From: David Mulder Date: Fri, 14 Oct 2022 15:00:45 +0000 (-0600) Subject: winbind: Enforce user group policy when enabled X-Git-Tag: talloc-2.4.0~673 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=284afec29ff5a97612aa5950e08ac8104997a596;p=thirdparty%2Fsamba.git winbind: Enforce user group policy when enabled This only enforces user group policy at logon. We should also enforce this policy every 90 to 120 minutes, but a logoff will need to cancel the timer and we cannot have multiple timers if there are multiple sessions for the same user. Signed-off-by: David Mulder Reviewed-by: Jeremy Allison Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Fri Oct 21 18:48:18 UTC 2022 on sn-devel-184
---
diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c
index ead611fdafd..475569ee9b4 100644
--- a/source3/winbindd/winbindd_gpupdate.c
+++ b/source3/winbindd/winbindd_gpupdate.c
@@ -119,6 +119,52 @@ void gpupdate_init(void)
 }
 }
 
+void gpupdate_user_init(const char *user)
+{
+ struct tevent_req *req = NULL;
+ TALLOC_CTX *ctx = talloc_new(global_event_context());
+ struct loadparm_context *lp_ctx =
+ loadparm_init_s3(NULL, loadparm_s3_helpers());
+ const char *const *gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
+ const char *smbconf = lpcfg_configfile(lp_ctx);
+
+ if (ctx == NULL) {
+ DBG_ERR("talloc_new failed\n");
+ return;
+ }
+
+ /*
+ * Check if gpupdate is enabled for winbind, if not
+ * return without applying user policy.
+ */
+ if (!lpcfg_apply_group_policies(lp_ctx)) {
+ return;
+ }
+
+ /*
+ * Execute gpupdate for the user immediately.
+ * TODO: This should be scheduled to reapply every 90 to 120 minutes.
+ * Logoff will need to handle cancelling these events though, and
+ * multiple timers cannot be run for the same user, even if there are
+ * multiple active sessions.
+ */
+ req = samba_runcmd_send(ctx, global_event_context(),
+ timeval_zero(), 2, 0,
+ gpupdate_cmd,
+ "-s",
+ smbconf,
+ "--target=User",
+ "-U",
+ user,
+ NULL);
+ if (req == NULL) {
+ DBG_ERR("Failed to execute the gpupdate command\n");
+ return;
+ }
+
+ tevent_req_set_callback(req, gpupdate_cmd_done, NULL);
+}
+
 static void gpupdate_cmd_done(struct tevent_req *subreq)
 {
 int sys_errno;
diff --git a/source3/winbindd/winbindd_pam.c b/source3/winbindd/winbindd_pam.c
index 9805d90fef0..f306bdad0f8 100644
--- a/source3/winbindd/winbindd_pam.c
+++ b/source3/winbindd/winbindd_pam.c
@@ -2580,6 +2580,10 @@ done:
 local,
 result);
 
+ if (NT_STATUS_IS_OK(result)) {
+ gpupdate_user_init(r->in.info->username);
+ }
+
 return result;
 }
 
diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h
index 0da731d564d..bfa114c3291 100644
--- a/source3/winbindd/winbindd_proto.h
+++ b/source3/winbindd/winbindd_proto.h
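Review bot: Every early return in gpupdate_user_init leaves `ctx` unreleased, the loadparm context is created with a NULL parent by `loadparm_init_s3(NULL, ...)` and is never freed either, and the success path registers gpupdate_cmd_done with `NULL` private data, so nothing visible here frees `ctx` once the command finishes — unless gpupdate_cmd_done (its body lies outside the hunk) frees the parent of subreq, winbindd accumulates one talloc context and one loadparm context per logon. The `ctx == NULL` check is also placed after `lpcfg_gpo_update_command(lp_ctx)` and `lpcfg_configfile(lp_ctx)` have already run, and `lp_ctx` is never checked for NULL at all. Allocate lp_ctx under ctx, check both, and `TALLOC_FREE(ctx)` on every early return; passing ctx as the callback's private data, with gpupdate_cmd_done freeing `tevent_req_callback_data_void(subreq)` (a change outside this hunk, and it must stay NULL-safe for gpupdate_init's caller), would close the success path too. Separately, nothing coalesces runs for the same user, so a burst of successful logons forks one gpupdate process per authentication; tracking an in-flight request per user is worth doing before the periodic timer in the TODO.
```c
void gpupdate_user_init(const char *user)
{
	struct tevent_req *req = NULL;
	TALLOC_CTX *ctx = talloc_new(global_event_context());
	struct loadparm_context *lp_ctx = NULL;
	const char *const *gpupdate_cmd = NULL;
	const char *smbconf = NULL;

	if (ctx == NULL) {
		DBG_ERR("talloc_new failed\n");
		return;
	}

	/* Parent lp_ctx on ctx so both go away together. */
	lp_ctx = loadparm_init_s3(ctx, loadparm_s3_helpers());
	if (lp_ctx == NULL) {
		DBG_ERR("loadparm_init_s3 failed\n");
		TALLOC_FREE(ctx);
		return;
	}

	/* Nothing to do unless group policy application is enabled. */
	if (!lpcfg_apply_group_policies(lp_ctx)) {
		TALLOC_FREE(ctx);
		return;
	}

	gpupdate_cmd = lpcfg_gpo_update_command(lp_ctx);
	smbconf = lpcfg_configfile(lp_ctx);

	/* … unchanged: samba_runcmd_send(ctx, ...) call … */
	if (req == NULL) {
		DBG_ERR("Failed to execute the gpupdate command\n");
		TALLOC_FREE(ctx);
		return;
	}

	/* ctx is released by the callback once the command has completed. */
	tevent_req_set_callback(req, gpupdate_cmd_done, ctx);
}
```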
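Review bot: The new call at the `done:` label fires for every successful result reaching the end of this function (whose start lies outside the hunk), so any caller of this path — not only an interactive session logon — now forks a gpupdate process per authentication. It is also handed `r->in.info->username` verbatim, i.e. the name in whatever form the client supplied it; if the enclosing function also serves non-interactive credential checks, consider gating the call on the logon type or on session creation, and passing the resolved account name if one is available at this point. A short comment above the block, such as `/* Apply user group policy on successful logon; see gpupdate_user_init(). */`, would explain why the policy hook lives in the PAM path.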
@@ -987,6 +987,7 @@ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain);
 
 /* The following definitions come from winbindd/winbindd_gpupdate.c */
 void gpupdate_init(void);
+void gpupdate_user_init(const char *user);
 
 /* The following comes from winbindd/winbindd_dual_srv.c */
 bool reset_cm_connection_on_error(struct winbindd_domain *domain,