[SCM] Samba Shared Repository - branch master updated

Günther Deschner gd at samba.org
Sat Sep 23 03:26:02 UTC 2017


The branch, master has been updated
       via  5f2576a lib: gpo: Put enforced GPOs at the end of the list.
       via  69410c0 lib: gpo: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE.
       via  6a53177 lib: gpo: Changes order to match GPO application order.
      from  c40531d ldb: Release ldb 1.3.0

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5f2576a9af4f3c33121ad2b27a621b5f3bb34374
Author: Lutz Justen <ljusten at google.com>
Date:   Thu Sep 21 10:32:05 2017 -0700

    lib: gpo: Put enforced GPOs at the end of the list.
    
    Enforced GPOs should be applied on top of all non-enforced GPOs,
    so that they override policies set in non-enforced GPOs.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13046
    
    Signed-off-by: Lutz Justen <ljusten at google.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>
    
    Autobuild-User(master): Günther Deschner <gd at samba.org>
    Autobuild-Date(master): Sat Sep 23 05:25:19 CEST 2017 on sn-devel-144

commit 69410c0a02f7b4d7d20eadf4b4fda8ea064e4a0e
Author: Lutz Justen <ljusten at google.com>
Date:   Thu Sep 21 10:11:15 2017 -0700

    lib: gpo: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE.
    
    GP links with the GPOPTIONS_BLOCK_INHERITANCE option set
    were blocking GPOs from the same link (i.e. an OU with
    the flag set would block its own GPOs). This patch makes
    sure the GPOs from the link are added to the list.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13046
    
    Signed-off-by: Lutz Justen <ljusten at google.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

commit 6a531773b841f6b713226d1166a1e7d4dbc9b282
Author: Lutz Justen <ljusten at google.com>
Date:   Thu Sep 21 10:01:58 2017 -0700

    lib: gpo: Changes order to match GPO application order.
    
    The order of GPOs in a gpo_list generated by ads_get_gpo_list
    did not match the order of application. Since GPOs are pushed
    to the FRONT of gpo_list, GPOs have to be pushed in the opposite
    order of application. (Pushing to front is useful to get
    inheritance blocking right).
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=13046
    
    Signed-off-by: Lutz Justen <ljusten at google.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Guenther Deschner <gd at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 libgpo/gpo_ldap.c | 221 +++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 142 insertions(+), 79 deletions(-)


Changeset truncated at 500 lines:

diff --git a/libgpo/gpo_ldap.c b/libgpo/gpo_ldap.c
index 4533d61..fec0005 100644
--- a/libgpo/gpo_ldap.c
+++ b/libgpo/gpo_ldap.c
@@ -554,6 +554,7 @@ ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
 static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 					 TALLOC_CTX *mem_ctx,
 					 struct GROUP_POLICY_OBJECT **gpo_list,
+					 struct GROUP_POLICY_OBJECT **forced_gpo_list,
 					 const char *link_dn,
 					 struct GP_LINK *gp_link,
 					 enum GPO_LINK_TYPE link_type,
@@ -561,11 +562,20 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 					 const struct security_token *token)
 {
 	ADS_STATUS status;
-	int i;
-
-	for (i = 0; i < gp_link->num_links; i++) {
-
+	uint32_t count;
+
+	/*
+	 * Note: DLIST_ADD pushes to the front,
+	 * so loop from last to first to get the
+	 * order right.
+	 */
+	for (count = gp_link->num_links; count > 0; count--) {
+		/* NB. Index into arrays is one less than counter. */
+		uint32_t i = count - 1;
+		struct GROUP_POLICY_OBJECT **target_list = NULL;
 		struct GROUP_POLICY_OBJECT *new_gpo = NULL;
+		bool is_forced =
+			(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) != 0;
 
 		if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
 			DEBUG(10,("skipping disabled GPO\n"));
@@ -574,7 +584,7 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 
 		if (only_add_forced_gpos) {
 
-			if (!(gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
+			if (!is_forced) {
 				DEBUG(10,("skipping nonenforced GPO link "
 					"because GPOPTIONS_BLOCK_INHERITANCE "
 					"has been set\n"));
@@ -617,7 +627,8 @@ static ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
 		new_gpo->link = link_dn;
 		new_gpo->link_type = link_type;
 
-		DLIST_ADD(*gpo_list, new_gpo);
+		target_list = is_forced ? forced_gpo_list : gpo_list;
+		DLIST_ADD(*target_list, new_gpo);
 
 		DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s "
 			"to GPO list\n", i, gp_link->link_names[i]));
@@ -716,17 +727,28 @@ static ADS_STATUS add_local_policy_to_gpo_list(TALLOC_CTX *mem_ctx,
 }
 
 /****************************************************************
- get the full list of GROUP_POLICY_OBJECTs for a given dn
+ Get the full list of GROUP_POLICY_OBJECTs for a given dn.
 ****************************************************************/
 
-ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
+static ADS_STATUS ads_get_gpo_list_internal(ADS_STRUCT *ads,
 			    TALLOC_CTX *mem_ctx,
 			    const char *dn,
 			    uint32_t flags,
 			    const struct security_token *token,
-			    struct GROUP_POLICY_OBJECT **gpo_list)
+			    struct GROUP_POLICY_OBJECT **gpo_list,
+			    struct GROUP_POLICY_OBJECT **forced_gpo_list)
 {
-	/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
+	/*
+	 * Push GPOs to gpo_list so that the traversal order of the list matches
+	 * the order of application:
+	 * (L)ocal (S)ite (D)omain (O)rganizational(U)nit
+	 * For different domains and OUs: parent-to-child.
+	 * Within same level of domains and OUs: Link order.
+	 * Since GPOs are pushed to the front of gpo_list, GPOs have to be
+	 * pushed in the opposite order of application (OUs first, local last,
+	 * child-to-parent).
+	 * Forced GPOs are appended in the end since they override all others.
+	 */
 
 	ADS_STATUS status;
 	struct GP_LINK gp_link;
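Review bot: The new header comment describes the traversal order of `gpo_list` but says nothing about the relative order inside `forced_gpo_list`, which is filled through the same front-pushing DLIST_ADD in add_gplink_to_gpo_list and so appears to end up site, domain, parent OU, child OU as well, meaning a child-OU enforced link is traversed after a domain enforced link. If enforced links from higher levels are meant to take precedence over those from lower levels, the forced list would need the opposite order; either way the intended order should be stated in this comment, e.g. `* Enforced GPOs are collected in forced_gpo_list in the same order and appended after gpo_list by the caller.` This hunk only shows the signature and opening comment; the body of ads_get_gpo_list_internal continues in the following hunks.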
@@ -734,6 +756,7 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
 	bool add_only_forced_gpos = false;
 
 	ZERO_STRUCTP(gpo_list);
+	ZERO_STRUCTP(forced_gpo_list);
 
 	if (!dn) {
 		return ADS_ERROR_NT(NT_STATUS_INVALID_PARAMETER);
@@ -745,52 +768,54 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
 
 	DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
 
-	/* (L)ocal */
-	status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
-					      GP_LINK_LOCAL);
-	if (!ADS_ERR_OK(status)) {
-		return status;
-	}
+	tmp_dn = dn;
 
-	/* (S)ite */
+	while ((parent_dn = ads_parent_dn(tmp_dn)) &&
+	       (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
 
-	/* are site GPOs valid for users as well ??? */
-	if (flags & GPO_LIST_FLAG_MACHINE) {
 
-		status = ads_site_dn_for_machine(ads, mem_ctx,
-						 ads->config.ldap_server_name,
-						 &site_dn);
-		if (!ADS_ERR_OK(status)) {
-			return status;
-		}
+		/* (O)rganizational(U)nit */
 
-		DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
-			site_dn));
+		/* An account can be a member of more OUs */
+		if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
 
-		status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
-		if (ADS_ERR_OK(status)) {
+			DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
+				parent_dn));
 
-			if (DEBUGLEVEL >= 100) {
-				dump_gplink(&gp_link);
-			}
+			status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
+						  &gp_link);
+			if (ADS_ERR_OK(status)) {
 
-			status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list,
-							site_dn, &gp_link,
-							GP_LINK_SITE,
+				if (DEBUGLEVEL >= 100) {
+					dump_gplink(&gp_link);
+				}
+
+				status = add_gplink_to_gpo_list(ads,
+							mem_ctx,
+							gpo_list,
+							forced_gpo_list,
+							parent_dn,
+							&gp_link,
+							GP_LINK_OU,
 							add_only_forced_gpos,
 							token);
-			if (!ADS_ERR_OK(status)) {
-				return status;
-			}
+				if (!ADS_ERR_OK(status)) {
+					return status;
+				}
 
-			if (flags & GPO_LIST_FLAG_SITEONLY) {
-				return ADS_ERROR(LDAP_SUCCESS);
+				/* block inheritance from now on */
+				if (gp_link.gp_opts &
+				    GPOPTIONS_BLOCK_INHERITANCE) {
+					add_only_forced_gpos = true;
+				}
 			}
-
-			/* inheritance can't be blocked at the site level */
 		}
+
+		tmp_dn = parent_dn;
+
 	}
 
+	/* reset dn again */
 	tmp_dn = dn;
 
 	while ((parent_dn = ads_parent_dn(tmp_dn)) &&
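Review bot: The OU detection `strncmp(parent_dn, "OU=", strlen("OU=")) == 0` in the moved loop compares the attribute type case-sensitively, while LDAP attribute types are case-insensitive and the surrounding code compares DNs with strequal(). If a DN ever arrives as `ou=...`, that OU's links, including a GPOPTIONS_BLOCK_INHERITANCE setting, would be silently skipped, so `strncasecmp(parent_dn, "OU=", 3) == 0` would be the safer match. This is moved rather than new code and may be fine if the DN is always in server-canonical form; worth confirming. The enclosing function starts and ends outside this hunk.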
@@ -812,15 +837,10 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
 					dump_gplink(&gp_link);
 				}
 
-				/* block inheritance from now on */
-				if (gp_link.gp_opts &
-				    GPOPTIONS_BLOCK_INHERITANCE) {
-					add_only_forced_gpos = true;
-				}
-
 				status = add_gplink_to_gpo_list(ads,
 							mem_ctx,
 							gpo_list,
+							forced_gpo_list,
 							parent_dn,
 							&gp_link,
 							GP_LINK_DOMAIN,
@@ -829,58 +849,101 @@ ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
 				if (!ADS_ERR_OK(status)) {
 					return status;
 				}
+
+				/* block inheritance from now on */
+				if (gp_link.gp_opts &
+				    GPOPTIONS_BLOCK_INHERITANCE) {
+					add_only_forced_gpos = true;
+				}
 			}
 		}
 
 		tmp_dn = parent_dn;
 	}
 
-	/* reset dn again */
-	tmp_dn = dn;
-
-	while ((parent_dn = ads_parent_dn(tmp_dn)) &&
-	       (!strequal(parent_dn, ads_parent_dn(ads->config.bind_path)))) {
-
-
-		/* (O)rganizational(U)nit */
+	/* (S)ite */
 
-		/* An account can be a member of more OUs */
-		if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
+	/* are site GPOs valid for users as well ??? */
+	if (flags & GPO_LIST_FLAG_MACHINE) {
 
-			DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n",
-				parent_dn));
+		status = ads_site_dn_for_machine(ads, mem_ctx,
+						 ads->config.ldap_server_name,
+						 &site_dn);
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
 
-			status = ads_get_gpo_link(ads, mem_ctx, parent_dn,
-						  &gp_link);
-			if (ADS_ERR_OK(status)) {
+		DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n",
+			site_dn));
 
-				if (DEBUGLEVEL >= 100) {
-					dump_gplink(&gp_link);
-				}
+		status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
+		if (ADS_ERR_OK(status)) {
 
-				/* block inheritance from now on */
-				if (gp_link.gp_opts &
-				    GPOPTIONS_BLOCK_INHERITANCE) {
-					add_only_forced_gpos = true;
-				}
+			if (DEBUGLEVEL >= 100) {
+				dump_gplink(&gp_link);
+			}
 
-				status = add_gplink_to_gpo_list(ads,
+			status = add_gplink_to_gpo_list(ads,
 							mem_ctx,
 							gpo_list,
-							parent_dn,
+							forced_gpo_list,
+							site_dn,
 							&gp_link,
-							GP_LINK_OU,
+							GP_LINK_SITE,
 							add_only_forced_gpos,
 							token);
-				if (!ADS_ERR_OK(status)) {
-					return status;
-				}
+			if (!ADS_ERR_OK(status)) {
+				return status;
+			}
+
+			if (flags & GPO_LIST_FLAG_SITEONLY) {
+				return ADS_ERROR(LDAP_SUCCESS);
 			}
+
+			/* inheritance can't be blocked at the site level */
 		}
+	}
 
-		tmp_dn = parent_dn;
+	/* (L)ocal */
+	status = add_local_policy_to_gpo_list(mem_ctx, gpo_list,
+					      GP_LINK_LOCAL);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+/****************************************************************
+ Get the full list of GROUP_POLICY_OBJECTs for a given dn, wrapper
+ around ads_get_gpo_list_internal() that ensures correct ordering.
+****************************************************************/
+
+ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
+			    TALLOC_CTX *mem_ctx,
+			    const char *dn,
+			    uint32_t flags,
+			    const struct security_token *token,
+			    struct GROUP_POLICY_OBJECT **gpo_list)
+{
+	struct GROUP_POLICY_OBJECT *forced_gpo_list = NULL;
+	ADS_STATUS status;
 
-	};
+	status = ads_get_gpo_list_internal(ads,
+					   mem_ctx,
+					   dn,
+					   flags,
+					   token,
+					   gpo_list,
+					   &forced_gpo_list);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+	/*
+	 * Append |forced_gpo_list| at the end of |gpo_list|,
+	 * so that forced GPOs are applied on top of non enforced GPOs.
+	 */
+	DLIST_CONCATENATE(*gpo_list, forced_gpo_list);
 
 	return ADS_ERROR(LDAP_SUCCESS);
 }
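Review bot: The `GPO_LIST_FLAG_SITEONLY` early return now sits after the OU and domain loops, so a SITEONLY caller gets the OU and domain GPOs already pushed to `gpo_list` and `forced_gpo_list`, and no longer gets the local policy, which in the old order was added before the site was queried (old result: local + site only). Unless callers are meant to accept that, the flag should be honoured before the OU traversal, for example by wrapping the OU and domain loops in `if (!(flags & GPO_LIST_FLAG_SITEONLY)) { ... }` and letting the site block fall through to the local-policy step instead of returning. The wrapper's DLIST_CONCATENATE is unaffected because the early return reports LDAP_SUCCESS. ads_get_gpo_list_internal begins in an earlier hunk.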


-- 
Samba Shared Repository


