/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- net_ads_gpo_refresh
- net_ads_gpo_list_all
- net_ads_gpo_list
- net_ads_gpo_apply
- net_ads_gpo_link_get
- net_ads_gpo_link_add
- net_ads_gpo_link_delete
- net_ads_gpo_get_gpo
- net_ads_gpo
1 /*
2 Samba Unix/Linux SMB client library
3 net ads commands for Group Policy
4 Copyright (C) 2005-2008 Guenther Deschner (gd@samba.org)
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "utils/net.h"
22
23 #ifdef HAVE_ADS
24
25 static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
26 {
27 TALLOC_CTX *mem_ctx;
28 ADS_STRUCT *ads;
29 ADS_STATUS status;
30 const char *dn = NULL;
31 struct GROUP_POLICY_OBJECT *gpo_list = NULL;
32 struct GROUP_POLICY_OBJECT *read_list = NULL;
33 uint32 uac = 0;
34 uint32 flags = 0;
35 struct GROUP_POLICY_OBJECT *gpo;
36 NTSTATUS result;
37 struct nt_user_token *token = NULL;
38
39 if (argc < 1 || c->display_usage) {
40 d_printf("Usage:\n"
41 "net ads gpo refresh <username|machinename>\n"
42 " Lists all GPOs assigned to an account and "
43 "downloads them\n"
44 " username\tUser to refresh GPOs for\n"
45 " machinename\tMachine to refresh GPOs for\n");
46 return -1;
47 }
48
49 mem_ctx = talloc_init("net_ads_gpo_refresh");
50 if (mem_ctx == NULL) {
51 return -1;
52 }
53
54 status = ads_startup(c, false, &ads);
55 if (!ADS_ERR_OK(status)) {
56 d_printf("failed to connect AD server: %s\n", ads_errstr(status));
57 goto out;
58 }
59
60 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
61 if (!ADS_ERR_OK(status)) {
62 d_printf("failed to find samaccount for %s\n", argv[0]);
63 goto out;
64 }
65
66 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
67 flags |= GPO_LIST_FLAG_MACHINE;
68 }
69
70 d_printf("\n%s: '%s' has dn: '%s'\n\n",
71 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
72 argv[0], dn);
73
74 d_printf("* fetching token ");
75 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
76 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
77 } else {
78 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
79 }
80
81 if (!ADS_ERR_OK(status)) {
82 d_printf("failed: %s\n", ads_errstr(status));
83 goto out;
84 }
85 d_printf("finished\n");
86
87 d_printf("* fetching GPO List ");
88 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
89 if (!ADS_ERR_OK(status)) {
90 d_printf("failed: %s\n", ads_errstr(status));
91 goto out;
92 }
93 d_printf("finished\n");
94
95 d_printf("* refreshing Group Policy Data ");
96 if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
97 flags,
98 gpo_list))) {
99 d_printf("failed: %s\n", nt_errstr(result));
100 goto out;
101 }
102 d_printf("finished\n");
103
104 d_printf("* storing GPO list to registry ");
105
106 {
107 WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
108 token, gpo_list);
109 if (!W_ERROR_IS_OK(werr)) {
110 d_printf("failed: %s\n", win_errstr(werr));
111 goto out;
112 }
113 }
114
115 d_printf("finished\n");
116
117 if (c->opt_verbose) {
118
119 d_printf("* dumping GPO list\n");
120
121 for (gpo = gpo_list; gpo; gpo = gpo->next) {
122
123 dump_gpo(ads, mem_ctx, gpo, 0);
124 #if 0
125 char *server, *share, *nt_path, *unix_path;
126
127 d_printf("--------------------------------------\n");
128 d_printf("Name:\t\t\t%s\n", gpo->display_name);
129 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
130 gpo->version,
131 GPO_VERSION_USER(gpo->version),
132 GPO_VERSION_MACHINE(gpo->version));
133
134 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
135 &server, &share, &nt_path,
136 &unix_path);
137 if (!NT_STATUS_IS_OK(result)) {
138 d_printf("got: %s\n", nt_errstr(result));
139 }
140
141 d_printf("GPO stored on server: %s, share: %s\n", server, share);
142 d_printf("\tremote path:\t%s\n", nt_path);
143 d_printf("\tlocal path:\t%s\n", unix_path);
144 #endif
145 }
146 }
147
148 d_printf("* re-reading GPO list from registry ");
149
150 {
151 WERROR werr = gp_reg_state_read(mem_ctx, flags,
152 &token->user_sids[0],
153 &read_list);
154 if (!W_ERROR_IS_OK(werr)) {
155 d_printf("failed: %s\n", win_errstr(werr));
156 goto out;
157 }
158 }
159
160 d_printf("finished\n");
161
162 if (c->opt_verbose) {
163
164 d_printf("* dumping GPO list from registry\n");
165
166 for (gpo = read_list; gpo; gpo = gpo->next) {
167
168 dump_gpo(ads, mem_ctx, gpo, 0);
169
170 #if 0
171 char *server, *share, *nt_path, *unix_path;
172
173 d_printf("--------------------------------------\n");
174 d_printf("Name:\t\t\t%s\n", gpo->display_name);
175 d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
176 gpo->version,
177 GPO_VERSION_USER(gpo->version),
178 GPO_VERSION_MACHINE(gpo->version));
179
180 result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
181 &server, &share, &nt_path,
182 &unix_path);
183 if (!NT_STATUS_IS_OK(result)) {
184 d_printf("got: %s\n", nt_errstr(result));
185 }
186
187 d_printf("GPO stored on server: %s, share: %s\n", server, share);
188 d_printf("\tremote path:\t%s\n", nt_path);
189 d_printf("\tlocal path:\t%s\n", unix_path);
190 #endif
191 }
192 }
193
194 out:
195 ads_destroy(&ads);
196 talloc_destroy(mem_ctx);
197 return 0;
198 }
199
200 static int net_ads_gpo_list_all(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
201 {
202 ADS_STRUCT *ads;
203 ADS_STATUS status;
204 LDAPMessage *res = NULL;
205 int num_reply = 0;
206 LDAPMessage *msg = NULL;
207 struct GROUP_POLICY_OBJECT gpo;
208 TALLOC_CTX *mem_ctx;
209 char *dn;
210 const char *attrs[] = {
211 "versionNumber",
212 "flags",
213 "gPCFileSysPath",
214 "displayName",
215 "name",
216 "gPCMachineExtensionNames",
217 "gPCUserExtensionNames",
218 "ntSecurityDescriptor",
219 NULL
220 };
221
222 if (c->display_usage) {
223 d_printf("Usage:\n"
224 "net ads gpo listall\n"
225 " List all GPOs on the DC\n");
226 return 0;
227 }
228
229 mem_ctx = talloc_init("net_ads_gpo_list_all");
230 if (mem_ctx == NULL) {
231 return -1;
232 }
233
234 status = ads_startup(c, false, &ads);
235 if (!ADS_ERR_OK(status)) {
236 goto out;
237 }
238
239 status = ads_do_search_all_sd_flags(ads, ads->config.bind_path,
240 LDAP_SCOPE_SUBTREE,
241 "(objectclass=groupPolicyContainer)",
242 attrs,
243 DACL_SECURITY_INFORMATION,
244 &res);
245
246 if (!ADS_ERR_OK(status)) {
247 d_printf("search failed: %s\n", ads_errstr(status));
248 goto out;
249 }
250
251 num_reply = ads_count_replies(ads, res);
252
253 d_printf("Got %d replies\n\n", num_reply);
254
255 /* dump the results */
256 for (msg = ads_first_entry(ads, res);
257 msg;
258 msg = ads_next_entry(ads, msg)) {
259
260 if ((dn = ads_get_dn(ads, mem_ctx, msg)) == NULL) {
261 goto out;
262 }
263
264 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
265
266 if (!ADS_ERR_OK(status)) {
267 d_printf("ads_parse_gpo failed: %s\n",
268 ads_errstr(status));
269 goto out;
270 }
271
272 dump_gpo(ads, mem_ctx, &gpo, 0);
273 }
274
275 out:
276 ads_msgfree(ads, res);
277
278 TALLOC_FREE(mem_ctx);
279 ads_destroy(&ads);
280
281 return 0;
282 }
283
284 static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
285 {
286 ADS_STRUCT *ads;
287 ADS_STATUS status;
288 LDAPMessage *res = NULL;
289 TALLOC_CTX *mem_ctx;
290 const char *dn = NULL;
291 uint32 uac = 0;
292 uint32 flags = 0;
293 struct GROUP_POLICY_OBJECT *gpo_list;
294 struct nt_user_token *token = NULL;
295
296 if (argc < 1 || c->display_usage) {
297 d_printf("Usage:\n"
298 "net ads gpo list <username|machinename>\n"
299 " Lists all GPOs for machine/user\n"
300 " username\tUser to list GPOs for\n"
301 " machinename\tMachine to list GPOs for\n");
302 return -1;
303 }
304
305 mem_ctx = talloc_init("net_ads_gpo_list");
306 if (mem_ctx == NULL) {
307 goto out;
308 }
309
310 status = ads_startup(c, false, &ads);
311 if (!ADS_ERR_OK(status)) {
312 goto out;
313 }
314
315 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
316 if (!ADS_ERR_OK(status)) {
317 goto out;
318 }
319
320 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
321 flags |= GPO_LIST_FLAG_MACHINE;
322 }
323
324 d_printf("%s: '%s' has dn: '%s'\n",
325 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
326 argv[0], dn);
327
328 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
329 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
330 } else {
331 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
332 }
333
334 if (!ADS_ERR_OK(status)) {
335 goto out;
336 }
337
338 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
339 if (!ADS_ERR_OK(status)) {
340 goto out;
341 }
342
343 dump_gpo_list(ads, mem_ctx, gpo_list, 0);
344
345 out:
346 ads_msgfree(ads, res);
347
348 talloc_destroy(mem_ctx);
349 ads_destroy(&ads);
350
351 return 0;
352 }
353
354 #if 0
355 static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
356 {
357 TALLOC_CTX *mem_ctx;
358 ADS_STRUCT *ads;
359 ADS_STATUS status;
360 const char *dn = NULL;
361 struct GROUP_POLICY_OBJECT *gpo_list;
362 uint32 uac = 0;
363 uint32 flags = 0;
364 struct nt_user_token *token = NULL;
365 const char *filter = NULL;
366
367 if (argc < 1 || c->display_usage) {
368 d_printf("Usage:\n"
369 "net ads gpo apply <username|machinename>\n"
370 " Apply GPOs for machine/user\n"
371 " username\tUsername to apply GPOs for\n"
372 " machinename\tMachine to apply GPOs for\n");
373 return -1;
374 }
375
376 mem_ctx = talloc_init("net_ads_gpo_apply");
377 if (mem_ctx == NULL) {
378 goto out;
379 }
380
381 if (argc >= 2) {
382 filter = cse_gpo_name_to_guid_string(argv[1]);
383 }
384
385 status = ads_startup(c, false, &ads);
386 if (!ADS_ERR_OK(status)) {
387 d_printf("got: %s\n", ads_errstr(status));
388 goto out;
389 }
390
391 status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
392 if (!ADS_ERR_OK(status)) {
393 d_printf("failed to find samaccount for %s: %s\n",
394 argv[0], ads_errstr(status));
395 goto out;
396 }
397
398 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
399 flags |= GPO_LIST_FLAG_MACHINE;
400 }
401
402 if (opt_verbose) {
403 flags |= GPO_INFO_FLAG_VERBOSE;
404 }
405
406 d_printf("%s: '%s' has dn: '%s'\n",
407 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
408 argv[0], dn);
409
410 if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
411 status = gp_get_machine_token(ads, mem_ctx, dn, &token);
412 } else {
413 status = ads_get_sid_token(ads, mem_ctx, dn, &token);
414 }
415
416 if (!ADS_ERR_OK(status)) {
417 goto out;
418 }
419
420 status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
421 if (!ADS_ERR_OK(status)) {
422 goto out;
423 }
424
425 status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
426 filter, flags);
427 if (!ADS_ERR_OK(status)) {
428 d_printf("failed to process gpo list: %s\n",
429 ads_errstr(status));
430 goto out;
431 }
432
433 out:
434 ads_destroy(&ads);
435 talloc_destroy(mem_ctx);
436 return 0;
437 }
438 #endif
439
440 static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
441 {
442 ADS_STRUCT *ads;
443 ADS_STATUS status;
444 TALLOC_CTX *mem_ctx;
445 struct GP_LINK gp_link;
446
447 if (argc < 1 || c->display_usage) {
448 d_printf("Usage:\n"
449 "net ads gpo linkget <container>\n"
450 " Lists gPLink of a containter\n"
451 " container\tContainer to get link for\n");
452 return -1;
453 }
454
455 mem_ctx = talloc_init("add_gpo_link");
456 if (mem_ctx == NULL) {
457 return -1;
458 }
459
460 status = ads_startup(c, false, &ads);
461 if (!ADS_ERR_OK(status)) {
462 goto out;
463 }
464
465 status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
466 if (!ADS_ERR_OK(status)) {
467 d_printf("get link for %s failed: %s\n", argv[0],
468 ads_errstr(status));
469 goto out;
470 }
471
472 dump_gplink(ads, mem_ctx, &gp_link);
473
474 out:
475 talloc_destroy(mem_ctx);
476 ads_destroy(&ads);
477
478 return 0;
479 }
480
481 static int net_ads_gpo_link_add(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
482 {
483 ADS_STRUCT *ads;
484 ADS_STATUS status;
485 uint32 gpo_opt = 0;
486 TALLOC_CTX *mem_ctx;
487
488 if (argc < 2 || c->display_usage) {
489 d_printf("Usage:\n"
490 "net ads gpo linkadd <linkdn> <gpodn> [options]\n"
491 " Link a container to a GPO\n"
492 " linkdn\tContainer to link to a GPO\n"
493 " gpodn\tGPO to link container to\n");
494 d_printf("note: DNs must be provided properly escaped.\n");
495 d_printf("See RFC 4514 for details\n");
496 return -1;
497 }
498
499 mem_ctx = talloc_init("add_gpo_link");
500 if (mem_ctx == NULL) {
501 return -1;
502 }
503
504 if (argc == 3) {
505 gpo_opt = atoi(argv[2]);
506 }
507
508 status = ads_startup(c, false, &ads);
509 if (!ADS_ERR_OK(status)) {
510 goto out;
511 }
512
513 status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
514 if (!ADS_ERR_OK(status)) {
515 d_printf("link add failed: %s\n", ads_errstr(status));
516 goto out;
517 }
518
519 out:
520 talloc_destroy(mem_ctx);
521 ads_destroy(&ads);
522
523 return 0;
524 }
525
526 #if 0 /* broken */
527
528 static int net_ads_gpo_link_delete(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
529 {
530 ADS_STRUCT *ads;
531 ADS_STATUS status;
532 TALLOC_CTX *mem_ctx;
533
534 if (argc < 2 || c->display_usage) {
535 d_printf("Usage:\n"
536 "net ads gpo linkdelete <linkdn> <gpodn>\n"
537 " Delete a GPO link\n"
538 " <linkdn>\tContainer to delete GPO from\n"
539 " <gpodn>\tGPO to delete from container\n");
540 return -1;
541 }
542
543 mem_ctx = talloc_init("delete_gpo_link");
544 if (mem_ctx == NULL) {
545 return -1;
546 }
547
548 status = ads_startup(c, false, &ads);
549 if (!ADS_ERR_OK(status)) {
550 goto out;
551 }
552
553 status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
554 if (!ADS_ERR_OK(status)) {
555 d_printf("delete link failed: %s\n", ads_errstr(status));
556 goto out;
557 }
558
559 out:
560 talloc_destroy(mem_ctx);
561 ads_destroy(&ads);
562
563 return 0;
564 }
565
566 #endif
567
568 static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
569 {
570 ADS_STRUCT *ads;
571 ADS_STATUS status;
572 TALLOC_CTX *mem_ctx;
573 struct GROUP_POLICY_OBJECT gpo;
574
575 if (argc < 1 || c->display_usage) {
576 d_printf("Usage:\n"
577 "net ads gpo getgpo <gpo>\n"
578 " List speciefied GPO\n"
579 " gpo\t\tGPO to list\n");
580 return -1;
581 }
582
583 mem_ctx = talloc_init("ads_gpo_get_gpo");
584 if (mem_ctx == NULL) {
585 return -1;
586 }
587
588 status = ads_startup(c, false, &ads);
589 if (!ADS_ERR_OK(status)) {
590 goto out;
591 }
592
593 if (strnequal(argv[0], "CN={", strlen("CN={"))) {
594 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
595 } else {
596 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
597 }
598
599 if (!ADS_ERR_OK(status)) {
600 d_printf("get gpo for [%s] failed: %s\n", argv[0],
601 ads_errstr(status));
602 goto out;
603 }
604
605 dump_gpo(ads, mem_ctx, &gpo, 1);
606
607 out:
608 talloc_destroy(mem_ctx);
609 ads_destroy(&ads);
610
611 return 0;
612 }
613
614 int net_ads_gpo(struct net_context *c, int argc, const char **argv)
/* [<][>][^][v][top][bottom][index][help] */
615 {
616 struct functable func[] = {
617 #if 0
618 {
619 "apply",
620 net_ads_gpo_apply,
621 NET_TRANSPORT_ADS,
622 "Apply GPO to container",
623 "net ads gpo apply\n"
624 " Apply GPO to container"
625 },
626 #endif
627 {
628 "getgpo",
629 net_ads_gpo_get_gpo,
630 NET_TRANSPORT_ADS,
631 "List specified GPO",
632 "net ads gpo getgpo\n"
633 " List specified GPO"
634 },
635 {
636 "linkadd",
637 net_ads_gpo_link_add,
638 NET_TRANSPORT_ADS,
639 "Link a container to a GPO",
640 "net ads gpo linkadd\n"
641 " Link a container to a GPO"
642 },
643 #if 0
644 {
645 "linkdelete",
646 net_ads_gpo_link_delete,
647 NET_TRANSPORT_ADS,
648 "Delete GPO link from a container",
649 "net ads gpo linkdelete\n"
650 " Delete GPO link from a container"
651 },
652 #endif
653 {
654 "linkget",
655 net_ads_gpo_link_get,
656 NET_TRANSPORT_ADS,
657 "Lists gPLink of containter",
658 "net ads gpo linkget\n"
659 " Lists gPLink of containter"
660 },
661 {
662 "list",
663 net_ads_gpo_list,
664 NET_TRANSPORT_ADS,
665 "Lists all GPOs for machine/user",
666 "net ads gpo list\n"
667 " Lists all GPOs for machine/user"
668 },
669 {
670 "listall",
671 net_ads_gpo_list_all,
672 NET_TRANSPORT_ADS,
673 "Lists all GPOs on a DC",
674 "net ads gpo listall\n"
675 " Lists all GPOs on a DC"
676 },
677 {
678 "refresh",
679 net_ads_gpo_refresh,
680 NET_TRANSPORT_ADS,
681 "Lists all GPOs assigned to an account and downloads "
682 "them",
683 "net ads gpo refresh\n"
684 " Lists all GPOs assigned to an account and "
685 "downloads them"
686 },
687 {NULL, NULL, 0, NULL, NULL}
688 };
689
690 return net_run_function(c, argc, argv, "net ads gpo", func);
691 }
692
693 #endif /* HAVE_ADS */