DWORD
ADUSetPolicyVersionInAD(
    PGROUP_POLICY_OBJECT pGPO,
    DWORD dwVersion)
{
    /*
     * Write dwVersion into the ADU_VERSION_NUMBER_ATTR attribute of the
     * policy object pGPO->pszPolicyDN, binding to the domain named in
     * pGPO->pszgPCFileSysPath.
     *
     * pGPO must be non-NULL; only pszgPCFileSysPath and pszPolicyDN are
     * read from it. Returns 0 on success, otherwise the code of the first
     * failing step. The strings produced by ADUCrackFileSysPath and the
     * directory handle are released on both the success and error paths.
     */
    DWORD dwError = 0;
    HANDLE hDirectory = (HANDLE)NULL;
    PSTR pszDomain = NULL;
    PSTR pszSourcePath = NULL;
    PSTR pszPolicyId = NULL;

    /* Only the domain component of the SYSVOL path is used here; the
       source path and policy identifier outputs are just freed below. */
    dwError = ADUCrackFileSysPath(pGPO->pszgPCFileSysPath,
                                  &pszDomain,
                                  &pszSourcePath,
                                  &pszPolicyId);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ADUOpenLwLdapDirectory(pszDomain, &hDirectory);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = LwLdapPutUInt32(hDirectory,
                              pGPO->pszPolicyDN,
                              ADU_VERSION_NUMBER_ATTR,
                              dwVersion);
    BAIL_ON_MAC_ERROR(dwError);

cleanup:

    LW_SAFE_FREE_STRING(pszDomain);
    LW_SAFE_FREE_STRING(pszSourcePath);
    LW_SAFE_FREE_STRING(pszPolicyId);

    /* hDirectory is only non-NULL once ADUOpenLwLdapDirectory succeeded. */
    if (hDirectory != (HANDLE)NULL)
    {
        LwLdapCloseDirectory(hDirectory);
    }

    return dwError;

error:

    goto cleanup;
}
DWORD
CollectCurrentADAttributesForUser(
    PSTR pszUserUPN,
    PSTR pszUserDomain,
    PSTR pszMessage,
    BOOLEAN bOnlineLogon
    )
{
    /*
     * Refresh the locally cached AD attributes of the user pszUserUPN.
     *
     * The logon message pszMessage is always written to the user's cache
     * (it is later read by the LoginHook script). When bOnlineLogon is
     * TRUE the routine additionally makes the user's Kerberos credential
     * cache the default, binds to pszUserDomain over LDAP, reads the
     * user's attributes by SID, stores them in the local cache and flushes
     * the Mac DirectoryService cache. An offline logon only logs that no
     * refresh is possible.
     *
     * Returns MAC_AD_ERROR_SUCCESS, or the first failure mapped through
     * LWGetMacError(). On every path the LDAP handle is closed, the
     * credential context deactivated (if it was activated) and freed, and
     * the previous Kerberos cache path restored.
     */
    DWORD dwError = MAC_AD_ERROR_SUCCESS;
    HANDLE hDirectory = (HANDLE)NULL;
    PADU_CRED_CONTEXT pCreds = NULL;
    PGPUSER_AD_ATTRS pAttrs = NULL;
    PSTR pszSavedCachePath = NULL;
    BOOLEAN bCredsActivated = FALSE;

    dwError = ADUBuildCredContext(NULL, pszUserUPN, bOnlineLogon, &pCreds);
    BAIL_ON_MAC_ERROR(dwError);

    /* The LoginHook script reports this message back to the user later. */
    dwError = CacheUserLoginMessage(pCreds->pszHomeDirPath, pszMessage);
    BAIL_ON_MAC_ERROR(dwError);

    if (!bOnlineLogon)
    {
        LOG("Offline logon, can't refresh AD user attributes for: user: %s, domain: %s", pszUserUPN, pszUserDomain);
        goto cleanup;
    }

    /* Only the cache path and principal names are written to the log. */
    LOG("Connecting to AD using these credentials: path: %s, user: %s, domain: %s", pCreds->pszCachePath, pszUserUPN, pszUserDomain);

    /* Make the user's credentials the defaults used for the LDAP bind. */
    dwError = ADUInitKrb5(pszUserDomain);
    BAIL_ON_MAC_ERROR(dwError);

    /* pszSavedCachePath receives the previous default so cleanup can
       restore it. */
    dwError = ADUKrb5SetDefaultCachePath(pCreds->pszCachePath, &pszSavedCachePath);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = ADUActivateCredContext(pCreds);
    BAIL_ON_MAC_ERROR(dwError);

    /* From here on cleanup must deactivate the context before freeing it. */
    bCredsActivated = TRUE;

    dwError = ADUOpenLwLdapDirectory(pszUserDomain, &hDirectory);
    BAIL_ON_MAC_ERROR(dwError);

    dwError = GetUserAttributes(hDirectory, pCreds->pszSID, pszUserDomain, &pAttrs);
    if (dwError)
    {
        LOG("Error (%d) while reading user AD attributes from domain DC", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

    dwError = CacheUserAttributes(pCreds->uid, pAttrs);
    if (dwError)
    {
        LOG("Error (%d) while saving user AD attributes to cache", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

    dwError = FlushDirectoryServiceCache();
    if (dwError)
    {
        LOG("Failed to flush the Mac DirectoryService cache. Error: %d", dwError);
        BAIL_ON_MAC_ERROR(dwError);
    }

cleanup:

    FreeUserAttributes(pAttrs);

    if (hDirectory != (HANDLE)NULL)
    {
        LwLdapCloseDirectory(hDirectory);
    }

    if (pCreds)
    {
        if (bCredsActivated)
        {
            ADUDeactivateCredContext(pCreds);
        }
        ADUFreeCredContext(pCreds);
    }

    if (pszSavedCachePath)
    {
        /* Best effort: a failure to restore is logged but does not replace
           the primary result code. */
        DWORD dwRevertError = ADUKrb5SetDefaultCachePath(pszSavedCachePath, NULL);
        if (dwRevertError)
        {
            LOG_ERROR("Failed to revert kerberos cache path [code:%d]", dwRevertError);
        }
        LwFreeMemory(pszSavedCachePath);
    }

    return LWGetMacError(dwError);

error:

    goto cleanup;

}