ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads,
TALLOC_CTX *mem_ctx,
struct loadparm_context *lp_ctx,
const char *dn,
struct security_token **token)
{
struct security_token *ad_token = NULL;
ADS_STATUS status;
NTSTATUS ntstatus;
#ifndef HAVE_ADS
return ADS_ERROR_NT(NT_STATUS_NOT_SUPPORTED);
#endif
status = ads_get_sid_token(ads, mem_ctx, dn, &ad_token);
if (!ADS_ERR_OK(status)) {
return status;
}
ntstatus = merge_nt_token(mem_ctx, ad_token, get_system_token(),
token);
if (!NT_STATUS_IS_OK(ntstatus)) {
return ADS_ERROR_NT(ntstatus);
}
return ADS_SUCCESS;
}
static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv)
{
ADS_STRUCT *ads;
ADS_STATUS status;
LDAPMessage *res = NULL;
TALLOC_CTX *mem_ctx;
const char *dn = NULL;
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo_list;
struct nt_user_token *token = NULL;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo list <username|machinename>\n"
" Lists all GPOs for machine/user\n"
" username\tUser to list GPOs for\n"
" machinename\tMachine to list GPOs for\n");
return -1;
}
mem_ctx = talloc_init("net_ads_gpo_list");
if (mem_ctx == NULL) {
goto out;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
goto out;
}
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
flags |= GPO_LIST_FLAG_MACHINE;
}
d_printf("%s: '%s' has dn: '%s'\n",
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
status = gp_get_machine_token(ads, mem_ctx, dn, &token);
} else {
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
}
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
dump_gpo_list(ads, mem_ctx, gpo_list, 0);
out:
ads_msgfree(ads, res);
talloc_destroy(mem_ctx);
ads_destroy(&ads);
return 0;
}
static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv)
{
TALLOC_CTX *mem_ctx;
ADS_STRUCT *ads;
ADS_STATUS status;
const char *dn = NULL;
struct GROUP_POLICY_OBJECT *gpo_list;
uint32 uac = 0;
uint32 flags = 0;
struct nt_user_token *token = NULL;
const char *filter = NULL;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo apply <username|machinename>\n"
" Apply GPOs for machine/user\n"
" username\tUsername to apply GPOs for\n"
" machinename\tMachine to apply GPOs for\n");
return -1;
}
mem_ctx = talloc_init("net_ads_gpo_apply");
if (mem_ctx == NULL) {
goto out;
}
if (argc >= 2) {
filter = cse_gpo_name_to_guid_string(argv[1]);
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
d_printf("got: %s\n", ads_errstr(status));
goto out;
}
status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
d_printf("failed to find samaccount for %s: %s\n",
argv[0], ads_errstr(status));
goto out;
}
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
flags |= GPO_LIST_FLAG_MACHINE;
}
if (opt_verbose) {
flags |= GPO_INFO_FLAG_VERBOSE;
}
d_printf("%s: '%s' has dn: '%s'\n",
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
status = gp_get_machine_token(ads, mem_ctx, dn, &token);
} else {
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
}
if (!ADS_ERR_OK(status)) {
goto out;
}
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
goto out;
}
status = gpo_process_gpo_list(ads, mem_ctx, token, gpo_list,
filter, flags);
if (!ADS_ERR_OK(status)) {
d_printf("failed to process gpo list: %s\n",
ads_errstr(status));
goto out;
}
out:
ads_destroy(&ads);
talloc_destroy(mem_ctx);
return 0;
}
static int net_ads_gpo_refresh(struct net_context *c, int argc, const char **argv)
{
TALLOC_CTX *mem_ctx;
ADS_STRUCT *ads;
ADS_STATUS status;
const char *dn = NULL;
struct GROUP_POLICY_OBJECT *gpo_list = NULL;
struct GROUP_POLICY_OBJECT *read_list = NULL;
uint32 uac = 0;
uint32 flags = 0;
struct GROUP_POLICY_OBJECT *gpo;
NTSTATUS result;
struct nt_user_token *token = NULL;
if (argc < 1 || c->display_usage) {
d_printf("Usage:\n"
"net ads gpo refresh <username|machinename>\n"
" Lists all GPOs assigned to an account and "
"downloads them\n"
" username\tUser to refresh GPOs for\n"
" machinename\tMachine to refresh GPOs for\n");
return -1;
}
mem_ctx = talloc_init("net_ads_gpo_refresh");
if (mem_ctx == NULL) {
return -1;
}
status = ads_startup(c, false, &ads);
if (!ADS_ERR_OK(status)) {
d_printf("failed to connect AD server: %s\n", ads_errstr(status));
goto out;
}
status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn);
if (!ADS_ERR_OK(status)) {
d_printf("failed to find samaccount for %s\n", argv[0]);
goto out;
}
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
flags |= GPO_LIST_FLAG_MACHINE;
}
d_printf("\n%s: '%s' has dn: '%s'\n\n",
(uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user",
argv[0], dn);
d_printf("* fetching token ");
if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
status = gp_get_machine_token(ads, mem_ctx, dn, &token);
} else {
status = ads_get_sid_token(ads, mem_ctx, dn, &token);
}
if (!ADS_ERR_OK(status)) {
d_printf("failed: %s\n", ads_errstr(status));
goto out;
}
d_printf("finished\n");
d_printf("* fetching GPO List ");
status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list);
if (!ADS_ERR_OK(status)) {
d_printf("failed: %s\n", ads_errstr(status));
goto out;
}
d_printf("finished\n");
d_printf("* refreshing Group Policy Data ");
if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx,
flags,
gpo_list))) {
d_printf("failed: %s\n", nt_errstr(result));
goto out;
}
d_printf("finished\n");
d_printf("* storing GPO list to registry ");
{
WERROR werr = gp_reg_state_store(mem_ctx, flags, dn,
token, gpo_list);
if (!W_ERROR_IS_OK(werr)) {
d_printf("failed: %s\n", win_errstr(werr));
goto out;
}
}
d_printf("finished\n");
if (c->opt_verbose) {
d_printf("* dumping GPO list\n");
for (gpo = gpo_list; gpo; gpo = gpo->next) {
dump_gpo(ads, mem_ctx, gpo, 0);
#if 0
char *server, *share, *nt_path, *unix_path;
d_printf("--------------------------------------\n");
d_printf("Name:\t\t\t%s\n", gpo->display_name);
d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
gpo->version,
GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version));
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
&server, &share, &nt_path,
&unix_path);
if (!NT_STATUS_IS_OK(result)) {
d_printf("got: %s\n", nt_errstr(result));
}
d_printf("GPO stored on server: %s, share: %s\n", server, share);
d_printf("\tremote path:\t%s\n", nt_path);
d_printf("\tlocal path:\t%s\n", unix_path);
#endif
}
}
d_printf("* re-reading GPO list from registry ");
{
WERROR werr = gp_reg_state_read(mem_ctx, flags,
&token->user_sids[0],
&read_list);
if (!W_ERROR_IS_OK(werr)) {
d_printf("failed: %s\n", win_errstr(werr));
goto out;
}
}
d_printf("finished\n");
if (c->opt_verbose) {
d_printf("* dumping GPO list from registry\n");
for (gpo = read_list; gpo; gpo = gpo->next) {
dump_gpo(ads, mem_ctx, gpo, 0);
#if 0
char *server, *share, *nt_path, *unix_path;
d_printf("--------------------------------------\n");
d_printf("Name:\t\t\t%s\n", gpo->display_name);
d_printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
gpo->version,
GPO_VERSION_USER(gpo->version),
GPO_VERSION_MACHINE(gpo->version));
result = gpo_explode_filesyspath(mem_ctx, gpo->file_sys_path,
&server, &share, &nt_path,
&unix_path);
if (!NT_STATUS_IS_OK(result)) {
d_printf("got: %s\n", nt_errstr(result));
}
d_printf("GPO stored on server: %s, share: %s\n", server, share);
d_printf("\tremote path:\t%s\n", nt_path);
d_printf("\tlocal path:\t%s\n", unix_path);
#endif
}
}
out:
ads_destroy(&ads);
talloc_destroy(mem_ctx);
return 0;
}
