Samba: utils/net_ads_gpo.c ソースファイル

00001 /* 
00002    Samba Unix/Linux SMB client library 
00003    net ads commands for Group Policy
00004    Copyright (C) 2005 Guenther Deschner (gd@samba.org)
00005 
00006    This program is free software; you can redistribute it and/or modify
00007    it under the terms of the GNU General Public License as published by
00008    the Free Software Foundation; either version 2 of the License, or
00009    (at your option) any later version.
00010    
00011    This program is distributed in the hope that it will be useful,
00012    but WITHOUT ANY WARRANTY; without even the implied warranty of
00013    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
00014    GNU General Public License for more details.
00015    
00016    You should have received a copy of the GNU General Public License
00017    along with this program; if not, write to the Free Software
00018    Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.  
00019 */
00020 
00021 #include "includes.h"
00022 #include "utils/net.h"
00023 
00024 #ifdef HAVE_ADS
00025 
00026 static int net_ads_gpo_usage(int argc, const char **argv)
00027 {
00028         d_printf(
00029                 "net ads gpo <COMMAND>\n"\
00030 "<COMMAND> can be either:\n"\
00031 "  ADDLINK      Link a container to a GPO\n"\
00032 /* "  APPLY        Apply all GPOs\n"\ */
00033 /* "  DELETELINK   Delete a gPLink from a container\n"\ */
00034 "  REFRESH      Lists all GPOs assigned to an account and downloads them\n"\
00035 "  GETGPO       Lists specified GPO\n"\
00036 "  GETLINK      Lists gPLink of a containter\n"\
00037 "  HELP         Prints this help message\n"\
00038 "  LIST         Lists all GPOs\n"\
00039 "\n"
00040                 );
00041         return -1;
00042 }
00043 
00044 static int net_ads_gpo_refresh(int argc, const char **argv)
00045 {
00046         TALLOC_CTX *mem_ctx;
00047         ADS_STRUCT *ads;
00048         ADS_STATUS status;
00049         const char *attrs[] = { "userAccountControl", NULL };
00050         LDAPMessage *res = NULL;
00051         const char *filter;
00052         char *dn = NULL;
00053         struct GROUP_POLICY_OBJECT *gpo_list;
00054         uint32 uac = 0;
00055         uint32 flags = 0;
00056         struct GROUP_POLICY_OBJECT *gpo;
00057         NTSTATUS result;
00058         
00059         if (argc < 1) {
00060                 printf("usage: net ads gpo refresh <username|machinename>\n");
00061                 return -1;
00062         }
00063 
00064         mem_ctx = talloc_init("net_ads_gpo_refresh");
00065         if (mem_ctx == NULL) {
00066                 return -1;
00067         }
00068 
00069         filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
00070         if (filter == NULL) {
00071                 goto out;
00072         }
00073 
00074         status = ads_startup(False, &ads);
00075         if (!ADS_ERR_OK(status)) {
00076                 goto out;
00077         }
00078 
00079         status = ads_do_search_all(ads, ads->config.bind_path,
00080                                    LDAP_SCOPE_SUBTREE,
00081                                    filter, attrs, &res);
00082         
00083         if (!ADS_ERR_OK(status)) {
00084                 goto out;
00085         }
00086 
00087         if (ads_count_replies(ads, res) != 1) {
00088                 printf("no result\n");
00089                 goto out;
00090         }
00091 
00092         dn = ads_get_dn(ads, res);
00093         if (dn == NULL) {
00094                 goto out;
00095         }
00096 
00097         if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
00098                 goto out;
00099         }
00100 
00101         if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
00102                 flags |= GPO_LIST_FLAG_MACHINE;
00103         }
00104 
00105         printf("\n%s: '%s' has dn: '%s'\n\n", 
00106                 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", 
00107                 argv[0], dn);
00108 
00109         status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
00110         if (!ADS_ERR_OK(status)) {
00111                 goto out;
00112         }
00113 
00114         if (!NT_STATUS_IS_OK(result = check_refresh_gpo_list(ads, mem_ctx, gpo_list))) {
00115                 printf("failed to refresh GPOs: %s\n", nt_errstr(result));
00116                 goto out;
00117         }
00118 
00119         for (gpo = gpo_list; gpo; gpo = gpo->next) {
00120 
00121                 char *server, *share, *nt_path, *unix_path;
00122 
00123                 printf("--------------------------------------\n");
00124                 printf("Name:\t\t\t%s\n", gpo->display_name);
00125                 printf("LDAP GPO version:\t%d (user: %d, machine: %d)\n",
00126                         gpo->version,
00127                         GPO_VERSION_USER(gpo->version),
00128                         GPO_VERSION_MACHINE(gpo->version));
00129 
00130                 result = ads_gpo_explode_filesyspath(ads, mem_ctx, gpo->file_sys_path,
00131                                                      &server, &share, &nt_path, &unix_path);
00132                 if (!NT_STATUS_IS_OK(result)) {
00133                         printf("got: %s\n", nt_errstr(result));
00134                 }
00135 
00136                 printf("GPO stored on server: %s, share: %s\n", server, share);
00137                 printf("\tremote path:\t%s\n", nt_path);
00138                 printf("\tlocal path:\t%s\n", unix_path);
00139         }
00140 
00141  out:
00142         ads_memfree(ads, dn);
00143         ads_msgfree(ads, res);
00144 
00145         ads_destroy(&ads);
00146         talloc_destroy(mem_ctx);
00147         return 0;
00148 }
00149 
00150 static int net_ads_gpo_list(int argc, const char **argv)
00151 {
00152         ADS_STRUCT *ads;
00153         ADS_STATUS status;
00154         LDAPMessage *res = NULL;
00155         int num_reply = 0;
00156         LDAPMessage *msg = NULL;
00157         struct GROUP_POLICY_OBJECT gpo;
00158         TALLOC_CTX *mem_ctx;
00159         char *dn;
00160         const char *attrs[] = {
00161                 "versionNumber",
00162                 "flags",
00163                 "gPCFileSysPath",
00164                 "displayName",
00165                 "name",
00166                 "gPCMachineExtensionNames",
00167                 "gPCUserExtensionNames",
00168                 NULL
00169         };
00170 
00171         mem_ctx = talloc_init("net_ads_gpo_list");
00172         if (mem_ctx == NULL) {
00173                 return -1;
00174         }
00175 
00176         status = ads_startup(False, &ads);
00177         if (!ADS_ERR_OK(status)) {
00178                 goto out;
00179         }
00180 
00181         status = ads_do_search_all(ads, ads->config.bind_path,
00182                                    LDAP_SCOPE_SUBTREE,
00183                                    "(objectclass=groupPolicyContainer)", attrs, &res);
00184         if (!ADS_ERR_OK(status)) {
00185                 d_printf("search failed: %s\n", ads_errstr(status));
00186                 goto out;
00187         }       
00188 
00189         num_reply = ads_count_replies(ads, res);
00190         
00191         d_printf("Got %d replies\n\n", num_reply);
00192 
00193         /* dump the results */
00194         for (msg = ads_first_entry(ads, res); msg; msg = ads_next_entry(ads, msg)) {
00195 
00196                 if ((dn = ads_get_dn(ads, msg)) == NULL) {
00197                         goto out;
00198                 }
00199 
00200                 status = ads_parse_gpo(ads, mem_ctx, msg, dn, &gpo);
00201 
00202                 if (!ADS_ERR_OK(status)) {
00203                         d_printf("parse failed: %s\n", ads_errstr(status));
00204                         ads_memfree(ads, dn);
00205                         goto out;
00206                 }       
00207 
00208                 dump_gpo(mem_ctx, &gpo, 1);
00209                 ads_memfree(ads, dn);
00210         }
00211 
00212 out:
00213         ads_msgfree(ads, res);
00214 
00215         talloc_destroy(mem_ctx);
00216         ads_destroy(&ads);
00217         
00218         return 0;
00219 }
00220 
00221 #if 0 /* not yet */
00222 
00223 static int net_ads_gpo_apply(int argc, const char **argv)
00224 {
00225         TALLOC_CTX *mem_ctx;
00226         ADS_STRUCT *ads;
00227         ADS_STATUS status;
00228         const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
00229         LDAPMessage *res = NULL;
00230         const char *filter;
00231         char *dn = NULL;
00232         struct GROUP_POLICY_OBJECT *gpo_list;
00233         uint32 uac = 0;
00234         uint32 flags = 0;
00235         
00236         if (argc < 1) {
00237                 printf("usage: net ads gpo apply <username|machinename>\n");
00238                 return -1;
00239         }
00240 
00241         mem_ctx = talloc_init("net_ads_gpo_apply");
00242         if (mem_ctx == NULL) {
00243                 goto out;
00244         }
00245 
00246         filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", argv[0]);
00247         if (filter == NULL) {
00248                 goto out;
00249         }
00250 
00251         status = ads_startup(False, &ads);
00252         if (!ADS_ERR_OK(status)) {
00253                 goto out;
00254         }
00255 
00256         status = ads_do_search_all(ads, ads->config.bind_path,
00257                                    LDAP_SCOPE_SUBTREE,
00258                                    filter, attrs, &res);
00259         
00260         if (!ADS_ERR_OK(status)) {
00261                 goto out;
00262         }
00263 
00264         if (ads_count_replies(ads, res) != 1) {
00265                 printf("no result\n");
00266                 goto out;
00267         }
00268 
00269         dn = ads_get_dn(ads, res);
00270         if (dn == NULL) {
00271                 goto out;
00272         }
00273 
00274         if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
00275                 goto out;
00276         }
00277 
00278         if (uac & UF_WORKSTATION_TRUST_ACCOUNT) {
00279                 flags |= GPO_LIST_FLAG_MACHINE;
00280         }
00281 
00282         printf("%s: '%s' has dn: '%s'\n", 
00283                 (uac & UF_WORKSTATION_TRUST_ACCOUNT) ? "machine" : "user", 
00284                 argv[0], dn);
00285 
00286         status = ads_get_gpo_list(ads, mem_ctx, dn, flags, &gpo_list);
00287         if (!ADS_ERR_OK(status)) {
00288                 goto out;
00289         }
00290 
00291         /* FIXME: allow to process just a single extension */
00292         status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, NULL, flags); 
00293         if (!ADS_ERR_OK(status)) {
00294                 goto out;
00295         }
00296 
00297 out:
00298         ads_memfree(ads, dn);
00299         ads_msgfree(ads, res);
00300 
00301         ads_destroy(&ads);
00302         talloc_destroy(mem_ctx);
00303         return 0;
00304 }
00305 
00306 #endif
00307 
00308 static int net_ads_gpo_get_link(int argc, const char **argv)
00309 {
00310         ADS_STRUCT *ads;
00311         ADS_STATUS status;
00312         TALLOC_CTX *mem_ctx;
00313         struct GP_LINK gp_link;
00314 
00315         if (argc < 1) {
00316                 printf("usage: net ads gpo getlink <linkname>\n");
00317                 return -1;
00318         }
00319 
00320         mem_ctx = talloc_init("add_gpo_link");
00321         if (mem_ctx == NULL) {
00322                 return -1;
00323         }
00324 
00325         status = ads_startup(False, &ads);
00326         if (!ADS_ERR_OK(status)) {
00327                 goto out;
00328         }
00329 
00330         status = ads_get_gpo_link(ads, mem_ctx, argv[0], &gp_link);
00331         if (!ADS_ERR_OK(status)) {
00332                 d_printf("get link for %s failed: %s\n", argv[0], ads_errstr(status));
00333                 goto out;
00334         }       
00335 
00336         dump_gplink(ads, mem_ctx, &gp_link);
00337 
00338 out:
00339         talloc_destroy(mem_ctx);
00340         ads_destroy(&ads);
00341 
00342         return 0;
00343 }
00344 
00345 static int net_ads_gpo_add_link(int argc, const char **argv)
00346 {
00347         ADS_STRUCT *ads;
00348         ADS_STATUS status;
00349         uint32 gpo_opt = 0;
00350         TALLOC_CTX *mem_ctx;
00351 
00352         if (argc < 2) {
00353                 printf("usage: net ads gpo addlink <linkdn> <gpodn> [options]\n");
00354                 printf("note: DNs must be provided properly escaped.\n      See RFC 4514 for details\n");
00355                 return -1;
00356         }
00357 
00358         mem_ctx = talloc_init("add_gpo_link");
00359         if (mem_ctx == NULL) {
00360                 return -1;
00361         }
00362 
00363         if (argc == 3) {
00364                 gpo_opt = atoi(argv[2]);
00365         }
00366 
00367         status = ads_startup(False, &ads);
00368         if (!ADS_ERR_OK(status)) {
00369                 goto out;
00370         }
00371 
00372         status = ads_add_gpo_link(ads, mem_ctx, argv[0], argv[1], gpo_opt);
00373         if (!ADS_ERR_OK(status)) {
00374                 d_printf("add link failed: %s\n", ads_errstr(status));
00375                 goto out;
00376         }
00377 
00378 out:
00379         talloc_destroy(mem_ctx);
00380         ads_destroy(&ads);
00381 
00382         return 0;
00383 }
00384 
00385 #if 0 /* broken */
00386 
00387 static int net_ads_gpo_delete_link(int argc, const char **argv)
00388 {
00389         ADS_STRUCT *ads;
00390         ADS_STATUS status;
00391         TALLOC_CTX *mem_ctx;
00392 
00393         if (argc < 2) {
00394                 return -1;
00395         }
00396 
00397         mem_ctx = talloc_init("delete_gpo_link");
00398         if (mem_ctx == NULL) {
00399                 return -1;
00400         }
00401 
00402         status = ads_startup(False, &ads);
00403         if (!ADS_ERR_OK(status)) {
00404                 goto out;
00405         }
00406 
00407         status = ads_delete_gpo_link(ads, mem_ctx, argv[0], argv[1]);
00408         if (!ADS_ERR_OK(status)) {
00409                 d_printf("delete link failed: %s\n", ads_errstr(status));
00410                 goto out;
00411         }       
00412 
00413 out:
00414         talloc_destroy(mem_ctx);
00415         ads_destroy(&ads);
00416 
00417         return 0;
00418 }
00419 
00420 #endif
00421 
00422 static int net_ads_gpo_get_gpo(int argc, const char **argv)
00423 {
00424         ADS_STRUCT *ads;
00425         ADS_STATUS status;
00426         TALLOC_CTX *mem_ctx;
00427         struct GROUP_POLICY_OBJECT gpo;
00428 
00429         if (argc < 1) {
00430                 printf("usage: net ads gpo getgpo <gpo>\n");
00431                 return -1;
00432         }
00433 
00434         mem_ctx = talloc_init("add_gpo_get_gpo");
00435         if (mem_ctx == NULL) {
00436                 return -1;
00437         }
00438 
00439         status = ads_startup(False, &ads);
00440         if (!ADS_ERR_OK(status)) {
00441                 goto out;
00442         }
00443 
00444         if (strnequal(argv[0], "CN={", strlen("CN={"))) {
00445                 status = ads_get_gpo(ads, mem_ctx, argv[0], NULL, NULL, &gpo);
00446         } else {
00447                 status = ads_get_gpo(ads, mem_ctx, NULL, argv[0], NULL, &gpo);
00448         }
00449 
00450         if (!ADS_ERR_OK(status)) {
00451                 d_printf("get gpo for [%s] failed: %s\n", argv[0], ads_errstr(status));
00452                 goto out;
00453         }       
00454 
00455         dump_gpo(mem_ctx, &gpo, 1);
00456 
00457 out:
00458         talloc_destroy(mem_ctx);
00459         ads_destroy(&ads);
00460 
00461         return 0;
00462 }
00463 
00464 int net_ads_gpo(int argc, const char **argv)
00465 {
00466         struct functable func[] = {
00467                 {"LIST", net_ads_gpo_list},
00468                 {"REFRESH", net_ads_gpo_refresh},
00469                 {"ADDLINK", net_ads_gpo_add_link},
00470                 /* {"DELETELINK", net_ads_gpo_delete_link}, */
00471                 {"GETLINK", net_ads_gpo_get_link},
00472                 {"GETGPO", net_ads_gpo_get_gpo},
00473                 {"HELP", net_ads_gpo_usage},
00474                 /* {"APPLY", net_ads_gpo_apply}, */
00475                 {NULL, NULL}
00476         };
00477 
00478         return net_run_function(argc, argv, func, net_ads_gpo_usage);
00479 }
00480 
00481 #endif /* HAVE_ADS */