[patch] add OU management and new GPO commands in samba-tool

denis bonnenfant denis.bonnenfant at diderot.org
Sat Jun 16 15:02:45 MDT 2012


Hello,

Please find the following patches, adding new commands to samba-tool for 
OU and GPO. I tested them against a fresh install from git master. If they 
look good (these are my first patches in Samba!), feel free to commit them.

samba-tool gpo:

samba-tool gpo listalllinks <gpo> : lists all the OUs for the specified GPO
samba-tool gpo del <gpo> : deletes the GPO, its folder in sysvol and all the gPLinks

samba-tool ou:

samba-tool ou create <ou_dn> : creates a new OU
              delete <ou_dn> : deletes the OU
              list <ou_dn> : lists children
              move <old_dn> <new_dn> : moves a user, group or OU to new_dn

Plus some bug fixes.

While testing it (fresh git install, new provision), I found something 
strange:

First issue:

When creating a new GPO from the Windows interface, I got an "access denied" 
error message.
I tried samba-tool gpo create as the root user, and got this:

# /usr/local/samba/bin/samba-tool gpo create Bidon3
ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=diderot,DC=org> <>
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1014, in run
    self.samdb.add(m)

Looks like CN=System is not writable by root.

I tried again as administrator:

# /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 160, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py", line 1043, in run
    conn.set_acl(sharepath, fs_sd)

But in this case, the GPO is created:

GPO          : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
display name : Bidon3
path         : \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
dn           : CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
version      : 0
flags        : NONE

# getfacl /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
getfacl : suppression du premier « / » des noms de chemins absolus
# file: usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
# owner: root
# group: users
# flags: -s-
user::rwx
user:root:rwx
group::---
group:adm:rwx
group:users:---
group:3000003:r-x
group:3000012:rwx
group:3000016:r-x
group:3000017:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:adm:rwx
default:group:users:---
default:group:3000003:r-x
default:group:3000012:rwx
default:group:3000016:r-x
default:group:3000017:rwx
default:mask::rwx
default:other::---

This GPO can be modified from the Windows interface without errors.


Another issue: the default domain and domain controller GPO folders 
don't have the correct ACLs, and can't be modified with Windows tools:

# getfacl /usr/local/samba/var/locks/sysvol/diderot.org/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}
getfacl : suppression du premier « / » des noms de chemins absolus
# file: usr/local/samba/var/locks/sysvol/diderot.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: adm
# flags: -s-
user::rwx
group::r-x
other::r-x

# getfacl /usr/local/samba/var/locks/sysvol/diderot.org/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/
getfacl : suppression du premier « / » des noms de chemins absolus
# file: usr/local/samba/var/locks/sysvol/diderot.org/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
# owner: root
# group: adm
# flags: -s-
user::rwx
group::r-x
other::r-x


This looks like something wrong in provisioning. I tried to find the 
problem, but the ACL code really is too hard for me! I can provide 
logs if needed.

Regards,

Denis Bonnenfant
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Fix-typos-ans-indentation.patch
Type: text/x-patch
Size: 2493 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120616/4688512f/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-add-new-commands-to-samba-tool-gpo.patch
Type: text/x-patch
Size: 10137 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120616/4688512f/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Fix-errors-in-samba-tool-gpo-setlink.patch
Type: text/x-patch
Size: 2488 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120616/4688512f/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0004-Adds-a-new-command-samba-tool-ou-for-Organisation-Un.patch
Type: text/x-patch
Size: 9182 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20120616/4688512f/attachment-0003.bin>
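The ACL difference reported above (a freshly created GPO folder carries named user/group entries mapped from the NT ACL, while the default GPO folders carry only the three base POSIX entries) can be checked for in bulk. The following script is an added example, not part of the message or of Samba; it parses multi-file getfacl output and flags GPO directories under Policies whose ACL has no named entries at all. The getfacl text and the first GUID are constructed sample input; the second GUID is the default domain policy GUID shown in the report.

```python
import re
from typing import Dict, List

# Constructed getfacl output for two GPO folders in sysvol, modelled on the
# report: the first has NT-ACL-derived named entries, the second (a default
# domain policy folder) has only the base user::/group::/other:: entries.
SAMPLE_GETFACL = """\
# file: sysvol/example.org/Policies/{AAAAAAAA-0000-0000-0000-000000000001}
# owner: root
# group: users
user::rwx
user:root:rwx
group::---
group:adm:rwx
group:3000012:rwx
mask::rwx
other::---

# file: sysvol/example.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
# owner: root
# group: adm
user::rwx
group::r-x
other::r-x
"""

# getfacl strips the leading "/", so match relative or absolute paths.
GPO_DIR = re.compile(r"/Policies/\{[0-9A-Fa-f-]{36}\}/?$")


def parse_getfacl(text: str) -> Dict[str, List[str]]:
    """Split multi-file getfacl output into {path: [acl entry, ...]}."""
    acls: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("# file:"):
            current = line.split(":", 1)[1].strip()
            acls[current] = []
        elif line and not line.startswith("#") and current is not None:
            acls[current].append(line.strip())
    return acls


def find_bare_gpo_dirs(acls: Dict[str, List[str]]) -> List[str]:
    """GPO directories with no named user:/group: entries, i.e. no mapped
    NT ACL, which is the state the report shows for the default GPOs."""
    bare = []
    for path, entries in acls.items():
        if not GPO_DIR.search(path):
            continue
        named = [e for e in entries if e.startswith(("user:", "group:"))
                 and not e.startswith(("user::", "group::"))]
        if not named:
            bare.append(path)
    return bare


if __name__ == "__main__":
    for path in find_bare_gpo_dirs(parse_getfacl(SAMPLE_GETFACL)):
        print("no named ACL entries:", path)
```

On a real DC, feed it the output of `getfacl -R` over the sysvol Policies directory instead of the constructed sample.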