Willing to work for Samba GSOC 2011 ideas(George)

Matthieu Patou mat at samba.org
Tue Mar 29 12:05:34 MDT 2011


Hi George,
>> Most of the GPOs are targeted to alter the behavior of the client
>> (workstation, server, domain controller) but some are not: server side GPOs.
>> Server side GPOs, as I called them, are GPOs (Group Policies) that are targeted
>> at the Active Directory database of DCs (Domain Controllers) and that most of
>> the time result in a change in the sam database where all the objects of the
>> Active Directory domain are stored.
>>
>> The example I always gave is the number of days for password validity, by
>> default it's 42 (;-). With gpmc.msc (you need the administration tools for
>> windows server, it's "free") you can set the entry: Computer Configuration
>> ->  Windows Settings ->  Security Settings ->  Account Policies ->  Password
>> Policy ->  Maximum password age and it sets the maxPwdAge to -36288000000000
>> on the root DN of the domain (the one that starts with DC=) after you wait for
>> the gpo to be reread by the DC (or if you force it with gpupdate /force).
>>
>> The value is stored in GptTmpl.inf in
>> \\domain.tld\SYSVOL\domain.tld\Policies\{id_policy}\MACHINE\Microsoft\Windows
>> NT\SecEdit.
> I looked on the internet for documentation of the Windows GPO
> implementation, but it turns out there is no clue over there. So
> I suppose that there is no standard specification for this part,
> since it is an internal mechanism that varies between different projects'
> implementations, which gives us more flexibility.
>
Well, this format is quite "standard" as it is the one used by Windows,
and they (the clients and the DCs) expect to find it in this format, at
least up to
\\domain.tld\SYSVOL\domain.tld\Policies\{id_policy}\MACHINE; then it
depends on the GPO that is set.
>> We expect to have the same behavior with samba4 that is to say when you edit
>> with gpmc.msc this entry you expect within a couple of minutes to have the
>> attribute changed as well on a samba4 DC.
> From the description above, I am just curious about the implementation
> in Samba3. I suppose that the GPO update has definitely been
> implemented in Samba3. But is it now manually updated in samba3 or
> automatically?
>
I'm not a Samba3 expert, but first, GPOs are something new with Active
Directory; there was another mechanism before: System Policy. They were
mostly (only?) targeted at clients. I'm supposing that libgpo from
samba3 is there to read and apply GPOs from the server that should impact
s3, and also to see and manipulate GPOs.
>> The goal is to implement server side GPO so that setting those GPO would
>> effectively alter the sam database.
>> This project is rated medium in difficulty, if I was about to implement it I
>> would do the following:
> Below I will talk about some opinions off the top of my head, please correct
> me if I am wrong, and forgive me if I bring up some stupid questions.
> Thanks!
>
>> 1) create as exhaustive a list as possible of server side GPOs (password
>> age, password length, password complexity, ...)
>>
>> 2) create a task in samba4 with a timeout of x seconds, take inspiration from
>> the task that is doing the dns record update
> Creating the list and task will be a really nice thought. It will be
> separated from the other threads, and won't have a vital impact on other
> running tasks.
Well, the list is more to list in a document what are the GPOs we will have
to worry about in the implementation.
Making a task like this is, to my mind, the simplest way to do it.
> Another thought is: is it possible to update it during the
> altering of the GPO? Which I guess will have some performance effect
> on the system.
Well, first, it's not exactly like this that Windows works, as potentially
when you are editing a GPO you touch the file storing it a lot of times
within a couple of minutes. It's not very efficient to keep modifying
the system; it's better to wait 5/10 minutes for the situation to
settle and then update the configuration.
Also, while not the case currently, the change could come from another DC;
you can also modify the files outside the control of samba (i.e. by
editing them directly on Linux/Unix, or think about a backup/restore
scenario).
> For this thought I am not sure about it, I guess I need to dive into the
> code, and complete the thought after that.
>
>> 3) make the task look for the different files known to hold serverside GPO
>> (there is GptTmpl.inf for sure) in the different GPO directories.
> Reading the GPO file on the server side will not be a hard task. Besides
> the concern of getting it done, do we have any performance requirements?
No, but you can remove the sleep in the code :-)
>> 4) for each file extract the parameters that need to be set in the sam
>> database
>> 5) for each parameter, update the sam if needed
> Updating the sam db will bring up the mutual-exclusive visit issue, I
> guess coming up with a check list of all possible visits of the sam db
> is the priority one task once we get to this part.
I'm not sure I understand your remark, can you rephrase it?
>> Step 2 is in C for sure, steps 4-5 could be done in python as it is our
>> language for scripting (usually scripting is quicker than pure C in terms of
>> "time to product") as we have already some helpers in python to set some of
>> these parameters (in samba-tool) so we can do some code reuse.
> Step 4 and 5, I can also do it in perl, if the result of the python is
> not good enough. But of course it is just a backup plan, since we have
> already got some helpers from python.
Python definitely; if speed is not enough then C, but python should be
enough, especially if you run it from time to time.
>> From my point of view the project will be considered as fulfilled if for a
>> given set of settings in GPMC they are automatically updated. Then there are
>> subtleties that would be nice to have, like taking care of the priority and
>> whether or not the GPO is enabled and maybe some other stuff that we will
>> discover.
>>
>> Concerning your skills, I guess it's ok as a lot of things can be done by
>> duplicating/adapting code that has already been done for similar things, with
>> the description that I made it's more up to you to see how you feel with the
>> project.
>>
>> As for login/logout there is another student willing to work on this so I
>> would say that it's better if you can do the GPO ;-).
> I will definitely be glad to switch to the GPO task, which I believe
> will give me more opportunity to catch up with the core code of
> samba4. Thanks for reminding me of this potential conflict. Besides the
> competition, after all, the GSOC is designed to give more students the
> opportunity to practice their knowledge and skills, and also
> contribute to open source organizations worldwide.
>
> Really appreciate it that you bring up this great idea to the GSOC for us!
>
Ok !
> Have a good day!
> George
>
The same to you.

Note: try to put the list in copy.
Matthieu.
>> Matthieu.
>>
>> On 25/03/2011 01:08, George zhao wrote:
>>> Hi Matthieu Patou, Wilco Baan Hofman, and Andrew Bartlett,
>>>
>>> This is George, and I am a computer science PhD student in the USA now. I
>>> intend to work for your project during GSOC 2011; I am really interested in
>>> your project ideas.
>>>
>>>     * Implement server side GPO in Samba4
>>>     * Implement login / logout related counter update
>>>
>>> Please allow me to introduce some of my background and the reason why
>>> I choose these ideas here for your reference.
>>>
>>> Before I was involved in the current PhD program, I worked on two
>>> platforms for two companies (Huawei and SIEMENS), for around 5 years.
>>>
>>> The first platform is a large scale router platform, I've been involved
>>> in some protocol implementations of the transport layer, like PPPOE,
>>> PPOA, and some application layer servers, like RADIUS and TACACS, in
>>> 4-tier TCP/IP protocol stack.
>>>
>>> The second one is a test platform for a device called RNC in WCDMA
>>> network, which is a wireless network based project.
>>>
>>> Both of them are developed in the C programming language.
>>>
>>> I saw you are the mentors of these two projects, can you guys give me
>>> some feedback about my background, and am I qualified for these two
>>> projects.
>>>
>>> The requirement in the samba idea page is C and network, both of them
>>> are in my skill set, but for the whole samba system, I am afraid that
>>> I am a freshman. Hopefully, I still have the chance to give it a shot.
>>>
>>> Thanks again for your time!
>>>
>>>
>>> Have a good day!
>>> George
>> --
>> Matthieu Patou
>> Samba Team http://samba.org
>> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
>>
>>
>>


-- 
Matthieu Patou
Samba Team http://samba.org
Private repo http://git.samba.org/?p=mat/samba.git;a=summary
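
Steps 4 and 5 of the plan discussed in this message, as an added Python example that is not code from the thread or from Samba: it extracts password-policy settings from a GptTmpl.inf body, converts them to the values stored on the domain root, and keeps only the attributes that differ. The sample file content, the key-to-attribute table and all function names are assumptions constructed for illustration; only plain non-negative integer values are accepted, since the file can be edited outside the DC's control.

```python
import configparser

# Constructed sample of a GptTmpl.inf body (on disk the file is usually UTF-16).
SAMPLE_GPTTMPL = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordHistorySize = 24
[Version]
signature="$CHICAGO$"
Revision=1
"""

NT_TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000  # 100 ns units in one day

def days_to_rel_nttime(days):
    """Password ages are stored as negative 100 ns intervals."""
    return -(int(days) * NT_TICKS_PER_DAY)

# GptTmpl.inf key -> (attribute on the domain root DN, converter).
# Assumed mapping for this sketch, not an exhaustive list of server side GPOs.
SAM_MAP = {
    "MaximumPasswordAge": ("maxPwdAge", days_to_rel_nttime),
    "MinimumPasswordAge": ("minPwdAge", days_to_rel_nttime),
    "MinimumPasswordLength": ("minPwdLength", int),
    "PasswordHistorySize": ("pwdHistoryLength", int),
}

def extract_sam_settings(inf_text):
    """Step 4: pull the server side parameters out of one GptTmpl.inf."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(inf_text)
    wanted = {}
    if cp.has_section("System Access"):
        for key, raw in cp.items("System Access"):
            # Ignore unknown keys and anything that is not a plain integer >= 0.
            if key in SAM_MAP and raw.strip().isdigit():
                attr, convert = SAM_MAP[key]
                wanted[attr] = convert(raw)
    return wanted

def plan_updates(current, wanted):
    """Step 5: keep only the attributes whose stored value differs."""
    return {a: v for a, v in wanted.items() if current.get(a) != v}
```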


