summaryrefslogtreecommitdiff
path: root/libgpo/gpo.h
blob: 35adc9425b31ca24d6dbd19332b53f3a6aa397de (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
/*
 *  Unix SMB/CIFS implementation.
 *  Group Policy Object Support
 *  Copyright (C) Guenther Deschner 2005-2008
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#ifndef __GPO_H__
#define __GPO_H__

#if _SAMBA_BUILD_ == 4
#include "source4/libgpo/ads_convenience.h"
#endif

enum GPO_LINK_TYPE {
	GP_LINK_UNKOWN	= 0,
	GP_LINK_MACHINE	= 1,
	GP_LINK_SITE	= 2,
	GP_LINK_DOMAIN	= 3,
	GP_LINK_OU	= 4,
	GP_LINK_LOCAL	= 5 /* for convenience */
};

/* GPO_OPTIONS */
#define GPO_FLAG_DISABLE	0x00000001
#define GPO_FLAG_FORCE		0x00000002

/* GPO_LIST_FLAGS */
#define GPO_LIST_FLAG_MACHINE	0x00000001
#define GPO_LIST_FLAG_SITEONLY	0x00000002

/* following flags from http://support.microsoft.com/kb/312164/EN-US/ */
#define GPO_INFO_FLAG_MACHINE			0x00000001
#define GPO_INFO_FLAG_BACKGROUND	 	0x00000010
#define GPO_INFO_FLAG_SLOWLINK			0x00000020
#define GPO_INFO_FLAG_VERBOSE			0x00000040
#define GPO_INFO_FLAG_NOCHANGES			0x00000080
#define GPO_INFO_FLAG_LINKTRANSITION		0x00000100
#define GPO_INFO_FLAG_LOGRSOP_TRANSITION	0x00000200
#define GPO_INFO_FLAG_FORCED_REFRESH		0x00000400
#define GPO_INFO_FLAG_SAFEMODE_BOOT		0x00000800

#define GPO_VERSION_USER(x) (x >> 16)
#define GPO_VERSION_MACHINE(x) (x & 0xffff)

struct GROUP_POLICY_OBJECT {
	uint32_t options;	/* GPFLAGS_* */
	uint32_t version;
	const char *ds_path;
	const char *file_sys_path;
	const char *display_name;
	const char *name;
	const char *link;
	enum GPO_LINK_TYPE link_type;
	const char *user_extensions;
	const char *machine_extensions;
	struct security_descriptor *security_descriptor;
	struct GROUP_POLICY_OBJECT *next, *prev;
};

/* the following is seen on the DS (see adssearch.pl for details) */

/* the type field in a 'gPLink', the same as GPO_FLAG ? */
#define GPO_LINK_OPT_NONE	0x00000000
#define GPO_LINK_OPT_DISABLED	0x00000001
#define GPO_LINK_OPT_ENFORCED	0x00000002

/* GPO_LINK_OPT_ENFORCED takes precedence over GPOPTIONS_BLOCK_INHERITANCE */

/* 'gPOptions', maybe a bitmask as well */
enum GPO_INHERIT {
	GPOPTIONS_INHERIT		= 0,
	GPOPTIONS_BLOCK_INHERITANCE	= 1
};

/* 'flags' in a 'groupPolicyContainer' object */
#define GPFLAGS_ALL_ENABLED			0x00000000
#define GPFLAGS_USER_SETTINGS_DISABLED		0x00000001
#define GPFLAGS_MACHINE_SETTINGS_DISABLED	0x00000002
#define GPFLAGS_ALL_DISABLED (GPFLAGS_USER_SETTINGS_DISABLED | \
			      GPFLAGS_MACHINE_SETTINGS_DISABLED)

struct GP_LINK {
	const char *gp_link;	/* raw link name */
	uint32_t gp_opts;		/* inheritance options GPO_INHERIT */
	uint32_t num_links;	/* number of links */
	char **link_names;	/* array of parsed link names */
	uint32_t *link_opts;	/* array of parsed link opts GPO_LINK_OPT_* */
};

struct GP_EXT {
	const char *gp_extension;	/* raw extension name */
	uint32_t num_exts;
	char **extensions;
	char **extensions_guid;
	char **snapins;
	char **snapins_guid;
	struct GP_EXT *next, *prev;
};

#define GPO_CACHE_DIR "gpo_cache"
#define GPT_INI "GPT.INI"
#define GPO_REFRESH_INTERVAL 60*90

#define GPO_REG_STATE_MACHINE "State\\Machine"

enum gp_reg_action {
	GP_REG_ACTION_NONE = 0,
	GP_REG_ACTION_ADD_VALUE = 1,
	GP_REG_ACTION_ADD_KEY = 2,
	GP_REG_ACTION_DEL_VALUES = 3,
	GP_REG_ACTION_DEL_VALUE = 4,
	GP_REG_ACTION_DEL_ALL_VALUES = 5,
	GP_REG_ACTION_DEL_KEYS = 6,
	GP_REG_ACTION_SEC_KEY_SET = 7,
	GP_REG_ACTION_SEC_KEY_RESET = 8
};

struct gp_registry_entry {
	enum gp_reg_action action;
	const char *key;
	const char *value;
	struct registry_value *data;
};

struct gp_registry_value {
	const char *value;
	struct registry_value *data;
};

struct gp_registry_entry2 {
	enum gp_reg_action action;
	const char *key;
	size_t num_values;
	struct gp_registry_value **values;
};

struct gp_registry_entries {
	size_t num_entries;
	struct gp_registry_entry **entries;
};

struct gp_registry_context {
	const NT_USER_TOKEN *token;
	const char *path;
	struct registry_key *curr_key;
};

#define GP_EXT_GUID_SECURITY "827D319E-6EAC-11D2-A4EA-00C04F79F83A"
#define GP_EXT_GUID_REGISTRY "35378EAC-683F-11D2-A89A-00C04FBBCFA2"
#define GP_EXT_GUID_SCRIPTS  "42B5FAAE-6536-11D2-AE5A-0000F87571E3"
#define ADS_EXTENDED_RIGHT_APPLY_GROUP_POLICY "edacfd8f-ffb3-11d1-b41d-00a0c968f939"


struct cli_state;

/* The following definitions come from libgpo/gpo_fetch.c  */

NTSTATUS gpo_explode_filesyspath(TALLOC_CTX *mem_ctx,
                                 const char *cache_path,
				 const char *file_sys_path,
				 char **server,
				 char **service,
				 char **nt_path,
				 char **unix_path);
NTSTATUS gpo_fetch_files(TALLOC_CTX *mem_ctx,
                         const char *cache_path,
			 struct cli_state *cli,
			 struct GROUP_POLICY_OBJECT *gpo);
NTSTATUS gpo_get_sysvol_gpt_version(TALLOC_CTX *mem_ctx,
				    const char *unix_path,
				    uint32_t *sysvol_version,
				    char **display_name);

/* The following definitions come from libgpo/gpo_ldap.c  */

bool ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
		      const char *extension_raw,
		      struct GP_EXT **gp_ext);
ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
			    TALLOC_CTX *mem_ctx,
			    const char *link_dn,
			    struct GP_LINK *gp_link_struct);
ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads,
			    TALLOC_CTX *mem_ctx,
			    const char *link_dn,
			    const char *gpo_dn,
			    uint32_t gpo_opt);
ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads,
			       TALLOC_CTX *mem_ctx,
			       const char *link_dn,
			       const char *gpo_dn);
ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
		       TALLOC_CTX *mem_ctx,
		       const char *gpo_dn,
		       const char *display_name,
		       const char *guid_name,
		       struct GROUP_POLICY_OBJECT *gpo);
ADS_STATUS ads_get_sid_token(ADS_STRUCT *ads,
			     TALLOC_CTX *mem_ctx,
			     const char *dn,
			     NT_USER_TOKEN **token);
ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads,
			    TALLOC_CTX *mem_ctx,
			    const char *dn,
			    uint32_t flags,
			    const NT_USER_TOKEN *token,
			    struct GROUP_POLICY_OBJECT **gpo_list);

/* The following definitions come from libgpo/gpo_sec.c  */

NTSTATUS gpo_apply_security_filtering(const struct GROUP_POLICY_OBJECT *gpo,
				      const NT_USER_TOKEN *token);

/* The following definitions come from libgpo/gpo_util.c  */

const char *cse_gpo_guid_string_to_name(const char *guid);
const char *cse_gpo_name_to_guid_string(const char *name);
const char *cse_snapin_gpo_guid_string_to_name(const char *guid);
void dump_gp_ext(struct GP_EXT *gp_ext, int debuglevel);
void dump_gpo(ADS_STRUCT *ads,
	      TALLOC_CTX *mem_ctx,
	      struct GROUP_POLICY_OBJECT *gpo,
	      int debuglevel);
void dump_gpo_list(ADS_STRUCT *ads,
		   TALLOC_CTX *mem_ctx,
		   struct GROUP_POLICY_OBJECT *gpo_list,
		   int debuglevel);
void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link);
ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
			     TALLOC_CTX *mem_ctx,
			     const NT_USER_TOKEN *token,
			     struct registry_key *root_key,
			     struct GROUP_POLICY_OBJECT *gpo,
			     const char *extension_guid_filter,
			     uint32_t flags);
ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
				TALLOC_CTX *mem_ctx,
				const NT_USER_TOKEN *token,
				struct GROUP_POLICY_OBJECT *gpo_list,
				const char *extensions_guid_filter,
				uint32_t flags);
NTSTATUS check_refresh_gpo(ADS_STRUCT *ads,
			   TALLOC_CTX *mem_ctx,
                           const char *cache_path,
			   uint32_t flags,
			   struct GROUP_POLICY_OBJECT *gpo,
			   struct cli_state **cli_out);
NTSTATUS check_refresh_gpo_list(ADS_STRUCT *ads,
				TALLOC_CTX *mem_ctx,
                                const char *cache_path,
				uint32_t flags,
				struct GROUP_POLICY_OBJECT *gpo_list);
NTSTATUS gpo_get_unix_path(TALLOC_CTX *mem_ctx,
			   struct GROUP_POLICY_OBJECT *gpo,
			   char **unix_path);
char *gpo_flag_str(uint32_t flags);
NTSTATUS gp_find_file(TALLOC_CTX *mem_ctx,
		      uint32_t flags,
		      const char *filename,
		      const char *suffix,
		      const char **filename_out);
ADS_STATUS gp_get_machine_token(ADS_STRUCT *ads,
				TALLOC_CTX *mem_ctx,
				const char *dn,
				NT_USER_TOKEN **token);


#include "../libgpo/gpext/gpext.h"

#endif