samba-gpoupdate

Stefan Metzmacher metze at samba.org
Thu Apr 25 16:17:24 UTC 2024


Hi David,

I'm currently trying to implement some gpo updates for AD DCs:
'[Privilege Rights]' from within 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'.

While doing that I noticed that 'samba-gpoupdate' running on the AD DC
tries to process 'Google/Chromium' and 'Google/Chrome'.

Then I found this:

     machine_exts, user_exts = get_gp_client_side_extensions(lp.configfile)
     gp_extensions = []
     if opts.target == 'Computer':
         gp_extensions.append(gp_access_ext)
         gp_extensions.append(gp_privilege_rights_ext)
         gp_extensions.append(gp_krb_ext)
         gp_extensions.append(gp_scripts_ext)
         gp_extensions.append(gp_sudoers_ext)
         gp_extensions.append(vgp_sudoers_ext)
         gp_extensions.append(gp_centrify_sudoers_ext)
         gp_extensions.append(gp_centrify_crontab_ext)
         gp_extensions.append(gp_smb_conf_ext)
         gp_extensions.append(gp_msgs_ext)
         gp_extensions.append(vgp_symlink_ext)
         gp_extensions.append(vgp_files_ext)
         gp_extensions.append(vgp_openssh_ext)
         gp_extensions.append(vgp_motd_ext)
         gp_extensions.append(vgp_issue_ext)
         gp_extensions.append(vgp_startup_scripts_ext)
         gp_extensions.append(vgp_access_ext)
         gp_extensions.append(gp_gnome_settings_ext)
         gp_extensions.append(gp_cert_auto_enroll_ext)
         gp_extensions.append(gp_firefox_ext)
         gp_extensions.append(gp_chromium_ext)
         gp_extensions.append(gp_chrome_ext)
         gp_extensions.append(gp_firewalld_ext)
         gp_extensions.extend(machine_exts)
     elif opts.target == 'User':
         gp_extensions.append(gp_user_scripts_ext)
         gp_extensions.append(gp_user_centrify_crontab_ext)
         gp_extensions.append(gp_drive_maps_user_ext)
         gp_extensions.extend(user_exts)


Do we really want to apply all those gp_extensions by default?
I would have assumed that the admin needs to configure them explicitly.

Pure AD DC Samba-internal stuff like gp_access_ext, gp_krb_ext
and my new gp_privilege_rights_ext should run by default on an AD DC
and only there (the server role is checked in the code).

But all the others, messing with critical stuff in /etc, look dangerous
without explicitly selecting them.

I'm also not sure how the things from get_gp_client_side_extensions() work.

Also, 'apply group policies = yes', meaning we apply computer and user GPOs,
looks very inflexible.

Maybe we could have a 'samba-gpoupdate --ad-dc-computer' that runs
from a task forked from 'samba' instead of winbindd.
And that will only do ad dc specific stuff.

And the current mode would only work on domain members?

Also note this seems to fail badly for users not from the primary domain...

What do you think?

Thanks!
metze
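The following is an added illustration of the opt-in policy the mail argues for, not code from Samba or from the author: DC-internal extensions run by default and only on an AD DC (role check), while every extension that rewrites host configuration has to be named explicitly by the admin. The extension names mirror the list quoted above, but the "dc_internal"/"touches_host" classification, the 'gpo extensions' smb.conf option and the role strings are assumptions made for this example.

```python
# Added example: explicit opt-in selection of GPO client-side extensions.
# Not Samba code. Extension names come from the mail; the metadata, the
# 'gpo extensions' option name and the role strings are assumptions.

from dataclasses import dataclass


@dataclass(frozen=True)
class Extension:
    name: str
    target: str          # 'Computer' or 'User'
    dc_internal: bool    # only touches AD DC state; safe to run by default on a DC
    touches_host: bool   # writes /etc, sudoers, browser policy, firewall, ...


# Constructed catalogue; the classification is an assumption for this example.
CATALOGUE = [
    Extension('gp_access_ext', 'Computer', True, False),
    Extension('gp_krb_ext', 'Computer', True, False),
    Extension('gp_privilege_rights_ext', 'Computer', True, False),
    Extension('gp_sudoers_ext', 'Computer', False, True),
    Extension('gp_smb_conf_ext', 'Computer', False, True),
    Extension('gp_chromium_ext', 'Computer', False, True),
    Extension('gp_chrome_ext', 'Computer', False, True),
    Extension('gp_firewalld_ext', 'Computer', False, True),
    Extension('gp_user_scripts_ext', 'User', False, True),
    Extension('gp_drive_maps_user_ext', 'User', False, True),
]

AD_DC_ROLE = 'active directory domain controller'   # assumed role string


def parse_opt_in(value):
    """Parse an assumed 'gpo extensions = a, b c' smb.conf value into a set of names."""
    return {tok for tok in value.replace(',', ' ').split() if tok}


def select_extensions(target, server_role, opt_in):
    """Return the extension names to apply for `target` on a host with `server_role`.

    Policy (the proposal in the mail, not current Samba behaviour):
      * dc_internal extensions run by default, but only when the role is AD DC;
      * anything that modifies host configuration needs an explicit opt-in.
    Catalogue order is preserved so the result is deterministic.
    """
    is_dc = server_role == AD_DC_ROLE
    selected = []
    for ext in CATALOGUE:
        if ext.target != target:
            continue
        if ext.dc_internal:
            if is_dc:
                selected.append(ext.name)
            continue
        if ext.name in opt_in:
            selected.append(ext.name)
    return selected


def check_opt_in(opt_in):
    """Report configured names that match no known extension, so a typo in
    smb.conf does not silently leave a policy unapplied."""
    known = {e.name for e in CATALOGUE}
    return sorted(opt_in - known)


if __name__ == '__main__':
    cfg = parse_opt_in('gp_sudoers_ext, gp_firewalld_ext')
    print('AD DC, Computer  :', select_extensions('Computer', AD_DC_ROLE, cfg))
    print('member, Computer :', select_extensions('Computer', 'member server', cfg))
    print('unknown names    :', check_opt_in(parse_opt_in('gp_sudoers_ext gp_sudoer_ext')))
```

With an empty opt-in list a domain member applies nothing at all, and an AD DC applies only its internal extensions; the /etc-modifying ones appear only once they are named in the configuration.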
