samba-gpoupdate

David Mulder dmulder at suse.com
Thu Apr 25 19:10:21 UTC 2024


On 4/25/24 10:17 AM, Stefan Metzmacher wrote:
> Hi David,
>
> I'm currently trying to implement some gpo updates for AD DCs.
> '[Privilege Rights]' from within 'MACHINE/Microsoft/Windows 
> NT/SecEdit/GptTmpl.inf'.
>
> While doing that I noticed that 'samba-gpoupdate' running on the AD DC
> tries to process 'Google/Chromium' and 'Google/Chrome'.
>
> Then I found this:
>
>     machine_exts, user_exts = get_gp_client_side_extensions(lp.configfile)
>     gp_extensions = []
>     if opts.target == 'Computer':
>         gp_extensions.append(gp_access_ext)
>         gp_extensions.append(gp_privilege_rights_ext)
>         gp_extensions.append(gp_krb_ext)
>         gp_extensions.append(gp_scripts_ext)
>         gp_extensions.append(gp_sudoers_ext)
>         gp_extensions.append(vgp_sudoers_ext)
>         gp_extensions.append(gp_centrify_sudoers_ext)
>         gp_extensions.append(gp_centrify_crontab_ext)
>         gp_extensions.append(gp_smb_conf_ext)
>         gp_extensions.append(gp_msgs_ext)
>         gp_extensions.append(vgp_symlink_ext)
>         gp_extensions.append(vgp_files_ext)
>         gp_extensions.append(vgp_openssh_ext)
>         gp_extensions.append(vgp_motd_ext)
>         gp_extensions.append(vgp_issue_ext)
>         gp_extensions.append(vgp_startup_scripts_ext)
>         gp_extensions.append(vgp_access_ext)
>         gp_extensions.append(gp_gnome_settings_ext)
>         gp_extensions.append(gp_cert_auto_enroll_ext)
>         gp_extensions.append(gp_firefox_ext)
>         gp_extensions.append(gp_chromium_ext)
>         gp_extensions.append(gp_chrome_ext)
>         gp_extensions.append(gp_firewalld_ext)
>         gp_extensions.extend(machine_exts)
>     elif opts.target == 'User':
>         gp_extensions.append(gp_user_scripts_ext)
>         gp_extensions.append(gp_user_centrify_crontab_ext)
>         gp_extensions.append(gp_drive_maps_user_ext)
>         gp_extensions.extend(user_exts)
>
>
> Do we really want to apply all those gp_extensions by default?
> I would have assumed that the admin needs to configure them explicitly.
>
> Pure ad dc samba internal stuff like gp_access_ext, gp_krb_ext
> and my new gp_privilege_rights_ext should run by default on an ad dc
> and only there (the server role is checked in the code).
>
> But all others messing with critical stuff in /etc look dangerous
> without explicitly selecting them.
>
> I'm also not sure how the things from get_gp_client_side_extensions() 
> work.

That's for loading custom client extensions (for example, if a company 
has internal policies they want applied). I'm not sure if anyone is 
using this.

See 
https://dmulder.github.io/group-policy-book/writing-group-policy-extensions.html#cse

The `register_gp_extension` and `unregister_gp_extension` functions 
control the policies added by get_gp_client_side_extensions().

Notice the `samba-tool gpo cse register` and `samba-tool gpo cse 
unregister` commands also.

> Also 'apply group policies = yes' meaning we apply computer and user 
> gpo's
> also looks very inflexible.
Agreed. This could use some work.
> Maybe we could have a 'samba-gpoupdate --ad-dc-computer' that runs
> from a task forked from 'samba' instead of winbindd.
> And that will only do ad dc specific stuff.
> And the current mode would only work on domain members?
Fine with me. Also, if an admin would really like to have a certain gpo 
apply to the ADDC, they can always re-enable it with `samba-tool gpo cse 
register`.
>
> Also note this seems to fail badly for users not from the primary 
> domain...
I wasn't aware of that. What error are you getting?

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
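The gating discussed in the thread (DC-internal extensions run by default only on an AD DC, host-modifying ones only when an admin registers them explicitly), as an added sketch that is not Samba code: the extension and role names are stand-ins taken from the quoted snippet and from smb.conf's "server role" values, and `select_extensions` is a hypothetical helper, not a samba-gpoupdate function.

```python
"""Constructed sketch of the extension-selection policy proposed above."""

# Assumed smb.conf "server role" values used for the role check.
AD_DC_ROLE = "active directory domain controller"
MEMBER_ROLE = "member server"

# Extensions that only touch Samba's own AD DC state (names from the thread).
AD_DC_INTERNAL = ("gp_access_ext", "gp_krb_ext", "gp_privilege_rights_ext")

# Extensions that rewrite files under /etc or run scripts on the host; the
# thread argues these should require explicit opt-in rather than run by default.
HOST_MODIFYING = ("gp_scripts_ext", "gp_sudoers_ext", "gp_smb_conf_ext",
                  "gp_chromium_ext", "gp_chrome_ext", "gp_firewalld_ext")
USER_EXTS = ("gp_user_scripts_ext", "gp_user_centrify_crontab_ext",
             "gp_drive_maps_user_ext")


def select_extensions(server_role, target, ad_dc_mode, registered=()):
    """Return the extension names that would run, in load order.

    ad_dc_mode models the proposed '--ad-dc-computer' mode: it runs only the
    DC-internal extensions and refuses to run on anything but an AD DC.
    registered models names an admin enabled explicitly (the thread's
    'samba-tool gpo cse register'); only those run on a domain member.
    """
    if ad_dc_mode:
        if server_role != AD_DC_ROLE:
            raise ValueError("--ad-dc-computer is only valid on an AD DC")
        return list(AD_DC_INTERNAL)
    if server_role == AD_DC_ROLE:
        # The current (member) mode no longer applies anything on a DC.
        return []
    if target not in ("Computer", "User"):
        raise ValueError("unknown target %r" % (target,))
    known = HOST_MODIFYING if target == "Computer" else USER_EXTS
    # Allow-list: a registered name must be one of the known extensions.
    unknown = [name for name in registered if name not in known]
    if unknown:
        raise ValueError("not a known extension: %s" % ", ".join(unknown))
    return [name for name in known if name in registered]
```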



