path, O_RDONLY);
+ if (local_fd < 0) {
+ DEBUG(0, ("Failed to open local file: %s\n",
+ entry_local_path));
+ status = NT_STATUS_UNSUCCESSFUL;
+ goto done;
+ }
+ total_read = 0;
+ while ((nread = read(local_fd, &buf, sizeof(buf)))) {
+ if (nread == -1) {
+ DBG_ERR("read failed with errno %s\n",
+ strerror(errno));
+ status = NT_STATUS_UNSUCCESSFUL;
+ close(local_fd);
+ local_fd = -1;
+ goto done;
+ }
+ smbcli_write(gp_ctx->cli->tree, remote_fd, 0,
+ &buf, total_read, nread);
+ total_read += nread;
+ }
+
+ close(local_fd);
+ local_fd = -1;
+ smbcli_close(gp_ctx->cli->tree, remote_fd);
+ remote_fd = -1;
+ }
+ TALLOC_FREE(entry_local_path);
+ TALLOC_FREE(entry_remote_path);
+ }
+
+ status = NT_STATUS_OK;
+done:
+ if (local_fd != -1) {
+ close(local_fd);
+ }
+ if (remote_fd != -1) {
+ smbcli_close(gp_ctx->cli->tree, remote_fd);
+ }
+ talloc_free(entry_local_path);
+ talloc_free(entry_remote_path);
+
+ closedir(dir);
+
+ return status;
+}
+
+
+
+NTSTATUS gp_push_gpt(struct gp_context *gp_ctx, const char *local_path,
+ const char *file_sys_path)
+{
+ NTSTATUS status;
+ char *share_path;
+
+ if (gp_ctx->cli == NULL) {
+ status = gp_cli_connect(gp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to create cli connection to DC\n"));
+ return status;
+ }
+ }
+ share_path = gp_get_share_path(gp_ctx, file_sys_path);
+
+ DEBUG(5, ("Copying %s to %s on sysvol\n", local_path, share_path));
+
+ smbcli_mkdir(gp_ctx->cli->tree, share_path);
+
+ status = push_recursive(gp_ctx, local_path, share_path, 0);
+
+ talloc_free(share_path);
+ return status;
+}
+
+NTSTATUS gp_create_gpt(struct gp_context *gp_ctx, const char *name,
+ const char *file_sys_path)
+{
+ TALLOC_CTX *mem_ctx;
+ const char *tmp_dir, *policy_dir, *tmp_str;
+ int rv;
+ int fd;
+ NTSTATUS status;
+ const char *file_content = "[General]\r\nVersion=0\r\n";
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ tmp_dir = gp_tmpdir(mem_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_dir);
+ policy_dir = talloc_asprintf(mem_ctx, "%s/%s", tmp_dir, name);
+ NT_STATUS_HAVE_NO_MEMORY(policy_dir);
+
+ /* Create the directories */
+
+ rv = mkdir(policy_dir, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Could not create the policy dir: %s\n", policy_dir));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tmp_str = talloc_asprintf(mem_ctx, "%s/User", policy_dir);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_str);
+ rv = mkdir(tmp_str, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Could not create the User dir: %s\n", tmp_str));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ tmp_str = talloc_asprintf(mem_ctx, "%s/Machine", policy_dir);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_str);
+ rv = mkdir(tmp_str, 0755);
+ if (rv < 0) {
+ DEBUG(0, ("Could not create the Machine dir: %s\n", tmp_str));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Create a GPT.INI with version 0 */
+
+ tmp_str = talloc_asprintf(mem_ctx, "%s/GPT.INI", policy_dir);
+ NT_STATUS_HAVE_NO_MEMORY(tmp_str);
+ fd = open(tmp_str, O_CREAT | O_WRONLY, 0644);
+ if (fd < 0) {
+ DEBUG(0, ("Could not create the GPT.INI: %s\n", tmp_str));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ rv = write(fd, file_content, strlen(file_content));
+ close(fd);
+ if (rv != strlen(file_content)) {
+ DEBUG(0, ("Short write in GPT.INI\n"));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Upload the GPT to the sysvol share on a DC */
+ status = gp_push_gpt(gp_ctx, policy_dir, file_sys_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx,
+ struct gp_object *gpo,
+ struct security_descriptor *sd)
+{
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+ union smb_setfileinfo fileinfo;
+ union smb_open io;
+ union smb_close io_close;
+
+ /* Create a connection to sysvol if it is not already there */
+ if (gp_ctx->cli == NULL) {
+ status = gp_cli_connect(gp_ctx);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to create cli connection to DC\n"));
+ return status;
+ }
+ }
+
+ /* Create a forked memory context which can be freed easily */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Open the directory with NTCreate AndX call */
+ io.generic.level = RAW_OPEN_NTCREATEX;
+ io.ntcreatex.in.root_fid.fnum = 0;
+ io.ntcreatex.in.flags = 0;
+ io.ntcreatex.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
+ io.ntcreatex.in.create_options = 0;
+ io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL;
+ io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE;
+ io.ntcreatex.in.alloc_size = 0;
+ io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+ io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_ANONYMOUS;
+ io.ntcreatex.in.security_flags = 0;
+ io.ntcreatex.in.fname = gp_get_share_path(mem_ctx, gpo->file_sys_path);
+ status = smb_raw_open(gp_ctx->cli->tree, mem_ctx, &io);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Can't open GPT directory\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Set the security descriptor on the directory */
+ fileinfo.generic.level = RAW_SFILEINFO_SEC_DESC;
+ fileinfo.set_secdesc.in.file.fnum = io.ntcreatex.out.file.fnum;
+ fileinfo.set_secdesc.in.secinfo_flags = SECINFO_PROTECTED_DACL |
+ SECINFO_OWNER |
+ SECINFO_GROUP |
+ SECINFO_DACL;
+ fileinfo.set_secdesc.in.sd = sd;
+ status = smb_raw_setfileinfo(gp_ctx->cli->tree, &fileinfo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set security descriptor on the GPT\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Close the directory */
+ io_close.close.level = RAW_CLOSE_CLOSE;
+ io_close.close.in.file.fnum = io.ntcreatex.out.file.fnum;
+ io_close.close.in.write_time = 0;
+ status = smb_raw_close(gp_ctx->cli->tree, &io_close);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to close directory\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/gp_ini.c b/source4/lib/policy/gp_ini.c
new file mode 100644
index 0000000..da2f5f4
--- /dev/null
+++ b/source4/lib/policy/gp_ini.c
@@ -0,0 +1,133 @@
+
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Wilco Baan Hofman 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "lib/util/samba_util.h"
+#include "lib/policy/policy.h"
+
+struct gp_parse_context {
+ struct gp_ini_context *ini;
+ int32_t cur_section;
+};
+
+
+static bool gp_add_ini_section(const char *name, void *callback_data)
+{
+ struct gp_parse_context *parse = callback_data;
+ struct gp_ini_context *ini = parse->ini;
+
+ ini->sections = talloc_realloc(ini, ini->sections, struct gp_ini_section, ini->num_sections+1);
+ if (ini->sections == NULL) return false;
+ ini->sections[ini->num_sections].name = talloc_strdup(ini, name);
+ if (ini->sections[ini->num_sections].name == NULL) return false;
+ parse->cur_section = ini->num_sections;
+ ini->num_sections++;
+
+ return true;
+}
+
+static bool gp_add_ini_param(const char *name, const char *value, void *callback_data)
+{
+ struct gp_parse_context *parse = callback_data;
+ struct gp_ini_context *ini = parse->ini;
+ struct gp_ini_section *section;
+
+ if (parse->cur_section == -1) {
+ return false;
+ }
+
+ section = &ini->sections[parse->cur_section];
+
+ section->params = talloc_realloc(ini, ini->sections[parse->cur_section].params, struct gp_ini_param, section->num_params+1);
+ if (section->params == NULL) return false;
+ section->params[section->num_params].name = talloc_strdup(ini, name);
+ if (section->params[section->num_params].name == NULL) return false;
+ section->params[section->num_params].value = talloc_strdup(ini, value);
+ if (section->params[section->num_params].value == NULL) return false;
+ section->num_params++;
+
+ return true;
+}
+
+NTSTATUS gp_parse_ini(TALLOC_CTX *mem_ctx, struct gp_context *gp_ctx, const char *filename, struct gp_ini_context **ret)
+{
+ struct gp_parse_context parse;
+ bool rv;
+
+ parse.ini = talloc_zero(mem_ctx, struct gp_ini_context);
+ NT_STATUS_HAVE_NO_MEMORY(parse.ini);
+ parse.cur_section = -1;
+
+ rv = pm_process(filename, gp_add_ini_section, gp_add_ini_param, &parse);
+ if (!rv) {
+ DEBUG(0, ("Error while processing ini file %s\n", filename));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *ret = parse.ini;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_get_ini_string(struct gp_ini_context *ini, const char *section, const char *name, char **ret)
+{
+ uint16_t i;
+ int32_t cur_sec = -1;
+ for (i = 0; i < ini->num_sections; i++) {
+ if (strcmp(ini->sections[i].name, section) == 0) {
+ cur_sec = i;
+ break;
+ }
+ }
+
+ if (cur_sec == -1) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ for (i = 0; i < ini->sections[cur_sec].num_params; i++) {
+ if (strcmp(ini->sections[cur_sec].params[i].name, name) == 0) {
+ *ret = ini->sections[cur_sec].params[i].value;
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_NOT_FOUND;
+}
+
+NTSTATUS gp_get_ini_uint(struct gp_ini_context *ini, const char *section, const char *name, uint32_t *ret)
+{
+ uint16_t i;
+ int32_t cur_sec = -1;
+ for (i = 0; i < ini->num_sections; i++) {
+ if (strcmp(ini->sections[i].name, section) == 0) {
+ cur_sec = i;
+ break;
+ }
+ }
+
+ if (cur_sec == -1) {
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ for (i = 0; i < ini->sections[cur_sec].num_params; i++) {
+ if (strcmp(ini->sections[cur_sec].params[i].name, name) == 0) {
+ *ret = atol(ini->sections[cur_sec].params[i].value);
+ return NT_STATUS_OK;
+ }
+ }
+ return NT_STATUS_NOT_FOUND;
+}
diff --git a/source4/lib/policy/gp_ldap.c b/source4/lib/policy/gp_ldap.c
new file mode 100644
index 0000000..67b329b
--- /dev/null
+++ b/source4/lib/policy/gp_ldap.c
@@ -0,0 +1,1130 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Jelmer Vernooij 2008
+ * Copyright (C) Wilco Baan Hofman 2008-2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "param/param.h"
+#include <ldb.h>
+#include "lib/ldb-samba/ldb_wrap.h"
+#include "auth/credentials/credentials.h"
+#include "../librpc/gen_ndr/nbt.h"
+#include "libcli/libcli.h"
+#include "libnet/libnet.h"
+#include "../librpc/gen_ndr/ndr_security.h"
+#include "../libcli/security/security.h"
+#include "libcli/ldap/ldap_ndr.h"
+#include "../lib/talloc/talloc.h"
+#include "lib/policy/policy.h"
+
+struct gpo_stringmap {
+ const char *str;
+ uint32_t flags;
+};
+static const struct gpo_stringmap gplink_options [] = {
+ { "GPLINK_OPT_DISABLE", GPLINK_OPT_DISABLE },
+ { "GPLINK_OPT_ENFORCE", GPLINK_OPT_ENFORCE },
+ { NULL, 0 }
+};
+static const struct gpo_stringmap gpo_flags [] = {
+ { "GPO_FLAG_USER_DISABLE", GPO_FLAG_USER_DISABLE },
+ { "GPO_FLAG_MACHINE_DISABLE", GPO_FLAG_MACHINE_DISABLE },
+ { NULL, 0 }
+};
+
+static NTSTATUS parse_gpo(TALLOC_CTX *mem_ctx, struct ldb_message *msg, struct gp_object **ret)
+{
+ struct gp_object *gpo = talloc(mem_ctx, struct gp_object);
+ enum ndr_err_code ndr_err;
+ const DATA_BLOB *data;
+
+ NT_STATUS_HAVE_NO_MEMORY(gpo);
+
+ gpo->dn = talloc_strdup(mem_ctx, ldb_dn_get_linearized(msg->dn));
+ if (gpo->dn == NULL) {
+ TALLOC_FREE(gpo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ DEBUG(9, ("Parsing GPO LDAP data for %s\n", gpo->dn));
+
+ gpo->display_name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "displayName", ""));
+ if (gpo->display_name == NULL) {
+ TALLOC_FREE(gpo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ gpo->name = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "name", ""));
+ if (gpo->name == NULL) {
+ TALLOC_FREE(gpo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ gpo->flags = ldb_msg_find_attr_as_uint(msg, "flags", 0);
+ gpo->version = ldb_msg_find_attr_as_uint(msg, "versionNumber", 0);
+
+ gpo->file_sys_path = talloc_strdup(gpo, ldb_msg_find_attr_as_string(msg, "gPCFileSysPath", ""));
+ if (gpo->file_sys_path == NULL) {
+ TALLOC_FREE(gpo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Pull the security descriptor through the NDR library */
+ data = ldb_msg_find_ldb_val(msg, "nTSecurityDescriptor");
+ gpo->security_descriptor = talloc(gpo, struct security_descriptor);
+ if (gpo->security_descriptor == NULL) {
+ TALLOC_FREE(gpo);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ndr_err = ndr_pull_struct_blob(data,
+ mem_ctx,
+ gpo->security_descriptor,
+ (ndr_pull_flags_fn_t)ndr_pull_security_descriptor);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+ *ret = gpo;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret)
+{
+ unsigned int i, count=0;
+ const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
+
+ NT_STATUS_HAVE_NO_MEMORY(flag_strs);
+
+ flag_strs[0] = NULL;
+
+ for (i = 0; gpo_flags[i].str != NULL; i++) {
+ if (flags & gpo_flags[i].flags) {
+ flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
+ NT_STATUS_HAVE_NO_MEMORY(flag_strs);
+ flag_strs[count] = gpo_flags[i].str;
+ flag_strs[count+1] = NULL;
+ count++;
+ }
+ }
+ *ret = flag_strs;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t options, const char ***ret)
+{
+ unsigned int i, count=0;
+ const char **flag_strs = talloc_array(mem_ctx, const char *, 1);
+
+ NT_STATUS_HAVE_NO_MEMORY(flag_strs);
+ flag_strs[0] = NULL;
+
+ for (i = 0; gplink_options[i].str != NULL; i++) {
+ if (options & gplink_options[i].flags) {
+ flag_strs = talloc_realloc(mem_ctx, flag_strs, const char *, count+2);
+ NT_STATUS_HAVE_NO_MEMORY(flag_strs);
+ flag_strs[count] = gplink_options[i].str;
+ flag_strs[count+1] = NULL;
+ count++;
+ }
+ }
+ *ret = flag_strs;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_init(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *credentials,
+ struct tevent_context *ev_ctx,
+ struct gp_context **gp_ctx)
+{
+
+ struct libnet_LookupDCs *io;
+ char *url;
+ struct libnet_context *net_ctx;
+ struct ldb_context *ldb_ctx;
+ NTSTATUS rv;
+
+ /* Initialise the libnet context */
+ net_ctx = libnet_context_init(ev_ctx, lp_ctx);
+ net_ctx->cred = credentials;
+
+ /* Prepare libnet lookup structure for looking a DC (PDC is correct). */
+ io = talloc_zero(mem_ctx, struct libnet_LookupDCs);
+ NT_STATUS_HAVE_NO_MEMORY(io);
+ io->in.name_type = NBT_NAME_PDC;
+ io->in.domain_name = lpcfg_workgroup(lp_ctx);
+
+ /* Find Active DC's */
+ rv = libnet_LookupDCs(net_ctx, mem_ctx, io);
+ if (!NT_STATUS_IS_OK(rv)) {
+ DEBUG(0, ("Failed to lookup DCs in domain\n"));
+ return rv;
+ }
+
+ /* Connect to ldap://DC_NAME with all relevant contexts*/
+ url = talloc_asprintf(mem_ctx, "ldap://%s", io->out.dcs[0].name);
+ NT_STATUS_HAVE_NO_MEMORY(url);
+ ldb_ctx = ldb_wrap_connect(mem_ctx, net_ctx->event_ctx, lp_ctx,
+ url, NULL, net_ctx->cred, 0);
+ if (ldb_ctx == NULL) {
+ DEBUG(0, ("Can't connect to DC's LDAP with url %s\n", url));
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ *gp_ctx = talloc_zero(mem_ctx, struct gp_context);
+ NT_STATUS_HAVE_NO_MEMORY(gp_ctx);
+
+ (*gp_ctx)->lp_ctx = lp_ctx;
+ (*gp_ctx)->credentials = credentials;
+ (*gp_ctx)->ev_ctx = ev_ctx;
+ (*gp_ctx)->ldb_ctx = ldb_ctx;
+ (*gp_ctx)->active_dc = talloc_reference(*gp_ctx, &io->out.dcs[0]);
+
+ /* We don't need to keep the libnet context */
+ talloc_free(net_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret)
+{
+ struct ldb_result *result;
+ int rv;
+ NTSTATUS status;
+ TALLOC_CTX *mem_ctx;
+ struct ldb_dn *dn;
+ struct gp_object **gpo;
+ unsigned int i; /* same as in struct ldb_result */
+ const char **attrs;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Create full ldb dn of the policies base object */
+ dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
+ rv = ldb_dn_add_child(dn, ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Policies,CN=System"));
+ if (!rv) {
+ DEBUG(0, ("Can't append subtree to DN\n"));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ DEBUG(10, ("Searching for policies in DN: %s\n", ldb_dn_get_linearized(dn)));
+
+ attrs = talloc_array(mem_ctx, const char *, 7);
+ if (attrs == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ attrs[0] = "nTSecurityDescriptor";
+ attrs[1] = "versionNumber";
+ attrs[2] = "flags";
+ attrs[3] = "name";
+ attrs[4] = "displayName";
+ attrs[5] = "gPCFileSysPath";
+ attrs[6] = NULL;
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_ONELEVEL, attrs, "(objectClass=groupPolicyContainer)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ gpo = talloc_array(gp_ctx, struct gp_object *, result->count+1);
+ if (gpo == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ gpo[result->count] = NULL;
+
+ for (i = 0; i < result->count; i++) {
+ status = parse_gpo(gp_ctx, result->msgs[i], &gpo[i]);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to parse GPO.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+ }
+
+ talloc_free(mem_ctx);
+
+ *ret = gpo;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret)
+{
+ struct ldb_result *result;
+ struct ldb_dn *dn;
+ struct gp_object *gpo;
+ int rv;
+ NTSTATUS status;
+ TALLOC_CTX *mem_ctx;
+ const char **attrs;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Create an ldb dn struct for the dn string */
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ attrs = talloc_array(mem_ctx, const char *, 7);
+ if (attrs == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ attrs[0] = "nTSecurityDescriptor";
+ attrs[1] = "versionNumber";
+ attrs[2] = "flags";
+ attrs[3] = "name";
+ attrs[4] = "displayName";
+ attrs[5] = "gPCFileSysPath";
+ attrs[6] = NULL;
+
+ rv = ldb_search(gp_ctx->ldb_ctx,
+ mem_ctx,
+ &result,
+ dn,
+ LDB_SCOPE_BASE,
+ attrs,
+ "objectClass=groupPolicyContainer");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* We expect exactly one record */
+ if (result->count != 1) {
+ DEBUG(0, ("Could not find GPC with dn %s\n", dn_str));
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ status = parse_gpo(gp_ctx, result->msgs[0], &gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to parse GPO.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+
+ *ret = gpo;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS parse_gplink (TALLOC_CTX *mem_ctx, const char *gplink_str, struct gp_link ***ret)
+{
+ int start, idx=0;
+ int pos;
+ struct gp_link **gplinks;
+ char *buf, *end;
+ const char *gplink_start = "[LDAP://";
+
+ gplinks = talloc_array(mem_ctx, struct gp_link *, 1);
+ NT_STATUS_HAVE_NO_MEMORY(gplinks);
+
+ gplinks[0] = NULL;
+
+ /* Assuming every gPLink starts with "[LDAP://" */
+ start = strlen(gplink_start);
+
+ for (pos = start; pos < strlen(gplink_str); pos++) {
+ if (gplink_str[pos] == ';') {
+ gplinks = talloc_realloc(mem_ctx, gplinks, struct gp_link *, idx+2);
+ NT_STATUS_HAVE_NO_MEMORY(gplinks);
+ gplinks[idx] = talloc(mem_ctx, struct gp_link);
+ NT_STATUS_HAVE_NO_MEMORY(gplinks[idx]);
+ gplinks[idx]->dn = talloc_strndup(mem_ctx,
+ gplink_str + start,
+ pos - start);
+ if (gplinks[idx]->dn == NULL) {
+ TALLOC_FREE(gplinks);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (start = pos + 1; gplink_str[pos] != ']'; pos++);
+
+ buf = talloc_strndup(gplinks, gplink_str + start, pos - start);
+ if (buf == NULL) {
+ TALLOC_FREE(gplinks);
+ return NT_STATUS_NO_MEMORY;
+ }
+ gplinks[idx]->options = (uint32_t) strtoll(buf, &end, 0);
+ talloc_free(buf);
+
+ /* Set the last entry in the array to be NULL */
+ gplinks[idx + 1] = NULL;
+
+ /* Increment the array index, the string position past
+ the next "[LDAP://", and set the start reference */
+ idx++;
+ pos += strlen(gplink_start)+1;
+ start = pos;
+ }
+ }
+
+ *ret = gplinks;
+ return NT_STATUS_OK;
+}
+
+
+NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *dn_str, struct gp_link ***ret)
+{
+ TALLOC_CTX *mem_ctx;
+ struct ldb_dn *dn;
+ struct ldb_result *result;
+ struct gp_link **gplinks;
+ char *gplink_str;
+ int rv;
+ unsigned int i;
+ NTSTATUS status;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, NULL, "(objectclass=*)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ for (i = 0; i < result->count; i++) {
+ struct ldb_message_element *element = \
+ ldb_msg_find_element(result->msgs[i], "gPLink");
+ if (element != NULL) {
+ SMB_ASSERT(element->num_values > 0);
+ gplink_str = talloc_strdup(
+ mem_ctx,
+ (char *) element->values[0].data);
+ if (gplink_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ goto found;
+ }
+ }
+ gplink_str = talloc_strdup(mem_ctx, "");
+ if (gplink_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ found:
+
+ status = parse_gplink(gp_ctx, gplink_str, &gplinks);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to parse gPLink\n"));
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+
+ *ret = gplinks;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret)
+{
+ TALLOC_CTX *mem_ctx;
+ const char **gpos;
+ struct ldb_result *result;
+ char *sid;
+ struct ldb_dn *dn;
+ struct ldb_message_element *element;
+ bool inherit;
+ const char *attrs[] = { "objectClass", NULL };
+ int rv;
+ NTSTATUS status;
+ unsigned int count = 0;
+ unsigned int i;
+ enum {
+ ACCOUNT_TYPE_USER = 0,
+ ACCOUNT_TYPE_MACHINE = 1
+ } account_type;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ sid = ldap_encode_ndr_dom_sid(mem_ctx,
+ &token->sids[PRIMARY_USER_SID_INDEX]);
+ NT_STATUS_HAVE_NO_MEMORY(sid);
+
+ /* Find the user DN and objectclass via the sid from the security token */
+ rv = ldb_search(gp_ctx->ldb_ctx,
+ mem_ctx,
+ &result,
+ ldb_get_default_basedn(gp_ctx->ldb_ctx),
+ LDB_SCOPE_SUBTREE,
+ attrs,
+ "(&(objectclass=user)(objectSid=%s))", sid);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
+ ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ if (result->count != 1) {
+ DEBUG(0, ("Could not find user with sid %s.\n", sid));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ DEBUG(10,("Found DN for this user: %s\n", ldb_dn_get_linearized(result->msgs[0]->dn)));
+
+ element = ldb_msg_find_element(result->msgs[0], "objectClass");
+
+ /* We need to know if this account is a user or machine. */
+ account_type = ACCOUNT_TYPE_USER;
+ for (i = 0; i < element->num_values; i++) {
+ if (strcmp((char *)element->values[i].data, "computer") == 0) {
+ account_type = ACCOUNT_TYPE_MACHINE;
+ DEBUG(10, ("This user is a machine\n"));
+ }
+ }
+
+ gpos = talloc_array(gp_ctx, const char *, 1);
+ if (gpos == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ gpos[0] = NULL;
+
+ /* Walk through the containers until we hit the root */
+ inherit = 1;
+ dn = ldb_dn_get_parent(mem_ctx, result->msgs[0]->dn);
+ while (ldb_dn_compare_base(ldb_get_default_basedn(gp_ctx->ldb_ctx), dn) == 0) {
+ const char *gpo_attrs[] = { "gPLink", "gPOptions", NULL };
+ struct gp_link **gplinks;
+ enum gpo_inheritance gpoptions;
+
+ DEBUG(10, ("Getting gPLinks for DN: %s\n", ldb_dn_get_linearized(dn)));
+
+ /* Get the gPLink and gPOptions attributes from the container */
+ rv = ldb_search(gp_ctx->ldb_ctx,
+ mem_ctx,
+ &result,
+ dn,
+ LDB_SCOPE_BASE,
+ gpo_attrs,
+ "objectclass=*");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv),
+ ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* Parse the gPLink attribute, put it into a nice struct array */
+ status = parse_gplink(mem_ctx, ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", ""), &gplinks);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to parse gPLink\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Check all group policy links on this container */
+ for (i = 0; gplinks[i] != NULL; i++) {
+ struct gp_object *gpo;
+ uint32_t access_granted;
+
+ /* If inheritance was blocked at a higher level and this
+ * gplink is not enforced, it should not be applied */
+ if (!inherit && !(gplinks[i]->options & GPLINK_OPT_ENFORCE))
+ continue;
+
+ /* Don't apply disabled links */
+ if (gplinks[i]->options & GPLINK_OPT_DISABLE)
+ continue;
+
+ /* Get GPO information */
+ status = gp_get_gpo_info(gp_ctx, gplinks[i]->dn, &gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to get gpo information for %s\n", gplinks[i]->dn));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* If the account does not have read access, this GPO does not apply
+ * to this account */
+ status = se_access_check(gpo->security_descriptor,
+ token,
+ (SEC_STD_READ_CONTROL | SEC_ADS_LIST | SEC_ADS_READ_PROP),
+ &access_granted);
+ if (!NT_STATUS_IS_OK(status)) {
+ continue;
+ }
+
+ /* If the account is a user and the GPO has user disabled flag, or
+ * a machine and the GPO has machine disabled flag, this GPO does
+ * not apply to this account */
+ if ((account_type == ACCOUNT_TYPE_USER &&
+ (gpo->flags & GPO_FLAG_USER_DISABLE)) ||
+ (account_type == ACCOUNT_TYPE_MACHINE &&
+ (gpo->flags & GPO_FLAG_MACHINE_DISABLE))) {
+ continue;
+ }
+
+ /* Add the GPO to the list */
+ gpos = talloc_realloc(gp_ctx, gpos, const char *, count+2);
+ if (gpos == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ gpos[count] = talloc_strdup(gp_ctx, gplinks[i]->dn);
+ if (gpos[count] == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ gpos[count+1] = NULL;
+ count++;
+
+ /* Clean up */
+ talloc_free(gpo);
+ }
+
+ /* If inheritance is blocked, then we should only add enforced gPLinks
+ * higher up */
+ gpoptions = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
+ if (gpoptions == GPO_BLOCK_INHERITANCE) {
+ inherit = 0;
+ }
+ dn = ldb_dn_get_parent(mem_ctx, dn);
+ }
+
+ talloc_free(mem_ctx);
+
+ *ret = gpos;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink)
+{
+ TALLOC_CTX *mem_ctx;
+ struct ldb_result *result;
+ struct ldb_dn *dn;
+ struct ldb_message *msg;
+ const char *attrs[] = { "gPLink", NULL };
+ const char *gplink_str;
+ int rv;
+ char *start;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (result->count != 1) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
+
+ /* If this GPO link already exists, alter the options, else add it */
+ if ((start = strcasestr(gplink_str, gplink->dn)) != NULL) {
+ start += strlen(gplink->dn);
+ *start = '\0';
+ start++;
+ while (*start != ']' && *start != '\0') {
+ start++;
+ }
+ gplink_str = talloc_asprintf(mem_ctx, "%s;%d%s", gplink_str, gplink->options, start);
+ if (gplink_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ } else {
+ /* Prepend the new GPO link to the string. This list is backwards in priority. */
+ gplink_str = talloc_asprintf(mem_ctx, "[LDAP://%s;%d]%s", gplink->dn, gplink->options, gplink_str);
+ if (gplink_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ }
+
+
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = dn;
+
+ rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gplink_dn)
+{
+ TALLOC_CTX *mem_ctx;
+ struct ldb_result *result;
+ struct ldb_dn *dn;
+ struct ldb_message *msg;
+ const char *attrs[] = { "gPLink", NULL };
+ const char *gplink_str, *search_string;
+ int rv;
+ char *p;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (result->count != 1) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ gplink_str = ldb_msg_find_attr_as_string(result->msgs[0], "gPLink", "");
+
+ /* If this GPO link already exists, alter the options, else add it */
+ search_string = talloc_asprintf(mem_ctx, "[LDAP://%s]", gplink_dn);
+ if (search_string == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ p = strcasestr(gplink_str, search_string);
+ if (p == NULL) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ *p = '\0';
+ p++;
+ while (*p != ']' && *p != '\0') {
+ p++;
+ }
+ p++;
+ gplink_str = talloc_asprintf(mem_ctx, "%s%s", gplink_str, p);
+ if (gplink_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = dn;
+
+ if (strcmp(gplink_str, "") == 0) {
+ rv = ldb_msg_add_empty(msg, "gPLink", LDB_FLAG_MOD_DELETE, NULL);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add empty element failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ } else {
+ rv = ldb_msg_add_string(msg, "gPLink", gplink_str);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+ }
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance)
+{
+ TALLOC_CTX *mem_ctx;
+ struct ldb_result *result;
+ struct ldb_dn *dn;
+ const char *attrs[] = { "gPOptions", NULL };
+ int rv;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_search(gp_ctx->ldb_ctx, mem_ctx, &result, dn, LDB_SCOPE_BASE, attrs, "(objectclass=*)");
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB search failed: %s\n%s\n", ldb_strerror(rv), ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ if (result->count != 1) {
+ talloc_free(mem_ctx);
+ return NT_STATUS_NOT_FOUND;
+ }
+
+ *inheritance = ldb_msg_find_attr_as_uint(result->msgs[0], "gPOptions", 0);
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance)
+{
+ char *inheritance_string;
+ struct ldb_message *msg;
+ int rv;
+
+ msg = ldb_msg_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(msg);
+
+ msg->dn = ldb_dn_new(msg, gp_ctx->ldb_ctx, dn_str);
+
+ inheritance_string = talloc_asprintf(msg, "%d", inheritance);
+ if (inheritance_string == NULL) {
+ TALLOC_FREE(msg);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ rv = ldb_msg_add_string(msg, "gPOptions", inheritance_string);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed: %s\n", ldb_strerror(rv)));
+ talloc_free(msg);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(msg);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(msg);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
+{
+ struct ldb_message *msg;
+ TALLOC_CTX *mem_ctx;
+ int rv;
+ char *dn_str, *flags_str, *version_str;
+ struct ldb_dn *child_dn, *gpo_dn;
+
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* CN={GUID} */
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = ldb_get_default_basedn(gp_ctx->ldb_ctx);
+ dn_str = talloc_asprintf(mem_ctx, "CN=%s,CN=Policies,CN=System", gpo->name);
+ if (dn_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+ rv = ldb_dn_add_child(msg->dn, child_dn);
+ if (!rv) goto ldb_msg_add_error;
+
+ flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags);
+ if (flags_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ version_str = talloc_asprintf(mem_ctx, "%d", gpo->version);
+ if (version_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ rv = ldb_msg_add_string(msg, "objectClass", "top");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "objectClass", "container");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "objectClass", "groupPolicyContainer");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "name", gpo->name);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "CN", gpo->name);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "gPCFileSysPath", gpo->file_sys_path);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "flags", flags_str);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "versionNumber", version_str);
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "gpCFunctionalityVersion", "2");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+
+ rv = ldb_add(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ gpo_dn = msg->dn;
+
+ /* CN=User */
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
+ child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=User");
+ rv = ldb_dn_add_child(msg->dn, child_dn);
+ if (!rv) goto ldb_msg_add_error;
+
+ rv = ldb_msg_add_string(msg, "objectClass", "top");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "objectClass", "container");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "CN", "User");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "name", "User");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+
+ rv = ldb_add(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ /* CN=Machine */
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = ldb_dn_copy(mem_ctx, gpo_dn);
+ child_dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, "CN=Machine");
+ rv = ldb_dn_add_child(msg->dn, child_dn);
+ if (!rv) goto ldb_msg_add_error;
+
+ rv = ldb_msg_add_string(msg, "objectClass", "top");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "objectClass", "container");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "showInAdvancedViewOnly", "TRUE");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "CN", "Machine");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+ rv = ldb_msg_add_string(msg, "name", "Machine");
+ if (rv != LDB_SUCCESS) goto ldb_msg_add_error;
+
+ rv = ldb_add(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB add error: %s\n", ldb_errstring(gp_ctx->ldb_ctx)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ gpo->dn = talloc_strdup(gpo, ldb_dn_get_linearized(gpo_dn));
+ if (gpo->dn == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+
+ ldb_msg_add_error:
+ DEBUG(0, ("LDB Error adding element to ldb message\n"));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+}
+
+NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
+{
+ TALLOC_CTX *mem_ctx;
+ DATA_BLOB data;
+ enum ndr_err_code ndr_err;
+ struct ldb_message *msg;
+ int rv;
+
+ /* Create a forked memory context to clean up easily */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Push the security descriptor through the NDR library */
+ ndr_err = ndr_push_struct_blob(&data,
+ mem_ctx,
+ sd,
+ (ndr_push_flags_fn_t)ndr_push_security_descriptor);
+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
+ return ndr_map_error2ntstatus(ndr_err);
+ }
+
+
+ /* Create a LDB message */
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, dn_str);
+
+ rv = ldb_msg_add_value(msg, "nTSecurityDescriptor", &data, NULL);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add element failed for adding nTSecurityDescriptor: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+/* This function sets flags, version and displayName on a GPO */
+NTSTATUS gp_set_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo)
+{
+ int rv;
+ TALLOC_CTX *mem_ctx;
+ struct ldb_message *msg;
+ char *version_str, *flags_str;
+
+ mem_ctx = talloc_new(gp_ctx);
+
+ msg = ldb_msg_new(mem_ctx);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ msg->dn = ldb_dn_new(mem_ctx, gp_ctx->ldb_ctx, gpo->dn);
+
+ version_str = talloc_asprintf(mem_ctx, "%d", gpo->version);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ flags_str = talloc_asprintf(mem_ctx, "%d", gpo->flags);
+ if (msg == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ rv = ldb_msg_add_string(msg, "flags", flags_str);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed for flags: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[0].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_msg_add_string(msg, "version", version_str);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed for version: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[1].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_msg_add_string(msg, "displayName", gpo->display_name);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB message add string failed for displayName: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+ msg->elements[2].flags = LDB_FLAG_MOD_REPLACE;
+
+ rv = ldb_modify(gp_ctx->ldb_ctx, msg);
+ if (rv != LDB_SUCCESS) {
+ DEBUG(0, ("LDB modify failed: %s\n", ldb_strerror(rv)));
+ talloc_free(mem_ctx);
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/gp_manage.c b/source4/lib/policy/gp_manage.c
new file mode 100644
index 0000000..769e6c0
--- /dev/null
+++ b/source4/lib/policy/gp_manage.c
@@ -0,0 +1,329 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Wilco Baan Hofman 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+#include "includes.h"
+#include "../libcli/security/dom_sid.h"
+#include "../libcli/security/security_descriptor.h"
+#include "../librpc/ndr/libndr.h"
+#include "../lib/util/charset/charset.h"
+#include "param/param.h"
+#include "lib/policy/policy.h"
+
+uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask)
+{
+ uint32_t fs_mask;
+
+ /* Copy the standard access mask */
+ fs_mask = access_mask & 0x001F0000;
+
+ /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
+ if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) {
+ fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE |
+ SEC_DIR_READ_EA | SEC_DIR_TRAVERSE;
+ }
+
+ /* When WRITE_PROP is set, full write access is granted on the GPT */
+ if (access_mask & SEC_ADS_WRITE_PROP) {
+ fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE |
+ SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE |
+ SEC_DIR_ADD_SUBDIR;
+ }
+
+ /* Map CREATE_CHILD to add file and add subdir */
+ if (access_mask & SEC_ADS_CREATE_CHILD)
+ fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR;
+
+ /* Map ADS delete child to dir delete child */
+ if (access_mask & SEC_ADS_DELETE_CHILD)
+ fs_mask |= SEC_DIR_DELETE_CHILD;
+
+ return fs_mask;
+}
+
+NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
+{
+ struct security_descriptor *fs_sd;
+ NTSTATUS status;
+ uint32_t i;
+
+ /* Allocate the file system security descriptor */
+ fs_sd = talloc(mem_ctx, struct security_descriptor);
+ NT_STATUS_HAVE_NO_MEMORY(fs_sd);
+
+ /* Copy the basic information from the directory server security descriptor */
+ fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
+ if (fs_sd->owner_sid == NULL) {
+ TALLOC_FREE(fs_sd);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
+ if (fs_sd->group_sid == NULL) {
+ TALLOC_FREE(fs_sd);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ fs_sd->type = ds_sd->type;
+ fs_sd->revision = ds_sd->revision;
+
+ /* Copy the sacl */
+ fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
+ if (fs_sd->sacl == NULL) {
+ TALLOC_FREE(fs_sd);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Copy the dacl */
+ fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
+ if (fs_sd->dacl == NULL) {
+ TALLOC_FREE(fs_sd);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ for (i = 0; i < ds_sd->dacl->num_aces; i++) {
+ char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
+ struct security_ace *ace;
+
+ /* Don't add the allow for SID_BUILTIN_PREW2K */
+ if ((ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT ||
+ ds_sd->dacl->aces[i].type == SEC_ACE_TYPE_ACCESS_ALLOWED) &&
+ strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
+ talloc_free(trustee);
+ continue;
+ }
+
+ /* Copy the ace from the directory server security descriptor */
+ ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
+ if (ace == NULL) {
+ TALLOC_FREE(fs_sd);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Set specific inheritance flags for within the GPO */
+ ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
+ if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
+ ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
+ }
+
+ /* Get a directory access mask from the assigned access mask on the LDAP object */
+ ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
+
+ /* Add the ace to the security descriptor DACL */
+ status = security_descriptor_dacl_add(fs_sd, ace);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
+ return status;
+ }
+
+ /* Clean up the allocated data in this iteration */
+ talloc_free(trustee);
+ }
+
+ *ret = fs_sd;
+ return NT_STATUS_OK;
+}
+
+
+NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
+{
+ struct GUID guid_struct;
+ char *guid_str;
+ char *name;
+ struct security_descriptor *sd;
+ TALLOC_CTX *mem_ctx;
+ struct gp_object *gpo;
+ NTSTATUS status;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Create the gpo struct to return later */
+ gpo = talloc(gp_ctx, struct gp_object);
+ if (gpo == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Generate a GUID */
+ guid_struct = GUID_random();
+ guid_str = GUID_string2(mem_ctx, &guid_struct);
+ if (guid_str == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ name = strupper_talloc(mem_ctx, guid_str);
+ if (name == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Prepare the GPO struct */
+ gpo->dn = NULL;
+ gpo->name = name;
+ gpo->flags = 0;
+ gpo->version = 0;
+ gpo->display_name = talloc_strdup(gpo, display_name);
+ if (gpo->display_name == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name);
+ if (gpo->file_sys_path == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ /* Create the GPT */
+ status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to create GPT\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+
+ /* Create the LDAP GPO, including CN=User and CN=Machine */
+ status = gp_create_ldap_gpo(gp_ctx, gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to create LDAP group policy object\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Get the new security descriptor */
+ status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Create matching file and DS security descriptors */
+ status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Set the security descriptor on the filesystem for this GPO */
+ status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+
+ *ret = gpo;
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
+{
+ TALLOC_CTX *mem_ctx;
+ struct security_descriptor *fs_sd;
+ struct gp_object *gpo;
+ NTSTATUS status;
+
+ /* Create a forked memory context, as a base for everything here */
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Set the ACL on LDAP database */
+ status = gp_set_ads_acl(gp_ctx, dn_str, sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set ACL on ADS\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Get the group policy object information, for filesystem location and merged sd */
+ status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set ACL on ADS\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Create matching file and DS security descriptors */
+ status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Set the security descriptor on the filesystem for this GPO */
+ status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
+
+NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo)
+{
+ NTSTATUS status;
+ TALLOC_CTX *mem_ctx;
+ struct gp_ini_context *ini;
+ char *filename;
+
+ mem_ctx = talloc_new(gp_ctx);
+ NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
+
+ /* Get version from ini file */
+ /* FIXME: The local file system may be case sensitive */
+ filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI");
+ if (filename == NULL) {
+ TALLOC_FREE(mem_ctx);
+ return NT_STATUS_NO_MEMORY;
+ }
+ status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to parse GPT.INI.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Push the GPT to the remote sysvol */
+ status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ /* Write version to LDAP */
+ status = gp_set_ldap_gpo(gp_ctx, gpo);
+ if (!NT_STATUS_IS_OK(status)) {
+ DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
+ talloc_free(mem_ctx);
+ return status;
+ }
+
+ talloc_free(mem_ctx);
+ return NT_STATUS_OK;
+}
diff --git a/source4/lib/policy/policy.h b/source4/lib/policy/policy.h
new file mode 100644
index 0000000..3d8a0dc
--- /dev/null
+++ b/source4/lib/policy/policy.h
@@ -0,0 +1,125 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Group Policy Object Support
+ * Copyright (C) Guenther Deschner 2005-2008 (from samba 3 gpo.h)
+ * Copyright (C) Wilco Baan Hofman 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef __POLICY_H__
+#define __POLICY_H__
+
+#define GPLINK_OPT_DISABLE (1 << 0)
+#define GPLINK_OPT_ENFORCE (1 << 1)
+
+#define GPO_FLAG_USER_DISABLE (1 << 0)
+#define GPO_FLAG_MACHINE_DISABLE (1 << 1)
+
+struct security_token;
+struct nbt_dc_name;
+
+enum gpo_inheritance {
+ GPO_INHERIT = 0,
+ GPO_BLOCK_INHERITANCE = 1,
+};
+
+struct gp_context {
+ struct ldb_context *ldb_ctx;
+ struct loadparm_context *lp_ctx;
+ struct cli_credentials *credentials;
+ struct tevent_context *ev_ctx;
+ struct smbcli_state *cli;
+ struct nbt_dc_name *active_dc;
+};
+
+struct gp_object {
+ uint32_t version;
+ uint32_t flags;
+ const char *display_name;
+ const char *name;
+ const char *dn;
+ const char *file_sys_path;
+ struct security_descriptor *security_descriptor;
+};
+
+
+struct gp_link {
+ uint32_t options;
+ const char *dn;
+};
+
+struct gp_ini_param {
+ char *name;
+ char *value;
+};
+
+struct gp_ini_section {
+ char *name;
+ uint16_t num_params;
+ struct gp_ini_param *params;
+};
+
+struct gp_ini_context {
+ uint16_t num_sections;
+ struct gp_ini_section *sections;
+};
+
+NTSTATUS gp_init(TALLOC_CTX *mem_ctx,
+ struct loadparm_context *lp_ctx,
+ struct cli_credentials *creds,
+ struct tevent_context *ev_ctx,
+ struct gp_context **gp_ctx);
+
+
+/* LDAP functions */
+NTSTATUS gp_list_all_gpos(struct gp_context *gp_ctx, struct gp_object ***ret);
+NTSTATUS gp_get_gplinks(struct gp_context *gp_ctx, const char *req_dn, struct gp_link ***ret);
+NTSTATUS gp_list_gpos(struct gp_context *gp_ctx, struct security_token *token, const char ***ret);
+
+NTSTATUS gp_get_gpo_info(struct gp_context *gp_ctx, const char *dn_str, struct gp_object **ret);
+
+
+NTSTATUS gp_get_gplink_options(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret);
+NTSTATUS gp_get_gpo_flags(TALLOC_CTX *mem_ctx, uint32_t flags, const char ***ret);
+
+NTSTATUS gp_set_gplink(struct gp_context *gp_ctx, const char *dn_str, struct gp_link *gplink);
+NTSTATUS gp_del_gplink(struct gp_context *gp_ctx, const char *dn_str, const char *gp_dn);
+NTSTATUS gp_get_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance *inheritance);
+NTSTATUS gp_set_inheritance(struct gp_context *gp_ctx, const char *dn_str, enum gpo_inheritance inheritance);
+
+NTSTATUS gp_create_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo);
+NTSTATUS gp_set_ads_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd);
+NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo);
+NTSTATUS gp_set_ldap_gpo(struct gp_context *gp_ctx, struct gp_object *gpo);
+
+/* File system functions */
+NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo, const char **path);
+NTSTATUS gp_create_gpt(struct gp_context *gp_ctx, const char *name, const char *file_sys_path);
+NTSTATUS gp_set_gpt_security_descriptor(struct gp_context *gp_ctx, struct gp_object *gpo, struct security_descriptor *sd);
+NTSTATUS gp_push_gpt(struct gp_context *gp_ctx, const char *local_path,
+ const char *file_sys_path);
+
+/* Ini functions */
+NTSTATUS gp_parse_ini(TALLOC_CTX *mem_ctx, struct gp_context *gp_ctx, const char *filename, struct gp_ini_context **ret);
+NTSTATUS gp_get_ini_string(struct gp_ini_context *ini, const char *section, const char *name, char **ret);
+NTSTATUS gp_get_ini_uint(struct gp_ini_context *ini, const char *section, const char *name, uint32_t *ret);
+
+/* Managing functions */
+NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret);
+NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret);
+NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd);
+uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask);
+
+#endif
diff --git a/source4/lib/policy/pypolicy.c b/source4/lib/policy/pypolicy.c
new file mode 100644
index 0000000..f40d811
--- /dev/null
+++ b/source4/lib/policy/pypolicy.c
@@ -0,0 +1,174 @@
+/*
+ * Unix SMB/CIFS implementation.
+ * Python bindings for libpolicy
+ * Copyright (C) Jelmer Vernooij 2010
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <Python.h>
+#include "includes.h"
+#include "python/py3compat.h"
+#include "policy.h"
+#include "libcli/util/pyerrors.h"
+
+void initpolicy(void);
+
+static PyObject *py_get_gpo_flags(PyObject *self, PyObject *args)
+{
+ int flags;
+ PyObject *py_ret;
+ const char **ret;
+ TALLOC_CTX *mem_ctx;
+ int i;
+ NTSTATUS status;
+
+ if (!PyArg_ParseTuple(args, "i", &flags))
+ return NULL;
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ status = gp_get_gpo_flags(mem_ctx, flags, &ret);
+ if (!NT_STATUS_IS_OK(status)) {
+ PyErr_SetNTSTATUS(status);
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+
+ py_ret = PyList_New(0);
+ for (i = 0; ret[i]; i++) {
+ int res = 0;
+ PyObject *item = PyUnicode_FromString(ret[i]);
+ if (item == NULL) {
+ talloc_free(mem_ctx);
+ Py_DECREF(py_ret);
+ PyErr_NoMemory();
+ return NULL;
+ }
+ res = PyList_Append(py_ret, item);
+ Py_CLEAR(item);
+ if (res == -1) {
+ Py_DECREF(py_ret);
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+ }
+
+ talloc_free(mem_ctx);
+
+ return py_ret;
+}
+
+static PyObject *py_get_gplink_options(PyObject *self, PyObject *args)
+{
+ int flags;
+ PyObject *py_ret;
+ const char **ret;
+ TALLOC_CTX *mem_ctx;
+ int i;
+ NTSTATUS status;
+
+ if (!PyArg_ParseTuple(args, "i", &flags))
+ return NULL;
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ return NULL;
+ }
+
+ status = gp_get_gplink_options(mem_ctx, flags, &ret);
+ if (!NT_STATUS_IS_OK(status)) {
+ PyErr_SetNTSTATUS(status);
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+
+ py_ret = PyList_New(0);
+ for (i = 0; ret[i]; i++) {
+ int res = 0;
+ PyObject *item = PyUnicode_FromString(ret[i]);
+ if (item == NULL) {
+ talloc_free(mem_ctx);
+ Py_DECREF(py_ret);
+ PyErr_NoMemory();
+ return NULL;
+ }
+ res = PyList_Append(py_ret, item);
+ Py_CLEAR(item);
+ if (res == -1) {
+ Py_DECREF(py_ret);
+ talloc_free(mem_ctx);
+ return NULL;
+ }
+ }
+
+ talloc_free(mem_ctx);
+
+ return py_ret;
+}
+
+static PyObject *py_ads_to_dir_access_mask(PyObject *self, PyObject *args)
+{
+ uint32_t access_mask, dir_mask;
+
+ if (! PyArg_ParseTuple(args, "I", &access_mask))
+ return NULL;
+
+ dir_mask = gp_ads_to_dir_access_mask(access_mask);
+
+ return Py_BuildValue("I", dir_mask);
+}
+
+
+static PyMethodDef py_policy_methods[] = {
+ { "get_gpo_flags", (PyCFunction)py_get_gpo_flags, METH_VARARGS,
+ "get_gpo_flags(flags) -> list" },
+ { "get_gplink_options", (PyCFunction)py_get_gplink_options, METH_VARARGS,
+ "get_gplink_options(options) -> list" },
+ { "ads_to_dir_access_mask", (PyCFunction)py_ads_to_dir_access_mask, METH_VARARGS,
+ "ads_to_dir_access_mask(access_mask) -> dir_mask" },
+ {0}
+};
+
+static struct PyModuleDef moduledef = {
+ PyModuleDef_HEAD_INIT,
+ .m_name = "policy",
+ .m_doc = "(Group) Policy manipulation",
+ .m_size = -1,
+ .m_methods = py_policy_methods,
+};
+
+MODULE_INIT_FUNC(policy)
+{
+ PyObject *m = NULL;
+
+ m = PyModule_Create(&moduledef);
+ if (!m)
+ return m;
+
+ PyModule_AddObject(m, "GPO_FLAG_USER_DISABLE",
+ PyLong_FromLong(GPO_FLAG_USER_DISABLE));
+ PyModule_AddObject(m, "GPO_MACHINE_USER_DISABLE",
+ PyLong_FromLong(GPO_FLAG_MACHINE_DISABLE));
+ PyModule_AddObject(m, "GPLINK_OPT_DISABLE",
+ PyLong_FromLong(GPLINK_OPT_DISABLE ));
+ PyModule_AddObject(m, "GPLINK_OPT_ENFORCE ",
+ PyLong_FromLong(GPLINK_OPT_ENFORCE ));
+ return m;
+}
diff --git a/source4/lib/policy/samba-policy.pc.in b/source4/lib/policy/samba-policy.pc.in
new file mode 100644
index 0000000..3247ae3
--- /dev/null
+++ b/source4/lib/policy/samba-policy.pc.in
@@ -0,0 +1,12 @@
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+libdir=@libdir@
+includedir=@includedir@
+
+Name: samba-policy
+Description: Active Directory Group Policy library
+Requires: talloc
+Requires.private: ldb
+Version: @PACKAGE_VERSION@
+Libs: @LIB_RPATH@ -L${libdir} -lsamba-policy
+Cflags: -I${includedir} -DHAVE_IMMEDIATE_STRUCTURES=1
diff --git a/source4/lib/policy/wscript_build b/source4/lib/policy/wscript_build
new file mode 100644
index 0000000..027d4be
--- /dev/null
+++ b/source4/lib/policy/wscript_build
@@ -0,0 +1,22 @@
+#!/usr/bin/env python
+
+
+
+pytalloc_util = bld.pyembed_libname('pytalloc-util')
+samba_policy = bld.pyembed_libname('samba-policy')
+samba_net = bld.pyembed_libname('samba-net')
+bld.SAMBA_LIBRARY(samba_policy,
+ source='gp_ldap.c gp_filesys.c gp_manage.c gp_ini.c',
+ pc_files='samba-policy.pc',
+ public_deps='ldb %s' % samba_net,
+ vnum='0.0.1',
+ pyembed=True,
+ public_headers='policy.h',
+ enabled=bld.PYTHON_BUILD_IS_ENABLED()
+ )
+bld.SAMBA_PYTHON(
+ 'py_policy',
+ source='pypolicy.c',
+ public_deps='%s %s' % (samba_policy, pytalloc_util),
+ realname='samba/policy.so'
+ )