ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct loadparm_context *lp_ctx, const char *dn, struct security_token **token) { struct security_token *ad_token = NULL; ADS_STATUS status; NTSTATUS ntstatus; #ifndef HAVE_ADS return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED); #endif status = ads_get_sid_token(ads, mem_ctx, dn, &ad_token); if (!ADS_ERR_OK(status)) { return status; } ntstatus = merge_nt_token(mem_ctx, ad_token, get_system_token(), token); if (!NT_STATUS_IS_OK(ntstatus)) { return ADS_ERROR_NT(ntstatus); } return ADS_SUCCESS; }
static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; ADS_STATUS status; LDAPMessage *res = NULL; TALLOC_CTX *mem_ctx; const char *dn = NULL; uint32 uac = 0; uint32 flags = 0; struct GROUP_POLICY_OBJECT *gpo_list; struct nt_user_token *token = NULL; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" "net ads gpo list <username|machinename>\n" " Lists all GPOs for machine/user\n" " username\tUser to list GPOs for\n" " machinename\tMachine to list GPOs for\n"); return -1; } mem_ctx = talloc_init("net_ads_gpo_list"); if (mem_ctx == NULL) { goto out; } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { goto out; } status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); if (!ADS_ERR_OK(status)) { goto out; } if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { flags |= GPO_LIST_FLAG_MACHINE; } d_printf("%s: '%s' has dn: '%s'\n", (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", argv[0], dn); if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { status = gp_get_machine_token(ads, mem_ctx, dn, &token); } else { status = ads_get_sid_token(ads, mem_ctx, dn, &token); } if (!ADS_ERR_OK(status)) { goto out; } status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); if (!ADS_ERR_OK(status)) { goto out; } dump_gpo_list(ads, mem_ctx, gpo_list, 0); out: ads_msgfree(ads, res); talloc_destroy(mem_ctx); ads_destroy(&ads); return 0; }
static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv) { TALLOC_CTX *mem_ctx; ADS_STRUCT *ads; ADS_STATUS status; const char *dn = NULL; struct GROUP_POLICY_OBJECT *gpo_list; uint32 uac = 0; uint32 flags = 0; struct nt_user_token *token = NULL; const char *filter = NULL; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" "net ads gpo apply <username|machinename>\n" " Apply GPOs for machine/user\n" " username\tUsername to apply GPOs for\n" " machinename\tMachine to apply GPOs for\n"); return -1; } mem_ctx = talloc_init("net_ads_gpo_apply"); if (mem_ctx == NULL) { goto out; } if (argc >= 2) { filter = cse_gpo_name_to_guid_string(argv[1]); } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { d_printf("got: %s\n", ads_errstr(status)); goto out; } status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); if (!ADS_ERR_OK(status)) { d_printf("failed to find samaccount for %s: %s\n", argv[0], ads_errstr(status)); goto out; } if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { flags |= GPO_LIST_FLAG_MACHINE; } if (opt_verbose) { flags |= GPO_INFO_FLAG_VERBOSE; } d_printf("%s: '%s' has dn: '%s'\n", (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", argv[0], dn); if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { status = gp_get_machine_token(ads, mem_ctx, dn, &token); } else { status = ads_get_sid_token(ads, mem_ctx, dn, &token); } if (!ADS_ERR_OK(status)) { goto out; } status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); if (!ADS_ERR_OK(status)) { goto out; } status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list, filter, flags); if (!ADS_ERR_OK(status)) { d_printf("failed to process gpo list: %s\n", ads_errstr(status)); goto out; } out: ads_destroy(&ads); talloc_destroy(mem_ctx); return 0; }
static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv) { TALLOC_CTX *mem_ctx; ADS_STRUCT *ads; ADS_STATUS status; const char *dn = NULL; struct GROUP_POLICY_OBJECT *gpo_list = NULL; struct GROUP_POLICY_OBJECT *read_list = NULL; uint32 uac = 0; uint32 flags = 0; struct GROUP_POLICY_OBJECT *gpo; NTSTATUS result; struct nt_user_token *token = NULL; if (argc < 1 || c->display_usage) { d_printf("Usage:\n" "net ads gpo refresh <username|machinename>\n" " Lists all GPOs assigned to an account and " "downloads them\n" " username\tUser to refresh GPOs for\n" " machinename\tMachine to refresh GPOs for\n"); return -1; } mem_ctx = talloc_init("net_ads_gpo_refresh"); if (mem_ctx == NULL) { return -1; } status = ads_startup(c, false, &ads); if (!ADS_ERR_OK(status)) { d_printf("failed to connect AD server: %s\n", ads_errstr(status)); goto out; } status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); if (!ADS_ERR_OK(status)) { d_printf("failed to find samaccount for %s\n", argv[0]); goto out; } if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { flags |= GPO_LIST_FLAG_MACHINE; } d_printf("\n%s: '%s' has dn: '%s'\n\n", (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", argv[0], dn); d_printf("* fetching token "); if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { status = gp_get_machine_token(ads, mem_ctx, dn, &token); } else { status = ads_get_sid_token(ads, mem_ctx, dn, &token); } if (!ADS_ERR_OK(status)) { d_printf("failed: %s\n", ads_errstr(status)); goto out; } d_printf("finished\n"); d_printf("* fetching GPO List "); status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); if (!ADS_ERR_OK(status)) { d_printf("failed: %s\n", ads_errstr(status)); goto out; } d_printf("finished\n"); d_printf("* refreshing Group Policy Data "); if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, flags, gpo_list))) { d_printf("failed: %s\n", nt_errstr(result)); goto out; } d_printf("finished\n"); d_printf("* storing GPO list to registry "); { WERROR werr = gp_reg_state_store(mem_ctx, flags, dn, token, gpo_list); if (!W_ERROR_IS_OK(werr)) { d_printf("failed: %s\n", win_errstr(werr)); goto out; } } d_printf("finished\n"); if (c->opt_verbose) { d_printf("* dumping GPO list\n"); for (gpo = gpo_list; gpo; gpo = gpo->next) { dump_gpo(ads, mem_ctx, gpo, 0); #if 0 char *server, *share, *nt_path, *unix_path; d_printf("--------------------------------------\n"); d_printf("Name:\t\t\t%s\n", gpo->display_name); d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n", gpo->version, GPO_VERSION_USER(gpo->version), GPO_VERSION_MACHINE(gpo->version)); result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, &server, &share, &nt_path, &unix_path); if (!NT_STATUS_IS_OK(result)) { d_printf("got: %s\n", nt_errstr(result)); } d_printf("GPO stored on server: %s, share: %s\n", server, share); d_printf("\tremote path:\t%s\n", nt_path); d_printf("\tlocal path:\t%s\n", unix_path); #endif } } d_printf("* re-reading GPO list from registry "); { WERROR werr = gp_reg_state_read(mem_ctx, flags, &token->user_sids[0], &read_list); if (!W_ERROR_IS_OK(werr)) { d_printf("failed: %s\n", win_errstr(werr)); goto out; } } d_printf("finished\n"); if (c->opt_verbose) { d_printf("* dumping GPO list from registry\n"); for (gpo = read_list; gpo; gpo = gpo->next) { dump_gpo(ads, mem_ctx, gpo, 0); #if 0 char *server, *share, *nt_path, *unix_path; d_printf("--------------------------------------\n"); d_printf("Name:\t\t\t%s\n", gpo->display_name); d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n", gpo->version, GPO_VERSION_USER(gpo->version), GPO_VERSION_MACHINE(gpo->version)); result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path, &server, &share, &nt_path, &unix_path); if (!NT_STATUS_IS_OK(result)) { d_printf("got: %s\n", nt_errstr(result)); } d_printf("GPO stored on server: %s, share: %s\n", server, share); d_printf("\tremote path:\t%s\n", nt_path); d_printf("\tlocal path:\t%s\n", unix_path); #endif } } out: ads_destroy(&ads); talloc_destroy(mem_ctx); return 0; }