source: trunk/server/source4/lib/policy/gp_manage.c

Last change on this file was 745, checked in by Silvan Scherrer, 13 years ago

Samba Server: updated trunk to 3.6.0
File size: 9.6 KB
Line 
1/*
2 * Unix SMB/CIFS implementation.
3 * Group Policy Object Support
4 * Copyright (C) Wilco Baan Hofman 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19#include "includes.h"
20#include "../libcli/security/dom_sid.h"
21#include "../libcli/security/security_descriptor.h"
22#include "../librpc/ndr/libndr.h"
23#include "../lib/util/charset/charset.h"
24#include "param/param.h"
25#include "lib/policy/policy.h"
26
27static uint32_t gp_ads_to_dir_access_mask(uint32_t access_mask)
28{
29 uint32_t fs_mask;
30
31 /* Copy the standard access mask */
32 fs_mask = access_mask & 0x001F0000;
33
34 /* When READ_PROP and LIST_CONTENTS are set, read access is granted on the GPT */
35 if (access_mask & SEC_ADS_READ_PROP && access_mask & SEC_ADS_LIST) {
36 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_LIST | SEC_DIR_READ_ATTRIBUTE |
37 SEC_DIR_READ_EA | SEC_DIR_TRAVERSE;
38 }
39
40 /* When WRITE_PROP is set, full write access is granted on the GPT */
41 if (access_mask & SEC_ADS_WRITE_PROP) {
42 fs_mask |= SEC_STD_SYNCHRONIZE | SEC_DIR_WRITE_ATTRIBUTE |
43 SEC_DIR_WRITE_EA | SEC_DIR_ADD_FILE |
44 SEC_DIR_ADD_SUBDIR;
45 }
46
47 /* Map CREATE_CHILD to add file and add subdir */
48 if (access_mask & SEC_ADS_CREATE_CHILD)
49 fs_mask |= SEC_DIR_ADD_FILE | SEC_DIR_ADD_SUBDIR;
50
51 /* Map ADS delete child to dir delete child */
52 if (access_mask & SEC_ADS_DELETE_CHILD)
53 fs_mask |= SEC_DIR_DELETE_CHILD;
54
55 return fs_mask;
56}
57
58NTSTATUS gp_create_gpt_security_descriptor (TALLOC_CTX *mem_ctx, struct security_descriptor *ds_sd, struct security_descriptor **ret)
59{
60 struct security_descriptor *fs_sd;
61 NTSTATUS status;
62 uint32_t i;
63
64 /* Allocate the file system security descriptor */
65 fs_sd = talloc(mem_ctx, struct security_descriptor);
66 NT_STATUS_HAVE_NO_MEMORY(fs_sd);
67
68 /* Copy the basic information from the directory server security descriptor */
69 fs_sd->owner_sid = talloc_memdup(fs_sd, ds_sd->owner_sid, sizeof(struct dom_sid));
70 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->owner_sid, fs_sd);
71
72 fs_sd->group_sid = talloc_memdup(fs_sd, ds_sd->group_sid, sizeof(struct dom_sid));
73 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->group_sid, fs_sd);
74
75 fs_sd->type = ds_sd->type;
76 fs_sd->revision = ds_sd->revision;
77
78 /* Copy the sacl */
79 fs_sd->sacl = security_acl_dup(fs_sd, ds_sd->sacl);
80 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->sacl, fs_sd);
81
82 /* Copy the dacl */
83 fs_sd->dacl = talloc_zero(fs_sd, struct security_acl);
84 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(fs_sd->dacl, fs_sd);
85
86 for (i = 0; i < ds_sd->dacl->num_aces; i++) {
87 char *trustee = dom_sid_string(fs_sd, &ds_sd->dacl->aces[i].trustee);
88 struct security_ace *ace;
89
90 /* Don't add the allow for SID_BUILTIN_PREW2K */
91 if (!(ds_sd->dacl->aces[i].type & SEC_ACE_TYPE_ACCESS_ALLOWED_OBJECT) &&
92 strcmp(trustee, SID_BUILTIN_PREW2K) == 0) {
93 talloc_free(trustee);
94 continue;
95 }
96
97 /* Copy the ace from the directory server security descriptor */
98 ace = talloc_memdup(fs_sd, &ds_sd->dacl->aces[i], sizeof(struct security_ace));
99 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(ace, fs_sd);
100
101 /* Set specific inheritance flags for within the GPO */
102 ace->flags |= SEC_ACE_FLAG_OBJECT_INHERIT | SEC_ACE_FLAG_CONTAINER_INHERIT;
103 if (strcmp(trustee, SID_CREATOR_OWNER) == 0) {
104 ace->flags |= SEC_ACE_FLAG_INHERIT_ONLY;
105 }
106
107 /* Get a directory access mask from the assigned access mask on the LDAP object */
108 ace->access_mask = gp_ads_to_dir_access_mask(ace->access_mask);
109
110 /* Add the ace to the security descriptor DACL */
111 status = security_descriptor_dacl_add(fs_sd, ace);
112 if (!NT_STATUS_IS_OK(status)) {
113 DEBUG(0, ("Failed to add a dacl to file system security descriptor\n"));
114 return status;
115 }
116
117 /* Clean up the allocated data in this iteration */
118 talloc_free(trustee);
119 }
120
121 *ret = fs_sd;
122 return NT_STATUS_OK;
123}
124
125
126NTSTATUS gp_create_gpo (struct gp_context *gp_ctx, const char *display_name, struct gp_object **ret)
127{
128 struct GUID guid_struct;
129 char *guid_str;
130 char *name;
131 struct security_descriptor *sd;
132 TALLOC_CTX *mem_ctx;
133 struct gp_object *gpo;
134 NTSTATUS status;
135
136 /* Create a forked memory context, as a base for everything here */
137 mem_ctx = talloc_new(gp_ctx);
138 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
139
140 /* Create the gpo struct to return later */
141 gpo = talloc(gp_ctx, struct gp_object);
142 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo, mem_ctx);
143
144 /* Generate a GUID */
145 guid_struct = GUID_random();
146 guid_str = GUID_string2(mem_ctx, &guid_struct);
147 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(guid_str, mem_ctx);
148 name = strupper_talloc(mem_ctx, guid_str);
149 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(name, mem_ctx);
150
151 /* Prepare the GPO struct */
152 gpo->dn = NULL;
153 gpo->name = name;
154 gpo->flags = 0;
155 gpo->version = 0;
156 gpo->display_name = talloc_strdup(gpo, display_name);
157 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->display_name, mem_ctx);
158
159 gpo->file_sys_path = talloc_asprintf(gpo, "\\\\%s\\sysvol\\%s\\Policies\\%s", lpcfg_dnsdomain(gp_ctx->lp_ctx), lpcfg_dnsdomain(gp_ctx->lp_ctx), name);
160 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(gpo->file_sys_path, mem_ctx);
161
162 /* Create the GPT */
163 status = gp_create_gpt(gp_ctx, name, gpo->file_sys_path);
164 if (!NT_STATUS_IS_OK(status)) {
165 DEBUG(0, ("Failed to create GPT\n"));
166 talloc_free(mem_ctx);
167 return status;
168 }
169
170
171 /* Create the LDAP GPO, including CN=User and CN=Machine */
172 status = gp_create_ldap_gpo(gp_ctx, gpo);
173 if (!NT_STATUS_IS_OK(status)) {
174 DEBUG(0, ("Failed to create LDAP group policy object\n"));
175 talloc_free(mem_ctx);
176 return status;
177 }
178
179 /* Get the new security descriptor */
180 status = gp_get_gpo_info(gp_ctx, gpo->dn, &gpo);
181 if (!NT_STATUS_IS_OK(status)) {
182 DEBUG(0, ("Failed to fetch LDAP group policy object\n"));
183 talloc_free(mem_ctx);
184 return status;
185 }
186
187 /* Create matching file and DS security descriptors */
188 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &sd);
189 if (!NT_STATUS_IS_OK(status)) {
190 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
191 talloc_free(mem_ctx);
192 return status;
193 }
194
195 /* Set the security descriptor on the filesystem for this GPO */
196 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, sd);
197 if (!NT_STATUS_IS_OK(status)) {
198 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
199 talloc_free(mem_ctx);
200 return status;
201 }
202
203 talloc_free(mem_ctx);
204
205 *ret = gpo;
206 return NT_STATUS_OK;
207}
208
209NTSTATUS gp_set_acl (struct gp_context *gp_ctx, const char *dn_str, const struct security_descriptor *sd)
210{
211 TALLOC_CTX *mem_ctx;
212 struct security_descriptor *fs_sd;
213 struct gp_object *gpo;
214 NTSTATUS status;
215
216 /* Create a forked memory context, as a base for everything here */
217 mem_ctx = talloc_new(gp_ctx);
218 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
219
220 /* Set the ACL on LDAP database */
221 status = gp_set_ads_acl(gp_ctx, dn_str, sd);
222 if (!NT_STATUS_IS_OK(status)) {
223 DEBUG(0, ("Failed to set ACL on ADS\n"));
224 talloc_free(mem_ctx);
225 return status;
226 }
227
228 /* Get the group policy object information, for filesystem location and merged sd */
229 status = gp_get_gpo_info(gp_ctx, dn_str, &gpo);
230 if (!NT_STATUS_IS_OK(status)) {
231 DEBUG(0, ("Failed to set ACL on ADS\n"));
232 talloc_free(mem_ctx);
233 return status;
234 }
235
236 /* Create matching file and DS security descriptors */
237 status = gp_create_gpt_security_descriptor(mem_ctx, gpo->security_descriptor, &fs_sd);
238 if (!NT_STATUS_IS_OK(status)) {
239 DEBUG(0, ("Failed to convert ADS security descriptor to filesystem security descriptor\n"));
240 talloc_free(mem_ctx);
241 return status;
242 }
243
244 /* Set the security descriptor on the filesystem for this GPO */
245 status = gp_set_gpt_security_descriptor(gp_ctx, gpo, fs_sd);
246 if (!NT_STATUS_IS_OK(status)) {
247 DEBUG(0, ("Failed to set security descriptor (ACL) on the file system\n"));
248 talloc_free(mem_ctx);
249 return status;
250 }
251
252 talloc_free(mem_ctx);
253 return NT_STATUS_OK;
254}
255
256NTSTATUS gp_push_gpo (struct gp_context *gp_ctx, const char *local_path, struct gp_object *gpo)
257{
258 NTSTATUS status;
259 TALLOC_CTX *mem_ctx;
260 struct gp_ini_context *ini;
261 char *filename;
262
263 mem_ctx = talloc_new(gp_ctx);
264 NT_STATUS_HAVE_NO_MEMORY(mem_ctx);
265
266 /* Get version from ini file */
267 /* FIXME: The local file system may be case sensitive */
268 filename = talloc_asprintf(mem_ctx, "%s/%s", local_path, "GPT.INI");
269 NT_STATUS_HAVE_NO_MEMORY_AND_FREE(filename, mem_ctx);
270 status = gp_parse_ini(mem_ctx, gp_ctx, local_path, &ini);
271 if (!NT_STATUS_IS_OK(status)) {
272 DEBUG(0, ("Failed to parse GPT.INI.\n"));
273 talloc_free(mem_ctx);
274 return status;
275 }
276
277 /* Push the GPT to the remote sysvol */
278 status = gp_push_gpt(gp_ctx, local_path, gpo->file_sys_path);
279 if (!NT_STATUS_IS_OK(status)) {
280 DEBUG(0, ("Failed to push GPT to DC's sysvol share.\n"));
281 talloc_free(mem_ctx);
282 return status;
283 }
284
285 /* Write version to LDAP */
286 status = gp_set_ldap_gpo(gp_ctx, gpo);
287 if (!NT_STATUS_IS_OK(status)) {
288 DEBUG(0, ("Failed to set GPO options in DC's LDAP.\n"));
289 talloc_free(mem_ctx);
290 return status;
291 }
292
293 talloc_free(mem_ctx);
294 return NT_STATUS_OK;
295}
Note: See TracBrowser for help on using the repository browser.