From 4d1517c57fee366acc349fa164921231f3918cd2 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Tue, 10 Apr 2018 15:04:53 -0600 Subject: [PATCH 01/13] libgpo: Add python bindings for check_refresh_gpo_list Signed-off-by: David Mulder --- libgpo/pygpo.c | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 60220a6bc2a..1c05d071608 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c 
@@ -296,6 +296,93 @@ static PyObject* py_ads_connect(ADS *self) /* Parameter mapping and functions for the GP_EXT struct */ void initgpo(void); +static PyTypeObject ads_ADSType; + +static PyObject *py_check_refresh_gpo_list(PyObject * self, + PyObject * args) +{ + TALLOC_CTX *frame = talloc_stackframe(); + ADS *ads = NULL; + const char *cache_dir = NULL; + struct GROUP_POLICY_OBJECT *gpo_front = NULL; + struct GROUP_POLICY_OBJECT *gpo_ptr = NULL; + PyObject *gpo_list = NULL; + PyObject *gpo_obj = NULL; + NTSTATUS status; + PyObject *ret = NULL; + Py_ssize_t gp_list_len = 0; + int success = 0; + int i; + + if (!PyArg_ParseTuple(args, "OO|s", &ads, &gpo_list, &cache_dir)) { + goto out; + } + success = PyObject_TypeCheck(gpo_list, &PyList_Type); + if (!success) { + PyErr_SetString(PyExc_TypeError, "A gpo list was expected"); + goto out; + } + gp_list_len = PyList_Size(gpo_list); + if (gp_list_len == 0) { + ret = Py_True; + goto out; + } + for (i = 0; i < gp_list_len; i++) { + struct GROUP_POLICY_OBJECT *gpo = NULL; + + gpo_obj = PyList_GetItem(gpo_list, i); + if (!gpo_obj) { + goto out; + } + + success = PyObject_TypeCheck(gpo_obj, &GPOType); + if (!success) { + PyErr_SetString(PyExc_TypeError, + "A gpo type was expected"); + goto out; + } + gpo = (struct GROUP_POLICY_OBJECT *)pytalloc_get_ptr(gpo_obj); + if (gpo_ptr) { + gpo_ptr->next = talloc_memdup(frame, gpo, + sizeof(struct GROUP_POLICY_OBJECT)); + gpo_ptr->next->prev = gpo_ptr; + gpo_ptr = gpo_ptr->next; + } else { + gpo_ptr = talloc_memdup(frame, gpo, + sizeof(struct GROUP_POLICY_OBJECT)); + gpo_front = gpo_ptr; + } + } + gpo_ptr->next = NULL; + + success = PyObject_TypeCheck(ads, &ads_ADSType); + if (!success) { + PyErr_SetString(PyExc_TypeError, "An ADS type was expected"); + goto out; + } + + if (!cache_dir) { + cache_dir = cache_path(GPO_CACHE_DIR); + if (!cache_dir) { + PyErr_SetString(PyExc_MemoryError, + "Failed to determine gpo cache dir"); + goto out; + } + } + + status = 
check_refresh_gpo_list(ads->ads_ptr, frame, cache_dir, 0, + gpo_front); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + goto out; + } + + ret = Py_True; +out: + TALLOC_FREE(frame); + return ret; +} + /* Global methods aka do not need a special pyobject type */ static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self, PyObject * args) @@ -503,6 +590,9 @@ static PyMethodDef py_gpo_methods[] = { {"gpo_get_sysvol_gpt_version", (PyCFunction)py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL}, + {"check_refresh_gpo_list", + (PyCFunction)py_check_refresh_gpo_list, + METH_VARARGS, NULL}, {NULL} }; From bb778588b28af3fa6814b3dedc546cab4786e571 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Mon, 8 Jan 2018 07:17:29 -0700 Subject: [PATCH 02/13] gpo: Read GPO versions locally, not from sysvol This patch does not change current functionality for the kdc. Non-kdc clients cannot read directly from the sysvol, so we need to store the GPT.INI file locally to read each gpo version. Signed-off-by: David Mulder --- python/samba/gpclass.py | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py index 0966611b686..b9c376bf75a 100644 --- a/python/samba/gpclass.py +++ b/python/samba/gpclass.py 
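Review bot: `ret = Py_True;` at both the empty-list early exit and the success path returns a borrowed reference without `Py_INCREF`, so every successful call drops one reference to the `True` singleton; use `Py_INCREF(Py_True); ret = Py_True;` (or `Py_RETURN_TRUE` after `TALLOC_FREE(frame)`). The same pattern recurs in `py_register_gp_extension` (patch 04) and `py_unregister_gp_extension` (patch 05, which also seeds `ret = Py_False`). Separately, the two `talloc_memdup` results are dereferenced (`gpo_ptr->next->prev = gpo_ptr`) and chained without a NULL check, so allocation failure is a crash rather than a `PyExc_MemoryError`. Note also that `ads` is only type-checked after the gpo list loop, so a bad `ads` with an empty list returns `True` without ever being validated; moving `PyObject_TypeCheck(ads, &ads_ADSType)` up to just after `PyArg_ParseTuple` fixes that.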
@@ -421,7 +421,18 @@ def get_gpo_list(dc_hostname, creds, lp): ads = gpo.ADS_STRUCT(dc_hostname, lp, creds) if ads.connect(): gpos = ads.get_gpo_list(creds.get_username()) - return gpos + return (ads, gpos) + +def gpo_version(lp, path, sysvol): + # gpo.gpo_get_sysvol_gpt_version() reads the GPT.INI from a local file. + # If we don't have a sysvol path locally (if we're not a kdc), then + # read from the gpo client cache. + if sysvol: + local_path = os.path.join(sysvol, path, 'GPT.INI') + else: + gpt_path = lp.cache_path(os.path.join('gpo_cache', path)) + local_path = os.path.join(gpt_path, 'GPT.INI') + return int(gpo.gpo_get_sysvol_gpt_version(os.path.dirname(local_path))[1]) def apply_gp(lp, creds, test_ldb, logger, store, gp_extensions): gp_db = store.get_gplog(creds.get_username()) @@ -431,15 +442,17 @@ def apply_gp(lp, creds, test_ldb, logger, store, gp_extensions): except: logger.error('Error connecting to \'%s\' using SMB' % dc_hostname) raise - gpos = get_gpo_list(dc_hostname, creds, lp) + ads, gpos = get_gpo_list(dc_hostname, creds, lp) + sysvol = lp.get("path", "sysvol") + if not sysvol: + gpo.check_refresh_gpo_list(ads, gpos) for gpo_obj in gpos: guid = gpo_obj.name if guid == 'Local Policy': continue path = os.path.join(lp.get('realm').lower(), 'Policies', guid) - local_path = os.path.join(lp.get("path", "sysvol"), path) - version = int(gpo.gpo_get_sysvol_gpt_version(local_path)[1]) + version = gpo_version(lp, path, sysvol) if version != store.get_int(guid): logger.info('GPO %s has changed' % guid) gp_db.state(GPOSTATE.APPLY) From 9191942e4a330393652cad8d0da715823d7f2920 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 4 May 2018 14:09:30 -0600 Subject: [PATCH 03/13] gpo: gp_sec_ext should check whether to apply Whether an extension should apply should be determined by the extension, not by the calling script. 
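Review bot: `get_gpo_list` now returns `(ads, gpos)` only inside `if ads.connect():`, so a failed connect still falls off the end and returns `None`, which the new caller `ads, gpos = get_gpo_list(dc_hostname, creds, lp)` in the next hunk turns into an unpacking `TypeError` rather than a meaningful error. Either raise at that point, e.g. `raise Exception('Failed to connect to %s' % dc_hostname)` after the `if`, or return `(ads, [])` so the caller can log and skip. The `def get_gpo_list` line itself is outside the hunk.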
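Review bot: In `apply_gp`, `gpo.check_refresh_gpo_list(ads, gpos)` is called without a cache_dir, so the C side picks its own `cache_path(GPO_CACHE_DIR)`, while `gpo_version` reads from `lp.cache_path(os.path.join('gpo_cache', path))`; the two resolve independently and nothing in the hunk guarantees they agree, so a mismatch would make every GPO look missing or unchanged rather than fail loudly. Passing the same directory explicitly, `gpo.check_refresh_gpo_list(ads, gpos, lp.cache_path('gpo_cache'))`, ties them together. Also, `gpo_version` joins `GPT.INI` onto the path only to strip it again with `os.path.dirname`; passing the directory directly reads more clearly. `apply_gp`'s body continues past the hunk.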
Signed-off-by: David Mulder --- python/samba/gp_sec_ext.py | 2 ++ source4/scripting/bin/samba_gpoupdate | 3 +-- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py index bbd385f73c6..2637f72590f 100644 --- a/python/samba/gp_sec_ext.py +++ b/python/samba/gp_sec_ext.py @@ -127,6 +127,8 @@ def listuserpol(self, rootpath): return os.path.join(rootpath, "User/Registry.pol") def apply_map(self): + if not self.ldb: + return {} return {"System Access": {"MinimumPasswordAge": ("minPwdAge", inf_to_ldb), "MaximumPasswordAge": ("maxPwdAge", diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/samba_gpoupdate index 89b3ed77616..a7fe641973d 100755 --- a/source4/scripting/bin/samba_gpoupdate +++ b/source4/scripting/bin/samba_gpoupdate @@ -86,8 +86,7 @@ if __name__ == "__main__": gp_extensions = [] if opts.machine: - if lp.get('server role') == 'active directory domain controller': - gp_extensions.append(gp_sec_ext(logger)) + gp_extensions.append(gp_sec_ext(logger)) else: pass # User extensions From 0341d409c1f8362970130c2d10056cdb994ba14f Mon Sep 17 00:00:00 2001 From: David Mulder Date: Thu, 12 Apr 2018 14:31:54 -0600 Subject: [PATCH 04/13] libgpo: add py_register_gp_extension for registering gp extensions Signed-off-by: David Mulder --- libgpo/pygpo.c | 65 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 1c05d071608..87d2fdc07ad 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -28,6 +28,11 @@ #include "auth/credentials/pycredentials.h" #include "libcli/util/pyerrors.h" #include "python/py3compat.h" +#include "libgpo/gpo_proto.h" +#include "registry.h" +#include "registry/reg_api.h" +#include "../libcli/registry/util_reg.h" +#include "../libgpo/gpext/gpext.h" /* A Python C API module to use LIBGPO */ 
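Review bot: The new `if not self.ldb: return {}` guard in `apply_map` turns a missing samdb into a silent no-op with no log line, and the companion `samba_gpoupdate` hunk now instantiates `gp_sec_ext` on every machine-policy run, so on a domain member this extension is loaded but quietly applies nothing. A one-line comment would make the intent explicit, e.g. `# Without a samdb (not a DC) there is nothing to apply; the settings map is empty.`, and a debug-level log message before the return would make the skip visible when diagnosing policy application. Whether `self.ldb` is set for non-DC runs is decided outside this hunk; `apply_map`'s body also continues past it.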
@@ -383,6 +388,64 @@ static PyObject *py_check_refresh_gpo_list(PyObject * self, return ret; } +static void get_gp_registry_context(TALLOC_CTX *ctx, + uint32_t desired_access, + struct gp_registry_context **reg_ctx) +{ + struct security_token *token; + WERROR werr; + + lp_load_initial_only(get_dyn_CONFIGFILE()); + + token = registry_create_system_token(ctx); + if (!token) { + PyErr_SetString(PyExc_MemoryError, + "Failed to create system token"); + return; + } + werr = gp_init_reg_ctx(ctx, KEY_WINLOGON_GPEXT_PATH, desired_access, + token, reg_ctx); + if (!W_ERROR_IS_OK(werr)) { + PyErr_SetNTSTATUS(werror_to_ntstatus(werr)); + return; + } +} + +static PyObject *py_register_gp_extension(PyObject * self, PyObject * args) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *module_path = NULL; + const char *guid_name = NULL; + WERROR werr; + struct gp_registry_context *reg_ctx = NULL; + struct registry_key *key = NULL; + PyObject *ret = NULL; + + if (!PyArg_ParseTuple(args, "ss", &guid_name, &module_path)) { + return NULL; + } + + get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx); + if (!reg_ctx) { + goto out; + } + + werr = gp_store_reg_subkey(frame, guid_name, + reg_ctx->curr_key, &key); + if (!W_ERROR_IS_OK(werr)) { + goto out; + } + werr = gp_store_reg_val_sz(frame, key, "DllName", module_path); + if (!W_ERROR_IS_OK(werr)) { + goto out; + } + + ret = Py_True; +out: + TALLOC_FREE(frame); + return ret; +} + /* Global methods aka do not need a special pyobject type */ static PyObject *py_gpo_get_sysvol_gpt_version(PyObject * self, PyObject * args) @@ -587,6 +650,8 @@ static PyTypeObject ads_ADSType = { }; static PyMethodDef py_gpo_methods[] = { + {"register_gp_extension", (PyCFunction)py_register_gp_extension, + METH_VARARGS, NULL}, {"gpo_get_sysvol_gpt_version", (PyCFunction)py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL}, From dab4822445cf072ca2817a6337dc6e8cae89dc04 Mon Sep 17 00:00:00 2001 
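Review bot: `py_register_gp_extension` does `goto out` with `ret == NULL` when `gp_store_reg_subkey` or `gp_store_reg_val_sz` fails but sets no Python exception, so the caller gets a `SystemError` ("error return without exception set") instead of the real WERROR; add `PyErr_SetNTSTATUS(werror_to_ntstatus(werr));` before each of those two `goto out`, mirroring `get_gp_registry_context`. `get_gp_registry_context` itself ignores the result of `lp_load_initial_only(get_dyn_CONFIGFILE())`, so an unreadable config is not reported either. A header comment on `py_register_gp_extension` is also warranted: the stored `DllName` is a filesystem path that later `gpupdate` runs import and execute, so the registry key written here under a system token is the trust boundary for extension code and callers must be correspondingly privileged.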
From: David Mulder Date: Fri, 13 Apr 2018 15:14:06 -0600 Subject: [PATCH 05/13] libgpo: add py_unregister_gp_extension for unregistering gp extensions Signed-off-by: David Mulder --- libgpo/pygpo.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 87d2fdc07ad..b4ebf17b808 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -411,6 +411,34 @@ static void get_gp_registry_context(TALLOC_CTX *ctx, } } +static PyObject *py_unregister_gp_extension(PyObject * self, PyObject * args) +{ + TALLOC_CTX *frame = talloc_stackframe(); + const char *guid_name = NULL; + struct gp_registry_context *reg_ctx = NULL; + WERROR werr; + PyObject *ret = Py_False; + + if (!PyArg_ParseTuple(args, "s", &guid_name)) { + return NULL; + } + + get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx); + if (!reg_ctx) { + goto out; + } + + werr = reg_deletekey_recursive(reg_ctx->curr_key, guid_name); + if (!W_ERROR_IS_OK(werr)) { + goto out; + } + + ret = Py_True; +out: + TALLOC_FREE(frame); + return ret; +} + static PyObject *py_register_gp_extension(PyObject * self, PyObject * args) { TALLOC_CTX *frame = talloc_stackframe(); @@ -652,6 +680,8 @@ static PyTypeObject ads_ADSType = { static PyMethodDef py_gpo_methods[] = { {"register_gp_extension", (PyCFunction)py_register_gp_extension, METH_VARARGS, NULL}, + {"unregister_gp_extension", (PyCFunction)py_unregister_gp_extension, + METH_VARARGS, NULL}, {"gpo_get_sysvol_gpt_version", (PyCFunction)py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL}, From d16eb769512d9ee457d35cf26dcbb637bf03f56e Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 4 May 2018 10:41:16 -0600 Subject: [PATCH 06/13] libgpo: add py_list_gp_extensions for listing registered gp extensions Signed-off-by: David Mulder --- libgpo/pygpo.c | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index b4ebf17b808..e3378f08816 100644 
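Review bot: `py_unregister_gp_extension` seeds `ret = Py_False` and keeps it on every failure path, so when `get_gp_registry_context` has already raised (`reg_ctx == NULL`) the function returns a Python object with an exception pending, and when `reg_deletekey_recursive` fails it returns `False` with no exception at all; callers cannot tell "nothing to delete" from "registry write failed". Initialise `ret = NULL`, and before the second `goto out` add `PyErr_SetNTSTATUS(werror_to_ntstatus(werr));` as `get_gp_registry_context` does. The borrowed `Py_True`/`Py_False` references are the refcount issue already noted on patch 01.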
--- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -33,6 +33,7 @@ #include "registry/reg_api.h" #include "../libcli/registry/util_reg.h" #include "../libgpo/gpext/gpext.h" +#include "registry/reg_objects.h" /* A Python C API module to use LIBGPO */ @@ -411,6 +412,54 @@ static void get_gp_registry_context(TALLOC_CTX *ctx, } } +static PyObject *py_list_gp_extensions(PyObject * self, PyObject * args) +{ + TALLOC_CTX *frame = talloc_stackframe(); + struct gp_registry_context *reg_ctx = NULL; + WERROR werr; + PyObject *ret = NULL; + struct registry_key *parent; + int i; + + get_gp_registry_context(frame, REG_KEY_READ, ®_ctx); + if (!reg_ctx) { + goto out; + } + + parent = reg_ctx->curr_key; + + ret = PyDict_New(); + if (ret == NULL) { + goto out; + } + + for (i = regsubkey_ctr_numkeys(parent->subkeys); i > 0; i--) { + struct registry_key *subkey; + char *subkey_name = NULL; + const char *subkey_val = NULL; + PyObject *val = NULL; + + subkey_name = regsubkey_ctr_specific_key(parent->subkeys, i-1); + werr = gp_read_reg_subkey(frame, reg_ctx, + subkey_name, &subkey); + if (!W_ERROR_IS_OK(werr)) { + goto out; + } + werr = gp_read_reg_val_sz(frame, subkey, + "DllName", &subkey_val); + if (!W_ERROR_IS_OK(werr)) { + ret = NULL; + goto out; + } + val = PyStr_FromString(subkey_val); + PyDict_SetItemString(ret, subkey_name, val); + } + +out: + TALLOC_FREE(frame); + return ret; +} + static PyObject *py_unregister_gp_extension(PyObject * self, PyObject * args) { TALLOC_CTX *frame = talloc_stackframe(); @@ -682,6 +731,8 @@ static PyMethodDef py_gpo_methods[] = { METH_VARARGS, NULL}, {"unregister_gp_extension", (PyCFunction)py_unregister_gp_extension, METH_VARARGS, NULL}, + {"list_gp_extensions", (PyCFunction)py_list_gp_extensions, + METH_NOARGS, NULL}, {"gpo_get_sysvol_gpt_version", (PyCFunction)py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL}, From 9f251b87214050f8a7ddd28e9ab9173ae0fd4413 Mon Sep 17 00:00:00 2001 
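Review bot: In `py_list_gp_extensions` the loop leaks and under-checks: `PyStr_FromString` can return NULL and `PyDict_SetItemString` takes its own reference, so `val` is never released and a NULL `val` would be stored; the first `gp_read_reg_subkey` failure returns the half-filled dict with no exception, while the `gp_read_reg_val_sz` failure sets `ret = NULL` without `Py_DECREF`ing the dict and also sets no exception. The loop body below checks each step, releases `val`, and clears the dict on every error path; the reverse iteration over `regsubkey_ctr_numkeys(parent->subkeys)` and the talloc frame handling are unchanged. Whether `parent->subkeys` is populated by `gp_init_reg_ctx` is not visible here and should be confirmed.
```c
/* … unchanged: frame, reg_ctx lookup, PyDict_New and loop header … */
		subkey_name = regsubkey_ctr_specific_key(parent->subkeys, i-1);
		werr = gp_read_reg_subkey(frame, reg_ctx, subkey_name, &subkey);
		if (!W_ERROR_IS_OK(werr)) {
			PyErr_SetNTSTATUS(werror_to_ntstatus(werr));
			Py_CLEAR(ret);
			goto out;
		}
		werr = gp_read_reg_val_sz(frame, subkey, "DllName", &subkey_val);
		if (!W_ERROR_IS_OK(werr)) {
			PyErr_SetNTSTATUS(werror_to_ntstatus(werr));
			Py_CLEAR(ret);
			goto out;
		}
		val = PyStr_FromString(subkey_val);
		if (val == NULL) {
			Py_CLEAR(ret);
			goto out;
		}
		if (PyDict_SetItemString(ret, subkey_name, val) < 0) {
			Py_DECREF(val);
			Py_CLEAR(ret);
			goto out;
		}
		Py_DECREF(val);
/* … unchanged: out label, TALLOC_FREE(frame), return ret … */
```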
From: David Mulder Date: Wed, 9 May 2018 09:24:37 -0600 Subject: [PATCH 07/13] libgpo: Tests for gp_ext register/unregister Adds testing for the gp_ext register and unregister functions, as well as testing the list function. Signed-off-by: David Mulder --- libgpo/pygpo.c | 24 ++++++++++++++++-------- python/samba/tests/gpo.py | 15 +++++++++++++++ 2 files changed, 31 insertions(+), 8 deletions(-) diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index e3378f08816..3f714ae1508 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -391,12 +391,13 @@ static PyObject *py_check_refresh_gpo_list(PyObject * self, static void get_gp_registry_context(TALLOC_CTX *ctx, uint32_t desired_access, - struct gp_registry_context **reg_ctx) + struct gp_registry_context **reg_ctx, + const char *smb_conf) { struct security_token *token; WERROR werr; - lp_load_initial_only(get_dyn_CONFIGFILE()); + lp_load_initial_only(smb_conf ? smb_conf : get_dyn_CONFIGFILE()); token = registry_create_system_token(ctx); if (!token) { @@ -420,8 +421,13 @@ static PyObject *py_list_gp_extensions(PyObject * self, PyObject * args) PyObject *ret = NULL; struct registry_key *parent; int i; + const char *smb_conf = NULL; - get_gp_registry_context(frame, REG_KEY_READ, ®_ctx); + if (!PyArg_ParseTuple(args, "|s", &smb_conf)) { + return NULL; + } + + get_gp_registry_context(frame, REG_KEY_READ, ®_ctx, smb_conf); if (!reg_ctx) { goto out; } @@ -467,12 +473,13 @@ static PyObject *py_unregister_gp_extension(PyObject * self, PyObject * args) struct gp_registry_context *reg_ctx = NULL; WERROR werr; PyObject *ret = Py_False; + const char *smb_conf = NULL; - if (!PyArg_ParseTuple(args, "s", &guid_name)) { + if (!PyArg_ParseTuple(args, "s|s", &guid_name, &smb_conf)) { return NULL; } - get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx); + get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx, smb_conf); if (!reg_ctx) { goto out; } 
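Review bot: `lp_load_initial_only(smb_conf ? smb_conf : get_dyn_CONFIGFILE())` in `get_gp_registry_context` still discards the load result, so an unreadable or mistyped `smb_conf` (now user-supplied from Python) silently proceeds with whatever globals were loaded before, and the registry is then opened against the wrong configuration; if the function reports failure, raise instead: `PyErr_SetString(PyExc_RuntimeError, "Failed to load smb.conf"); return;`. A doc comment on the new parameter would also help, e.g. `smb_conf: optional path to an smb.conf to load instead of the built-in default; NULL keeps the default`. The `smb_conf` plumbing in the `py_list_gp_extensions`, `py_unregister_gp_extension` and `py_register_gp_extension` hunks is fine as far as the hunks show.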
@@ -497,12 +504,13 @@ static PyObject *py_register_gp_extension(PyObject * self, PyObject * args) struct gp_registry_context *reg_ctx = NULL; struct registry_key *key = NULL; PyObject *ret = NULL; + const char *smb_conf = NULL; - if (!PyArg_ParseTuple(args, "ss", &guid_name, &module_path)) { + if (!PyArg_ParseTuple(args, "ss|s", &guid_name, &module_path, &smb_conf)) { return NULL; } - get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx); + get_gp_registry_context(frame, REG_KEY_WRITE, ®_ctx, smb_conf); if (!reg_ctx) { goto out; } @@ -732,7 +740,7 @@ static PyMethodDef py_gpo_methods[] = { {"unregister_gp_extension", (PyCFunction)py_unregister_gp_extension, METH_VARARGS, NULL}, {"list_gp_extensions", (PyCFunction)py_list_gp_extensions, - METH_NOARGS, NULL}, + METH_VARARGS, NULL}, {"gpo_get_sysvol_gpt_version", (PyCFunction)py_gpo_get_sysvol_gpt_version, METH_VARARGS, NULL}, diff --git a/python/samba/tests/gpo.py b/python/samba/tests/gpo.py index 796a5cb06cb..fa788ca4142 100644 --- a/python/samba/tests/gpo.py +++ b/python/samba/tests/gpo.py @@ -75,3 +75,18 @@ def test_gpt_version(self): assert gpo.gpo_get_sysvol_gpt_version(gpo_path)[1] == old_vers, \ 'gpo_get_sysvol_gpt_version() did not return the expected version' + def test_gpt_ext_register(self): + ext_path = '/home/dmulder/code/samba/bin/python/samba/gp_sec_ext.py' + ext_guid = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}' + gpo.register_gp_extension(ext_guid, ext_path, self.lp.configfile) + gp_exts = gpo.list_gp_extensions(self.lp.configfile) + assert ext_guid in gp_exts.keys(), \ + 'Failed to list gp exts from registry' + assert gp_exts[ext_guid] == ext_path, \ + 'Failed to list gp exts from registry' + + gpo.unregister_gp_extension(ext_guid) + gp_exts = gpo.list_gp_extensions(self.lp.configfile) + assert ext_guid not in gp_exts.keys(), \ + 'Failed to unregister gp exts from registry' + From 200947b8e6759c0a0d26c7effa67a24cf52f1a0c Mon Sep 17 00:00:00 2001 
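Review bot: `test_gpt_ext_register` calls `gpo.unregister_gp_extension(ext_guid)` without `self.lp.configfile` while the register and both list calls pass it, so the unregister goes to the default configuration's registry rather than the test's, and the final `assert ext_guid not in gp_exts.keys()` only passes if both happen to resolve to the same registry file; change it to `gpo.unregister_gp_extension(ext_guid, self.lp.configfile)`. The hard-coded `ext_path = '/home/dmulder/code/samba/bin/python/samba/gp_sec_ext.py'` is a developer-machine path; since the test only checks that the stored string round-trips, derive it from the test environment (e.g. `os.path.join(os.path.dirname(__file__), '..', 'gp_sec_ext.py')` or a tempfile) so the value is not misleading. The test also leaves the extension registered in the selftest registry if an assertion fails part-way; wrapping the unregister in `try`/`finally` keeps later tests isolated.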
From: David Mulder Date: Fri, 4 May 2018 13:38:44 -0600 Subject: [PATCH 08/13] gpo: Dynamically load gp_exts from registry This loads Group Policy Client Side Extensions in the same way that they are loaded on a Windows client. Extensions are installed via the registry at HKLM/Software/Microsoft/Windows NT/ CurrentVersion/Winlogon/GPExtensions where they receive a unique GUID matched with the path to the python gp_ext file. Classes which inherit from the gp_ext class (as defined in gpclass.py) will be dynamically loaded. Signed-off-by: David Mulder --- python/samba/gp_ext_loader.py | 68 +++++++++++++++++++++++++++++++++++ python/samba/gp_sec_ext.py | 2 +- source4/scripting/bin/samba_gpoupdate | 6 ++-- 3 files changed, 73 insertions(+), 3 deletions(-) create mode 100644 python/samba/gp_ext_loader.py diff --git a/python/samba/gp_ext_loader.py b/python/samba/gp_ext_loader.py new file mode 100644 index 00000000000..1a849b0118b --- /dev/null +++ b/python/samba/gp_ext_loader.py 
@@ -0,0 +1,68 @@
+# Group Policy Client Side Extension Loader
+# Copyright (C) David Mulder 2018
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+
+import os
+from samba import gpo
+
+try:
+ import importlib.util
+ def import_file(name, location):
+ try:
+ spec = importlib.util.spec_from_file_location(name, location)
+ module = importlib.util.module_from_spec(spec)
+ spec.loader.exec_module(module)
+ except AttributeError:
+ from importlib.machinery import SourceFileLoader
+ module = SourceFileLoader(name, location).load_module()
+ return module
+except ImportError:
+ import imp
+ def import_file(name, location):
+ return imp.load_source(name, location)
+
+def check_base(cls, base_names=['gp_ext']):
+ bases = cls.__bases__
+ for base in bases:
+ if base.__name__ in base_names:
+ return base.__name__
+ else:
+ return check_base(base, base_names)
+ return None
+
+def get_gp_exts_from_module(mod):
+ import inspect
+ machine_exts = []
+ clses = inspect.getmembers(mod, inspect.isclass)
+ for cls in clses:
+ base = check_base(cls[-1])
+ if base == 'gp_ext' and cls[-1].__module__ == mod.__name__:
+ machine_exts.append(cls[-1])
+ return {'machine_exts': machine_exts}
+
+def get_gp_client_side_extensions(logger):
+ machine_exts = []
+ gp_exts = gpo.list_gp_extensions()
+ for gp_ext_file in gp_exts.values():
+ gp_ext_name = os.path.splitext(os.path.basename(gp_ext_file))[0]
+ module = import_file(gp_ext_name, 
gp_ext_file) + exts = get_gp_exts_from_module(module) + machine_exts.extend(exts['machine_exts']) + if len(exts['machine_exts']) > 0: + logger.info('Loaded machine extensions from %s: %s' + % (gp_ext_file, + ' '.join([cls.__name__ for cls in exts['machine_exts']]))) + return machine_exts + diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py index 2637f72590f..8df95440ba3 100644 --- a/python/samba/gp_sec_ext.py +++ b/python/samba/gp_sec_ext.py @@ -16,7 +16,7 @@ # along with this program. If not, see . import os.path -from gpclass import gp_ext_setter, gp_inf_ext +from samba.gpclass import gp_ext_setter, gp_inf_ext class inf_to_kdc_tdb(gp_ext_setter): def mins_to_hours(self): diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/samba_gpoupdate index a7fe641973d..73d2786d129 100755 --- a/source4/scripting/bin/samba_gpoupdate +++ b/source4/scripting/bin/samba_gpoupdate @@ -35,7 +35,7 @@ try: except: SamDB = None from samba.gpclass import apply_gp, unapply_gp, GPOStorage -from samba.gp_sec_ext import gp_sec_ext +from samba.gp_ext_loader import get_gp_client_side_extensions import logging if __name__ == "__main__": @@ -84,9 +84,11 @@ if __name__ == "__main__": cache_dir = lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) + machine_exts = get_gp_client_side_extensions(logger) gp_extensions = [] if opts.machine: - gp_extensions.append(gp_sec_ext(logger)) + for ext in machine_exts: + gp_extensions.append(ext(logger)) else: pass # User extensions From fde484e7ed2d56510aa8451582569e56c0b4bdf0 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Fri, 4 May 2018 13:25:25 -0600 Subject: [PATCH 09/13] gpo: Add user policy extensions Signed-off-by: David Mulder --- python/samba/gp_ext_loader.py | 15 ++++++++++++--- python/samba/gpclass.py | 5 +++++ source4/scripting/bin/samba_gpoupdate | 5 +++-- 3 files changed, 20 insertions(+), 5 deletions(-) 
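Review bot: `check_base` returns from the first base it inspects regardless of outcome: the `else: return check_base(base, base_names)` hands back `None` for a non-matching first base and the remaining `cls.__bases__` are never examined, so a class whose `gp_ext` ancestor is not its first base is silently not loaded; the same loop is carried unchanged into the patch 09 hunk. The rewrite below only returns early on a match. `get_gp_client_side_extensions` also imports and executes every `DllName` path from the registry with no check that the file exists, and a single broken or missing extension raises out of the loop and aborts policy application for all of them; wrap `import_file` in a `try`/`except Exception` that logs `gp_ext_file` and continues, and state in a docstring that the registry key is the trust boundary — whatever can write it chooses the code `gpupdate` will run. Lastly, `import_file` under Python 3 falls into `except AttributeError` when `spec_from_file_location` returns `None` for an unrecognised suffix, which masks the real cause; checking `spec is None` explicitly reads better.
```python
def check_base(cls, base_names=['gp_ext']):
    # Walk the class hierarchy; return the first recognised base name, else None.
    for base in cls.__bases__:
        if base.__name__ in base_names:
            return base.__name__
        found = check_base(base, base_names)
        if found:
            return found
    return None
```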
diff --git a/python/samba/gp_ext_loader.py b/python/samba/gp_ext_loader.py index 1a849b0118b..f2123f14067 100644 --- a/python/samba/gp_ext_loader.py +++ b/python/samba/gp_ext_loader.py @@ -33,7 +33,7 @@ def import_file(name, location): def import_file(name, location): return imp.load_source(name, location) -def check_base(cls, base_names=['gp_ext']): +def check_base(cls, base_names=['gp_ext', 'gp_user_ext']): bases = cls.__bases__ for base in bases: if base.__name__ in base_names: @@ -44,15 +44,19 @@ def check_base(cls, base_names=['gp_ext']): def get_gp_exts_from_module(mod): import inspect + user_exts = [] machine_exts = [] clses = inspect.getmembers(mod, inspect.isclass) for cls in clses: base = check_base(cls[-1]) if base == 'gp_ext' and cls[-1].__module__ == mod.__name__: machine_exts.append(cls[-1]) - return {'machine_exts': machine_exts} + elif base == 'gp_user_ext' and cls[-1].__module__ == mod.__name__: + user_exts.append(cls[-1]) + return {'machine_exts': machine_exts, 'user_exts': user_exts} def get_gp_client_side_extensions(logger): + user_exts = [] machine_exts = [] gp_exts = gpo.list_gp_extensions() for gp_ext_file in gp_exts.values(): @@ -64,5 +68,10 @@ def get_gp_client_side_extensions(logger): logger.info('Loaded machine extensions from %s: %s' % (gp_ext_file, ' '.join([cls.__name__ for cls in exts['machine_exts']]))) - return machine_exts + user_exts.extend(exts['user_exts']) + if len(exts['user_exts']) > 0: + logger.info('Loaded user extensions from %s: %s' + % (gp_ext_file, + ' '.join([cls.__name__ for cls in exts['user_exts']]))) + return (machine_exts, user_exts) diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py index b9c376bf75a..fbad3bee109 100644 --- a/python/samba/gpclass.py +++ b/python/samba/gpclass.py 
@@ -336,6 +336,11 @@ def parse(self, afile, ldb, conn, gp_db, lp): def __str__(self): pass +class gp_user_ext(gp_ext): + def __init__(self, logger, creds): + super(gp_user_ext, self).__init__(logger) + self.creds = creds + class gp_ext_setter(): __metaclass__ = ABCMeta diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/samba_gpoupdate index 73d2786d129..d78fdf48775 100755 --- a/source4/scripting/bin/samba_gpoupdate +++ b/source4/scripting/bin/samba_gpoupdate @@ -84,13 +84,14 @@ if __name__ == "__main__": cache_dir = lp.get('cache directory') store = GPOStorage(os.path.join(cache_dir, 'gpo.tdb')) - machine_exts = get_gp_client_side_extensions(logger) + machine_exts, user_exts = get_gp_client_side_extensions(logger) gp_extensions = [] if opts.machine: for ext in machine_exts: gp_extensions.append(ext(logger)) else: - pass # User extensions + for ext in user_exts: + gp_extensions.append(ext(logger, creds)) # Get a live instance of Samba if SamDB: From b91eb40f3ba74f2cbc9ee497eb31e4b1746a4403 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Mon, 7 May 2018 09:45:32 -0600 Subject: [PATCH 10/13] samba_gpoupdate: Rename the command to gpupdate On a Windows client, this command is called 'gpupdate' Signed-off-by: David Mulder --- docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 4 ++-- lib/param/loadparm.c | 2 +- selftest/target/Samba4.pm | 2 +- source3/param/loadparm.c | 2 +- source4/scripting/bin/{samba_gpoupdate => gpupdate} | 4 ++-- source4/scripting/bin/wscript_build | 2 +- .../scripting/man/{samba_gpoupdate.8.xml => gpupdate.8.xml} | 10 +++++----- source4/scripting/wscript_build | 4 ++-- 8 files changed, 15 insertions(+), 15 deletions(-) rename source4/scripting/bin/{samba_gpoupdate => gpupdate} (96%) rename source4/scripting/man/{samba_gpoupdate.8.xml => gpupdate.8.xml} (94%) diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml index 3ce26d78287..6832201c288 100644 
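Review bot: `gp_user_ext` is the base that user-side extensions are expected to subclass (the loader hunk in `gp_ext_loader.py` matches on the class name `gp_user_ext`) but it carries no docstring, so what `creds` is and that it is the user whose policy is being applied is only discoverable from the `samba_gpoupdate` hunk that instantiates it with `ext(logger, creds)`. A class docstring stating that user extensions run with the supplied credentials and receive them as `self.creds`, while machine extensions stay on `gp_ext`, would make the split explicit. Since the loader matches by base-class name, the docstring should also warn that renaming this class breaks extension discovery.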
--- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml +++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml @@ -5,7 +5,7 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> This option sets the command that is called to apply GPO policies. - The samba_gpoupdate script applies System Access and Kerberos Policies + The gpupdate script applies System Access and Kerberos Policies to the KDC. System Access policies set minPwdAge, maxPwdAge, minPwdLength, and pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, kdc:user ticket lifetime, and kdc:renewal @@ -13,6 +13,6 @@ -&pathconfig.SCRIPTSBINDIR;/samba_gpoupdate +&pathconfig.SCRIPTSBINDIR;/gpupdate /usr/local/sbin/gpoupdate diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 0c1b28babbc..d6524ab859f 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c @@ -2734,7 +2734,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); - lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR); + lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/gpupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False"); lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR); diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 51a175b25e8..2d4edb6ee9e 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm 
@@ -641,7 +641,7 @@ sub provision_raw_step1($$) rndc command = true dns update command = $ctx->{samba_dnsupdate} spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf} - gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine + gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/gpupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine dreplsrv:periodic_startup_interval = 0 dsdb:schema update allowed = yes diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index 520d0660ccf..f2e8e29e3c0 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -917,7 +917,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.dns_update_command = str_list_make_v3_const(NULL, s, NULL); TALLOC_FREE(s); - s = talloc_asprintf(talloc_tos(), "%s/samba_gpoupdate", get_dyn_SCRIPTSBINDIR()); + s = talloc_asprintf(talloc_tos(), "%s/gpupdate", get_dyn_SCRIPTSBINDIR()); if (s == NULL) { smb_panic("init_globals: ENOMEM"); } diff --git a/source4/scripting/bin/samba_gpoupdate b/source4/scripting/bin/gpupdate similarity index 96% rename from source4/scripting/bin/samba_gpoupdate rename to source4/scripting/bin/gpupdate index d78fdf48775..0602ced446e 100755 --- a/source4/scripting/bin/samba_gpoupdate +++ b/source4/scripting/bin/gpupdate @@ -39,7 +39,7 @@ from samba.gp_ext_loader import get_gp_client_side_extensions import logging if __name__ == "__main__": - parser = optparse.OptionParser('samba_gpoupdate [options]') + parser = optparse.OptionParser('gpupdate [options]') sambaopts = options.SambaOptions(parser) # Get the command line options 
@@ -68,7 +68,7 @@ if __name__ == "__main__": session = system_session() # Set up logging - logger = logging.getLogger('samba_gpoupdate') + logger = logging.getLogger('gpupdate') logger.addHandler(logging.StreamHandler(sys.stdout)) logger.setLevel(logging.CRITICAL) log_level = lp.log_level() diff --git a/source4/scripting/bin/wscript_build b/source4/scripting/bin/wscript_build index 043442b3407..a1dbd558703 100644 --- a/source4/scripting/bin/wscript_build +++ b/source4/scripting/bin/wscript_build @@ -9,4 +9,4 @@ if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): 'samba_upgradedns', 'gen_output.py']: bld.SAMBA_SCRIPT(script, pattern=script, installdir='.') -bld.SAMBA_SCRIPT('samba_gpoupdate', pattern='samba_gpoupdate', installdir='.') +bld.SAMBA_SCRIPT('gpupdate', pattern='gpupdate', installdir='.') diff --git a/source4/scripting/man/samba_gpoupdate.8.xml b/source4/scripting/man/gpupdate.8.xml similarity index 94% rename from source4/scripting/man/samba_gpoupdate.8.xml rename to source4/scripting/man/gpupdate.8.xml index 0c3a0a812a1..5ac93f469fd 100644 --- a/source4/scripting/man/samba_gpoupdate.8.xml +++ b/source4/scripting/man/gpupdate.8.xml @@ -1,6 +1,6 @@ - + 2017-07-11 @@ -12,17 +12,17 @@ - samba_gpoupdate + gpupdate apply group policy - samba_gpoupdate + gpupdate - samba_gpoupdate + gpupdate options @@ -37,7 +37,7 @@ samba 1 suite. - samba_gpoupdate a script for + gpupdate a script for applying and unapplying Group Policy. Group Policy application is experimental. Currently this applies password policies (minimum/maximum password age, diff --git a/source4/scripting/wscript_build b/source4/scripting/wscript_build index 2f53cce12b7..b20ff9bc103 100644 --- a/source4/scripting/wscript_build +++ b/source4/scripting/wscript_build 
@@ -5,8 +5,8 @@ from samba_utils import MODE_755 sbin_files = '' if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): sbin_files = 'bin/samba_dnsupdate bin/samba_spnupdate bin/samba_upgradedns bin/samba_kcc ' -sbin_files += 'bin/samba_gpoupdate' -man_files = 'man/samba_gpoupdate.8' +sbin_files += 'bin/gpupdate' +man_files = 'man/gpupdate.8' if sbin_files: bld.INSTALL_FILES('${SBINDIR}', From f1582cacc7e2e50958c81fda527769e0555ef5f3 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Mon, 7 May 2018 09:48:32 -0600 Subject: [PATCH 11/13] gpupdate: Change machine option to target On a Windows client, you designate machine/user apply with a 'target' parameter. This change makes gpupdate work more like that command. Signed-off-by: David Mulder --- selftest/target/Samba4.pm | 2 +- source3/winbindd/winbindd_gpupdate.c | 2 +- source4/scripting/bin/gpupdate | 8 ++++---- source4/scripting/man/gpupdate.8.xml | 3 +++ 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 2d4edb6ee9e..e01bf4ec1e0 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -641,7 +641,7 @@ sub provision_raw_step1($$) rndc command = true dns update command = $ctx->{samba_dnsupdate} spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf} - gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/gpupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine + gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/gpupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --target=Computer dreplsrv:periodic_startup_interval = 0 dsdb:schema update allowed = yes diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c index c86c007be12..75772ea4feb 100644 --- a/source3/winbindd/winbindd_gpupdate.c +++ b/source3/winbindd/winbindd_gpupdate.c 
@@ -62,7 +62,7 @@ static void gpupdate_callback(struct tevent_context *ev, gpupdate_cmd, "-s", smbconf, - "--machine", + "--target=Computer", "--machine-pass", NULL); if (req == NULL) { diff --git a/source4/scripting/bin/gpupdate b/source4/scripting/bin/gpupdate index 0602ced446e..bbf0c93e1de 100755 --- a/source4/scripting/bin/gpupdate +++ b/source4/scripting/bin/gpupdate @@ -49,8 +49,8 @@ if __name__ == "__main__": parser.add_option('-H', '--url', dest='url', help='URL for the samdb') parser.add_option('-X', '--unapply', help='Unapply Group Policy', action='store_true') - parser.add_option('-M', '--machine', help='Apply machine policy', - action='store_true', default=False) + parser.add_option('--target', default='Computer', help='{Computer | User}', + choices=['Computer', 'User']) parser.add_option_group(credopts) # Set the options and the arguments @@ -86,10 +86,10 @@ if __name__ == "__main__": machine_exts, user_exts = get_gp_client_side_extensions(logger) gp_extensions = [] - if opts.machine: + if opts.target == 'Computer': for ext in machine_exts: gp_extensions.append(ext(logger)) - else: + elif opts.target == 'User': for ext in user_exts: gp_extensions.append(ext(logger, creds)) diff --git a/source4/scripting/man/gpupdate.8.xml b/source4/scripting/man/gpupdate.8.xml index 5ac93f469fd..be70a70ca7f 100644 --- a/source4/scripting/man/gpupdate.8.xml +++ b/source4/scripting/man/gpupdate.8.xml @@ -59,6 +59,9 @@ , Unapply Group Policy + + {Computer | User} + Samba Common Options: FILE, =FILE From 537be49b4790f90ee2a324387b03aa4f661c578c Mon Sep 17 00:00:00 2001 From: David Mulder Date: Mon, 7 May 2018 10:18:00 -0600 Subject: [PATCH 12/13] gpupdate: Don't fail with dc installed Don't fail if the dc is installed, but we're joined as a client. Signed-off-by: David Mulder --- source4/scripting/bin/gpupdate | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
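Review bot: The new `--target` option in the gpupdate hunk at `@@ -49,8 +49,8 @@` changes what a bare `gpupdate` invocation does: the old `--machine` defaulted to False (user policy), while `default='Computer'` now applies machine policy when no target is given, and neither the help string nor the man page entry added at `@@ -59,6 +59,9 @@` states that default. Suggest `help='{Computer | User} (default: Computer)'` and a matching sentence in the man page entry so operators running it by hand know which policy set they are applying. The `-M`/`--machine` spelling is dropped without a compatibility alias; the in-tree callers in Samba4.pm and winbindd_gpupdate.c are updated in this commit, but any external invocation still passing `--machine` will now be rejected by optparse, which seems worth a line in the commit message. The `choices=['Computer', 'User']` restriction makes the `elif opts.target == 'User'` branch at `@@ -86,10 +86,10 @@` exhaustive, so no fallthrough case is needed there.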
diff --git a/source4/scripting/bin/gpupdate b/source4/scripting/bin/gpupdate index bbf0c93e1de..dc2338b3c78 100755 --- a/source4/scripting/bin/gpupdate +++ b/source4/scripting/bin/gpupdate @@ -94,10 +94,15 @@ if __name__ == "__main__": gp_extensions.append(ext(logger, creds)) # Get a live instance of Samba + test_ldb = None if SamDB: - test_ldb = SamDB(url, session_info=session, credentials=creds, lp=lp) - else: - test_ldb = None + try: + test_ldb = SamDB(url, + session_info=session, + credentials=creds, + lp=lp) + except: + test_ldb = None if not opts.unapply: apply_gp(lp, creds, test_ldb, logger, store, gp_extensions) From bfe026cd13279946915eb8e8a5032c416eef2325 Mon Sep 17 00:00:00 2001 From: David Mulder Date: Wed, 9 May 2018 10:39:06 -0600 Subject: [PATCH 13/13] gpo: Remove old gp_ext and net ads gpo code Signed-off-by: David Mulder --- source3/libgpo/gpext/registry.c | 428 -------------------------------- source3/libgpo/gpext/scripts.c | 487 ------------------------------------- source3/libgpo/gpext/security.c | 297 ---------------------- source3/libgpo/gpext/wscript_build | 23 -- source3/utils/net_ads_gpo.c | 94 ------- source3/wscript_build | 1 - 6 files changed, 1330 deletions(-) delete mode 100644 source3/libgpo/gpext/registry.c delete mode 100644 source3/libgpo/gpext/scripts.c delete mode 100644 source3/libgpo/gpext/security.c delete mode 100644 source3/libgpo/gpext/wscript_build diff --git a/source3/libgpo/gpext/registry.c b/source3/libgpo/gpext/registry.c deleted file mode 100644 index ceb05f030b6..00000000000 --- a/source3/libgpo/gpext/registry.c +++ /dev/null 
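Review bot: The bare `except:` added around the `SamDB(...)` call swallows every failure, including `KeyboardInterrupt`/`SystemExit`, and hides real errors such as a wrong `-H` URL or a permission problem on sam.ldb, so gpupdate silently continues down the non-DC path instead of reporting a misconfiguration. Narrowing it and recording why the local sam was skipped keeps the intended "joined as a client" behaviour while leaving a trace for troubleshooting: `except Exception as e:` / `logger.debug('SamDB(%s) unavailable, continuing without a local sam: %s' % (url, e))`. The `test_ldb = None` inside the handler is redundant with the `test_ldb = None` initialisation added just above `if SamDB:` and can be dropped. The enclosing `if __name__ == "__main__":` block starts and ends outside the hunk.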
@@ -1,428 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Support - * Copyright (C) Guenther Deschner 2007-2008,2010 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" -#include "../libgpo/gpo_ini.h" -#include "../libgpo/gpo.h" -#include "libgpo/gpo_proto.h" -#include "registry.h" -#include "../librpc/gen_ndr/ndr_preg.h" -#include "libgpo/gpext/gpext.h" - -#define GP_EXT_NAME "registry" - -/* more info can be found at: - * http://msdn2.microsoft.com/en-us/library/aa374407.aspx */ - -#define GP_REGPOL_FILE "Registry.pol" - -#define GP_REGPOL_FILE_SIGNATURE 0x67655250 /* 'PReg' */ -#define GP_REGPOL_FILE_VERSION 1 - -static TALLOC_CTX *ctx = NULL; - -NTSTATUS gpext_registry_init(TALLOC_CTX *mem_ctx); - -/**************************************************************** -****************************************************************/ - -static bool reg_parse_value(TALLOC_CTX *mem_ctx, - const char **value, - enum gp_reg_action *action) -{ - if (!*value) { - *action = GP_REG_ACTION_ADD_KEY; - return true; - } - - if (strncmp(*value, "**", 2) != 0) { - *action = GP_REG_ACTION_ADD_VALUE; - return true; - } - - if (strnequal(*value, "**DelVals.", 10)) { - *action = GP_REG_ACTION_DEL_ALL_VALUES; - return true; - } - - if (strnequal(*value, "**Del.", 6)) { - *value = talloc_strdup(mem_ctx, *value + 6); - *action = GP_REG_ACTION_DEL_VALUE; - return true; - } - - 
if (strnequal(*value, "**SecureKey", 11)) { - if (strnequal(*value, "**SecureKey=1", 13)) { - *action = GP_REG_ACTION_SEC_KEY_SET; - return true; - } - - /*************** not tested from here on ***************/ - if (strnequal(*value, "**SecureKey=0", 13)) { - smb_panic("not supported: **SecureKey=0"); - *action = GP_REG_ACTION_SEC_KEY_RESET; - return true; - } - DEBUG(0,("unknown: SecureKey: %s\n", *value)); - smb_panic("not supported SecureKey method"); - return false; - } - - if (strnequal(*value, "**DeleteValues", strlen("**DeleteValues"))) { - smb_panic("not supported: **DeleteValues"); - *action = GP_REG_ACTION_DEL_VALUES; - return false; - } - - if (strnequal(*value, "**DeleteKeys", strlen("**DeleteKeys"))) { - smb_panic("not supported: **DeleteKeys"); - *action = GP_REG_ACTION_DEL_KEYS; - return false; - } - - DEBUG(0,("unknown value: %s\n", *value)); - smb_panic(*value); - return false; -} - -/**************************************************************** -****************************************************************/ - -static bool gp_reg_entry_from_file_entry(TALLOC_CTX *mem_ctx, - struct preg_entry *r, - struct gp_registry_entry **reg_entry) -{ - struct registry_value *data = NULL; - struct gp_registry_entry *entry = NULL; - enum gp_reg_action action = GP_REG_ACTION_NONE; - - ZERO_STRUCTP(*reg_entry); - - data = talloc_zero(mem_ctx, struct registry_value); - if (!data) - return false; - - data->type = r->type; - data->data = data_blob_talloc(data, r->data, r->size); - - entry = talloc_zero(mem_ctx, struct gp_registry_entry); - if (!entry) - return false; - - if (!reg_parse_value(mem_ctx, &r->valuename, &action)) - return false; - - entry->key = talloc_strdup(entry, r->keyname); - entry->value = talloc_strdup(entry, r->valuename); - entry->data = data; - entry->action = action; - - *reg_entry = entry; - - return true; -} - -/**************************************************************** 
-****************************************************************/ - -static NTSTATUS reg_parse_registry(TALLOC_CTX *mem_ctx, - uint32_t flags, - const char *filename, - struct gp_registry_entry **entries_p, - size_t *num_entries_p) -{ - DATA_BLOB blob; - NTSTATUS status; - enum ndr_err_code ndr_err; - const char *real_filename = NULL; - struct preg_file r; - struct gp_registry_entry *entries = NULL; - size_t num_entries = 0; - int i; - - status = gp_find_file(mem_ctx, - flags, - filename, - GP_REGPOL_FILE, - &real_filename); - if (!NT_STATUS_IS_OK(status)) { - return status; - } - - blob.data = (uint8_t *)file_load(real_filename, &blob.length, 0, NULL); - if (!blob.data) { - return NT_STATUS_CANNOT_LOAD_REGISTRY_FILE; - } - - ndr_err = ndr_pull_struct_blob(&blob, mem_ctx, &r, - (ndr_pull_flags_fn_t)ndr_pull_preg_file); - if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { - status = ndr_map_error2ntstatus(ndr_err); - goto out; - } - - if (flags & GPO_INFO_FLAG_VERBOSE) { - NDR_PRINT_DEBUG(preg_file, &r); - } - - if (!strequal(r.header.signature, "PReg")) { - status = NT_STATUS_INVALID_PARAMETER; - goto out; - } - - if (r.header.version != GP_REGPOL_FILE_VERSION) { - status = NT_STATUS_INVALID_PARAMETER; - goto out; - } - - for (i=0; i < r.num_entries; i++) { - - struct gp_registry_entry *r_entry = NULL; - - if (!gp_reg_entry_from_file_entry(mem_ctx, - &r.entries[i], - &r_entry)) { - status = NT_STATUS_NO_MEMORY; - goto out; - } - - if (!add_gp_registry_entry_to_array(mem_ctx, - r_entry, - &entries, - &num_entries)) { - status = NT_STATUS_NO_MEMORY; - goto out; - } - } - - *entries_p = entries; - *num_entries_p = num_entries; - - status = NT_STATUS_OK; - - out: - data_blob_free(&blob); - return status; -} - -/**************************************************************** -****************************************************************/ - -static WERROR reg_apply_registry(TALLOC_CTX *mem_ctx, - const struct security_token *token, - struct registry_key *root_key, - uint32_t 
flags, - struct gp_registry_entry *entries, - size_t num_entries) -{ - struct gp_registry_context *reg_ctx = NULL; - WERROR werr; - size_t i; - - if (num_entries == 0) { - return WERR_OK; - } - -#if 0 - if (flags & GPO_LIST_FLAG_MACHINE) { - werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE, - get_system_token(), - ®_ctx); - } else { - werr = gp_init_reg_ctx(mem_ctx, KEY_HKCU, REG_KEY_WRITE, - token, - ®_ctx); - } - W_ERROR_NOT_OK_RETURN(werr); -#endif - for (i=0; inext) { - } - - */ - - for (gpo = changed_gpo_list; gpo; gpo = gpo->next) { - - gpext_debug_header(0, "registry_process_group_policy", flags, - gpo, GP_EXT_GUID_REGISTRY, NULL); - - status = gpo_get_unix_path(mem_ctx, gpo_cache_path, - gpo, &unix_path); - if (!NT_STATUS_IS_OK(status)) { - goto err_cache_path_free; - } - - status = reg_parse_registry(mem_ctx, - flags, - unix_path, - &entries, - &num_entries); - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("failed to parse registry: %s\n", - nt_errstr(status))); - goto err_cache_path_free; - } - - dump_reg_entries(flags, "READ", entries, num_entries); - - werr = reg_apply_registry(mem_ctx, token, root_key, flags, - entries, num_entries); - if (!W_ERROR_IS_OK(werr)) { - DEBUG(0,("failed to apply registry: %s\n", - win_errstr(werr))); - status = werror_to_ntstatus(werr); - goto err_cache_path_free; - } - } - status = NT_STATUS_OK; - -err_cache_path_free: - talloc_free(gpo_cache_path); - talloc_free(entries); - return status; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS registry_get_reg_config(TALLOC_CTX *mem_ctx, - struct gp_extension_reg_info **reg_info) -{ - NTSTATUS status; - struct gp_extension_reg_info *info = NULL; - struct gp_extension_reg_table table[] = { - { "ProcessGroupPolicy", REG_SZ, "registry_process_group_policy" }, - { NULL, REG_NONE, NULL } - }; - - info = talloc_zero(mem_ctx, struct gp_extension_reg_info); - 
NT_STATUS_HAVE_NO_MEMORY(info); - - status = gpext_info_add_entry(mem_ctx, GP_EXT_NAME, - GP_EXT_GUID_REGISTRY, - table, info); - NT_STATUS_NOT_OK_RETURN(status); - - *reg_info = info; - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS registry_initialize(TALLOC_CTX *mem_ctx) -{ - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS registry_shutdown(void) -{ - NTSTATUS status; - - status = gpext_unregister_gp_extension(GP_EXT_NAME); - if (NT_STATUS_IS_OK(status)) { - return status; - } - - TALLOC_FREE(ctx); - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static struct gp_extension_methods registry_methods = { - .initialize = registry_initialize, - .process_group_policy = registry_process_group_policy, - .get_reg_config = registry_get_reg_config, - .shutdown = registry_shutdown -}; - -/**************************************************************** -****************************************************************/ - -NTSTATUS gpext_registry_init(TALLOC_CTX *mem_ctx) -{ - NTSTATUS status; - - ctx = talloc_init("gpext_registry_init"); - NT_STATUS_HAVE_NO_MEMORY(ctx); - - status = gpext_register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION, - GP_EXT_NAME, GP_EXT_GUID_REGISTRY, - ®istry_methods); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(ctx); - } - - return status; -} diff --git a/source3/libgpo/gpext/scripts.c b/source3/libgpo/gpext/scripts.c deleted file mode 100644 index de664133b87..00000000000 --- a/source3/libgpo/gpext/scripts.c +++ /dev/null 
@@ -1,487 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Support - * Copyright (C) Guenther Deschner 2007 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" -#include "../libgpo/gpo_ini.h" -#include "../libgpo/gpo.h" -#include "libgpo/gpo_proto.h" -#include "registry.h" -#include "registry/reg_api.h" -#include "../libcli/registry/util_reg.h" -#include "libgpo/gpext/gpext.h" - -#define GP_EXT_NAME "scripts" - -#define KEY_GP_SCRIPTS "Software\\Policies\\Microsoft\\Windows\\System\\Scripts" - -#define GP_SCRIPTS_INI "Scripts/scripts.ini" - -#define GP_SCRIPTS_INI_STARTUP "Startup" -#define GP_SCRIPTS_INI_SHUTDOWN "Shutdown" -#define GP_SCRIPTS_INI_LOGON "Logon" -#define GP_SCRIPTS_INI_LOGOFF "Logoff" - -#define GP_SCRIPTS_SECTION_CMDLINE "cmdline" -#define GP_SCRIPTS_SECTION_PARAMETERS "parameters" - -#define GP_SCRIPTS_REG_VAL_SCRIPT "Script" -#define GP_SCRIPTS_REG_VAL_PARAMETERS "Parameters" -#define GP_SCRIPTS_REG_VAL_EXECTIME "ExecTime" - -NTSTATUS gpext_scripts_init(TALLOC_CTX *mem_ctx); - -static TALLOC_CTX *ctx = NULL; - -/**************************************************************** -****************************************************************/ - -static NTSTATUS scripts_get_reg_config(TALLOC_CTX *mem_ctx, - struct gp_extension_reg_info **reg_info) -{ - NTSTATUS status; - struct gp_extension_reg_info *info = NULL; - - struct 
gp_extension_reg_table table[] = { - { "ProcessGroupPolicy", REG_SZ, "scripts_process_group_policy" }, - { "NoGPOListChanges", REG_DWORD, "1" }, - { "NoSlowLink", REG_DWORD, "1" }, - { "NotifyLinkTransition", REG_DWORD, "1" }, - { NULL, REG_NONE, NULL }, - }; - - info = talloc_zero(mem_ctx, struct gp_extension_reg_info); - NT_STATUS_HAVE_NO_MEMORY(info); - - status = gpext_info_add_entry(mem_ctx, GP_EXT_NAME, - GP_EXT_GUID_SCRIPTS, - table, info); - NT_STATUS_NOT_OK_RETURN(status); - - *reg_info = info; - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS generate_gp_registry_entry(TALLOC_CTX *mem_ctx, - const char *key, - const char *value, - uint32_t data_type, - DATA_BLOB *blob, - enum gp_reg_action action, - struct gp_registry_entry **entry_out) -{ - struct gp_registry_entry *entry = NULL; - struct registry_value *data = NULL; - - entry = talloc_zero(mem_ctx, struct gp_registry_entry); - NT_STATUS_HAVE_NO_MEMORY(entry); - - data = talloc_zero(mem_ctx, struct registry_value); - NT_STATUS_HAVE_NO_MEMORY(data); - - data->type = data_type; - data->data = *blob; - - entry->key = key; - entry->data = data; - entry->action = action; - entry->value = talloc_strdup(mem_ctx, value); - NT_STATUS_HAVE_NO_MEMORY(entry->value); - - *entry_out = entry; - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS scripts_parse_ini_section(struct gp_inifile_context *ini_ctx, - uint32_t flags, - const char *section, - struct gp_registry_entry **entries, - size_t *num_entries) -{ - NTSTATUS status = NT_STATUS_OBJECT_NAME_NOT_FOUND; - NTSTATUS result; - int i = 0; - - while (1) { - - const char *key = NULL; - const char *script = NULL; - const char *count = NULL; - const char *parameters = NULL; - DATA_BLOB blob; - bool ok; - - count 
= talloc_asprintf(ini_ctx->mem_ctx, "%d", i); - NT_STATUS_HAVE_NO_MEMORY(count); - - key = talloc_asprintf(ini_ctx->mem_ctx, "%s:%s%s", - section, count, - GP_SCRIPTS_SECTION_CMDLINE); - NT_STATUS_HAVE_NO_MEMORY(key); - - result = gp_inifile_getstring(ini_ctx, key, &script); - if (!NT_STATUS_IS_OK(result)) { - break; - } - - key = talloc_asprintf(ini_ctx->mem_ctx, "%s:%s%s", - section, count, - GP_SCRIPTS_SECTION_PARAMETERS); - NT_STATUS_HAVE_NO_MEMORY(key); - - result = gp_inifile_getstring(ini_ctx, key, ¶meters); - if (!NT_STATUS_IS_OK(result)) { - break; - } - - { - struct gp_registry_entry *entry = NULL; - - ok = push_reg_sz(ini_ctx->mem_ctx, &blob, script); - if (!ok) { - return NT_STATUS_NO_MEMORY; - } - - status = generate_gp_registry_entry(ini_ctx->mem_ctx, - count, - GP_SCRIPTS_REG_VAL_SCRIPT, - REG_SZ, - &blob, - GP_REG_ACTION_ADD_VALUE, - &entry); - NT_STATUS_NOT_OK_RETURN(status); - if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx, - entry, - entries, - num_entries)) { - return NT_STATUS_NO_MEMORY; - } - } - { - struct gp_registry_entry *entry = NULL; - - ok = push_reg_sz(ini_ctx->mem_ctx, &blob, parameters); - if (!ok) { - return NT_STATUS_NO_MEMORY; - } - - status = generate_gp_registry_entry(ini_ctx->mem_ctx, - count, - GP_SCRIPTS_REG_VAL_PARAMETERS, - REG_SZ, - &blob, - GP_REG_ACTION_ADD_VALUE, - &entry); - NT_STATUS_NOT_OK_RETURN(status); - if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx, - entry, - entries, - num_entries)) { - return NT_STATUS_NO_MEMORY; - } - } - { - struct gp_registry_entry *entry = NULL; - - blob = data_blob_talloc_zero(ini_ctx->mem_ctx, 8); - - status = generate_gp_registry_entry(ini_ctx->mem_ctx, - count, - GP_SCRIPTS_REG_VAL_EXECTIME, - REG_QWORD, - &blob, - GP_REG_ACTION_ADD_VALUE, - &entry); - NT_STATUS_NOT_OK_RETURN(status); - if (!add_gp_registry_entry_to_array(ini_ctx->mem_ctx, - entry, - entries, - num_entries)) { - return NT_STATUS_NO_MEMORY; - } - } - status = NT_STATUS_OK; - i++; - } - - return status; -} - 
-/**************************************************************** -****************************************************************/ - -static WERROR scripts_store_reg_gpovals(TALLOC_CTX *mem_ctx, - struct registry_key *key, - const struct GROUP_POLICY_OBJECT *gpo) -{ - WERROR werr; - - if (!key || !gpo) { - return WERR_INVALID_PARAMETER; - } - - werr = gp_store_reg_val_sz(mem_ctx, key, "DisplayName", - gpo->display_name); - W_ERROR_NOT_OK_RETURN(werr); - - werr = gp_store_reg_val_sz(mem_ctx, key, "FileSysPath", - gpo->file_sys_path); - W_ERROR_NOT_OK_RETURN(werr); - - werr = gp_store_reg_val_sz(mem_ctx, key, "GPO-ID", - gpo->ds_path); - W_ERROR_NOT_OK_RETURN(werr); - - werr = gp_store_reg_val_sz(mem_ctx, key, "GPOName", - gpo->name); - W_ERROR_NOT_OK_RETURN(werr); - - werr = gp_store_reg_val_sz(mem_ctx, key, "SOM-ID", - gpo->link); - W_ERROR_NOT_OK_RETURN(werr); - - return werr; -} - -/**************************************************************** -****************************************************************/ - -static WERROR scripts_apply(TALLOC_CTX *mem_ctx, - const struct security_token *token, - struct registry_key *root_key, - uint32_t flags, - const char *section, - const struct GROUP_POLICY_OBJECT *gpo, - struct gp_registry_entry *entries, - size_t num_entries) -{ - struct gp_registry_context *reg_ctx = NULL; - WERROR werr; - size_t i; - const char *keystr = NULL; - int count = 0; - - if (num_entries == 0) { - return WERR_OK; - } - -#if 0 - if (flags & GPO_INFO_FLAG_MACHINE) { - struct security_token *tmp_token; - - tmp_token = registry_create_system_token(mem_ctx); - W_ERROR_HAVE_NO_MEMORY(tmp_token); - - werr = gp_init_reg_ctx(mem_ctx, KEY_HKLM, REG_KEY_WRITE, - tmp_token, - ®_ctx); - } else { - werr = gp_init_reg_ctx(mem_ctx, KEY_HKCU, REG_KEY_WRITE, - token, - ®_ctx); - } - W_ERROR_NOT_OK_RETURN(werr); -#endif - - keystr = talloc_asprintf(mem_ctx, "%s\\%s\\%d", KEY_GP_SCRIPTS, - section, count++); - W_ERROR_HAVE_NO_MEMORY(keystr); - - 
reg_deletekey_recursive(root_key, keystr); - - werr = gp_store_reg_subkey(mem_ctx, keystr, - root_key, &root_key); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } - - werr = scripts_store_reg_gpovals(mem_ctx, root_key, gpo); - if (!W_ERROR_IS_OK(werr)) { - goto done; - } - - for (i=0; inext) { - } - - */ - - for (gpo = changed_gpo_list; gpo; gpo = gpo->next) { - - gpext_debug_header(0, "scripts_process_group_policy", flags, - gpo, GP_EXT_GUID_SCRIPTS, NULL); - - status = gpo_get_unix_path(mem_ctx, gpo_cache_path, - gpo, &unix_path); - if (!NT_STATUS_IS_OK(status)) { - goto err_cache_path_free; - } - - status = gp_inifile_init_context(mem_ctx, flags, unix_path, - GP_SCRIPTS_INI, &ini_ctx); - if (!NT_STATUS_IS_OK(status)) { - goto err_cache_path_free; - } - - for (i = 0; i < ARRAY_SIZE(list); i++) { - - TALLOC_FREE(entries); - num_entries = 0; - - status = scripts_parse_ini_section(ini_ctx, flags, list[i], - &entries, &num_entries); - if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) { - continue; - } - - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(ini_ctx); - goto err_cache_path_free; - } - - dump_reg_entries(flags, "READ", entries, num_entries); - - werr = scripts_apply(ini_ctx->mem_ctx, token, root_key, - flags, list[i], gpo, entries, num_entries); - if (!W_ERROR_IS_OK(werr)) { - continue; /* FIXME: finally fix storing emtpy strings and REG_QWORD! 
*/ - } - } - - TALLOC_FREE(ini_ctx); - } - status = NT_STATUS_OK; - -err_cache_path_free: - talloc_free(gpo_cache_path); - return status; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS scripts_initialize(TALLOC_CTX *mem_ctx) -{ - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS scripts_shutdown(void) -{ - NTSTATUS status; - - status = gpext_unregister_gp_extension(GP_EXT_NAME); - if (NT_STATUS_IS_OK(status)) { - return status; - } - - TALLOC_FREE(ctx); - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static struct gp_extension_methods scripts_methods = { - .initialize = scripts_initialize, - .process_group_policy = scripts_process_group_policy, - .get_reg_config = scripts_get_reg_config, - .shutdown = scripts_shutdown -}; - -/**************************************************************** -****************************************************************/ - -NTSTATUS gpext_scripts_init(TALLOC_CTX *mem_ctx) -{ - NTSTATUS status; - - ctx = talloc_init("gpext_scripts_init"); - NT_STATUS_HAVE_NO_MEMORY(ctx); - - status = gpext_register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION, - GP_EXT_NAME, GP_EXT_GUID_SCRIPTS, - &scripts_methods); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(ctx); - } - - return status; -} diff --git a/source3/libgpo/gpext/security.c b/source3/libgpo/gpext/security.c deleted file mode 100644 index b6b7ca08e62..00000000000 --- a/source3/libgpo/gpext/security.c +++ /dev/null 
@@ -1,297 +0,0 @@ -/* - * Unix SMB/CIFS implementation. - * Group Policy Support - * Copyright (C) Guenther Deschner 2005-2008 - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 3 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, see . - */ - -#include "includes.h" -#include "../libgpo/gpo_ini.h" -#include "../libgpo/gpo.h" -#include "libgpo/gpo_proto.h" -#include "libgpo/gpext/gpext.h" - -#define GP_EXT_NAME "security" - -#define GPTTMPL_UNIX_PATH "Microsoft/Windows NT/SecEdit/GptTmpl.inf" - -#define GPTTMPL_SECTION_UNICODE "Unicode" -#define GPTTMPL_SECTION_VERSION "Version" - -#define GPTTMPL_SECTION_REGISTRY_VALUES "Registry Values" -#define GPTTMPL_SECTION_SYSTEM_ACCESS "System Access" -#define GPTTMPL_SECTION_KERBEROS_POLICY "Kerberos Policy" -#define GPTTMPL_SECTION_EVENT_AUDIT "Event Audit" -#define GPTTMPL_SECTION_PRIVILEGE_RIGHTS "Privilege Rights" -#define GPTTMPL_SECTION_APPLICATION_LOG "Application Log" -#define GPTTMPL_SECTION_SECURITY_LOG "Security Log" -#define GPTTMPL_SECTION_SYSTEM_LOG "System Log" -#define GPTTMPL_SECTION_GROUP_MEMBERSHIP "Group Membership" -#define GPTTMPL_SECTION_FILE_SECURITY "File Security" -#define GPTTMPL_SECTION_SERVICE_GENERAL_SETTING "Service General Setting" - -NTSTATUS gpext_security_init(TALLOC_CTX *mem_ctx); - -static TALLOC_CTX *ctx = NULL; - -struct gpttmpl_table { - const char *section; - const char *parameter; - enum winreg_Type type; -}; - 
-/**************************************************************** - parse the Version section from gpttmpl file -****************************************************************/ - -#define GPTTMPL_PARAMETER_REVISION "Revision" -#define GPTTMPL_PARAMETER_SIGNATURE "signature" -#define GPTTMPL_VALUE_CHICAGO "\"$CHICAGO$\"" /* whatever this is good for... */ -#define GPTTMPL_PARAMETER_UNICODE "Unicode" - -static NTSTATUS gpttmpl_parse_header(struct gp_inifile_context *ini_ctx, - uint32_t *version_out) -{ - const char *signature = NULL; - NTSTATUS result; - int version; - bool is_unicode = false; - - if (!ini_ctx) { - return NT_STATUS_INVALID_PARAMETER; - } - - result = gp_inifile_getstring(ini_ctx, GPTTMPL_SECTION_VERSION - ":"GPTTMPL_PARAMETER_SIGNATURE, &signature); - if (!NT_STATUS_IS_OK(result)) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (!strequal(signature, GPTTMPL_VALUE_CHICAGO)) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - result = gp_inifile_getint(ini_ctx, GPTTMPL_SECTION_VERSION - ":"GPTTMPL_PARAMETER_REVISION, &version); - if (!NT_STATUS_IS_OK(result)) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - if (version_out) { - *version_out = version; - } - - result = gp_inifile_getbool(ini_ctx, GPTTMPL_SECTION_UNICODE - ":"GPTTMPL_PARAMETER_UNICODE, &is_unicode); - if (!NT_STATUS_IS_OK(result) || !is_unicode) { - return NT_STATUS_INTERNAL_DB_CORRUPTION; - } - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS gpttmpl_init_context(TALLOC_CTX *mem_ctx, - uint32_t flags, - const char *unix_path, - struct gp_inifile_context **ini_ctx) -{ - NTSTATUS status; - uint32_t version; - struct gp_inifile_context *tmp_ctx = NULL; - - status = gp_inifile_init_context(mem_ctx, flags, unix_path, - GPTTMPL_UNIX_PATH, &tmp_ctx); - NT_STATUS_NOT_OK_RETURN(status); - - status = gpttmpl_parse_header(tmp_ctx, &version); - if 
(!NT_STATUS_IS_OK(status)) { - DEBUG(1,("gpttmpl_init_context: failed: %s\n", - nt_errstr(status))); - TALLOC_FREE(tmp_ctx); - return status; - } - - *ini_ctx = tmp_ctx; - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS gpttmpl_process(struct gp_inifile_context *ini_ctx, - struct registry_key *root_key, - uint32_t flags) -{ - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS security_process_group_policy(TALLOC_CTX *mem_ctx, - uint32_t flags, - struct registry_key *root_key, - const struct security_token *token, - const struct GROUP_POLICY_OBJECT *deleted_gpo_list, - const struct GROUP_POLICY_OBJECT *changed_gpo_list) -{ - NTSTATUS status = NT_STATUS_OK; - char *unix_path = NULL; - struct gp_inifile_context *ini_ctx = NULL; - const struct GROUP_POLICY_OBJECT *gpo; - char *gpo_cache_path = cache_path(GPO_CACHE_DIR); - if (gpo_cache_path == NULL) { - return NT_STATUS_NO_MEMORY; - } - - /* implementation of the policy callback function, see - * http://msdn.microsoft.com/en-us/library/aa373494%28v=vs.85%29.aspx - * for details - gd */ - - /* for now do not process the list of deleted group policies - - for (gpo = deleted_gpo_list; gpo; gpo = gpo->next) { - } - - */ - - for (gpo = changed_gpo_list; gpo; gpo = gpo->next) { - - gpext_debug_header(0, "security_process_group_policy", flags, - gpo, GP_EXT_GUID_SECURITY, NULL); - - /* this handler processes the gpttmpl files and merge output to the - * registry */ - - status = gpo_get_unix_path(mem_ctx, gpo_cache_path, - gpo, &unix_path); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - status = gpttmpl_init_context(mem_ctx, flags, unix_path, - &ini_ctx); - if (!NT_STATUS_IS_OK(status)) { - goto out; - } - - status = gpttmpl_process(ini_ctx, root_key, flags); - if 
(!NT_STATUS_IS_OK(status)) { - goto out; - } - - TALLOC_FREE(ini_ctx); - } - - out: - if (!NT_STATUS_IS_OK(status)) { - DEBUG(0,("security_process_group_policy: %s\n", - nt_errstr(status))); - } - TALLOC_FREE(ini_ctx); - talloc_free(gpo_cache_path); - - return status; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS security_get_reg_config(TALLOC_CTX *mem_ctx, - struct gp_extension_reg_info **reg_info) -{ - NTSTATUS status; - struct gp_extension_reg_info *info = NULL; - - struct gp_extension_reg_table table[] = { - /* FIXME: how can we store the "(Default)" value ??? */ - /* { "", REG_SZ, "Security" }, */ - { "ProcessGroupPolicy", REG_SZ, "security_process_group_policy" }, - { "NoUserPolicy", REG_DWORD, "1" }, - { "ExtensionDebugLevel", REG_DWORD, "1" }, - { NULL, REG_NONE, NULL } - }; - - info = talloc_zero(mem_ctx, struct gp_extension_reg_info); - NT_STATUS_HAVE_NO_MEMORY(info); - - status = gpext_info_add_entry(mem_ctx, GP_EXT_NAME, - GP_EXT_GUID_SECURITY, - table, info); - NT_STATUS_NOT_OK_RETURN(status); - - *reg_info = info; - - return NT_STATUS_OK; -} - - -/**************************************************************** -****************************************************************/ - -static NTSTATUS security_initialize(TALLOC_CTX *mem_ctx) -{ - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static NTSTATUS security_shutdown(void) -{ - NTSTATUS status; - - status = gpext_unregister_gp_extension(GP_EXT_NAME); - if (NT_STATUS_IS_OK(status)) { - return status; - } - - TALLOC_FREE(ctx); - - return NT_STATUS_OK; -} - -/**************************************************************** -****************************************************************/ - -static struct gp_extension_methods security_methods = { - .initialize = 
security_initialize, - .process_group_policy = security_process_group_policy, - .get_reg_config = security_get_reg_config, - .shutdown = security_shutdown -}; - -/**************************************************************** -****************************************************************/ - -NTSTATUS gpext_security_init(TALLOC_CTX *mem_ctx) -{ - NTSTATUS status; - - ctx = talloc_init("gpext_security_init"); - NT_STATUS_HAVE_NO_MEMORY(ctx); - - status = gpext_register_gp_extension(ctx, SMB_GPEXT_INTERFACE_VERSION, - GP_EXT_NAME, GP_EXT_GUID_SECURITY, - &security_methods); - if (!NT_STATUS_IS_OK(status)) { - TALLOC_FREE(ctx); - } - - return status; -} diff --git a/source3/libgpo/gpext/wscript_build b/source3/libgpo/gpext/wscript_build deleted file mode 100644 index 365b4203f91..00000000000 --- a/source3/libgpo/gpext/wscript_build +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env python - -bld.SAMBA3_MODULE('gpext_registry', - subsystem='gpext', - source='registry.c', - deps='NDR_PREG', - init_function='', - internal_module=bld.SAMBA3_IS_STATIC_MODULE('gpext_registry'), - enabled=bld.SAMBA3_IS_ENABLED_MODULE('gpext_registry')) - -bld.SAMBA3_MODULE('gpext_scripts', - subsystem='gpext', - source='scripts.c', - init_function='', - internal_module=bld.SAMBA3_IS_STATIC_MODULE('gpext_scripts'), - enabled=bld.SAMBA3_IS_ENABLED_MODULE('gpext_scripts')) - -bld.SAMBA3_MODULE('gpext_security', - subsystem='gpext', - source='security.c', - init_function='', - internal_module=bld.SAMBA3_IS_STATIC_MODULE('gpext_security'), - enabled=bld.SAMBA3_IS_ENABLED_MODULE('gpext_security')) diff --git a/source3/utils/net_ads_gpo.c b/source3/utils/net_ads_gpo.c index f2f65c8790e..b56b44252c7 100644 --- a/source3/utils/net_ads_gpo.c +++ b/source3/utils/net_ads_gpo.c 
@@ -369,92 +369,6 @@ static int net_ads_gpo_list(struct net_context *c, int argc, const char **argv) return 0; } -static int net_ads_gpo_apply(struct net_context *c, int argc, const char **argv) -{ - TALLOC_CTX *mem_ctx; - ADS_STRUCT *ads; - ADS_STATUS status; - const char *dn = NULL; - struct GROUP_POLICY_OBJECT *gpo_list; - uint32_t uac = 0; - uint32_t flags = 0; - struct security_token *token = NULL; - const char *filter = NULL; - - if (argc < 1 || c->display_usage) { - d_printf("Usage:\n" - "net ads gpo apply \n" - " Apply GPOs for machine/user\n" - " username\tUsername to apply GPOs for\n" - " machinename\tMachine to apply GPOs for\n"); - return -1; - } - - mem_ctx = talloc_init("net_ads_gpo_apply"); - if (mem_ctx == NULL) { - goto out; - } - - if (argc >= 2) { - filter = cse_gpo_name_to_guid_string(argv[1]); - } - - status = ads_startup(c, false, &ads); - /* filter = cse_gpo_name_to_guid_string("Security"); */ - - if (!ADS_ERR_OK(status)) { - d_printf("got: %s\n", ads_errstr(status)); - goto out; - } - - status = ads_find_samaccount(ads, mem_ctx, argv[0], &uac, &dn); - if (!ADS_ERR_OK(status)) { - d_printf("failed to find samaccount for %s: %s\n", - argv[0], ads_errstr(status)); - goto out; - } - - if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { - flags |= GPO_LIST_FLAG_MACHINE; - } - - if (c->opt_verbose) { - flags |= GPO_INFO_FLAG_VERBOSE; - } - - d_printf("%s: '%s' has dn: '%s'\n", - (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? 
"machine" : "user", - argv[0], dn); - - if (uac & UF_WORKSTATION_TRUST_ACCOUNT) { - status = gp_get_machine_token(ads, mem_ctx, dn, &token); - } else { - status = ads_get_sid_token(ads, mem_ctx, dn, &token); - } - - if (!ADS_ERR_OK(status)) { - goto out; - } - - status = ads_get_gpo_list(ads, mem_ctx, dn, flags, token, &gpo_list); - if (!ADS_ERR_OK(status)) { - goto out; - } - - status = ADS_ERROR_NT(gpo_process_gpo_list(mem_ctx, token, NULL, gpo_list, - filter, flags)); - if (!ADS_ERR_OK(status)) { - d_printf("failed to process gpo list: %s\n", - ads_errstr(status)); - goto out; - } - -out: - ads_destroy(&ads); - talloc_destroy(mem_ctx); - return 0; -} - static int net_ads_gpo_link_get(struct net_context *c, int argc, const char **argv) { ADS_STRUCT *ads; @@ -635,14 +549,6 @@ static int net_ads_gpo_get_gpo(struct net_context *c, int argc, const char **arg int net_ads_gpo(struct net_context *c, int argc, const char **argv) { struct functable func[] = { - { - "apply", - net_ads_gpo_apply, - NET_TRANSPORT_ADS, - "Apply GPO to container", - "net ads gpo apply\n" - " Apply GPO to container" - }, { "getgpo", net_ads_gpo_get_gpo, diff --git a/source3/wscript_build b/source3/wscript_build index 03d5724ee11..3dcf438b70a 100644 --- a/source3/wscript_build +++ b/source3/wscript_build @@ -1328,7 +1328,6 @@ bld.SAMBA3_BINARY('spotlight2sparql', ########################## INCLUDES ################################# bld.RECURSE('auth') -bld.RECURSE('libgpo/gpext') bld.RECURSE('librpc') bld.RECURSE('librpc/idl') bld.RECURSE('libsmb')
