diff options
| author | Yassir Elley <yelley@redhat.com> | 2014-07-22 03:03:03 -0400 |
|---|---|---|
| committer | Jakub Hrozek <jhrozek@redhat.com> | 2014-07-30 10:38:32 +0200 |
| commit | b47449d8596d9573ff13e74b6984d080b414715a (patch) | |
| tree | 24b9e4d3be1a53a8eeaf3e64c7191de4285dcdc1 | |
| parent | 64074e584a56611d7563667e0fcdadd215b0c922 (diff) | |
| download | sssd-b47449d8596d9573ff13e74b6984d080b414715a.tar.gz sssd-b47449d8596d9573ff13e74b6984d080b414715a.tar.xz sssd-b47449d8596d9573ff13e74b6984d080b414715a.zip | |
AD-GPO: only download policy files if gpo version changes
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
| -rw-r--r-- | src/providers/ad/ad_gpo.c | 328 | ||||
| -rw-r--r-- | src/providers/ad/ad_gpo_child.c | 429 |
2 files changed, 560 insertions, 197 deletions
diff --git a/src/providers/ad/ad_gpo.c b/src/providers/ad/ad_gpo.c index 68a612e76..a650fa138 100644 --- a/src/providers/ad/ad_gpo.c +++ b/src/providers/ad/ad_gpo.c @@ -86,7 +86,7 @@ #define DENY_LOGON_LOCALLY "SeDenyInteractiveLogonRight" #define GP_EXT_GUID_SECURITY "{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" -#define GP_EXT_GUID_SECURITY_SUFFIX "/Microsoft/Windows NT/SecEdit/GptTmpl.inf" +#define GP_EXT_GUID_SECURITY_SUFFIX "/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf" #ifndef SSSD_LIBEXEC_PATH #error "SSSD_LIBEXEC_PATH not defined" @@ -115,9 +115,10 @@ struct gp_gpo { const char *gpo_dn; const char *gpo_guid; const char *gpo_display_name; - const char *gpo_file_sys_path; - const char *gpo_unix_path; - uint32_t gpo_container_version; + const char *smb_server; + const char *smb_share; + const char *smb_path; + uint32_t gpc_version; const char **gpo_cse_guids; int num_gpo_cse_guids; int gpo_func_version; @@ -156,10 +157,15 @@ int ad_gpo_process_gpo_recv(struct tevent_req *req, int *num_candidate_gpos); struct tevent_req *ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - char *cse_smb_uri, - char *cse_unix_path); + struct sss_domain_info *domain, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + const char *gpo_guid); int ad_gpo_process_cse_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + int *_sysvol_gpt_version, int *_allowed_size, char ***_allowed_sids, int *_denied_size, @@ -910,7 +916,7 @@ ad_gpo_access_send(TALLOC_CTX *mem_ctx, state->num_dacl_filtered_gpos = 0; state->cse_filtered_gpos = NULL; state->num_cse_filtered_gpos = 0; - state->cse_gpo_index = -1; + state->cse_gpo_index = 0; state->ev = ev; state->user = user; state->ldb_ctx = sysdb_ctx_get_ldb(domain->sysdb); @@ -1303,13 +1309,10 @@ ad_gpo_cse_step(struct tevent_req *req) { struct tevent_req *subreq; struct ad_gpo_access_state *state; - char *cse_smb_uri; - char *cse_unix_path; int i = 0; state = tevent_req_data(req, struct ad_gpo_access_state); - state->cse_gpo_index++; struct gp_gpo *cse_filtered_gpo = state->cse_filtered_gpos[state->cse_gpo_index]; @@ -1324,15 +1327,19 @@ ad_gpo_cse_step(struct tevent_req *req) state->cse_gpo_index, i, cse_filtered_gpo->gpo_cse_guids[i]); } - cse_smb_uri = talloc_asprintf(state, "%s%s", - cse_filtered_gpo->gpo_file_sys_path, - GP_EXT_GUID_SECURITY_SUFFIX); - - cse_unix_path = talloc_asprintf(state, "%s%s", - cse_filtered_gpo->gpo_unix_path, - GP_EXT_GUID_SECURITY_SUFFIX); + DEBUG(SSSDBG_TRACE_FUNC, "smb_server: %s\n", cse_filtered_gpo->smb_server); + DEBUG(SSSDBG_TRACE_FUNC, "smb_share: %s\n", cse_filtered_gpo->smb_share); + DEBUG(SSSDBG_TRACE_FUNC, "smb_path: %s\n", cse_filtered_gpo->smb_path); + DEBUG(SSSDBG_TRACE_FUNC, "gpo_guid: %s\n", cse_filtered_gpo->gpo_guid); - subreq = ad_gpo_process_cse_send(state, state->ev, cse_smb_uri, cse_unix_path); + subreq = ad_gpo_process_cse_send(state, + state->ev, + state->domain, + cse_filtered_gpo->smb_server, + cse_filtered_gpo->smb_share, + cse_filtered_gpo->smb_path, + GP_EXT_GUID_SECURITY_SUFFIX, + cse_filtered_gpo->gpo_guid); tevent_req_set_callback(subreq, ad_gpo_cse_done, req); return EAGAIN; @@ -1353,6 +1360,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) struct tevent_req *req; struct ad_gpo_access_state *state; int ret; + int sysvol_gpt_version; char **allowed_sids; int allowed_size; char **denied_sids; @@ -1361,13 +1369,32 @@ ad_gpo_cse_done(struct tevent_req *subreq) req = tevent_req_callback_data(subreq, struct tevent_req); state = tevent_req_data(req, struct ad_gpo_access_state); - ret = ad_gpo_process_cse_recv(subreq, state, &allowed_size, - &allowed_sids, &denied_size, &denied_sids); + struct gp_gpo *cse_filtered_gpo = + state->cse_filtered_gpos[state->cse_gpo_index]; + + const char *gpo_guid = cse_filtered_gpo->gpo_guid; + + DEBUG(SSSDBG_TRACE_FUNC, "gpo_guid: %s\n", gpo_guid); + + ret = ad_gpo_process_cse_recv(subreq, state, &sysvol_gpt_version, + &allowed_size, &allowed_sids, + &denied_size, &denied_sids); talloc_zfree(subreq); if (ret != EOK) { - /* TBD: handle ret error */ + DEBUG(SSSDBG_OP_FAILURE, "Unable to retrieve policy data: [%d](%s}\n", + ret, sss_strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "sysvol_gpt_version: %d\n", sysvol_gpt_version); + + ret = sysdb_gpo_store_gpo(state->domain, gpo_guid, sysvol_gpt_version); + + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, "Unable to store gpo cache entry: [%d](%s}\n", + ret, sss_strerror(ret)); goto done; } @@ -1383,6 +1410,7 @@ ad_gpo_cse_done(struct tevent_req *subreq) goto done; } + state->cse_gpo_index++; ret = ad_gpo_cse_step(req); done: @@ -1747,7 +1775,7 @@ ad_gpo_process_som_send(TALLOC_CTX *mem_ctx, state->sdap_op = sdap_op; state->opts = opts; state->timeout = timeout; - state->som_index = -1; + state->som_index = 0; state->allow_enforced_only = 0; ret = ad_gpo_populate_som_list(state, ldb_ctx, target_dn, @@ -1944,7 +1972,6 @@ ad_gpo_get_som_attrs_step(struct tevent_req *req) state = tevent_req_data(req, struct ad_gpo_process_som_state); - state->som_index++; struct gp_som *gp_som = state->som_list[state->som_index]; /* gp_som is NULL only after all SOMs have been processed */ @@ -2067,6 +2094,7 @@ ad_gpo_get_som_attrs_done(struct tevent_req *subreq) state->allow_enforced_only = 1; } + state->som_index++; ret = ad_gpo_get_som_attrs_step(req); done: @@ -2281,48 +2309,46 @@ ad_gpo_populate_candidate_gpos(TALLOC_CTX *mem_ctx, } /* - * This function converts the input_path to an smb uri and a unix_path, which - * are used to populate the _smb_uri and _unix_path output parameters, - * respectively. + * This function parses the input_path into its components, replaces each + * back slash ('\') with a forward slash ('/'), and populates the output params. * - * The smb_path starts with the slash immediately after the domain name, while - * the unix_path starts with the following slash (immediately after the share name). - * - * The _smb_uri output is constructed by concatenating the following elements: + * The smb_server output is constructed by concatenating the following elements: * - SMB_STANDARD_URI ("smb://") * - server_hostname (which replaces domain_name in input path) - * - smb_path - * Additionally, each forward slash ('\') is replaced with a back slash ('/') + * The smb_share and smb_path outputs are extracted from the input_path. * * Example: if input_path = "\\foo.com\SysVol\foo.com\..." and * server_hostname = "adserver.foo.com", then - * _smb_uri = "smb://adserver.foo.com/SysVol/foo.com/..."; and - * _unix_path = "/foo.com/..." + * _smb_server = "smb://adserver.foo.com" + * _smb_share = "SysVol" + * _smb_path = "/foo.com/..." * * Note that the input_path must have at least four forward slash separators. * For example, input_path = "\\foo.com\SysVol" is not a valid input_path, * because it has only three forward slash separators. */ static errno_t -ad_gpo_convert_to_smb_uri(TALLOC_CTX *mem_ctx, - char *server_hostname, - char *input_path, - const char **_smb_uri, - const char **_unix_path) +ad_gpo_extract_smb_components(TALLOC_CTX *mem_ctx, + char *server_hostname, + char *input_path, + const char **_smb_server, + const char **_smb_share, + const char **_smb_path) { char *ptr; const char delim = '\\'; int ret; int num_seps = 0; char *smb_path = NULL; - char *unix_path = NULL; + char *smb_share = NULL; DEBUG(SSSDBG_TRACE_ALL, "input_path: %s\n", input_path); if (input_path == NULL || *input_path == '\0' || - _smb_uri == NULL || - _unix_path == NULL) { + _smb_server == NULL || + _smb_share == NULL || + _smb_path == NULL) { ret = EINVAL; goto done; } @@ -2331,11 +2357,18 @@ ad_gpo_convert_to_smb_uri(TALLOC_CTX *mem_ctx, while ((ptr = strchr(ptr, delim))) { num_seps++; if (num_seps == 3) { - /* keep track of path from third slash onwards (after domain name) */ - smb_path = ptr; + /* replace the slash before the share name with null string */ + + *ptr = '\0'; + ptr++; + smb_share = ptr; + continue; } else if (num_seps == 4) { - /* keep track of path from fourth slash onwards (after share name) */ - unix_path = ptr; + /* replace the slash after the share name with null string */ + *ptr = '\0'; + ptr++; + smb_path = ptr; + continue; } *ptr = '/'; ptr++; @@ -2346,18 +2379,16 @@ ad_gpo_convert_to_smb_uri(TALLOC_CTX *mem_ctx, goto done; } - if (smb_path == NULL || unix_path == NULL) { + if (smb_path == NULL) { ret = EINVAL; goto done; } - - *_smb_uri = talloc_asprintf(mem_ctx, "%s%s%s", - SMB_STANDARD_URI, - server_hostname, - smb_path); - - *_unix_path = talloc_strdup(mem_ctx, unix_path); + *_smb_server = talloc_asprintf(mem_ctx, "%s%s", + SMB_STANDARD_URI, + server_hostname); + *_smb_share = talloc_asprintf(mem_ctx, "/%s", smb_share); + *_smb_path = talloc_asprintf(mem_ctx, "/%s", smb_path); ret = EOK; @@ -2547,7 +2578,7 @@ ad_gpo_process_gpo_send(TALLOC_CTX *mem_ctx, state->opts = opts; state->server_hostname = server_hostname; state->timeout = timeout; - state->gpo_index = -1; + state->gpo_index = 0; state->candidate_gpos = NULL; state->num_candidate_gpos = 0; @@ -2597,7 +2628,6 @@ ad_gpo_get_gpo_attrs_step(struct tevent_req *req) state = tevent_req_data(req, struct ad_gpo_process_gpo_state); - state->gpo_index++; struct gp_gpo *gp_gpo = state->candidate_gpos[state->gpo_index]; /* gp_gpo is NULL only after all GPOs have been processed */ @@ -2629,8 +2659,6 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq) struct sysdb_attrs **results; struct ldb_message_element *el = NULL; const char *gpo_guid = NULL; - const char *smb_uri = NULL; - const char *unix_path = NULL; const char *gpo_display_name = NULL; const char *raw_file_sys_path = NULL; char *file_sys_path = NULL; @@ -2655,6 +2683,7 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq) if ((num_results < 1) || (results == NULL)) { DEBUG(SSSDBG_OP_FAILURE, "no attrs found for GPO; try next GPO.\n"); + state->gpo_index++; ret = ad_gpo_get_gpo_attrs_step(req); goto done; } @@ -2716,32 +2745,24 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq) } file_sys_path = talloc_strdup(gp_gpo, raw_file_sys_path); - ad_gpo_convert_to_smb_uri(state, state->server_hostname, file_sys_path, - &smb_uri, &unix_path); - gp_gpo->gpo_file_sys_path = talloc_asprintf(gp_gpo, "%s/Machine", - smb_uri); - if (gp_gpo->gpo_file_sys_path == NULL) { - ret = ENOMEM; - goto done; - } - - DEBUG(SSSDBG_TRACE_FUNC, "gpo_file_sys_path: %s\n", - gp_gpo->gpo_file_sys_path); - - gp_gpo->gpo_unix_path = talloc_asprintf(gp_gpo, "%s/Machine", - unix_path); - if (gp_gpo->gpo_unix_path == NULL) { - ret = ENOMEM; + ret = ad_gpo_extract_smb_components(gp_gpo, state->server_hostname, + file_sys_path, &gp_gpo->smb_server, + &gp_gpo->smb_share, &gp_gpo->smb_path); + if (ret != EOK) { + DEBUG(SSSDBG_OP_FAILURE, + "unable to extract smb components from file_sys_path: [%d](%s)\n", + ret, sss_strerror(ret)); goto done; } - DEBUG(SSSDBG_TRACE_FUNC, "gpo_unix_path: %s\n", - gp_gpo->gpo_unix_path); + DEBUG(SSSDBG_TRACE_ALL, "smb_server: %s\n", gp_gpo->smb_server); + DEBUG(SSSDBG_TRACE_ALL, "smb_share: %s\n", gp_gpo->smb_share); + DEBUG(SSSDBG_TRACE_ALL, "smb_path: %s\n", gp_gpo->smb_path); /* retrieve AD_AT_VERSION_NUMBER */ ret = sysdb_attrs_get_uint32_t(results[0], AD_AT_VERSION_NUMBER, - &gp_gpo->gpo_container_version); + &gp_gpo->gpc_version); if (ret != EOK) { DEBUG(SSSDBG_OP_FAILURE, "sysdb_attrs_get_uint32_t failed: [%d](%s)\n", @@ -2749,8 +2770,7 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq) goto done; } - DEBUG(SSSDBG_TRACE_ALL, "gpo_container_version: %d\n", - gp_gpo->gpo_container_version); + DEBUG(SSSDBG_TRACE_ALL, "gpc_version: %d\n", gp_gpo->gpc_version); /* retrieve AD_AT_MACHINE_EXT_NAMES */ ret = sysdb_attrs_get_el(results[0], AD_AT_MACHINE_EXT_NAMES, &el); @@ -2822,6 +2842,7 @@ ad_gpo_get_gpo_attrs_done(struct tevent_req *subreq) goto done; } + state->gpo_index++; ret = ad_gpo_get_gpo_attrs_step(req); done: @@ -2850,20 +2871,26 @@ ad_gpo_process_gpo_recv(struct tevent_req *req, } /* == ad_gpo_process_cse_send/recv helpers ================================= */ - static errno_t create_cse_send_buffer(TALLOC_CTX *mem_ctx, - char *cse_smb_uri, - char *cse_unix_path, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + int cached_gpt_version, struct io_buffer **io_buf) { struct io_buffer *buf; size_t rp; - int cse_smb_uri_length; - int cse_unix_path_length; + int smb_server_length; + int smb_share_length; + int smb_path_length; + int smb_cse_suffix_length; - cse_smb_uri_length = strlen(cse_smb_uri); - cse_unix_path_length = strlen(cse_unix_path); + smb_server_length = strlen(smb_server); + smb_share_length = strlen(smb_share); + smb_path_length = strlen(smb_path); + smb_cse_suffix_length = strlen(smb_cse_suffix); buf = talloc(mem_ctx, struct io_buffer); if (buf == NULL) { @@ -2871,8 +2898,9 @@ create_cse_send_buffer(TALLOC_CTX *mem_ctx, return ENOMEM; } - buf->size = 2 * sizeof(uint32_t); - buf->size += cse_smb_uri_length + cse_unix_path_length; + buf->size = 5 * sizeof(uint32_t); + buf->size += smb_server_length + smb_share_length + smb_path_length + + smb_cse_suffix_length; DEBUG(SSSDBG_TRACE_ALL, "buffer size: %zu\n", buf->size); @@ -2884,13 +2912,24 @@ create_cse_send_buffer(TALLOC_CTX *mem_ctx, } rp = 0; - /* cse_smb_uri */ - SAFEALIGN_SET_UINT32(&buf->data[rp], cse_smb_uri_length, &rp); - safealign_memcpy(&buf->data[rp], cse_smb_uri, cse_smb_uri_length, &rp); + /* cached_gpt_version */ + SAFEALIGN_SET_UINT32(&buf->data[rp], cached_gpt_version, &rp); + + /* smb_server */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_server_length, &rp); + safealign_memcpy(&buf->data[rp], smb_server, smb_server_length, &rp); - /* cse_unix_path */ - SAFEALIGN_SET_UINT32(&buf->data[rp], cse_unix_path_length, &rp); - safealign_memcpy(&buf->data[rp], cse_unix_path, cse_unix_path_length, &rp); + /* smb_share */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_share_length, &rp); + safealign_memcpy(&buf->data[rp], smb_share, smb_share_length, &rp); + + /* smb_path */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_path_length, &rp); + safealign_memcpy(&buf->data[rp], smb_path, smb_path_length, &rp); + + /* smb_cse_suffix */ + SAFEALIGN_SET_UINT32(&buf->data[rp], smb_cse_suffix_length, &rp); + safealign_memcpy(&buf->data[rp], smb_cse_suffix, smb_cse_suffix_length, &rp); *io_buf = buf; return EOK; @@ -2941,7 +2980,8 @@ parse_logon_right_with_libini(TALLOC_CTX *mem_ctx, if (ret != 0) { DEBUG(SSSDBG_CRIT_FAILURE, - "ini_get_string_config_array failed [%d][%s]\n", ret, strerror(ret)); + "ini_get_string_config_array failed [%d][%s]\n", + ret, strerror(ret)); goto done; } @@ -2984,12 +3024,12 @@ parse_logon_right_with_libini(TALLOC_CTX *mem_ctx, * allowed_sids and denied_sids */ static errno_t -ad_gpo_parse_security_cse_buffer(TALLOC_CTX *mem_ctx, - const char *filename, - char ***allowed_sids, - int *allowed_size, - char ***denied_sids, - int *denied_size) +ad_gpo_parse_policy_file(TALLOC_CTX *mem_ctx, + const char *filename, + char ***allowed_sids, + int *allowed_size, + char ***denied_sids, + int *denied_size) { struct ini_cfgfile *file_ctx = NULL; struct ini_cfgobj *ini_config = NULL; @@ -3073,17 +3113,26 @@ ad_gpo_parse_security_cse_buffer(TALLOC_CTX *mem_ctx, static errno_t ad_gpo_parse_gpo_child_response(TALLOC_CTX *mem_ctx, - uint8_t *buf, ssize_t size, uint32_t *_result) + uint8_t *buf, + ssize_t size, + uint32_t *_sysvol_gpt_version, + uint32_t *_result) { int ret; size_t p = 0; + uint32_t sysvol_gpt_version; uint32_t result; + /* sysvol_gpt_version */ + SAFEALIGN_COPY_UINT32_CHECK(&sysvol_gpt_version, buf + p, size, &p); + /* operation result code */ SAFEALIGN_COPY_UINT32_CHECK(&result, buf + p, size, &p); + *_sysvol_gpt_version = sysvol_gpt_version; *_result = result; + ret = EOK; return ret; } @@ -3092,7 +3141,8 @@ ad_gpo_parse_gpo_child_response(TALLOC_CTX *mem_ctx, struct ad_gpo_process_cse_state { struct tevent_context *ev; - const char *cse_unix_path; + const char *smb_path; + const char *smb_cse_suffix; pid_t child_pid; uint8_t *buf; ssize_t len; @@ -3148,13 +3198,19 @@ static void gpo_cse_done(struct tevent_req *subreq); struct tevent_req * ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, - char *cse_smb_uri, - char *cse_unix_path) + struct sss_domain_info *domain, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + const char *gpo_guid) { struct tevent_req *req; struct tevent_req *subreq; struct ad_gpo_process_cse_state *state; + struct ldb_result *res; struct io_buffer *buf = NULL; + int cached_gpt_version = 0; errno_t ret; req = tevent_req_create(mem_ctx, &state, struct ad_gpo_process_cse_state); @@ -3164,10 +3220,10 @@ ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx, } state->ev = ev; - state->cse_unix_path = cse_unix_path; state->buf = NULL; state->len = 0; - + state->smb_path = smb_path; + state->smb_cse_suffix = smb_cse_suffix; state->io = talloc(state, struct io); if (state->io == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc failed.\n"); @@ -3179,8 +3235,33 @@ ad_gpo_process_cse_send(TALLOC_CTX *mem_ctx, state->io->read_from_child_fd = -1; talloc_set_destructor((void *) state->io, gpo_child_io_destructor); + /* retrieve cached gpt version (or set it to -1 if unavailable) */ + DEBUG(SSSDBG_TRACE_FUNC, "retrieving GPO from cache [%s]\n", gpo_guid); + ret = sysdb_gpo_get_gpo(state, domain, gpo_guid, &res); + if (ret != EOK) { + switch (ret) { + case ENOENT: + DEBUG(SSSDBG_TRACE_FUNC, "ENOENT\n"); + cached_gpt_version = -1; + break; + default: + DEBUG(SSSDBG_FATAL_FAILURE, "Could not read GPO from cache: [%s]\n", + strerror(ret)); + goto fail; + } + } + + if (cached_gpt_version != -1) { + /* cached_gpt_version is in cache, so retrieve it from cache */ + cached_gpt_version = ldb_msg_find_attr_as_int(res->msgs[0], + SYSDB_GPO_VERSION_ATTR, + 0); + } + DEBUG(SSSDBG_TRACE_FUNC, "cached_gpt_version: %d\n", cached_gpt_version); + /* prepare the data to pass to child */ - ret = create_cse_send_buffer(state, cse_smb_uri, cse_unix_path, &buf); + ret = create_cse_send_buffer(state, smb_server, smb_share, smb_path, + smb_cse_suffix, cached_gpt_version, &buf); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "create_cse_send_buffer failed.\n"); goto fail; @@ -3261,28 +3342,32 @@ static void gpo_cse_done(struct tevent_req *subreq) int ad_gpo_process_cse_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx, + int *_sysvol_gpt_version, int *_allowed_size, char ***_allowed_sids, int *_denied_size, char ***_denied_sids) { int ret; + uint32_t sysvol_gpt_version; uint32_t result; char **allowed_sids; int allowed_size; char **denied_sids; int denied_size; struct ad_gpo_process_cse_state *state; - const char *filename = NULL; + const char *policy_filename = NULL; state = tevent_req_data(req, struct ad_gpo_process_cse_state); TEVENT_REQ_RETURN_ON_ERROR(req); - ret = ad_gpo_parse_gpo_child_response(state, state->buf, state->len, &result); + ret = ad_gpo_parse_gpo_child_response(state, state->buf, state->len, + &sysvol_gpt_version, &result); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, - "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", ret, strerror(ret)); + "ad_gpo_parse_gpo_child_response failed: [%d][%s]\n", + ret, strerror(ret)); return ret; } else if (result != 0){ DEBUG(SSSDBG_CRIT_FAILURE, @@ -3290,21 +3375,26 @@ int ad_gpo_process_cse_recv(struct tevent_req *req, return result; } - filename = talloc_asprintf(mem_ctx, GPO_CACHE_PATH"%s", state->cse_unix_path); + policy_filename = talloc_asprintf(mem_ctx, GPO_CACHE_PATH"%s%s", + state->smb_path, state->smb_cse_suffix); + + DEBUG(SSSDBG_TRACE_FUNC, "policy_filename:%s\n", policy_filename); - ret = ad_gpo_parse_security_cse_buffer(state, - filename, - &allowed_sids, - &allowed_size, - &denied_sids, - &denied_size); + ret = ad_gpo_parse_policy_file(state, + policy_filename, + &allowed_sids, + &allowed_size, + &denied_sids, + &denied_size); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, - "ad_gpo_parse_security_cse_buffer failed: [%d][%s]\n", ret, strerror(ret)); + "Cannot parse policy file: [%s][%d][%s]\n", + policy_filename, ret, strerror(ret)); return ret; } + *_sysvol_gpt_version = sysvol_gpt_version; *_allowed_size = allowed_size; *_allowed_sids = talloc_steal(mem_ctx, allowed_sids); *_denied_size = denied_size; diff --git a/src/providers/ad/ad_gpo_child.c b/src/providers/ad/ad_gpo_child.c index 22b8b5204..4bb48c047 100644 --- a/src/providers/ad/ad_gpo_child.c +++ b/src/providers/ad/ad_gpo_child.c @@ -27,6 +27,7 @@ #include <sys/stat.h> #include <popt.h> #include <libsmbclient.h> +#include <ini_configobj.h> #include <security/pam_modules.h> #include "util/util.h" @@ -34,14 +35,17 @@ #include "providers/dp_backend.h" #include "sss_cli.h" -#define RIGHTS_SECTION "Privilege Rights" -#define ALLOW_LOGON_LOCALLY "SeInteractiveLogonRight" -#define DENY_LOGON_LOCALLY "SeDenyInteractiveLogonRight" #define SMB_BUFFER_SIZE 65536 +#define GPT_INI "/GPT.INI" +#define INI_GENERAL_SECTION "General" +#define GPT_INI_VERSION "Version" struct input_buffer { - const char *smb_uri; - const char *unix_path; + int cached_gpt_version; + const char *smb_server; + const char *smb_share; + const char *smb_path; + const char *smb_cse_suffix; }; static errno_t @@ -51,34 +55,62 @@ unpack_buffer(uint8_t *buf, { size_t p = 0; uint32_t len; + uint32_t cached_gpt_version; - /* smb_uri size and length */ - SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); - - DEBUG(SSSDBG_TRACE_ALL, "smb_uri size: %d\n", len); + /* cached_gpt_version */ + SAFEALIGN_COPY_UINT32_CHECK(&cached_gpt_version, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_FUNC, "cached_gpt_version: %d\n", cached_gpt_version); + ibuf->cached_gpt_version = cached_gpt_version; + /* smb_server */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_ALL, "smb_server length: %d\n", len); if (len == 0) { return EINVAL; } else { if ((p + len ) > size) return EINVAL; - ibuf->smb_uri = talloc_strndup(ibuf, (char *)(buf + p), len); - if (ibuf->smb_uri == NULL) return ENOMEM; - DEBUG(SSSDBG_TRACE_ALL, "got smb_uri: %s\n", ibuf->smb_uri); + ibuf->smb_server = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->smb_server == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_ALL, "smb_server: %s\n", ibuf->smb_server); p += len; } - /* unix_path size and length */ + /* smb_share */ SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_ALL, "smb_share length: %d\n", len); + if (len == 0) { + return EINVAL; + } else { + if ((p + len ) > size) return EINVAL; + ibuf->smb_share = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->smb_share == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_ALL, "smb_share: %s\n", ibuf->smb_share); + p += len; + } - DEBUG(SSSDBG_TRACE_ALL, "unix_path size: %d\n", len); + /* smb_path */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_ALL, "smb_path length: %d\n", len); + if (len == 0) { + return EINVAL; + } else { + if ((p + len ) > size) return EINVAL; + ibuf->smb_path = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->smb_path == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_ALL, "smb_path: %s\n", ibuf->smb_path); + p += len; + } + /* smb_cse_suffix */ + SAFEALIGN_COPY_UINT32_CHECK(&len, buf + p, size, &p); + DEBUG(SSSDBG_TRACE_ALL, "smb_cse_suffix length: %d\n", len); if (len == 0) { return EINVAL; } else { if ((p + len ) > size) return EINVAL; - ibuf->unix_path = talloc_strndup(ibuf, (char *)(buf + p), len); - if (ibuf->unix_path == NULL) return ENOMEM; - DEBUG(SSSDBG_TRACE_ALL, "got unix_path: %s\n", ibuf->unix_path); + ibuf->smb_cse_suffix = talloc_strndup(ibuf, (char *)(buf + p), len); + if (ibuf->smb_cse_suffix == NULL) return ENOMEM; + DEBUG(SSSDBG_TRACE_ALL, "smb_cse_suffix: %s\n", ibuf->smb_cse_suffix); p += len; } @@ -88,14 +120,16 @@ unpack_buffer(uint8_t *buf, static errno_t pack_buffer(struct response *r, + int sysvol_gpt_version, int result) { size_t p = 0; /* A buffer with the following structure must be created: + * uint32_t sysvol_gpt_version (required) * uint32_t status of the request (required) */ - r->size = sizeof(uint32_t); + r->size = 2 * sizeof(uint32_t); r->buf = talloc_array(r, uint8_t, r->size); if(r->buf == NULL) { @@ -104,6 +138,9 @@ pack_buffer(struct response *r, DEBUG(SSSDBG_TRACE_FUNC, "result [%d]\n", result); + /* sysvol_gpt_version */ + SAFEALIGN_SET_UINT32(&r->buf[p], sysvol_gpt_version, &p); + /* result */ SAFEALIGN_SET_UINT32(&r->buf[p], result, &p); @@ -112,6 +149,7 @@ pack_buffer(struct response *r, static errno_t prepare_response(TALLOC_CTX *mem_ctx, + int sysvol_gpt_version, int result, struct response **rsp) { @@ -126,14 +164,14 @@ prepare_response(TALLOC_CTX *mem_ctx, r->buf = NULL; r->size = 0; - ret = pack_buffer(r, result); + ret = pack_buffer(r, sysvol_gpt_version, result); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "pack_buffer failed\n"); return ret; } *rsp = r; - DEBUG(SSSDBG_TRACE_FUNC, "r->size: %zu\n", r->size); + DEBUG(SSSDBG_TRACE_ALL, "r->size: %zu\n", r->size); return EOK; } @@ -153,12 +191,12 @@ sssd_krb_get_auth_data_fn(const char * pServer, /* * This function prepares the gpo_cache by: - * - parsing the input_unix_path into its component directories + * - parsing the input_smb_path into its component directories * - creating each component directory (if it doesn't already exist) */ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx, const char *cache_dir, - const char *input_unix_path) + const char *input_smb_path_with_suffix) { char *current_dir; char *ptr; @@ -167,25 +205,27 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx, int i; char *first = NULL; char *last = NULL; - char *unix_path = NULL; + char *smb_path_with_suffix = NULL; - unix_path = talloc_strdup(mem_ctx, input_unix_path); - if (unix_path == NULL) { + smb_path_with_suffix = talloc_strdup(mem_ctx, input_smb_path_with_suffix); + if (smb_path_with_suffix == NULL) { return ENOMEM; } + DEBUG(SSSDBG_TRACE_ALL, "smb_path_with_suffix: %s\n", smb_path_with_suffix); + current_dir = talloc_strdup(mem_ctx, cache_dir); if (current_dir == NULL) { return ENOMEM; } - ptr = unix_path + 1; + ptr = smb_path_with_suffix + 1; while ((ptr = strchr(ptr, delim))) { ptr++; num_dirs++; } - ptr = unix_path + 1; + ptr = smb_path_with_suffix + 1; for (i = 0; i < num_dirs; i++) { first = ptr; @@ -197,6 +237,11 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx, last++; current_dir = talloc_asprintf(mem_ctx, "%s/%s", current_dir, first); + if (current_dir == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + return ENOMEM; + } + if ((mkdir(current_dir, 0644)) < 0 && errno != EEXIST) { return EINVAL; } @@ -210,12 +255,16 @@ static errno_t prepare_gpo_cache(TALLOC_CTX *mem_ctx, /* * This function stores the input buf to a local file, whose file path - * is constructed by concatenating GPO_CACHE_PATH to the input unix_path. - * Note that the backend will later read the policy file from the same file path. + * is constructed by concatenating: + * GPO_CACHE_PATH, + * input smb_path, + * input smb_cse_suffix + * Note that the backend will later read the file from the same file path. */ -static errno_t store_bytes_in_gpo_cache(const char *unix_path, - uint8_t *buf, - int buflen) +static errno_t gpo_cache_store_file(const char *smb_path, + const char *smb_cse_suffix, + uint8_t *buf, + int buflen) { int ret; int fd = -1; @@ -223,6 +272,7 @@ static errno_t store_bytes_in_gpo_cache(const char *unix_path, ssize_t written; mode_t old_umask; char *filename = NULL; + char *smb_path_with_suffix = NULL; TALLOC_CTX *tmp_ctx = NULL; tmp_ctx = talloc_new(NULL); @@ -231,10 +281,30 @@ static errno_t store_bytes_in_gpo_cache(const char *unix_path, goto done; } - /* create component directories of unix_path, if needed */ - ret = prepare_gpo_cache(tmp_ctx, GPO_CACHE_PATH, unix_path); + smb_path_with_suffix = + talloc_asprintf(tmp_ctx, "%s%s", smb_path, smb_cse_suffix); + if (smb_path_with_suffix == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + /* create component directories of smb_path, if needed */ + ret = prepare_gpo_cache(tmp_ctx, GPO_CACHE_PATH, smb_path_with_suffix); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "prepare_gpo_cache failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + filename = talloc_asprintf(tmp_ctx, GPO_CACHE_PATH"%s", smb_path_with_suffix); + if (filename == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } - filename = talloc_asprintf(tmp_ctx, GPO_CACHE_PATH"%s", unix_path); tmp_name = talloc_asprintf(tmp_ctx, "%sXXXXXX", filename); if (tmp_name == NULL) { DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); @@ -303,21 +373,136 @@ static errno_t store_bytes_in_gpo_cache(const char *unix_path, return ret; } +static errno_t +parse_ini_file_with_libini(struct ini_cfgobj *ini_config, + int *_gpt_version) +{ + int ret; + struct value_obj *vobj = NULL; + int gpt_version; + + ret = ini_get_config_valueobj(INI_GENERAL_SECTION, GPT_INI_VERSION, + ini_config, INI_GET_FIRST_VALUE, &vobj); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_get_config_valueobj failed [%d][%s]\n", ret, strerror(ret)); + goto done; + } + if (vobj == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "section/name not found: [%s][%s]\n", + INI_GENERAL_SECTION, GPT_INI_VERSION); + ret = EINVAL; + goto done; + } + + gpt_version = ini_get_int32_config_value(vobj, 0, -1, &ret); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_get_int32_config_value failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + *_gpt_version = gpt_version; + + ret = EOK; + + done: + + return ret; +} + /* - * This cse-specific function (GP_EXT_GUID_SECURITY) opens an SMB connection, - * retrieves the data referenced by the input smb_uri, and then closes the SMB - * connection. The data is then written to a file in the GPO_CACHE directory, - * to be read by the backend. + * This function parses the GPT_INI file stored in the gpo_cache, and uses the + * results to populate the output parameters ... */ static errno_t -process_security_settings_cse(TALLOC_CTX *mem_ctx, - const char *smb_uri, - const char *unix_path) +ad_gpo_parse_ini_file(const char *smb_path, + int *_gpt_version) { - SMBCCTX *context; - int ret = 0; + struct ini_cfgfile *file_ctx = NULL; + struct ini_cfgobj *ini_config = NULL; + const char *ini_filename; + int ret; + int gpt_version = -1; + TALLOC_CTX *tmp_ctx = NULL; + + tmp_ctx = talloc_new(NULL); + if (tmp_ctx == NULL) { + ret = ENOMEM; + goto done; + } + + ini_filename = talloc_asprintf(tmp_ctx, GPO_CACHE_PATH"%s%s", + smb_path, GPT_INI); + if (ini_filename == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); + ret = ENOMEM; + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "ini_filename:%s\n", ini_filename); + + ret = ini_config_create(&ini_config); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_config_create failed [%d][%s]\n", ret, strerror(ret)); + goto done; + } + + ret = ini_config_file_open(ini_filename, 0, &file_ctx); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_config_file_open failed [%d][%s]\n", ret, strerror(ret)); + goto done; + } + + ret = ini_config_parse(file_ctx, INI_STOP_ON_NONE, 0, 0, ini_config); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "ini_config_parse failed [%d][%s]\n", ret, strerror(ret)); + goto done; + } + + ret = parse_ini_file_with_libini(ini_config, &gpt_version); + if (ret != 0) { + DEBUG(SSSDBG_CRIT_FAILURE, + "parse_ini_file_with_libini failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + *_gpt_version = gpt_version; + + done: + + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, "Error encountered: %d.\n", ret); + } + + ini_config_file_destroy(file_ctx); + ini_config_destroy(ini_config); + talloc_free(tmp_ctx); + return ret; +} + +/* + * This function uses the input smb uri components to download a sysvol file + * (e.g. INI file, policy file, etc) and store it to the GPO_CACHE directory. + */ +static errno_t +copy_smb_file_to_gpo_cache(SMBCCTX *smbc_ctx, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix) +{ + char *smb_uri = NULL; + SMBCFILE *file; + int ret; uint8_t *buf = NULL; int buflen = 0; + TALLOC_CTX *tmp_ctx = NULL; tmp_ctx = talloc_new(NULL); @@ -325,59 +510,142 @@ process_security_settings_cse(TALLOC_CTX *mem_ctx, return ENOMEM; } - DEBUG(SSSDBG_TRACE_ALL, "%s\n", smb_uri); - DEBUG(SSSDBG_TRACE_ALL, "%s\n", unix_path); - - context = smbc_new_context(); - if (context == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate new smbc context\n"); + smb_uri = talloc_asprintf(tmp_ctx, "%s%s%s%s", smb_server, + smb_share, smb_path, smb_cse_suffix); + if (smb_uri == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_asprintf failed.\n"); ret = ENOMEM; goto done; } - smbc_setFunctionAuthData(context, sssd_krb_get_auth_data_fn); - smbc_setOptionUseKerberos(context, 1); + DEBUG(SSSDBG_TRACE_FUNC, "smb_uri: %s\n", smb_uri); - /* Initialize the context using the previously specified options */ - if (smbc_init_context(context) == NULL) { - DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize smbc context\n"); + errno = 0; + file = smbc_getFunctionOpen(smbc_ctx)(smbc_ctx, smb_uri, O_RDONLY, 0755); + if (file == NULL) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionOpen failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + buf = talloc_array(tmp_ctx, uint8_t, SMB_BUFFER_SIZE); + if (buf == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "talloc_array failed.\n"); ret = ENOMEM; goto done; } - /* Tell the compatibility layer to use this context */ - smbc_set_context(context); + errno = 0; + buflen = smbc_getFunctionRead(smbc_ctx)(smbc_ctx, file, buf, SMB_BUFFER_SIZE); + if (buflen < 0) { + ret = errno; + DEBUG(SSSDBG_CRIT_FAILURE, "smbc_getFunctionRead failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_ALL, "smb_buflen: %d\n", buflen); - int remotehandle = smbc_open(smb_uri, O_RDONLY, 0755); - if (remotehandle < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "smbc_open failed\n"); - ret = EPIPE; + ret = gpo_cache_store_file(smb_path, smb_cse_suffix, buf, buflen); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "gpo_cache_store_file failed [%d][%s]\n", + ret, strerror(ret)); goto done; } - buf = talloc_array(tmp_ctx, uint8_t, SMB_BUFFER_SIZE); - buflen = smbc_read(remotehandle, buf, SMB_BUFFER_SIZE); - if(buflen < 0) { - DEBUG(SSSDBG_CRIT_FAILURE, "smbc_read failed\n"); - ret = EPIPE; + done: + talloc_free(tmp_ctx); + return ret; +} + + +/* + * Using its smb_uri components and cached_gpt_version inputs, this function + * does several things: + * - it downloads the GPT_INI file to GPO_CACHE + * - it parses the sysvol_gpt_version field from the GPT_INI file + * - if the sysvol_gpt_version is greater than the cached_gpt_version + * - it downloads the policy file to GPO_CACHE + * - else + * - it doesn't retrieve the policy file + * - in this case, the backend will use the existing policy file in GPO_CACHE + * - it returns the sysvol_gpt_version in the _sysvol_gpt_version output param + * + * Note that if the cached_gpt_version sent by the backend is -1 (to indicate + * that no gpt_version has been set in the cache for the corresponding gpo_guid), + * then the parsed sysvol_gpt_version (which must be at least 0) will be greater + * than the cached_gpt_version, thereby triggering a fresh download. + * + * Note that the backend will later do the following: + * - backend will save the the sysvol_gpt_version to sysdb cache + * - backend will read the policy file from the GPO_CACHE + */ +static errno_t +perform_smb_operations(int cached_gpt_version, + const char *smb_server, + const char *smb_share, + const char *smb_path, + const char *smb_cse_suffix, + int *_sysvol_gpt_version) +{ + SMBCCTX *smbc_ctx; + int ret; + int sysvol_gpt_version; + + smbc_ctx = smbc_new_context(); + if (smbc_ctx == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not allocate new smbc context\n"); + ret = ENOMEM; goto done; } - DEBUG(SSSDBG_CRIT_FAILURE, "buflen: %d\n", buflen); + smbc_setFunctionAuthData(smbc_ctx, sssd_krb_get_auth_data_fn); + smbc_setOptionUseKerberos(smbc_ctx, 1); - smbc_close(remotehandle); + /* Initialize the context using the previously specified options */ + if (smbc_init_context(smbc_ctx) == NULL) { + DEBUG(SSSDBG_CRIT_FAILURE, "Could not initialize smbc context\n"); + ret = ENOMEM; + goto done; + } - ret = store_bytes_in_gpo_cache(unix_path, buf, buflen); + /* download ini file */ + ret = copy_smb_file_to_gpo_cache(smbc_ctx, smb_server, smb_share, smb_path, + GPT_INI); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, - "store_bytes_in_gpo_cache failed [%d][%s]\n", + "copy_smb_file_to_gpo_cache failed [%d][%s]\n", ret, strerror(ret)); goto done; } + ret = ad_gpo_parse_ini_file(smb_path, &sysvol_gpt_version); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "Cannot parse ini file: [%d][%s]\n", ret, strerror(ret)); + goto done; + } + + DEBUG(SSSDBG_TRACE_FUNC, "sysvol_gpt_version: %d\n", sysvol_gpt_version); + + if (sysvol_gpt_version > cached_gpt_version) { + /* download policy file */ + ret = copy_smb_file_to_gpo_cache(smbc_ctx, smb_server, smb_share, + smb_path, smb_cse_suffix); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "copy_smb_file_to_gpo_cache failed [%d][%s]\n", + ret, strerror(ret)); + goto done; + } + } + + *_sysvol_gpt_version = sysvol_gpt_version; + done: - smbc_free_context(context, 0); - talloc_free(tmp_ctx); + smbc_free_context(smbc_ctx, 0); return ret; } @@ -388,6 +656,7 @@ main(int argc, const char *argv[]) poptContext pc; int debug_fd = -1; errno_t ret; + int sysvol_gpt_version; int result; TALLOC_CTX *main_ctx = NULL; uint8_t *buf = NULL; @@ -484,18 +753,22 @@ main(int argc, const char *argv[]) goto fail; } - DEBUG(SSSDBG_TRACE_FUNC, "processing security settings\n"); + DEBUG(SSSDBG_TRACE_FUNC, "performing smb operations\n"); - result = process_security_settings_cse(main_ctx, - ibuf->smb_uri, - ibuf->unix_path); + result = perform_smb_operations(ibuf->cached_gpt_version, + ibuf->smb_server, + ibuf->smb_share, + ibuf->smb_path, + ibuf->smb_cse_suffix, + &sysvol_gpt_version); if (result != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, - "process_security_settings_cse failed.[%d][%s].\n", + "perform_smb_operations failed.[%d][%s].\n", result, strerror(result)); + goto fail; } - ret = prepare_response(main_ctx, result, &resp); + ret = prepare_response(main_ctx, sysvol_gpt_version, result, &resp); if (ret != EOK) { DEBUG(SSSDBG_CRIT_FAILURE, "prepare_response failed. [%d][%s].\n", ret, strerror(ret)); |