winbind: Enforce user group policy when enabled
authorDavid Mulder <dmulder@samba.org>
Fri, 14 Oct 2022 15:00:45 +0000 (09:00 -0600)
committerJeremy Allison <jra@samba.org>
Fri, 21 Oct 2022 18:48:18 +0000 (18:48 +0000)
This only enforces user group policy at logon.
We should also enforce this policy every 90 to
120 minutes, but a logoff will need to cancel the
timer and we cannot have multiple timers if there
are multiple sessions for the same user.

Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184

source3/winbindd/winbindd_gpupdate.c
source3/winbindd/winbindd_pam.c
source3/winbindd/winbindd_proto.h

index ead611fdafdc526f3bd5b454ebb0b2fca37fdfcd..475569ee9b4e918fc67782e367014a9b86a2f920 100644 (file)
@@ -119,6 +119,52 @@ void gpupdate_init(void)
        }
 }
 
+void gpupdate_user_init(const char *user)
+{
+       struct tevent_req *req = NULL;
+       TALLOC_CTX *ctx = talloc_new(global_event_context());
+       struct loadparm_context *lp_ctx =
+               loadparm_init_s3(NULL, loadparm_s3_helpers());
+       const char *const *gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
+       const char *smbconf = lpcfg_configfile(lp_ctx);
+
+       if (ctx == NULL) {
+               DBG_ERR("talloc_new failed\n");
+               return;
+       }
+
+       /*
+        * Check if gpupdate is enabled for winbind, if not
+        * return without applying user policy.
+        */
+       if (!lpcfg_apply_group_policies(lp_ctx)) {
+               return;
+       }
+
+       /*
+        * Execute gpupdate for the user immediately.
+        * TODO: This should be scheduled to reapply every 90 to 120 minutes.
+        * Logoff will need to handle cancelling these events though, and
+        * multiple timers cannot be run for the same user, even if there are
+        * multiple active sessions.
+        */
+       req = samba_runcmd_send(ctx, global_event_context(),
+                               timeval_zero(), 2, 0,
+                               gpupdate_cmd,
+                               "-s",
+                               smbconf,
+                               "--target=User",
+                               "-U",
+                               user,
+                               NULL);
+       if (req == NULL) {
+               DBG_ERR("Failed to execute the gpupdate command\n");
+               return;
+       }
+
+       tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+}
+
 static void gpupdate_cmd_done(struct tevent_req *subreq)
 {
        int sys_errno;
index 9805d90fef0330e6b2c3fb7dc892d880e26255e9..f306bdad0f899f687db4c82dc6a477893a289c50 100644 (file)
@@ -2580,6 +2580,10 @@ done:
            local,
            result);
 
+       if (NT_STATUS_IS_OK(result)) {
+               gpupdate_user_init(r->in.info->username);
+       }
+
        return result;
 }
 
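Review bot: The call on the `gpupdate_user_init(r->in.info->username)` line runs on every successful authentication through this path, with no check that the request is an interactive logon and no throttle, so each repeated authentication for the same user forks a fresh gpupdate process; the commit message already notes that multiple sessions per user cannot be coordinated, so a short comment stating that this is per-authentication rather than per-session, and a guard against back-to-back invocations, would make the cost explicit. It is also worth confirming that `r->in.info->username` here is the name in the form gpupdate's `-U` expects (it is presumably the client-supplied name rather than the canonical account name resolved during authentication). The enclosing function starts outside the hunk.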
index 0da731d564decbd0d2335914b1d9a7ddf47fee0a..bfa114c32916f18593857c418993172b03fe0362 100644 (file)
@@ -987,6 +987,7 @@ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
 
 /* The following definitions come from winbindd/winbindd_gpupdate.c  */
 void gpupdate_init(void);
+void gpupdate_user_init(const char *user);
 
 /* The following comes from winbindd/winbindd_dual_srv.c */
 bool reset_cm_connection_on_error(struct winbindd_domain *domain,