Willing to work for Samba GSOC 2011 ideas(George)

George zhao raimann.zhao at gmail.com
Wed Mar 30 20:20:17 MDT 2011


Hi Matthieu,

On Tue, Mar 29, 2011 at 2:05 PM, Matthieu Patou <mat at samba.org> wrote:
> Hi Georges,
>>>
>>> Most of the GPO are targeted to alter the behavior of the client
>>> (workstation, server, domain controller) but some are not: Server side
>>> GPO.
>>> Server side GPO as I called them are GPO (Group Policies) that are
>>> targeted
>>> for active directory database of DCs (Domain Controllers) and that most
>>> of
>>> the time result in a change in the sam database where all the objects of
>>> the
>>> Active Directory domain are stored.
>>>
>>> The example I always gave is the number of days for password validity, by
>>> default it's 42 (;-). With gpmc.msc (you need the administration tools
>>> for
>>> windows server, it's "free") you can set the entry: Computer
>>> Configuration
>>> ->  Windows Settings ->  Security Settings ->  Account Policies ->
>>>  Password
>>> Policy ->  Maximum password age and it sets the maxPwdAge to
>>> -36288000000000
>>> on root DN of the domain (the one that starts with DC=) after you wait
>>> for
>>> the gpo to be reread by the DC (or if you force it with gpupdate /force).
>>>
>>> The value is stored in GptTmpl.inf in
>>>
>>> \\domain.tld\SYSVOL\domain.tld\Policies\{id_policy}\MACHINE\Microsoft\Windows
>>> NT\SecEdit.
>>
>> I looked up in the internet about the windows series GPO
>> implementation doc, but it turns out there is no clue over there. So
>> I suppose that there is no standard specification about this part,
>> since it is an internal mechanism varies from different projects
>> implementation, which gives us more flexibility.
>>
> Well this format is quite "standard" as it is the one used by Windows and
> they expects (the clients and the DCs) to find it in this format at least
> for up to \\domain.tld\SYSVOL\domain.tld\Policies\{id_policy}\MACHINE then
> it depends on the GPO that is set.
You are right, the format is quite standard. I guess we need to gather
enough information about it at the beginning, by applying as many
settings as possible.

>>>
>>> We expect to have the same behavior with samba4 that is to say when you
>>> edit
>>> with gpmc.msc this entry you expect within a couple of minutes to have
>>> the
>>> attribute changed as well on a samba4 DC.
>>
>>  From the description above, I am just curious about the implementation
>> of the Samba3. I suppose that the GPO update has definitely
>> implemented in Samba3. But is it now manually updated in samba3 or
>> automatically?
>>
> I'm not a Samba3 expert but first GPO are something new with Active
> Directory, there was another mechanism before: System Policy. They were
> mostly (only ?) targeted to client, I'm supposing that libgpo from samba3 is
> to read and apply GPO from server that should impact s3 and also to see and
> manipulate GPO.
Thanks, I got you. Do you think it is necessary to look into the
System Policy part in samba3 in the future?

>>>
>>> The goal is to implement server side GPO so that setting those GPO would
>>> effectively alter the sam database.
>>> This project is rated medium in difficulty, if I was about to implement
>>> it I
>>> would do the following:
>>
>> Below I will talk about some opinions top of my head, please correct
>> me if I am wrong, and forgive me if I bring up some stupid question.
>> Thanks!
>>
>>> 1) create an as exhaustive as it can be list of server side GPO (password
>>> age, password length, password complexity, ...)
>>>
>>> 2) create a task in samba4 with a timeout of x seconds, take inspiration
>>> on
>>> the task that is doing the dns record update
>>
>> Creating the list and task will be a really nice thought. It will be
>> separated from the other threads, and won't have vital impact of other
>> running tasks.
>
> Well the list is more to list in a document what are the GPO will have to
> worry about in the implementation.
> Making a task like is to my mind the simplest way to do it.
>>
>> Another thought is that is it possible to update it during the
>> altering of the GPO? Which I guess will have some performance affect
>> to the system.
>
> Well first it's not exactly like this that windows works as potentially when
> you are editing a GPO you touch the file storing it a lot of time within a
> couple of minutes. That's not very efficient to keep modifying the system,
> it's better to wait a 5/10 minutes for the situation to settle and then
> update the configuration.
> Also while not the case currently the change could come from another DC you
> can also modify the file not under the control of samba (ie. by editing them
> directly on Linux/Unix, or think about backup/restore scenario).
I reconsidered your comment. Based on my current knowledge background,
your task thought will be the best one, since it wouldn't change some
current API, and is totally manageable in the future. I guess we can
stick on your thought, if you like.

>>
>> For this thought I am not sure about it, I guess I need to dive in the
>> code, and complete the thought after that.
>>
>>> 3) make the task look for the different files known to hold serverside
>>> GPO
>>> (there is GptTmpl.inf for sure) in the different GPO directories.
>>
>> Read the GPO file in the serverside will not be a hard task. Besides
>> the concerning to get it done, do we have any performance requirement?
>
> No but you can remove the sleep in the code :-)
Hehe, I am just thinking about the system resource and is there any
requirement, like max time to finish the reading of some particular
file, regarding some particular file size. But that is just a
performance issue, I think it won't matter too much at this stage.

>>>
>>> 4) for each file extract the parameters that needs to be set in the sam
>>> database
>>> 5) for each parameter, update the sam if needed
>>
>> Update the sam db will bring up the mutual-exclusive visit issue, I
>> guess to come up with a check list of all possible visit of the sam db
>> is the priority one task once we get to this part.
>
> I'm not sure to understand your remark can you remake it ?
I mean is there any other task will visit the sam db at the same time,
if there is, whether the data we modify will cause some deadlock issue
or race condition, which I am not sure about.
Usually if we have a shared db file, we need to consider about the
mutual exclusive issue, right? Applying some mechanism, like the Mutex
lock in the concurrent system, or system Semaphore in operating
system, to guarantee the write operation won't cause some trouble.

>>>
>>> Step 2 is in C for sure, steps 4-5 could be done in python as it is our
>>> language for scripting (usually scripting is quicker than pure C in terms
>>> of
>>> "time to product") as we have already some helpers in python to set some
>>> of
>>> this parameters (in samba-tool) so we can do some code reuse.
>>
>> Step 4 and 5, I can also do it in perl, if the result of the python is
>> not good enough. But of course it is just a backup plan, since we have
>> already got some helper from python.
>
> Python definitely, if speed is not enough then C, but python should be
> enough especially if you run it times to times.
It will definitely up to you:)

>>>
>>>  From my point of view the project will be considered as fulfilled if for
>>> a
>>> given set of settings in GPMC they are automatically updated. Then there
>>> is
>>> subtlety that would be nice to have like taking care of the priority and
>>> whether or not the GPO is enabled and maybe some other stuff that we will
>>> discover.
>>>
>>> Concerning your skills, I guess it's ok as a lot of things can be done by
>>> duplicating/adapting code that has already be done for similar things,
>>> with
>>> the description that I made it's more up to you to see how you feel with
>>> the
>>> project.
>>>
>>> As for login/logout there is another student willing to work on this so I
>>> would say that it's better if you can do the GPO ;-).
>>
>> I will definitely be glad to switch to the GPO task, which I believe
>> will give me more opportunity to catch up with the core code of the
>> samba4. Thanks for reminding me this potential conflict. Beside the
>> competition, after all, the GSOC is designed to give more students the
>> opportunity to practice their knowledge and skills, and also
>> contribute to the open source organization worldwide.
>>
>> Really appreciate it that you bring up this great idea to the GSOC for us!
>>
> Ok !
I will try to dive into the source code this weekend, but honestly
speaking really don't have time to read it thoroughly, because I
should start to worry about the proposal now.
With your kind help, I believe that the big picture here is good
enough, the implementation details is just the matter of time in the
coming days. Thanks!

>>
>> Have a good day!
>> George
>>
> The same to you.
Thanks!

>
> Note: try to put the list in copy.
> Matthieu.

Have a good night!
George

>>>
>>> Matthieu.
>>>
>>> On 25/03/2011 01:08, George zhao wrote:
>>>>
>>>> Hi Matthieu Patou, Wilco Baan Hofman, and Andrew Bartlett,
>>>>
>>>> This is George, and I am a computer science PhD student in USA now. I
>>>> intent
>>>> to work for your project during GSOC 2011, I am really interested in
>>>> your project ideas.
>>>>
>>>>    * Implement server side GPO in Samba4
>>>>    * Implement login / logout related counter update
>>>>
>>>> Please allow me to introduce some of my background and the reason why
>>>> I choose these ideas here for your reference.
>>>>
>>>> Before I was involved in the current PhD program, I have worked on two
>>>> platforms for two companies(Huawei and SIEMENS), for around 5 years.
>>>>
>>>> The first platform is a large scale router platform, I've been involve
>>>> in some protocol implementations of the transport layer, like PPPOE,
>>>> PPOA, and some application layer servers, like RADIUS and TACACS, in
>>>> 4-tier TCP/IP protocol stack.
>>>>
>>>> The second one is a test platform for a device called RNC in WCDMA
>>>> network, which is an wireless network based project.
>>>>
>>>> Both of them are developed by C programming language.
>>>>
>>>> I saw you are the mentors of these two projects, can you guys give me
>>>> some feedback about my background, and am I qualified for these two
>>>> projects.
>>>>
>>>> The requirement in the samba idea page is C and network, both of them
>>>> are in my skill set, but for the whole samba system, I am afraid that
>>>> I am a freshman. Hopefully, I still have the chance to give it a shot.
>>>>
>>>> Thanks again for your time!
>>>>
>>>>
>>>> Have a good day!
>>>> George
>>>
>>> --
>>> Matthieu Patou
>>> Samba Team http://samba.org
>>> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
>>>
>>>
>>>
>
>
> --
> Matthieu Patou
> Samba Team http://samba.org
> Private repo http://git.samba.org/?p=mat/samba.git;a=summary
>
>
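Steps 4 and 5 of the plan quoted above (extract the parameters from GptTmpl.inf, then update the sam only if needed), sketched in Python as an added example that is not code from this thread or from Samba. The key-to-attribute table, the treatment of -1 as "never expires", the function names and the sample file contents are assumptions made for illustration; a plain dict stands in for the attributes read from the domain root DN.

```python
import configparser

TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000   # 100 ns intervals in one day
NEVER = -0x8000000000000000                 # assumed AD encoding of "never expires"

def days_to_ticks(days):
    """Days as written in GptTmpl.inf -> negative 100 ns interval for the sam."""
    if days == -1:                          # assumed template value for "never expires"
        return NEVER
    if days < 0:
        raise ValueError(f"invalid password age: {days}")
    return -days * TICKS_PER_DAY

# GptTmpl.inf key -> (attribute on the domain root DN, converter); illustrative subset
SERVER_SIDE = {
    "MaximumPasswordAge": ("maxPwdAge", days_to_ticks),
    "MinimumPasswordAge": ("minPwdAge", days_to_ticks),
    "MinimumPasswordLength": ("minPwdLength", int),
    "PasswordHistorySize": ("pwdHistoryLength", int),
}

def parse_system_access(text):
    """Step 4: return {attribute: value} for the handled keys in [System Access]."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str                    # keep key case exactly as written
    cp.read_string(text)
    wanted = {}
    if cp.has_section("System Access"):
        for key, raw in cp.items("System Access"):
            if key in SERVER_SIDE:          # settings that are not server side are skipped
                attr, conv = SERVER_SIDE[key]
                wanted[attr] = conv(int(raw.strip()))
    return wanted

def plan_changes(wanted, current):
    """Step 5: only attributes whose stored value differs; empty means no sam write."""
    return {a: v for a, v in wanted.items() if current.get(a) != v}

# Constructed sample template and constructed current domain values.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
ClearTextPassword = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""
CURRENT = {"maxPwdAge": -36288000000000, "minPwdAge": 0, "minPwdLength": 7}

if __name__ == "__main__":
    print(plan_changes(parse_system_access(SAMPLE_INF), CURRENT))
```

Because the periodic task re-reads the file every time it fires, computing the difference first keeps an unchanged policy from producing a write to the sam on every run.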


More information about the samba-technical mailing list