[patch] add OU management and new GPO commands in samba-tool

Amitay Isaacs amitay at gmail.com
Mon Jun 18 22:29:44 MDT 2012


Hi Denis,

On Sun, Jun 17, 2012 at 7:02 AM, denis bonnenfant
<denis.bonnenfant at diderot.org> wrote:
> Hello,
>
> Please find the following patches, adding new commands to samba-tool for OU
> and GPO. I tested it against a fresh install from git master. If they look
> good (these are my first patches in samba !), feel free to commit them.
>
> samba-tool gpo :
>
> samba-tool gpo listalllinks <gpo>: lists all the OU for the specified gpo
> samba-tool gpo del <gpo> : deletes gpo, folder in sysvol and all the gplinks

Thanks for the patches. I would prefer listgpolinks rather than
listalllinks since it takes gpo as an option. Also can you split the
second patch, so the new commands are in one patch and updates to
setlink are actually merged with the third patch? That will make it
cleaner.

> samba-tool ou :
>
> samba-tool ou create <ou_dn> : creates new ou
>                       delete <ou_dn> : deletes ou
>                       list <ou_dn> : lists children
>                       move <old_dn> <new_dn> : moves user, group or ou to
> new_dn
>
> Plus some bug fixes.

This is definitely good. Would you be able to add a few tests to make
sure we can create ou and then add users to that ou? Same goes for
GPO. I would like to add some tests for GPO commands and especially
checking acls.

> While testing it (fresh git install, new provision), I found something
> strange :
>
> first issue :
>
> when creating a new GPO from windows interface, I got an error message
> "access denied".
> I tried with samba-tool gpo create, with root user, and got this :
>
> # /usr/local/samba/bin/samba-tool gpo create Bidon3
> ERROR(ldb): uncaught exception - LDAP error 50
> LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on
> CN=Policies,CN=System,DC=diderot,DC=org> <>
>  File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>    return self.run(*args, **kwargs)
>  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 1014, in run
>    self.samdb.add(m)
>
> Looks like CN=system is not writable by root.

That's because GPO operations work over LDAP and they do not directly
go to the SAM database. That's why you would need to specify
administrator account.

> I tried again with administrator :
>
> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>  File
> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> line 160, in _run
>    return self.run(*args, **kwargs)
>  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
> line 1043, in run
>    conn.set_acl(sharepath, fs_sd)
>
> But in this case, GPO is created :
>
> GPO          : {7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> display name : Bidon3
> path         :
> \\diderot.org\sysvol\diderot.org\Policies\{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> dn           :
> CN={7E077E42-6F95-456A-ABFF-4AECD2AAFD2C},CN=Policies,CN=System,DC=diderot,DC=org
> version      : 0
> flags        : NONE

This definitely needs investigation.

> # getfacl
> /usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file:
> usr/local/samba/var/locks/sysvol/diderot.org/Policies/{7E077E42-6F95-456A-ABFF-4AECD2AAFD2C}
> # owner: root
> # group: users
> # flags: -s-
> user::rwx
> user:root:rwx
> group::---
> group:adm:rwx
> group:users:---
> group:3000003:r-x
> group:3000012:rwx
> group:3000016:r-x
> group:3000017:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:user:root:rwx
> default:group::---
> default:group:adm:rwx
> default:group:users:---
> default:group:3000003:r-x
> default:group:3000012:rwx
> default:group:3000016:r-x
> default:group:3000017:rwx
> default:mask::rwx
> default:other::---
>
> This GPO can be modified from windows interface without errors.

>
> Another issue : the default domain and domain controller GPO folders don't
> have the right ACLs, and can't be modified with windows tools :
>
> # getfacl
> /usr/local/samba/var/locks/sysvol/diderot.org/Policies/\{31B2F340-016D-11D2-945F-00C04FB984F9\}
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file:
> usr/local/samba/var/locks/sysvol/diderot.org/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}
> # owner: root
> # group: adm
> # flags: -s-
> user::rwx
> group::r-x
> other::r-x
>
> # getfacl
> /usr/local/samba/var/locks/sysvol/diderot.org/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/
> getfacl : suppression du premier « / » des noms de chemins absolus
> # file:
> usr/local/samba/var/locks/sysvol/diderot.org/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
> # owner: root
> # group: adm
> # flags: -s-
> user::rwx
> group::r-x
> other::r-x
>
>
> This looks like something wrong in provisioning, I tried to find the
> problem, but the acl code really is too hard for me ! I can provide logs if
> needed.
>
> regards,
>
> Denis Bonnenfant

I have a feeling that ACLs might not be set on all the subdirectories.
Well at least that needs to be fixed in the samba-tool gpo subcommand.

Amitay.
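The suspicion above, that the ACL is applied to the GPO's top directory but not to everything underneath it, is easy to check from a `getfacl -R` dump. The script below is an added example written for this thread, not code from Samba or from either poster: it parses getfacl output and reports every path under a GPO directory that lacks a named user/group principal present on the top directory (the shape of the second, default-policy listing above, where only the base owner/group/other entries survive). The sample dump, the `{GPO-GUID-PLACEHOLDER}` path and the numeric group ids are constructed for the example; the live-tree helper simply runs `getfacl -R -p` and is only used when a path is given on the command line.

```python
"""Compare the POSIX ACLs of a GPO directory tree as dumped by `getfacl -R`.

Added example for the samba-technical thread; not Samba project code.
"""
import subprocess
import sys
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample: a GPO directory whose MACHINE subdirectory and GPT.INI
# carry the named principals of the top directory, while USER only has the
# base owner/group/other entries (as in the default policy listing).
SAMPLE_ROOT = "sysvol/example.com/Policies/{GPO-GUID-PLACEHOLDER}"
SAMPLE_GETFACL = """\
# file: sysvol/example.com/Policies/{GPO-GUID-PLACEHOLDER}
# owner: root
# group: users
# flags: -s-
user::rwx
user:root:rwx
group::---
group:3000003:r-x
group:3000012:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000003:r-x
default:group:3000012:rwx
default:mask::rwx
default:other::---

# file: sysvol/example.com/Policies/{GPO-GUID-PLACEHOLDER}/MACHINE
# owner: root
# group: users
# flags: -s-
user::rwx
user:root:rwx
group::---
group:3000003:r-x
group:3000012:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::---
default:group:3000003:r-x
default:group:3000012:rwx
default:mask::rwx
default:other::---

# file: sysvol/example.com/Policies/{GPO-GUID-PLACEHOLDER}/USER
# owner: root
# group: adm
# flags: -s-
user::rwx
group::r-x
other::r-x

# file: sysvol/example.com/Policies/{GPO-GUID-PLACEHOLDER}/GPT.INI
# owner: root
# group: users
user::rw-
user:root:rwx
group::---
group:3000003:r-x
group:3000012:rwx
mask::rwx
other::---
"""


def parse_getfacl(text: str) -> Dict[str, Set[str]]:
    """Map each '# file:' path to the set of its ACL entry lines.

    '# owner:', '# group:' and '# flags:' headers are skipped; a blank line
    ends the block for one file.
    """
    acls: Dict[str, Set[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
            continue
        if line.startswith("# file:"):
            current = line[len("# file:"):].strip()
            acls[current] = set()
            continue
        if line.startswith("#") or current is None:
            continue
        acls[current].add(line)
    return acls


def named_principals(entries: Iterable[str]) -> Set[str]:
    """Named principals ('user:root', 'group:3000012') of an access ACL.

    Base owner/group/other entries, the mask and default entries are ignored:
    the named entries are what the domain ACL mapping is expected to add.
    """
    out: Set[str] = set()
    for entry in entries:
        if entry.startswith("default:"):
            continue
        parts = entry.split(":")
        if parts[0] in ("user", "group") and parts[1]:
            out.add(parts[0] + ":" + parts[1])
    return out


def default_principals(entries: Iterable[str]) -> Set[str]:
    """Named principals of the default (inheritable) ACL."""
    return named_principals(e[len("default:"):] for e in entries if e.startswith("default:"))


def find_acl_mismatches(acls: Dict[str, Set[str]], root: str) -> List[Tuple[str, List[str]]]:
    """Paths under root that lack a principal the root directory names."""
    root_access = named_principals(acls[root])
    root_default = default_principals(acls[root])
    prefix = root.rstrip("/") + "/"
    report: List[Tuple[str, List[str]]] = []
    for path in sorted(acls):
        if not path.startswith(prefix):
            continue
        entries = acls[path]
        missing = root_access - named_principals(entries)
        # Heuristic: only directories carry default entries, and only they are
        # expected to pass the inheritable ACL on to new children.
        if any(e.startswith("default:") for e in entries):
            missing |= {"default:" + p for p in root_default - default_principals(entries)}
        if missing:
            report.append((path, sorted(missing)))
    return report


def mismatches_for_tree(path: str) -> List[Tuple[str, List[str]]]:
    """Run getfacl on a live directory (-p keeps the leading slash) and check it."""
    dump = subprocess.run(["getfacl", "-R", "-p", path], check=True,
                          capture_output=True, text=True).stdout
    return find_acl_mismatches(parse_getfacl(dump), path)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = mismatches_for_tree(sys.argv[1].rstrip("/"))
    else:
        result = find_acl_mismatches(parse_getfacl(SAMPLE_GETFACL), SAMPLE_ROOT)
    for p, missing in result:
        print(p, "missing", ", ".join(missing))
```

Run with no arguments to see the constructed sample flag only the USER subdirectory; pass a GPO directory (the `Policies/{guid}` path from the provision) to check a real tree. The comparison is by principal rather than by permission bits, so a file with `rw-` where the directory has `rwx` is not reported, while a subdirectory that never received the named domain entries is.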
