r13316: Let the carnage begin....

Sync with trunk as off r13315 (This used to be commit 17e63ac4ed8325c0d44fe62b2442449f3298559f)
author: Gerald Carter <jerry@samba.org> 2006-02-03 22:19:41 +0000
committer: Gerald (Jerry) Carter <jerry@samba.org> 2007-10-10 11:06:23 -0500
commit: 0af1500fc0bafe61019f1b2ab1d9e1d369221240 (patch)
tree: 653fc2533795458d5f9696402285d9f14e527a21 /source3/libads
parent: 21a30a1346c9f9a25659a0cea0d276d8c2e6ddca (diff)
download: samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.tar.gz
samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.tar.xz
samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.zip
7 files changed, 1611 insertions, 32 deletions
diff --git a/source3/libads/gpo.c b/source3/libads/gpo.c
new file mode 100644
index 00000000000..9cf7aae9770
--- /dev/null
+++ b/source3/libads/gpo.c
@@ -0,0 +1,680 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Group Policy Object Support
+ *  Copyright (C) Guenther Deschner 2005
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+ADS_STATUS ads_parse_gp_ext(TALLOC_CTX *mem_ctx,
+			    const char *extension_raw,
+			    struct GP_EXT *gp_ext)
+{
+	char **ext_list;
+	char **ext_strings;
+	int i;
+
+	DEBUG(20,("ads_parse_gp_ext: %s\n", extension_raw));
+
+	ext_list = str_list_make_talloc(mem_ctx, extension_raw, "]");
+	if (ext_list == NULL) {
+		goto parse_error;
+	}
+
+	for (i = 0; ext_list[i] != NULL; i++) {
+		/* no op */
+	}
+
+	gp_ext->num_exts = i;
+	
+	gp_ext->extensions = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
+	gp_ext->extensions_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
+	gp_ext->snapins = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
+	gp_ext->snapins_guid = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_ext->num_exts);
+
+	gp_ext->gp_extension = talloc_strdup(mem_ctx, extension_raw);
+
+	if (gp_ext->extensions == NULL || gp_ext->extensions_guid == NULL || 
+	    gp_ext->snapins == NULL || gp_ext->snapins_guid == NULL || 
+	    gp_ext->gp_extension == NULL) {
+		goto parse_error;
+	}
+
+	for (i = 0; ext_list[i] != NULL; i++) {
+
+		int k;
+		char *p, *q;
+		
+		DEBUGADD(10,("extension #%d\n", i));
+
+		p = ext_list[i];
+
+		if (p[0] == '[') {
+			p++;
+		}
+
+		ext_strings = str_list_make_talloc(mem_ctx, p, "}");
+		if (ext_strings == NULL) {
+			goto parse_error;
+		}
+
+		for (k = 0; ext_strings[k] != NULL; k++) {
+			/* no op */
+		}
+
+		q = ext_strings[0];
+
+		if (q[0] == '{') {
+			q++;
+		}
+
+		gp_ext->extensions[i] = talloc_strdup(mem_ctx, cse_gpo_guid_string_to_name(q));
+		gp_ext->extensions_guid[i] = talloc_strdup(mem_ctx, q);
+
+		/* we might have no name for the guid */
+		if (gp_ext->extensions_guid[i] == NULL) {
+			goto parse_error;
+		}
+		
+		for (k = 1; ext_strings[k] != NULL; k++) {
+
+			char *m = ext_strings[k];
+
+			if (m[0] == '{') {
+				m++;
+			}
+
+			/* FIXME: theoretically there could be more than one snapin per extension */
+			gp_ext->snapins[i] = talloc_strdup(mem_ctx, cse_snapin_gpo_guid_string_to_name(m));
+			gp_ext->snapins_guid[i] = talloc_strdup(mem_ctx, m);
+
+			/* we might have no name for the guid */
+			if (gp_ext->snapins_guid[i] == NULL) {
+				goto parse_error;
+			}
+		}
+	}
+
+	if (ext_list) {
+		str_list_free_talloc(mem_ctx, &ext_list); 
+	}
+	if (ext_strings) {
+		str_list_free_talloc(mem_ctx, &ext_strings); 
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+
+parse_error:
+	if (ext_list) {
+		str_list_free_talloc(mem_ctx, &ext_list); 
+	}
+	if (ext_strings) {
+		str_list_free_talloc(mem_ctx, &ext_strings); 
+	}
+
+	return ADS_ERROR(LDAP_NO_MEMORY);
+}
+
+ADS_STATUS ads_parse_gplink(TALLOC_CTX *mem_ctx, 
+			    const char *gp_link_raw,
+			    uint32 options,
+			    struct GP_LINK *gp_link)
+{
+	char **link_list;
+	int i;
+	
+	DEBUG(10,("ads_parse_gplink: gPLink: %s\n", gp_link_raw));
+
+	link_list = str_list_make_talloc(mem_ctx, gp_link_raw, "]");
+	if (link_list == NULL) {
+		goto parse_error;
+	}
+
+	for (i = 0; link_list[i] != NULL; i++) {
+		/* no op */
+	}
+
+	gp_link->gp_opts = options;
+	gp_link->num_links = i;
+	
+	gp_link->link_names = TALLOC_ZERO_ARRAY(mem_ctx, char *, gp_link->num_links);
+	gp_link->link_opts = TALLOC_ZERO_ARRAY(mem_ctx, uint32, gp_link->num_links);
+	
+	gp_link->gp_link = talloc_strdup(mem_ctx, gp_link_raw);
+
+	if (gp_link->link_names == NULL || gp_link->link_opts == NULL || gp_link->gp_link == NULL) {
+		goto parse_error;
+	}
+
+	for (i = 0; link_list[i] != NULL; i++) {
+
+		char *p, *q;
+
+		DEBUGADD(10,("ads_parse_gplink: processing link #%d\n", i));
+
+		q = link_list[i];
+		if (q[0] == '[') {
+			q++;
+		};
+
+		p = strchr(q, ';');
+		
+		if (p == NULL) {
+			goto parse_error;
+		}
+
+		gp_link->link_names[i] = talloc_strdup(mem_ctx, q);
+		if (gp_link->link_names[i] == NULL) {
+			goto parse_error;
+		}
+		gp_link->link_names[i][PTR_DIFF(p, q)] = 0;
+
+		gp_link->link_opts[i] = atoi(p + 1);
+
+		DEBUGADD(10,("ads_parse_gplink: link: %s\n", gp_link->link_names[i]));
+		DEBUGADD(10,("ads_parse_gplink: opt: %d\n", gp_link->link_opts[i]));
+
+	}
+
+	if (link_list) {
+		str_list_free_talloc(mem_ctx, &link_list);
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+
+parse_error:
+	if (link_list) {
+		str_list_free_talloc(mem_ctx, &link_list);
+	}
+
+	return ADS_ERROR(LDAP_NO_MEMORY);
+}
+
+ADS_STATUS ads_get_gpo_link(ADS_STRUCT *ads,
+			    TALLOC_CTX *mem_ctx,
+			    const char *link_dn,
+			    struct GP_LINK *gp_link_struct)
+{
+	ADS_STATUS status;
+	const char *attrs[] = {"gPLink", "gPOptions", NULL};
+	void *res = NULL;
+	const char *gp_link;
+	uint32 gp_options;
+
+	ZERO_STRUCTP(gp_link_struct);
+
+	status = ads_search_dn(ads, &res, link_dn, attrs);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(10,("ads_get_gpo_link: search failed with %s\n", ads_errstr(status)));
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		DEBUG(10,("ads_get_gpo_link: no result\n"));
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); 
+	if (gp_link == NULL) {
+		DEBUG(10,("ads_get_gpo_link: no 'gPLink' attribute found\n"));
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);	
+	}
+
+	if (!ads_pull_uint32(ads, res, "gPOptions", &gp_options)) {
+		DEBUG(10,("ads_get_gpo_link: no 'gPOptions' attribute found\n"));
+		gp_options = 0;
+	}
+
+	ads_msgfree(ads, res);
+
+	return ads_parse_gplink(mem_ctx, gp_link, gp_options, gp_link_struct); 
+}
+
+ADS_STATUS ads_add_gpo_link(ADS_STRUCT *ads, 
+			    TALLOC_CTX *mem_ctx, 
+			    const char *link_dn, 
+			    const char *gpo_dn, 
+			    uint32 gpo_opt)
+{
+	ADS_STATUS status;
+	const char *attrs[] = {"gPLink", NULL};
+	void *res = NULL;
+	const char *gp_link, *gp_link_new;
+	ADS_MODLIST mods;
+
+
+	/* although ADS allows to set anything here, we better check here if
+	 * the gpo_dn is sane */
+
+	if (!strnequal(gpo_dn, "LDAP://CN={", strlen("LDAP://CN={")) != 0) {
+		return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);	
+	}
+
+	status = ads_search_dn(ads, &res, link_dn, attrs);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(10,("ads_add_gpo_link: search failed with %s\n", ads_errstr(status)));
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		DEBUG(10,("ads_add_gpo_link: no result\n"));
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); 
+	if (gp_link == NULL) {
+		gp_link_new = talloc_asprintf(mem_ctx, "[%s;%d]", gpo_dn, gpo_opt);
+	} else {
+		gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
+	}
+
+	if (gp_link_new == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	mods = ads_init_mods(mem_ctx);
+	if (mods == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	return ads_gen_mod(ads, link_dn, mods); 
+}
+
+/* untested & broken */
+ADS_STATUS ads_delete_gpo_link(ADS_STRUCT *ads, 
+			       TALLOC_CTX *mem_ctx, 
+			       const char *link_dn, 
+			       const char *gpo_dn)
+{
+	ADS_STATUS status;
+	const char *attrs[] = {"gPLink", NULL};
+	void *res = NULL;
+	const char *gp_link, *gp_link_new = NULL;
+	ADS_MODLIST mods;
+
+	/* check for a sane gpo_dn */
+	if (gpo_dn[0] != '[') {
+		DEBUG(10,("ads_delete_gpo_link: first char not: [\n"));
+		return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+	}
+		
+	if (gpo_dn[strlen(gpo_dn)] != ']') {
+		DEBUG(10,("ads_delete_gpo_link: last char not: ]\n"));
+		return ADS_ERROR(LDAP_INVALID_DN_SYNTAX);
+	}
+
+	status = ads_search_dn(ads, &res, link_dn, attrs);
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(10,("ads_delete_gpo_link: search failed with %s\n", ads_errstr(status)));
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		DEBUG(10,("ads_delete_gpo_link: no result\n"));
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	gp_link = ads_pull_string(ads, mem_ctx, res, "gPLink"); 
+	if (gp_link == NULL) {
+		return ADS_ERROR(LDAP_NO_SUCH_ATTRIBUTE);
+	}
+
+	/* find link to delete */
+//	gp_link_new = talloc_asprintf(mem_ctx, "%s[%s;%d]", gp_link, gpo_dn, gpo_opt);
+
+	if (gp_link_new == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	mods = ads_init_mods(mem_ctx);
+	if (mods == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	status = ads_mod_str(mem_ctx, &mods, "gPLink", gp_link_new);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	return ads_gen_mod(ads, link_dn, mods); 
+}
+
+ADS_STATUS ads_parse_gpo(ADS_STRUCT *ads,
+			 TALLOC_CTX *mem_ctx,
+			 void *res,
+			 const char *gpo_dn,
+			 struct GROUP_POLICY_OBJECT *gpo)
+{
+	ZERO_STRUCTP(gpo);
+
+	if (res == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	if (gpo_dn) {
+		gpo->ds_path = talloc_strdup(mem_ctx, gpo_dn);
+	} else {
+		gpo->ds_path = ads_get_dn(ads, res);
+	}
+	if (gpo->ds_path == NULL) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	if (!ads_pull_uint32(ads, res, "versionNumber", &gpo->version)) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	/* split here for convenience */
+	gpo->version_user = gpo->version >> 16;
+	gpo->version_machine = gpo->version & 0xffff;
+
+	/* sure ??? */
+	if (!ads_pull_uint32(ads, res, "flags", &gpo->options)) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	gpo->file_sys_path = ads_pull_string(ads, mem_ctx, res, "gPCFileSysPath");
+	if (gpo->file_sys_path == NULL) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	gpo->display_name = ads_pull_string(ads, mem_ctx, res, "displayName");
+	if (gpo->display_name == NULL) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	gpo->name = ads_pull_string(ads, mem_ctx, res, "name");
+	if (gpo->name == NULL) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	/* ???, this is optional to have and what does it depend on, the 'flags' ?) */
+	gpo->machine_extensions = ads_pull_string(ads, mem_ctx, res, "gPCMachineExtensionNames");
+	gpo->user_extensions = ads_pull_string(ads, mem_ctx, res, "gPCUserExtensionNames");
+
+	ads_msgfree(ads, res);
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS ads_get_gpo(ADS_STRUCT *ads,
+		       TALLOC_CTX *mem_ctx,
+		       const char *gpo_dn,
+		       const char *display_name,
+		       const char *guid_name,
+		       struct GROUP_POLICY_OBJECT *gpo)
+{
+	ADS_STATUS status;
+	void *res = NULL;
+	char *dn;
+	const char *filter;
+	const char *attrs[] = { "cn", "displayName", "flags", "gPCFileSysPath", 
+				"gPCFunctionalityVersion", "gPCMachineExtensionNames", 
+				"gPCUserExtensionNames", "gPCWQLFilter", "name", 
+				"versionNumber", NULL};
+
+	ZERO_STRUCTP(gpo);
+
+	if (!gpo_dn && !display_name && !guid_name) {
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	if (gpo_dn) {
+	
+		if (strnequal(gpo_dn, "LDAP://", strlen("LDAP://")) != 0) {
+			gpo_dn = gpo_dn + strlen("LDAP://");
+		}
+
+		status = ads_search_dn(ads, &res, gpo_dn, attrs);
+		
+	} else if (display_name || guid_name) {
+
+		filter = talloc_asprintf(mem_ctx, 
+					 "(&(objectclass=groupPolicyContainer)(%s=%s))", 
+					 display_name ? "displayName" : "name",
+					 display_name ? display_name : guid_name);
+		if (filter == NULL) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		status = ads_do_search_all(ads, ads->config.bind_path,
+					   LDAP_SCOPE_SUBTREE, filter, 
+					   attrs, &res);
+	}
+
+	if (!ADS_ERR_OK(status)) {
+		DEBUG(10,("ads_get_gpo: search failed with %s\n", ads_errstr(status)));
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		DEBUG(10,("ads_get_gpo: no result\n"));
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	dn = ads_get_dn(ads, res);
+	if (dn == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+	
+	status = ads_parse_gpo(ads, mem_ctx, res, dn, gpo);
+	
+	ads_memfree(ads, dn);
+
+	return status;
+}
+
+ADS_STATUS add_gplink_to_gpo_list(ADS_STRUCT *ads,
+				  TALLOC_CTX *mem_ctx, 
+				  struct GROUP_POLICY_OBJECT **gpo_list,
+				  const char *link_dn,
+				  struct GP_LINK *gp_link,
+				  enum GPO_LINK_TYPE link_type,
+				  BOOL only_add_forced_gpos)
+{
+	ADS_STATUS status;
+	int i;
+
+	for (i = 0; i < gp_link->num_links; i++) {
+
+		struct GROUP_POLICY_OBJECT *new_gpo = NULL;
+
+		if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
+			DEBUG(10,("skipping disabled GPO\n"));
+			continue;
+		}
+
+		if (only_add_forced_gpos) {
+		
+			if (! (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED)) {
+				DEBUG(10,("skipping nonenforced GPO link because GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
+				continue;
+			} else {
+				DEBUG(10,("adding enforced GPO link although the GPOPTIONS_BLOCK_INHERITANCE has been set\n"));
+			}
+		}
+
+		new_gpo = TALLOC_P(mem_ctx, struct GROUP_POLICY_OBJECT);
+		if (new_gpo == NULL) {
+			return ADS_ERROR(LDAP_NO_MEMORY);
+		}
+
+		ZERO_STRUCTP(new_gpo);
+
+		status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, new_gpo);
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
+
+		new_gpo->link = link_dn;
+		new_gpo->link_type = link_type; 
+
+		DLIST_ADD(*gpo_list, new_gpo);
+
+		DEBUG(10,("add_gplink_to_gplist: added GPLINK #%d %s to GPO list\n", 
+			i, gp_link->link_names[i]));
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS ads_get_gpo_list(ADS_STRUCT *ads, 
+			    TALLOC_CTX *mem_ctx, 
+			    const char *dn,
+			    uint32 flags,
+			    struct GROUP_POLICY_OBJECT **gpo_list)
+{
+	/* (L)ocal (S)ite (D)omain (O)rganizational(U)nit */
+	
+	ADS_STATUS status;
+	struct GP_LINK gp_link;
+	const char *parent_dn, *site_dn, *tmp_dn;
+	BOOL add_only_forced_gpos = False;
+
+	ZERO_STRUCTP(gpo_list);
+
+	DEBUG(10,("ads_get_gpo_list: getting GPO list for [%s]\n", dn));
+
+	/* (L)ocal */
+	/* not yet... */
+	
+	/* (S)ite */
+
+	/* are site GPOs valid for users as well ??? */
+	if (flags & GPO_LIST_FLAG_MACHINE) {
+
+		status = ads_site_dn_for_machine(ads, mem_ctx, ads->config.ldap_server_name, &site_dn);
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
+
+		DEBUG(10,("ads_get_gpo_list: query SITE: [%s] for GPOs\n", site_dn));
+
+		status = ads_get_gpo_link(ads, mem_ctx, site_dn, &gp_link);
+		if (ADS_ERR_OK(status)) {
+		
+			if (DEBUGLEVEL >= 100) {
+				dump_gplink(ads, mem_ctx, &gp_link);
+			}
+			
+			status = add_gplink_to_gpo_list(ads, mem_ctx, gpo_list, 
+							site_dn, &gp_link, GP_LINK_SITE, 
+							add_only_forced_gpos);
+			if (!ADS_ERR_OK(status)) {
+				return status;
+			}
+	
+			if (flags & GPO_LIST_FLAG_SITEONLY) {
+				return ADS_ERROR(LDAP_SUCCESS);
+			}
+	
+			/* inheritance can't be blocked at the site level */
+		}
+	}
+
+	tmp_dn = dn;
+
+	while ( (parent_dn = ads_parent_dn(tmp_dn)) && 
+		(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
+
+		/* (D)omain */
+
+		/* An account can just be a member of one domain */
+		if (strncmp(parent_dn, "DC=", strlen("DC=")) == 0) {
+
+			DEBUG(10,("ads_get_gpo_list: query DC: [%s] for GPOs\n", parent_dn));
+
+			status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
+			if (ADS_ERR_OK(status)) {
+				
+				if (DEBUGLEVEL >= 100) {
+					dump_gplink(ads, mem_ctx, &gp_link);
+				}
+
+				/* block inheritance from now on */
+				if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
+					add_only_forced_gpos = True;
+				}
+
+				status = add_gplink_to_gpo_list(ads, mem_ctx, 
+								gpo_list, parent_dn, 
+								&gp_link, GP_LINK_DOMAIN, 
+								add_only_forced_gpos);
+				if (!ADS_ERR_OK(status)) {
+					return status;
+				}
+			}
+		}
+
+		tmp_dn = parent_dn;
+	}
+
+	/* reset dn again */
+	tmp_dn = dn;
+	
+	while ( (parent_dn = ads_parent_dn(tmp_dn)) && 
+		(!strequal(parent_dn, ads_parent_dn(ads->config.bind_path))) ) {
+
+
+		/* (O)rganizational(U)nit */
+
+		/* An account can be a member of more OUs */
+		if (strncmp(parent_dn, "OU=", strlen("OU=")) == 0) {
+		
+			DEBUG(10,("ads_get_gpo_list: query OU: [%s] for GPOs\n", parent_dn));
+
+			status = ads_get_gpo_link(ads, mem_ctx, parent_dn, &gp_link);
+			if (ADS_ERR_OK(status)) {
+
+				if (DEBUGLEVEL >= 100) {
+					dump_gplink(ads, mem_ctx, &gp_link);
+				}
+
+				/* block inheritance from now on */
+				if (gp_link.gp_opts & GPOPTIONS_BLOCK_INHERITANCE) {
+					add_only_forced_gpos = True;
+				}
+
+				status = add_gplink_to_gpo_list(ads, mem_ctx, 
+								gpo_list, parent_dn, 
+								&gp_link, GP_LINK_OU, 
+								add_only_forced_gpos);
+				if (!ADS_ERR_OK(status)) {
+					return status;
+				}
+			}
+		}
+
+		tmp_dn = parent_dn;
+
+	};
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
diff --git a/source3/libads/gpo_util.c b/source3/libads/gpo_util.c
new file mode 100644
index 00000000000..8f913c19714
--- /dev/null
+++ b/source3/libads/gpo_util.c
@@ -0,0 +1,496 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Group Policy Object Support
+ *  Copyright (C) Guenther Deschner 2005
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#define DEFAULT_DOMAIN_POLICY "Default Domain Policy"
+#define DEFAULT_DOMAIN_CONTROLLERS_POLICY "Default Domain Controllers Policy"
+
+/* should we store a parsed guid ? UUID_FLAT guid; */
+struct gpo_table {
+	const char *name;
+	const char *guid_string;
+};
+
+struct snapin_table {
+	const char *name;
+	const char *guid_string;
+	ADS_STATUS (*snapin_fn)(ADS_STRUCT *, TALLOC_CTX *mem_ctx, const char *, const char *);
+};
+
+static struct gpo_table gpo_default_policy[] = {
+	{ DEFAULT_DOMAIN_POLICY, 
+		"31B2F340-016D-11D2-945F-00C04FB984F9" },
+	{ DEFAULT_DOMAIN_CONTROLLERS_POLICY, 
+		"6AC1786C-016F-11D2-945F-00C04fB984F9" },
+	{ NULL, NULL }
+};
+
+
+/* the following is seen in gPCMachineExtensionNames or gPCUserExtensionNames */
+
+static struct gpo_table gpo_cse_extensions[] = {
+	{ "Administrative Templates Extension", 
+		"35378EAC-683F-11D2-A89A-00C04FBBCFA2" }, /* Registry Policy ? */
+	{ "Microsoft Disc Quota", 
+		"3610EDA5-77EF-11D2-8DC5-00C04FA31A66" },
+	{ "EFS recovery", 
+		"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A" },
+	{ "Folder Redirection", 
+		"25537BA6-77A8-11D2-9B6C-0000F8080861" },
+	{ "IP Security", 
+		"E437BC1C-AA7D-11D2-A382-00C04F991E27" },
+	{ "Internet Explorer Branding", 
+		"A2E30F80-D7DE-11d2-BBDE-00C04F86AE3B" },
+	{ "QoS Packet Scheduler", 
+		"426031c0-0b47-4852-b0ca-ac3d37bfcb39" },
+	{ "Scripts", 
+		"42B5FAAE-6536-11D2-AE5A-0000F87571E3" },
+	{ "Security", 
+		"827D319E-6EAC-11D2-A4EA-00C04F79F83A" },
+	{ "Software Installation", 
+		"C6DC5466-785A-11D2-84D0-00C04FB169F7" },
+	{ "Wireless Group Policy", 
+		"0ACDD40C-75AC-BAA0-BF6DE7E7FE63" },
+	{ NULL, NULL }
+};
+
+/* guess work */
+static struct snapin_table gpo_cse_snapin_extensions[] = {
+	{ "Administrative Templates", 
+		"0F6B957D-509E-11D1-A7CC-0000F87571E3", gpo_snapin_handler_none },
+	{ "Certificates", 
+		"53D6AB1D-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
+	{ "EFS recovery policy processing", 
+		"B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_none },
+	{ "Folder Redirection policy processing", 
+		"25537BA6-77A8-11D2-9B6C-0000F8080861", gpo_snapin_handler_none },
+	{ "Folder Redirection", 
+		"88E729D6-BDC1-11D1-BD2A-00C04FB9603F", gpo_snapin_handler_none },
+	{ "Registry policy processing", 
+		"35378EAC-683F-11D2-A89A-00C04FBBCFA2", gpo_snapin_handler_none },
+	{ "Remote Installation Services", 
+		"3060E8CE-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
+	{ "Security Settings", 
+		"803E14A0-B4FB-11D0-A0D0-00A0C90F574B", gpo_snapin_handler_security_settings },
+	{ "Security policy processing", 
+		"827D319E-6EAC-11D2-A4EA-00C04F79F83A", gpo_snapin_handler_security_settings },
+	{ "unknown", 
+		"3060E8D0-7020-11D2-842D-00C04FA372D4", gpo_snapin_handler_none },
+	{ "unknown2", 
+		"53D6AB1B-2488-11D1-A28C-00C04FB94F17", gpo_snapin_handler_none },
+	{ NULL, NULL, NULL }
+};
+
+static const char *name_to_guid_string(const char *name, struct gpo_table *table)
+{
+	int i;
+
+	for (i = 0; table[i].name; i++) {
+		if (strequal(name, table[i].name)) {
+			return table[i].guid_string;
+		}
+	}
+	
+	return NULL;
+}
+
+static const char *guid_string_to_name(const char *guid_string, struct gpo_table *table)
+{
+	int i;
+
+	for (i = 0; table[i].guid_string; i++) {
+		if (strequal(guid_string, table[i].guid_string)) {
+			return table[i].name;
+		}
+	}
+	
+	return NULL;
+}
+
+static const char *default_gpo_name_to_guid_string(const char *name)
+{
+	return name_to_guid_string(name, gpo_default_policy);
+}
+
+static const char *default_gpo_guid_string_to_name(const char *guid)
+{
+	return guid_string_to_name(guid, gpo_default_policy);
+}
+
+const char *cse_gpo_guid_string_to_name(const char *guid)
+{
+	return guid_string_to_name(guid, gpo_cse_extensions);
+}
+
+static const char *cse_gpo_name_to_guid_string(const char *name)
+{
+	return name_to_guid_string(name, gpo_cse_extensions);
+}
+
+const char *cse_snapin_gpo_guid_string_to_name(const char *guid)
+{
+	return guid_string_to_name(guid, gpo_cse_snapin_extensions);
+}
+
+void dump_gp_ext(struct GP_EXT *gp_ext)
+{
+	int lvl = 10;
+	int i;
+
+	if (gp_ext == NULL) {
+		return;
+	}
+
+	DEBUG(lvl,("---------------------\n\n"));
+	DEBUGADD(lvl,("name:\t\t\t%s\n", gp_ext->gp_extension));
+
+	for (i=0; i< gp_ext->num_exts; i++) {
+
+		DEBUGADD(lvl,("extension:\t\t\t%s\n", gp_ext->extensions_guid[i]));
+		DEBUGADD(lvl,("extension (name):\t\t\t%s\n", gp_ext->extensions[i]));
+		
+		DEBUGADD(lvl,("snapin:\t\t\t%s\n", gp_ext->snapins_guid[i]));
+		DEBUGADD(lvl,("snapin (name):\t\t\t%s\n", gp_ext->snapins[i]));
+	}
+}
+
+void dump_gpo(TALLOC_CTX *mem_ctx, struct GROUP_POLICY_OBJECT *gpo) 
+{
+	int lvl = 1;
+
+	if (gpo == NULL) {
+		return;
+	}
+
+	DEBUG(lvl,("---------------------\n\n"));
+
+	DEBUGADD(lvl,("name:\t\t\t%s\n", gpo->name));
+	DEBUGADD(lvl,("displayname:\t\t%s\n", gpo->display_name));
+	DEBUGADD(lvl,("version:\t\t%d (0x%08x)\n", gpo->version, gpo->version));
+	DEBUGADD(lvl,("version_user:\t\t%d (0x%04x)\n", gpo->version_user, gpo->version_user));
+	DEBUGADD(lvl,("version_machine:\t%d (0x%04x)\n", gpo->version_machine, gpo->version_machine));
+	DEBUGADD(lvl,("filesyspath:\t\t%s\n", gpo->file_sys_path));
+	DEBUGADD(lvl,("dspath:\t\t%s\n", gpo->ds_path));
+
+	DEBUGADD(lvl,("options:\t\t%d ", gpo->options));
+	if (gpo->options & GPFLAGS_USER_SETTINGS_DISABLED) {
+		DEBUGADD(lvl,("GPFLAGS_USER_SETTINGS_DISABLED ")); 
+	}
+	if (gpo->options & GPFLAGS_MACHINE_SETTINGS_DISABLED) {
+		DEBUGADD(lvl,("GPFLAGS_MACHINE_SETTINGS_DISABLED")); 
+	}
+	DEBUGADD(lvl,("\n"));
+
+	DEBUGADD(lvl,("link:\t\t\t%s\n", gpo->link));
+	DEBUGADD(lvl,("link_type:\t\t%d ", gpo->link_type));
+	switch (gpo->link_type) {
+	case GP_LINK_UNKOWN:
+		DEBUGADD(lvl,("GP_LINK_UNKOWN\n"));
+		break;
+	case GP_LINK_OU:
+		DEBUGADD(lvl,("GP_LINK_OU\n"));
+		break;
+	case GP_LINK_DOMAIN:
+		DEBUGADD(lvl,("GP_LINK_DOMAIN\n"));
+		break;
+	case GP_LINK_SITE:
+		DEBUGADD(lvl,("GP_LINK_SITE\n"));
+		break;
+	case GP_LINK_MACHINE:
+		DEBUGADD(lvl,("GP_LINK_MACHINE\n"));
+		break;
+	default:
+		break;
+	}
+
+	if (gpo->machine_extensions) {
+
+		struct GP_EXT gp_ext;
+		ADS_STATUS status;
+
+		DEBUGADD(lvl,("machine_extensions:\t%s\n", gpo->machine_extensions));
+
+		status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
+		if (!ADS_ERR_OK(status)) {
+			return;
+		}
+		dump_gp_ext(&gp_ext);
+	}
+	
+	if (gpo->user_extensions) {
+	
+		struct GP_EXT gp_ext;
+		ADS_STATUS status;
+		
+		DEBUGADD(lvl,("user_extensions:\t%s\n", gpo->user_extensions));
+
+		status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
+		if (!ADS_ERR_OK(status)) {
+			return;
+		}
+		dump_gp_ext(&gp_ext);
+	}
+};
+
+void dump_gplink(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, struct GP_LINK *gp_link)
+{
+	ADS_STATUS status;
+	int i;
+	int lvl = 10;
+
+	if (gp_link == NULL) {
+		return;
+	}
+
+	DEBUG(lvl,("---------------------\n\n"));
+
+	DEBUGADD(lvl,("gplink: %s\n", gp_link->gp_link));
+	DEBUGADD(lvl,("gpopts: %d ", gp_link->gp_opts));
+	switch (gp_link->gp_opts) {
+	case GPOPTIONS_INHERIT:
+		DEBUGADD(lvl,("GPOPTIONS_INHERIT\n"));
+		break;
+	case GPOPTIONS_BLOCK_INHERITANCE:
+		DEBUGADD(lvl,("GPOPTIONS_BLOCK_INHERITANCE\n"));
+		break;
+	default:
+		break;
+	}
+
+	DEBUGADD(lvl,("num links: %d\n", gp_link->num_links));
+
+	for (i = 0; i < gp_link->num_links; i++) {
+	
+		DEBUGADD(lvl,("---------------------\n\n"));
+	
+		DEBUGADD(lvl,("link: #%d\n", i + 1));
+		DEBUGADD(lvl,("name: %s\n", gp_link->link_names[i]));
+
+		DEBUGADD(lvl,("opt: %d ", gp_link->link_opts[i]));
+		if (gp_link->link_opts[i] & GPO_LINK_OPT_ENFORCED) {
+			DEBUGADD(lvl,("GPO_LINK_OPT_ENFORCED "));
+		}
+		if (gp_link->link_opts[i] & GPO_LINK_OPT_DISABLED) {
+			DEBUGADD(lvl,("GPO_LINK_OPT_DISABLED"));
+		}
+		DEBUGADD(lvl,("\n"));
+
+		if (ads != NULL && mem_ctx != NULL) {
+
+			struct GROUP_POLICY_OBJECT gpo;
+
+			status = ads_get_gpo(ads, mem_ctx, gp_link->link_names[i], NULL, NULL, &gpo);
+			if (!ADS_ERR_OK(status)) {
+				DEBUG(lvl,("get gpo for %s failed: %s\n", gp_link->link_names[i], ads_errstr(status)));
+				return;
+			}
+			dump_gpo(mem_ctx, &gpo);
+		}
+	}
+}
+
+ADS_STATUS process_extension_with_snapin(ADS_STRUCT *ads,
+					 TALLOC_CTX *mem_ctx,
+					 const char *extension_guid,
+					 const char *snapin_guid)
+{
+	int i;
+
+	for (i=0; gpo_cse_snapin_extensions[i].guid_string; i++) {
+	
+		if (strcmp(gpo_cse_snapin_extensions[i].guid_string, snapin_guid) == 0) {
+		
+			return gpo_cse_snapin_extensions[i].snapin_fn(ads, mem_ctx, 
+								      extension_guid, snapin_guid);
+		}
+	}
+
+	DEBUG(10,("process_extension_with_snapin: no snapin handler for extension %s (%s) found\n", 
+		extension_guid, snapin_guid));
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS gpo_process_a_gpo(ADS_STRUCT *ads,
+			     TALLOC_CTX *mem_ctx,
+			     struct GROUP_POLICY_OBJECT *gpo,
+			     const char *extension_guid,
+			     uint32 flags)
+{
+	ADS_STATUS status;
+	struct GP_EXT gp_ext;
+	int i;
+	
+	if (flags & GPO_LIST_FLAG_MACHINE) {
+
+		if (gpo->machine_extensions) {
+
+			status = ads_parse_gp_ext(mem_ctx, gpo->machine_extensions, &gp_ext);
+
+			if (!ADS_ERR_OK(status)) {
+				return status;
+			}
+
+		} else {
+			/* nothing to apply */
+			return ADS_ERROR(LDAP_SUCCESS);
+		}
+	
+	} else {
+
+		if (gpo->user_extensions) {
+		
+			status = ads_parse_gp_ext(mem_ctx, gpo->user_extensions, &gp_ext);
+
+			if (!ADS_ERR_OK(status)) {
+				return status;
+			}
+		} else {
+			/* nothing to apply */
+			return ADS_ERROR(LDAP_SUCCESS);
+		}
+	}
+
+	for (i=0; i<gp_ext.num_exts; i++) {
+
+		if (extension_guid && !strequal(extension_guid, gp_ext.extensions_guid[i])) {
+			continue;
+		}
+
+		status = process_extension_with_snapin(ads, mem_ctx, gp_ext.extensions_guid[i], 
+						       gp_ext.snapins_guid[i]);
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS gpo_process_gpo_list(ADS_STRUCT *ads,
+				TALLOC_CTX *mem_ctx,
+				struct GROUP_POLICY_OBJECT **gpo_list,
+				const char *extensions_guid,
+				uint32 flags)
+{
+	ADS_STATUS status;
+	struct GROUP_POLICY_OBJECT *gpo = *gpo_list;
+
+	for (gpo = *gpo_list; gpo; gpo = gpo->next) {
+	
+		status = gpo_process_a_gpo(ads, mem_ctx, gpo, 
+					   extensions_guid, flags);
+	
+		if (!ADS_ERR_OK(status)) {
+			return status;
+		}
+
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS gpo_snapin_handler_none(ADS_STRUCT *ads, 
+				   TALLOC_CTX *mem_ctx, 
+				   const char *extension_guid, 
+				   const char *snapin_guid)
+{
+	DEBUG(10,("gpo_snapin_handler_none\n"));
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS gpo_snapin_handler_security_settings(ADS_STRUCT *ads, 
+						TALLOC_CTX *mem_ctx, 
+						const char *extension_guid, 
+						const char *snapin_guid)
+{
+	DEBUG(10,("gpo_snapin_handler_security_settings\n"));
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
+
+ADS_STATUS gpo_lockout_policy(ADS_STRUCT *ads,
+			      TALLOC_CTX *mem_ctx,
+			      const char *hostname,
+			      SAM_UNK_INFO_12 *lockout_policy)
+{
+	return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
+}
+
+ADS_STATUS gpo_password_policy(ADS_STRUCT *ads,
+			       TALLOC_CTX *mem_ctx,
+			       const char *hostname,
+			       SAM_UNK_INFO_1 *password_policy)
+{
+	ADS_STATUS status;
+	struct GROUP_POLICY_OBJECT *gpo_list;
+	const char *attrs[] = {"distinguishedName", "userAccountControl", NULL};
+	char *filter, *dn;
+	void *res = NULL;
+	uint32 uac;
+
+	return ADS_ERROR_NT(NT_STATUS_NOT_IMPLEMENTED);
+
+	filter = talloc_asprintf(mem_ctx, "(&(objectclass=user)(sAMAccountName=%s))", hostname);
+	if (filter == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	status = ads_do_search_all(ads, ads->config.bind_path,
+				   LDAP_SCOPE_SUBTREE,
+				   filter, attrs, &res);
+	
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	dn = ads_get_dn(ads, res);
+	if (dn == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	if (!ads_pull_uint32(ads, res, "userAccountControl", &uac)) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	if (!(uac & UF_WORKSTATION_TRUST_ACCOUNT)) {
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	status = ads_get_gpo_list(ads, mem_ctx, dn, GPO_LIST_FLAG_MACHINE, &gpo_list);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	status = gpo_process_gpo_list(ads, mem_ctx, &gpo_list, 
+				      cse_gpo_name_to_guid_string("Security"), 
+				      GPO_LIST_FLAG_MACHINE); 
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	return ADS_ERROR(LDAP_SUCCESS);
+}
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index d5b4b11fa24..67f84337757 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -62,13 +62,17 @@ int kerberos_kinit_password(const char *principal,
 				const char *password,
 				int time_offset,
 				time_t *expire_time,
-				const char *cache_name)
+				time_t *renew_till_time,
+				const char *cache_name,
+				BOOL request_pac,
+				time_t renewable_time)
 {
 	krb5_context ctx = NULL;
 	krb5_error_code code = 0;
 	krb5_ccache cc = NULL;
 	krb5_principal me;
 	krb5_creds my_creds;
+	krb5_get_init_creds_opt opt;
 
 	initialize_krb5_error_table();
 	if ((code = krb5_init_context(&ctx)))
@@ -77,9 +81,11 @@ int kerberos_kinit_password(const char *principal,
 	if (time_offset != 0) {
 		krb5_set_real_time(ctx, time(NULL) + time_offset, 0);
 	}
-	
-	if ((code = krb5_cc_resolve(ctx, cache_name ?
-			cache_name : krb5_cc_default_name(ctx), &cc))) {
+
+	DEBUG(10,("kerberos_kinit_password: using %s as ccache\n",
+			cache_name ? cache_name: krb5_cc_default_name(ctx)));
+
+	if ((code = krb5_cc_resolve(ctx, cache_name ? cache_name : krb5_cc_default_name(ctx), &cc))) {
 		krb5_free_context(ctx);
 		return code;
 	}
@@ -88,10 +94,20 @@ int kerberos_kinit_password(const char *principal,
 		krb5_free_context(ctx);	
 		return code;
 	}
+
+	krb5_get_init_creds_opt_init(&opt);
+	krb5_get_init_creds_opt_set_renew_life(&opt, renewable_time);
+	krb5_get_init_creds_opt_set_forwardable(&opt, 1);
 	
+	if (request_pac) {
+#ifdef HAVE_KRB5_GET_INIT_CREDS_OPT_SET_PAC_REQUEST
+		krb5_get_init_creds_opt_set_pac_request(ctx, &opt, True);
+#endif
+	}
+
 	if ((code = krb5_get_init_creds_password(ctx, &my_creds, me, CONST_DISCARD(char *,password), 
 						 kerb_prompter, 
-						 NULL, 0, NULL, NULL))) {
+						 NULL, 0, NULL, &opt))) {
 		krb5_free_principal(ctx, me);
 		krb5_free_context(ctx);		
 		return code;
@@ -111,9 +127,14 @@ int kerberos_kinit_password(const char *principal,
 		krb5_free_context(ctx);		
 		return code;
 	}
-	
-	if (expire_time)
+
+	if (expire_time) {
 		*expire_time = (time_t) my_creds.times.endtime;
+	}
+
+	if (renew_till_time) {
+		*renew_till_time = (time_t) my_creds.times.renew_till;
+	}
 
 	krb5_cc_close(ctx, cc);
 	krb5_free_cred_contents(ctx, &my_creds);
@@ -157,7 +178,7 @@ int ads_kinit_password(ADS_STRUCT *ads)
 	}
 	
 	ret = kerberos_kinit_password(s, ads->auth.password, ads->auth.time_offset,
-			&ads->auth.expire, NULL);
+			&ads->auth.expire, NULL, NULL, False, ads->auth.renewable);
 
 	if (ret) {
 		DEBUG(0,("kerberos_kinit_password %s failed: %s\n", 
@@ -349,7 +370,8 @@ static krb5_error_code get_service_ticket(krb5_context ctx,
 	if (password == NULL) {
 		goto out;
 	}
-	if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, LIBADS_CCACHE_NAME)) != 0) {
+	if ((err = kerberos_kinit_password(machine_account, password, 0, NULL, NULL, 
+					   LIBADS_CCACHE_NAME, False, 0)) != 0) {
 		DEBUG(0,("get_service_ticket: kerberos_kinit_password %s@%s failed: %s\n", 
 			machine_account,
 			lp_realm(),
diff --git a/source3/libads/krb5_errs.c b/source3/libads/krb5_errs.c
new file mode 100644
index 00000000000..cd227d4377c
--- /dev/null
+++ b/source3/libads/krb5_errs.c
@@ -0,0 +1,132 @@
+/* 
+ *  Unix SMB/CIFS implementation.
+ *  Kerberos error mapping functions
+ *  Copyright (C) Guenther Deschner 2005
+ *  
+ *  This program is free software; you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation; either version 2 of the License, or
+ *  (at your option) any later version.
+ *  
+ *  This program is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *  
+ *  You should have received a copy of the GNU General Public License
+ *  along with this program; if not, write to the Free Software
+ *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+ */
+
+#include "includes.h"
+
+#ifdef HAVE_KRB5
+
+static const struct {
+	int krb5_code;
+	NTSTATUS ntstatus;
+} krb5_to_nt_status_map[] = {
+	{KRB5_CC_IO, NT_STATUS_UNEXPECTED_IO_ERROR},
+	{KRB5KDC_ERR_BADOPTION, NT_STATUS_INVALID_PARAMETER},
+	{KRB5KDC_ERR_CLIENT_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
+	{KRB5KDC_ERR_ETYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
+#if defined(KRB5KDC_ERR_KEY_EXPIRED) /* Heimdal */
+	{KRB5KDC_ERR_KEY_EXPIRED, NT_STATUS_PASSWORD_EXPIRED},
+#elif defined(KRB5KDC_ERR_KEY_EXP) /* MIT */
+	{KRB5KDC_ERR_KEY_EXP, NT_STATUS_PASSWORD_EXPIRED},
+#else 
+#error Neither KRB5KDC_ERR_KEY_EXPIRED nor KRB5KDC_ERR_KEY_EXP available
+#endif
+	{25, NT_STATUS_PASSWORD_EXPIRED}, /* FIXME: bug in heimdal 0.7 krb5_get_init_creds_password (Inappropriate ioctl for device (25)) */
+	{KRB5KDC_ERR_NULL_KEY, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_POLICY, NT_STATUS_PASSWORD_RESTRICTION},
+	{KRB5KDC_ERR_PREAUTH_FAILED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_SERVICE_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, NT_STATUS_INVALID_ACCOUNT_NAME},
+	{KRB5KDC_ERR_SUMTYPE_NOSUPP, NT_STATUS_LOGON_FAILURE},
+	{KRB5KDC_ERR_TGT_REVOKED, NT_STATUS_ACCESS_DENIED},
+	{KRB5_KDC_UNREACH, NT_STATUS_NO_LOGON_SERVERS},
+	{KRB5KRB_AP_ERR_BAD_INTEGRITY, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_AP_ERR_MODIFIED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_AP_ERR_SKEW, NT_STATUS_TIME_DIFFERENCE_AT_DC},
+	{KRB5KRB_AP_ERR_TKT_EXPIRED, NT_STATUS_LOGON_FAILURE},
+	{KRB5KRB_ERR_GENERIC, NT_STATUS_UNSUCCESSFUL},
+	{KRB5KRB_ERR_RESPONSE_TOO_BIG, NT_STATUS_PROTOCOL_UNREACHABLE},
+	{0, NT_STATUS_OK}
+};
+
+static const struct {
+	NTSTATUS ntstatus;
+	int krb5_code;
+} nt_status_to_krb5_map[] = {
+	{NT_STATUS_LOGON_FAILURE, KRB5KDC_ERR_PREAUTH_FAILED},
+	{NT_STATUS_NO_LOGON_SERVERS, KRB5_KDC_UNREACH},
+	{NT_STATUS_OK, 0}
+};
+
+/*****************************************************************************
+convert a KRB5 error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS krb5_to_nt_status(int kerberos_error)
+{
+	int i;
+	
+	if (kerberos_error == 0) {
+		return NT_STATUS_OK;
+	}
+	
+	for (i=0; NT_STATUS_V(krb5_to_nt_status_map[i].ntstatus); i++) {
+		if (kerberos_error == krb5_to_nt_status_map[i].krb5_code)
+			return krb5_to_nt_status_map[i].ntstatus;
+	}
+
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*****************************************************************************
+convert an NT status32 code to a KRB5 error
+ *****************************************************************************/
+int nt_status_to_krb5(NTSTATUS nt_status)
+{
+	int i;
+	
+	if NT_STATUS_IS_OK(nt_status) {
+		return 0;
+	}
+	
+	for (i=0; NT_STATUS_V(nt_status_to_krb5_map[i].ntstatus); i++) {
+		if (NT_STATUS_EQUAL(nt_status,nt_status_to_krb5_map[i].ntstatus))
+			return nt_status_to_krb5_map[i].krb5_code;
+	}
+
+	return KRB5KRB_ERR_GENERIC;
+}
+
+#else 
+
+/*****************************************************************************
+convert a KRB5 error to a NT status32 code
+ *****************************************************************************/
+NTSTATUS krb5_to_nt_status(int kerberos_error)
+{
+	if (kerberos_error == 0) {
+		return NT_STATUS_OK;
+	}
+	
+	return NT_STATUS_UNSUCCESSFUL;
+}
+
+/*****************************************************************************
+convert an NT status32 code to a KRB5 error
+ *****************************************************************************/
+int nt_status_to_krb5(NTSTATUS nt_status)
+{
+	if (NT_STATUS_EQUAL(nt_status, NT_STATUS_OK)) {
+		return 0;
+	}
+	return -1; /* FIXME: what to return here ? */
+}
+
+#endif
+
diff --git a/source3/libads/krb5_setpw.c b/source3/libads/krb5_setpw.c
index 31d0a02cad0..6ffd218e966 100644
--- a/source3/libads/krb5_setpw.c
+++ b/source3/libads/krb5_setpw.c
@@ -24,9 +24,17 @@
 #ifdef HAVE_KRB5
 
 #define DEFAULT_KPASSWD_PORT	464
+
 #define KRB5_KPASSWD_VERS_CHANGEPW		1
+
 #define KRB5_KPASSWD_VERS_SETPW			0xff80
 #define KRB5_KPASSWD_VERS_SETPW_ALT		2
+
+#define KRB5_KPASSWD_SUCCESS			0
+#define KRB5_KPASSWD_MALFORMED			1
+#define KRB5_KPASSWD_HARDERROR			2
+#define KRB5_KPASSWD_AUTHERROR			3
+#define KRB5_KPASSWD_SOFTERROR			4
 #define KRB5_KPASSWD_ACCESSDENIED		5
 #define KRB5_KPASSWD_BAD_VERSION		6
 #define KRB5_KPASSWD_INITIAL_FLAG_NEEDED	7
@@ -213,6 +221,25 @@ static krb5_error_code setpw_result_code_string(krb5_context context,
         return (0);
 }
 
+ krb5_error_code kpasswd_err_to_krb5_err(krb5_error_code res_code) 
+{
+	switch(res_code) {
+		case KRB5_KPASSWD_ACCESSDENIED:
+			return KRB5KDC_ERR_BADOPTION;
+		case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
+			return KRB5KDC_ERR_BADOPTION;
+			/* return KV5M_ALT_METHOD; MIT-only define */
+		case KRB5_KPASSWD_ETYPE_NOSUPP:
+			return KRB5KDC_ERR_ETYPE_NOSUPP;
+		case KRB5_KPASSWD_BAD_PRINCIPAL:
+			return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
+		case KRB5_KPASSWD_POLICY_REJECT:
+		case KRB5_KPASSWD_SOFTERROR:
+			return KRB5KDC_ERR_POLICY;
+		default:
+			return KRB5KRB_ERR_GENERIC;
+	}
+}
 static krb5_error_code parse_setpw_reply(krb5_context context, 
 					 krb5_auth_context auth_context,
 					 krb5_data *packet)
@@ -312,23 +339,9 @@ static krb5_error_code parse_setpw_reply(krb5_context context,
 	else {
 		const char *errstr;
 		setpw_result_code_string(context, res_code, &errstr);
-		DEBUG(1, ("Error changing password: %s\n", errstr));
-
-		switch(res_code) {
-			case KRB5_KPASSWD_ACCESSDENIED:
-				return KRB5KDC_ERR_BADOPTION;
-			case KRB5_KPASSWD_INITIAL_FLAG_NEEDED:
-				return KRB5KDC_ERR_BADOPTION;
-				/* return KV5M_ALT_METHOD; MIT-only define */
-			case KRB5_KPASSWD_ETYPE_NOSUPP:
-				return KRB5KDC_ERR_ETYPE_NOSUPP;
-			case KRB5_KPASSWD_BAD_PRINCIPAL:
-				return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN;
-			case KRB5_KPASSWD_POLICY_REJECT:
-				return KRB5KDC_ERR_POLICY;
-			default:
-				return KRB5KRB_ERR_GENERIC;
-		}
+		DEBUG(1, ("Error changing password: %s (%d)\n", errstr, res_code));
+
+		return kpasswd_err_to_krb5_err(res_code);
 	}
 }
 
@@ -664,7 +677,7 @@ ADS_STATUS kerberos_set_password(const char *kpasswd_server,
 {
     int ret;
 
-    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL))) {
+    if ((ret = kerberos_kinit_password(auth_principal, auth_password, time_offset, NULL, NULL, NULL, False, 0))) {
 	DEBUG(1,("Failed kinit for principal %s (%s)\n", auth_principal, error_message(ret)));
 	return ADS_ERROR_KRB5(ret);
     }
diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index e503da62a47..8444989bac3 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -4,6 +4,7 @@
    Copyright (C) Andrew Tridgell 2001
    Copyright (C) Remus Koos 2001
    Copyright (C) Jim McDonough <jmcd@us.ibm.com> 2002
+   Copyright (C) Guenther Deschner 2005
    
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -808,6 +809,65 @@ char *ads_get_dn(ADS_STRUCT *ads, void *msg)
 }
 
 /**
+ * Get a canonical dn from search results
+ * @param ads connection to ads server
+ * @param msg Search result
+ * @return dn string
+ **/
+char *ads_get_dn_canonical(ADS_STRUCT *ads, void *msg)
+{
+#ifdef HAVE_LDAP_DN2AD_CANONICAL
+	return ldap_dn2ad_canonical(ads_get_dn(ads, msg));
+#else
+	return NULL;
+#endif
+}
+
+
+/**
+ * Get the parent dn from a search result
+ * @param ads connection to ads server
+ * @param msg Search result
+ * @return parent dn string
+ **/
+char *ads_get_parent_dn(ADS_STRUCT *ads, void *msg)
+{
+	char *mydn, *p, *dn;
+
+	dn = ads_get_dn(ads, msg);
+	if (dn == NULL) {
+		return NULL;
+	}
+
+	mydn = dn;
+	ads_memfree(ads, dn);
+	
+	p = strchr(mydn, ',');
+
+	if (p == NULL) {
+		return NULL;
+	}
+
+	return p+1;
+}
+
+/**
+ * Get the parent from a dn
+ * @param dn the dn to return the parent from
+ * @return parent dn string
+ **/
+char *ads_parent_dn(const char *dn)
+{
+	char *p = strchr(dn, ',');
+
+	if (p == NULL) {
+		return NULL;
+	}
+
+	return p+1;
+}
+
+/**
  * Find a machine account given a hostname
  * @param ads connection to ads server
  * @param res ** which will contain results - free res* with ads_msgfree()
@@ -2700,4 +2760,167 @@ ADS_STATUS ads_workgroup_name(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *
 	return ADS_SUCCESS;
 }
 
+/**
+ * find our site name 
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char **site_name)
+{
+	ADS_STATUS status;
+	void *res;
+	const char *dn, *service_name;
+	const char *attrs[] = { "dsServiceName", NULL };
+
+	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	service_name = ads_pull_string(ads, mem_ctx, res, "dsServiceName");
+	if (service_name == NULL) {
+		return ADS_ERROR(LDAP_NO_RESULTS_RETURNED);
+	}
+
+	/* go up three levels */
+	dn = ads_parent_dn(ads_parent_dn(ads_parent_dn(service_name)));
+	if (dn == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	*site_name = talloc_strdup(mem_ctx, dn);
+	if (*site_name == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	ads_msgfree(ads, res);
+
+	return status;
+	/*
+	dsServiceName: CN=NTDS Settings,CN=W2K3DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ber,DC=suse,DC=de
+	*/						 
+}
+
+/**
+ * find the site dn where a machine resides
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param computer_name name of the machine
+ * @param site_name Pointer to the sitename
+ * @return status of search
+ **/
+ADS_STATUS ads_site_dn_for_machine(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, const char *computer_name, const char **site_dn)
+{
+	ADS_STATUS status;
+	void *res;
+	const char *parent, *config_context, *filter;
+	const char *attrs[] = { "configurationNamingContext", NULL };
+	char *dn;
+
+	/* shortcut a query */
+	if (strequal(computer_name, ads->config.ldap_server_name)) {
+		return ads_site_dn(ads, mem_ctx, site_dn);
+	}
+
+	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
+	if (config_context == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	filter = talloc_asprintf(mem_ctx, "(cn=%s)", computer_name);
+	if (filter == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	status = ads_do_search(ads, config_context, LDAP_SCOPE_SUBTREE, filter, NULL, &res);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	dn = ads_get_dn(ads, res);
+	if (dn == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	/* go up three levels */
+	parent = ads_parent_dn(ads_parent_dn(ads_parent_dn(dn)));
+	if (parent == NULL) {
+		ads_memfree(ads, dn);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	*site_dn = talloc_strdup(mem_ctx, parent);
+	if (*site_dn == NULL) {
+		ads_memfree(ads, dn);
+		ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	ads_memfree(ads, dn);
+	ads_msgfree(ads, res);
+
+	return status;
+}
+
+/**
+ * get the upn suffixes for a domain
+ * @param ads connection to ads server
+ * @param mem_ctx Pointer to talloc context
+ * @param suffixes Pointer to an array of suffixes
+ * @param site_name Pointer to the number of suffixes
+ * @return status of search
+ **/
+ADS_STATUS ads_upn_suffixes(ADS_STRUCT *ads, TALLOC_CTX *mem_ctx, char **suffixes, size_t *num_suffixes)
+{
+	ADS_STATUS status;
+	void *res;
+	const char *config_context, *base;
+	const char *attrs[] = { "configurationNamingContext", NULL };
+	const char *attrs2[] = { "uPNSuffixes", NULL };
+
+	status = ads_do_search(ads, "", LDAP_SCOPE_BASE, "(objectclass=*)", attrs, &res);
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	config_context = ads_pull_string(ads, mem_ctx, res, "configurationNamingContext");
+	if (config_context == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	base = talloc_asprintf(mem_ctx, "cn=Partitions,%s", config_context);
+	if (base == NULL) {
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	status = ads_search_dn(ads, &res, base, attrs2); 
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
+	if (ads_count_replies(ads, res) != 1) {
+		return ADS_ERROR(LDAP_NO_SUCH_OBJECT);
+	}
+
+	suffixes = ads_pull_strings(ads, mem_ctx, &res, "uPNSuffixes", num_suffixes);
+	if (suffixes == NULL) {
+		ads_msgfree(ads, res);
+		return ADS_ERROR(LDAP_NO_MEMORY);
+	}
+
+	ads_msgfree(ads, res);
+
+	return status;
+}
+
 #endif
diff --git a/source3/libads/sasl.c b/source3/libads/sasl.c
index f6adfb51086..d8d33a924f2 100644
--- a/source3/libads/sasl.c
+++ b/source3/libads/sasl.c
@@ -294,16 +294,28 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 	/* we need to fetch a service ticket as the ldap user in the
 	   servers realm, regardless of our realm */
 	asprintf(&sname, "ldap/%s@%s", ads->config.ldap_server_name, ads->config.realm);
-	krb5_init_context(&ctx);
-	krb5_set_default_tgs_ktypes(ctx, enc_types);
-	krb5_parse_name(ctx, sname, &principal);
+
+	initialize_krb5_error_table();
+	status = ADS_ERROR_KRB5(krb5_init_context(&ctx));
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+	status = ADS_ERROR_KRB5(krb5_set_default_tgs_ktypes(ctx, enc_types));
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+	status = ADS_ERROR_KRB5(krb5_parse_name(ctx, sname, &principal));
+	if (!ADS_ERR_OK(status)) {
+		return status;
+	}
+
 	free(sname);
 	krb5_free_context(ctx);	
 
 	input_name.value = &principal;
 	input_name.length = sizeof(principal);
 
-	gss_rc = gss_import_name(&minor_status,&input_name,&nt_principal, &serv_name);
+	gss_rc = gss_import_name(&minor_status, &input_name, &nt_principal, &serv_name);
 	if (gss_rc) {
 		return ADS_ERROR_GSS(gss_rc, minor_status);
 	}
@@ -375,8 +387,9 @@ static ADS_STATUS ads_sasl_gssapi_bind(ADS_STRUCT *ads)
 
 	p = (uint8 *)output_token.value;
 
+#if 0
 	file_save("sasl_gssapi.dat", output_token.value, output_token.length);
-
+#endif
 	max_msg_size = (p[1]<<16) | (p[2]<<8) | p[3];
 	sec_layer = *p;
author	Gerald Carter <jerry@samba.org>	2006-02-03 22:19:41 +0000
committer	Gerald (Jerry) Carter <jerry@samba.org>	2007-10-10 11:06:23 -0500
commit	0af1500fc0bafe61019f1b2ab1d9e1d369221240 (patch)
tree	653fc2533795458d5f9696402285d9f14e527a21 /source3/libads
parent	21a30a1346c9f9a25659a0cea0d276d8c2e6ddca (diff)
download	samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.tar.gz samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.tar.xz samba-0af1500fc0bafe61019f1b2ab1d9e1d369221240.zip