static NTSTATUS gp_get_files(struct smbcli_tree *tree, const char *share_path,
const char *local_path, struct gp_file_list *list)
{
uint32_t i;
int rv;
char *local_rel_path, *full_local_path, *full_remote_path;
TALLOC_CTX *mem_ctx;
NTSTATUS status;
mem_ctx = talloc_new(tree);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
for (i = 0; i < list->num_files; i++) {
/* Get local path by replacing backslashes with slashes */
local_rel_path = talloc_strdup(mem_ctx, list->files[i].rel_path);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(local_rel_path, mem_ctx);
string_replace(local_rel_path, '\\', '/');
full_local_path = talloc_asprintf(mem_ctx, "%s%s", local_path,
local_rel_path);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(full_local_path, mem_ctx);
/* If the entry is a directory, create it. */
if (list->files[i].is_directory == true) {
rv = mkdir(full_local_path, 0755);
if (rv < 0) {
DEBUG(0, ("Failed to create directory %s: %s\n",
full_local_path, strerror(errno)));
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
continue;
}
full_remote_path = talloc_asprintf(mem_ctx, "%s%s", share_path,
list->files[i].rel_path);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(full_remote_path, mem_ctx);
/* Get the file */
status = gp_get_file(tree, full_remote_path, full_local_path);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Error getting file.\n"));
talloc_free(mem_ctx);
return status;
}
}
return NT_STATUS_OK;
}
NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo)
{
NTSTATUS status;
TALLOC_CTX *mem_ctx;
struct gp_ini_context *ini;
char *filename;
mem_ctx = talloc_new(gp_ctx);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
/* Get version from ini file */
/* FIXME: The local file system may be case sensitive */
filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI");
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filename, mem_ctx);
status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to parse GPT.INI.\n"));
talloc_free(mem_ctx);
return status;
}
/* Push the GPT to the remote sysvol */
status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
talloc_free(mem_ctx);
return status;
}
/* Write version to LDAP */
status = gp_set_ldap_gpo(gp_ctx, gpo);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
talloc_free(mem_ctx);
return status;
}
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS auth_generate_session_info(TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx, /* Optional, if you don't want privilages */
struct ldb_context *sam_ctx, /* Optional, if you don't want local groups */
struct auth_user_info_dc *user_info_dc,
uint32_t session_info_flags,
struct auth_session_info **_session_info)
{
struct auth_session_info *session_info;
NTSTATUS nt_status;
unsigned int i, num_sids = 0;
const char *filter;
struct dom_sid *sids = NULL;
const struct dom_sid *anonymous_sid, *system_sid;
TALLOC_CTX *tmp_ctx = talloc_new(mem_ctx);
NT_STATUS_HAVE_NO_MEMORY(tmp_ctx);
session_info = talloc_zero(tmp_ctx, struct auth_session_info);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info, tmp_ctx);
session_info->info = talloc_reference(session_info, user_info_dc->info);
session_info->torture = talloc_zero(session_info, struct auth_user_info_torture);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture, tmp_ctx);
session_info->torture->num_dc_sids = user_info_dc->num_sids;
session_info->torture->dc_sids = talloc_reference(session_info, user_info_dc->sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->torture->dc_sids, tmp_ctx);
/* unless set otherwise, the session key is the user session
* key from the auth subsystem */
session_info->session_key = data_blob_talloc(session_info, user_info_dc->user_session_key.data, user_info_dc->user_session_key.length);
if (!session_info->session_key.data && session_info->session_key.length) {
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(session_info->session_key.data, tmp_ctx);
}
anonymous_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_ANONYMOUS);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(anonymous_sid, tmp_ctx);
system_sid = dom_sid_parse_talloc(tmp_ctx, SID_NT_SYSTEM);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(system_sid, tmp_ctx);
sids = talloc_array(tmp_ctx, struct dom_sid, user_info_dc->num_sids);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, tmp_ctx);
if (!sids) {
talloc_free(tmp_ctx);
return NT_STATUS_NO_MEMORY;
}
num_sids = user_info_dc->num_sids;
for (i=0; i < user_info_dc->num_sids; i++) {
sids[i] = user_info_dc->sids[i];
}
if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(anonymous_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (user_info_dc->num_sids > PRIMARY_USER_SID_INDEX && dom_sid_equal(system_sid, &user_info_dc->sids[PRIMARY_USER_SID_INDEX])) {
/* Don't expand nested groups of system, anonymous etc*/
} else if (sam_ctx) {
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(groupType:1.2.840.113556.1.4.803:=%u))",
GROUP_TYPE_BUILTIN_LOCAL_GROUP);
/* Search for each group in the token */
for (i = 0; i < user_info_dc->num_sids; i++) {
char *sid_string;
const char *sid_dn;
DATA_BLOB sid_blob;
sid_string = dom_sid_string(tmp_ctx,
&user_info_dc->sids[i]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_string, user_info_dc);
sid_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", sid_string);
talloc_free(sid_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sid_dn, user_info_dc);
sid_blob = data_blob_string_const(sid_dn);
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
* builtin groups
*
* We already have the SID in the token, so set
* 'only childs' flag to true */
nt_status = dsdb_expand_nested_groups(sam_ctx, &sid_blob, true, filter,
tmp_ctx, &sids, &num_sids);
if (!NT_STATUS_IS_OK(nt_status)) {
talloc_free(tmp_ctx);
return nt_status;
}
}
}
nt_status = security_token_create(session_info,
lp_ctx,
num_sids,
sids,
session_info_flags,
&session_info->security_token);
NT_STATUS_NOT_OK_RETURN_AND_FREE(nt_status, tmp_ctx);
session_info->credentials = NULL;
talloc_steal(mem_ctx, session_info);
*_session_info = session_info;
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
_PUBLIC_ NTSTATUS authsam_make_user_info_dc(TALLOC_CTX *mem_ctx,
struct ldb_context *sam_ctx,
const char *netbios_name,
const char *domain_name,
struct ldb_dn *domain_dn,
struct ldb_message *msg,
DATA_BLOB user_sess_key,
DATA_BLOB lm_sess_key,
struct auth_user_info_dc **_user_info_dc)
{
NTSTATUS status;
struct auth_user_info_dc *user_info_dc;
struct auth_user_info *info;
const char *str, *filter;
/* SIDs for the account and his primary group */
struct dom_sid *account_sid;
const char *primary_group_string;
const char *primary_group_dn;
DATA_BLOB primary_group_blob;
/* SID structures for the expanded group memberships */
struct dom_sid *sids = NULL;
unsigned int num_sids = 0, i;
struct dom_sid *domain_sid;
TALLOC_CTX *tmp_ctx;
struct ldb_message_element *el;
user_info_dc = talloc(mem_ctx, struct auth_user_info_dc);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc);
tmp_ctx = talloc_new(user_info_dc);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc, user_info_dc);
sids = talloc_array(user_info_dc, struct dom_sid, 2);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(sids, user_info_dc);
num_sids = 2;
account_sid = samdb_result_dom_sid(user_info_dc, msg, "objectSid");
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(account_sid, user_info_dc);
status = dom_sid_split_rid(tmp_ctx, account_sid, &domain_sid, NULL);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(user_info_dc);
return status;
}
sids[PRIMARY_USER_SID_INDEX] = *account_sid;
sids[PRIMARY_GROUP_SID_INDEX] = *domain_sid;
sid_append_rid(&sids[PRIMARY_GROUP_SID_INDEX], ldb_msg_find_attr_as_uint(msg, "primaryGroupID", ~0));
/* Filter out builtin groups from this token. We will search
* for builtin groups later, and not include them in the PAC
* on SamLogon validation info */
filter = talloc_asprintf(tmp_ctx, "(&(objectClass=group)(!(groupType:1.2.840.113556.1.4.803:=%u))(groupType:1.2.840.113556.1.4.803:=%u))", GROUP_TYPE_BUILTIN_LOCAL_GROUP, GROUP_TYPE_SECURITY_ENABLED);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filter, user_info_dc);
primary_group_string = dom_sid_string(tmp_ctx, &sids[PRIMARY_GROUP_SID_INDEX]);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_string, user_info_dc);
primary_group_dn = talloc_asprintf(tmp_ctx, "<SID=%s>", primary_group_string);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(primary_group_dn, user_info_dc);
primary_group_blob = data_blob_string_const(primary_group_dn);
/* Expands the primary group - this function takes in
* memberOf-like values, so we fake one up with the
* <SID=S-...> format of DN and then let it expand
* them, as long as they meet the filter - so only
* domain groups, not builtin groups
*
* The primary group is still treated specially, so we set the
* 'only childs' flag to true
*/
status = dsdb_expand_nested_groups(sam_ctx, &primary_group_blob, true, filter,
user_info_dc, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(user_info_dc);
return status;
}
/* Expands the additional groups */
el = ldb_msg_find_element(msg, "memberOf");
for (i = 0; el && i < el->num_values; i++) {
/* This function takes in memberOf values and expands
* them, as long as they meet the filter - so only
* domain groups, not builtin groups */
status = dsdb_expand_nested_groups(sam_ctx, &el->values[i], false, filter,
user_info_dc, &sids, &num_sids);
if (!NT_STATUS_IS_OK(status)) {
talloc_free(user_info_dc);
return status;
}
}
user_info_dc->sids = sids;
user_info_dc->num_sids = num_sids;
user_info_dc->info = info = talloc_zero(user_info_dc, struct auth_user_info);
NT_STATUS_HAVE_NO_MEMORY(user_info_dc->info);
info->account_name = talloc_steal(info,
ldb_msg_find_attr_as_string(msg, "sAMAccountName", NULL));
info->domain_name = talloc_strdup(info, domain_name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->domain_name,
user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "displayName", "");
info->full_name = talloc_strdup(info, str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->full_name, user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "scriptPath", "");
info->logon_script = talloc_strdup(info, str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_script,
user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "profilePath", "");
info->profile_path = talloc_strdup(info, str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->profile_path,
user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "homeDirectory", "");
info->home_directory = talloc_strdup(info, str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_directory,
user_info_dc);
str = ldb_msg_find_attr_as_string(msg, "homeDrive", "");
info->home_drive = talloc_strdup(info, str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->home_drive, user_info_dc);
info->logon_server = talloc_strdup(info, netbios_name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(info->logon_server,
user_info_dc);
info->last_logon = samdb_result_nttime(msg, "lastLogon", 0);
info->last_logoff = samdb_result_last_logoff(msg);
info->acct_expiry = samdb_result_account_expires(msg);
info->last_password_change = samdb_result_nttime(msg,
"pwdLastSet", 0);
info->allow_password_change
= samdb_result_allow_password_change(sam_ctx, mem_ctx,
domain_dn, msg, "pwdLastSet");
info->force_password_change
= samdb_result_force_password_change(sam_ctx, mem_ctx,
domain_dn, msg);
info->logon_count = ldb_msg_find_attr_as_uint(msg, "logonCount", 0);
info->bad_password_count = ldb_msg_find_attr_as_uint(msg, "badPwdCount",
0);
info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
msg, domain_dn);
user_info_dc->user_session_key = data_blob_talloc(user_info_dc,
user_sess_key.data,
user_sess_key.length);
if (user_sess_key.data) {
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->user_session_key.data,
user_info_dc);
}
user_info_dc->lm_session_key = data_blob_talloc(user_info_dc,
lm_sess_key.data,
lm_sess_key.length);
if (lm_sess_key.data) {
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->lm_session_key.data,
user_info_dc);
}
if (info->acct_flags & ACB_SVRTRUST) {
/* the SID_NT_ENTERPRISE_DCS SID gets added into the
PAC */
user_info_dc->sids = talloc_realloc(user_info_dc,
user_info_dc->sids,
struct dom_sid,
user_info_dc->num_sids+1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(user_info_dc->sids, user_info_dc);
user_info_dc->sids[user_info_dc->num_sids] = global_sid_Enterprise_DCs;
user_info_dc->num_sids++;
}
/*
setup a listen stream socket
if you pass *port == 0, then a port > 1024 is used
FIXME: This function is TCP/IP specific - uses an int rather than
a string for the port. Should leave allocating a port nr
to the socket implementation - JRV20070903
*/
NTSTATUS stream_setup_socket(TALLOC_CTX *mem_ctx,
struct tevent_context *event_context,
struct loadparm_context *lp_ctx,
const struct model_ops *model_ops,
const struct stream_server_ops *stream_ops,
const char *family,
const char *sock_addr,
uint16_t *port,
const char *socket_options,
void *private_data)
{
NTSTATUS status;
struct stream_socket *stream_socket;
struct socket_address *socket_address;
struct tevent_fd *fde;
int i;
struct sockaddr_storage ss;
stream_socket = talloc_zero(mem_ctx, struct stream_socket);
NT_STATUS_HAVE_NO_MEMORY(stream_socket);
if (strcmp(family, "ip") == 0) {
/* we will get the real family from the address itself */
if (!interpret_string_addr(&ss, sock_addr, 0)) {
talloc_free(stream_socket);
return NT_STATUS_INVALID_ADDRESS;
}
socket_address = socket_address_from_sockaddr_storage(stream_socket, &ss, port?*port:0);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(socket_address, stream_socket);
status = socket_create(socket_address->family, SOCKET_TYPE_STREAM, &stream_socket->sock, 0);
NT_STATUS_NOT_OK_RETURN(status);
} else {
status = socket_create(family, SOCKET_TYPE_STREAM, &stream_socket->sock, 0);
NT_STATUS_NOT_OK_RETURN(status);
/* this is for non-IP sockets, eg. unix domain sockets */
socket_address = socket_address_from_strings(stream_socket,
stream_socket->sock->backend_name,
sock_addr, port?*port:0);
NT_STATUS_HAVE_NO_MEMORY(socket_address);
}
talloc_steal(stream_socket, stream_socket->sock);
stream_socket->lp_ctx = talloc_reference(stream_socket, lp_ctx);
/* ready to listen */
status = socket_set_option(stream_socket->sock, "SO_KEEPALIVE", NULL);
NT_STATUS_NOT_OK_RETURN(status);
if (socket_options != NULL) {
status = socket_set_option(stream_socket->sock, socket_options, NULL);
NT_STATUS_NOT_OK_RETURN(status);
}
/* TODO: set socket ACL's (host allow etc) here when they're
* implemented */
/* Some sockets don't have a port, or are just described from
* the string. We are indicating this by having port == NULL */
if (!port) {
status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
} else if (*port == 0) {
for (i=SERVER_TCP_LOW_PORT;i<= SERVER_TCP_HIGH_PORT;i++) {
socket_address->port = i;
status = socket_listen(stream_socket->sock, socket_address,
SERVER_LISTEN_BACKLOG, 0);
if (NT_STATUS_IS_OK(status)) {
*port = i;
break;
}
}
} else {
status = socket_listen(stream_socket->sock, socket_address, SERVER_LISTEN_BACKLOG, 0);
}
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0,("Failed to listen on %s:%u - %s\n",
sock_addr, port ? (unsigned int)(*port) : 0,
nt_errstr(status)));
talloc_free(stream_socket);
return status;
}
/* Add the FD from the newly created socket into the event
* subsystem. it will call the accept handler whenever we get
* new connections */
fde = tevent_add_fd(event_context, stream_socket->sock,
socket_get_fd(stream_socket->sock),
TEVENT_FD_READ,
stream_accept_handler, stream_socket);
if (!fde) {
DEBUG(0,("Failed to setup fd event\n"));
talloc_free(stream_socket);
return NT_STATUS_NO_MEMORY;
}
/* we let events system to the close on the socket. This avoids
* nasty interactions with waiting for talloc to close the socket. */
tevent_fd_set_close_fn(fde, socket_tevent_fd_close_fn);
socket_set_flags(stream_socket->sock, SOCKET_FLAG_NOCLOSE);
stream_socket->private_data = talloc_reference(stream_socket, private_data);
stream_socket->ops = stream_ops;
stream_socket->event_ctx = event_context;
stream_socket->model_ops = model_ops;
return NT_STATUS_OK;
}
/*
* This function generates the transitive closure of a given SAM object "dn_val"
* (it basically expands nested memberships).
* If the object isn't located in the "res_sids" structure yet and the
* "only_childs" flag is false, we add it to "res_sids".
* Then we've always to consider the "memberOf" attributes. We invoke the
* function recursively on each of it with the "only_childs" flag set to
* "false".
* The "only_childs" flag is particularly useful if you have a user object and
* want to include all it's groups (referenced with "memberOf") but not itself
* or considering if that object matches the filter.
*
* At the beginning "res_sids" should reference to a NULL pointer.
*/
NTSTATUS dsdb_expand_nested_groups(struct ldb_context *sam_ctx,
struct ldb_val *dn_val, const bool only_childs, const char *filter,
TALLOC_CTX *res_sids_ctx, struct dom_sid **res_sids,
unsigned int *num_res_sids)
{
const char * const attrs[] = { "memberOf", NULL };
unsigned int i;
int ret;
bool already_there;
struct ldb_dn *dn;
struct dom_sid sid;
TALLOC_CTX *tmp_ctx;
struct ldb_result *res;
NTSTATUS status;
const struct ldb_message_element *el;
if (*res_sids == NULL) {
*num_res_sids = 0;
}
if (!sam_ctx) {
DEBUG(0, ("No SAM available, cannot determine local groups\n"));
return NT_STATUS_INVALID_SYSTEM_SERVICE;
}
tmp_ctx = talloc_new(res_sids_ctx);
dn = ldb_dn_from_ldb_val(tmp_ctx, sam_ctx, dn_val);
if (dn == NULL) {
talloc_free(tmp_ctx);
DEBUG(0, (__location__ ": we failed parsing DN %.*s, so we cannot calculate the group token\n",
(int)dn_val->length, dn_val->data));
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
status = dsdb_get_extended_dn_sid(dn, &sid, "SID");
if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
/* If we fail finding a SID then this is no error since it could
* be a non SAM object - e.g. a group with object class
* "groupOfNames" */
talloc_free(tmp_ctx);
return NT_STATUS_OK;
} else if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, (__location__ ": when parsing DN '%s' we failed to parse it's SID component, so we cannot calculate the group token: %s\n",
ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
nt_errstr(status)));
talloc_free(tmp_ctx);
return status;
}
if (!ldb_dn_minimise(dn)) {
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
if (only_childs) {
ret = dsdb_search_dn(sam_ctx, tmp_ctx, &res, dn, attrs,
DSDB_SEARCH_SHOW_EXTENDED_DN);
} else {
/* This is an O(n^2) linear search */
already_there = sids_contains_sid(*res_sids,
*num_res_sids, &sid);
if (already_there) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
ret = dsdb_search(sam_ctx, tmp_ctx, &res, dn, LDB_SCOPE_BASE,
attrs, DSDB_SEARCH_SHOW_EXTENDED_DN, "%s",
filter);
}
if (ret == LDB_ERR_NO_SUCH_OBJECT) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
if (ret != LDB_SUCCESS) {
DEBUG(1, (__location__ ": dsdb_search for %s failed: %s\n",
ldb_dn_get_extended_linearized(tmp_ctx, dn, 1),
ldb_errstring(sam_ctx)));
talloc_free(tmp_ctx);
return NT_STATUS_INTERNAL_DB_CORRUPTION;
}
/* We may get back 0 results, if the SID didn't match the filter - such as it wasn't a domain group, for example */
if (res->count != 1) {
talloc_free(tmp_ctx);
return NT_STATUS_OK;
}
/* We only apply this test once we know the SID matches the filter */
if (!only_childs) {
*res_sids = talloc_realloc(res_sids_ctx, *res_sids,
struct dom_sid, *num_res_sids + 1);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(*res_sids, tmp_ctx);
(*res_sids)[*num_res_sids] = sid;
++(*num_res_sids);
}
NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
{
struct security_descriptor *fs_sd;
NTSTATUS status;
uint32_t i;
/* Allocate the file system security descriptor */
fs_sd = talloc(mem_ctx, struct security_descriptor);
NT_STATUS_HAVE_NO_MEMORY(fs_sd);
/* Copy the basic information from the directory server security descriptor */
fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->owner_sid, fs_sd);
fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->group_sid, fs_sd);
fs_sd->type = ds_sd->type;
fs_sd->revision = ds_sd->revision;
/* Copy the sacl */
fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->sacl, fs_sd);
/* Copy the dacl */
fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->dacl, fs_sd);
for (i = 0; i < ds_sd->dacl->num_aces; i++) {
char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
struct security_ace *ace;
/* Don't add the allow for SID_BUILTIN_PREW2K */
if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
talloc_free(trustee);
continue;
}
/* Copy the ace from the directory server security descriptor */
ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ace, fs_sd);
/* Set specific inheritance flags for within the GPO */
ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
}
/* Get a directory access mask from the assigned access mask on the LDAP object */
ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
/* Add the ace to the security descriptor DACL */
status = security_descriptor_dacl_add(fs_sd, ace);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
return status;
}
/* Clean up the allocated data in this iteration */
talloc_free(trustee);
}
*ret = fs_sd;
return NT_STATUS_OK;
}
NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
{
struct GUID guid_struct;
char *guid_str;
char *name;
struct security_descriptor *sd;
TALLOC_CTX *mem_ctx;
struct gp_object *gpo;
NTSTATUS status;
/* Create a forked memory context, as a base for everything here */
mem_ctx = talloc_new(gp_ctx);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
/* Create the gpo struct to return later */
gpo = talloc(gp_ctx, struct gp_object);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo, mem_ctx);
/* Generate a GUID */
guid_struct = GUID_random();
guid_str = GUID_string2(mem_ctx, &guid_struct);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(guid_str, mem_ctx);
name = strupper_talloc(mem_ctx, guid_str);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(name, mem_ctx);
/* Prepare the GPO struct */
gpo->dn = NULL;
gpo->name = name;
gpo->flags = 0;
gpo->version = 0;
gpo->display_name = talloc_strdup(gpo, display_name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->display_name, mem_ctx);
gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->file_sys_path, mem_ctx);
/* Create the GPT */
status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to create GPT\n"));
talloc_free(mem_ctx);
return status;
}
/* Create the LDAP GPO, including CN=User and CN=Machine */
status = gp_create_ldap_gpo(gp_ctx, gpo);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to create LDAP group policy object\n"));
talloc_free(mem_ctx);
return status;
}
/* Get the new security descriptor */
status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
talloc_free(mem_ctx);
return status;
}
/* Create matching file and DS security descriptors */
status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
talloc_free(mem_ctx);
return status;
}
/* Set the security descriptor on the filesystem for this GPO */
status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
talloc_free(mem_ctx);
return status;
}
talloc_free(mem_ctx);
*ret = gpo;
return NT_STATUS_OK;
}
NTSTATUS gp_fetch_gpt (struct gp_context *gp_ctx, struct gp_object *gpo,
const char **ret_local_path)
{
TALLOC_CTX *mem_ctx;
struct gp_list_state *state;
NTSTATUS status;
struct stat st;
int rv;
const char *local_path, *share_path;
/* Create a forked memory context, as a base for everything here */
mem_ctx = talloc_new(gp_ctx);
NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
if (gp_ctx->cli == NULL) {
status = gp_cli_connect(gp_ctx);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Failed to create cli connection to DC\n"));
talloc_free(mem_ctx);
return status;
}
}
/* Get the remote path to copy from */
share_path = gp_get_share_path(mem_ctx, gpo->file_sys_path);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(share_path, mem_ctx);
/* Get the local path to copy to */
local_path = talloc_asprintf(gp_ctx, "%s/%s", gp_tmpdir(mem_ctx), gpo->name);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(local_path, mem_ctx);
/* Prepare the state structure */
state = talloc_zero(mem_ctx, struct gp_list_state);
NT_STATUS_HAVE_NO_MEMORY_AND_FREE(state, mem_ctx);
state->tree = gp_ctx->cli->tree;
state->share_path = share_path;
/* Create the GPO dir if it does not exist */
if (stat(local_path, &st) != 0) {
rv = mkdir(local_path, 0755);
if (rv < 0) {
DEBUG(0, ("Could not create local path\n"));
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
}
/* Get the file list */
status = gp_do_list("", state);
if (!NT_STATUS_IS_OK(status)) {
DEBUG(0, ("Could not list GPO files on remote server\n"));
talloc_free(mem_ctx);
return status;
}
/* If the list has no entries there is a problem. */
if (state->list.num_files == 0) {
DEBUG(0, ("File list is has no entries. Is the GPT directory empty?\n"));
talloc_free(mem_ctx);
return NT_STATUS_UNSUCCESSFUL;
}
/* Fetch the files */
status = gp_get_files(gp_ctx->cli->tree, share_path, local_path, &state->list);
/* Return the local path to the gpo */
*ret_local_path = local_path;
talloc_free(mem_ctx);
return NT_STATUS_OK;
}
