[patch] add OU management and new GPO commands in samba-tool
denis.bonnenfant at diderot.org
Tue Jun 19 08:02:42 MDT 2012
On 19/06/2012 06:29, Amitay Isaacs wrote:
> Hi Denis,
> On Sun, Jun 17, 2012 at 7:02 AM, denis bonnenfant
> <denis.bonnenfant at diderot.org> wrote:
>> Please find the following patches, adding new commands to samba-tool for OU
>> and GPO. I tested it against a fresh install from git master. If they look
>> good (these are my first patches in samba !), feel free to commit them.
>> samba-tool gpo :
>> sambatool gpo listalllinks <gpo> : lists all the OUs for the specified gpo
>> sambatool gpo del <gpo> : deletes gpo, folder in sysvol and all the gplinks
> Thanks for the patches. I would prefer listgpolinks rather than
> listalllinks since it takes gpo as an option.
> Also can you split the
> second patch, so the new commands are in one patch and updates to
> setlink are actually merged with the third patch? That will make it
Of course, I will reorganize it.
>> samba-tool ou :
>> sambatool ou create <ou_dn> : creates new ou
>> delete <ou_dn> : deletes ou
>> list <ou_dn> : list children
>> move <old_dn> <new_dn> : moves user, group or ou to
>> Plus some bug fixes.
> This is definitely good. Would you be able to add few tests to make
> sure we can create ou and then add users to that ou? Same goes for
> GPO. I would like to add some tests for GPO commands and especially
> checking acls.
I can try to add ou.py and gpo.py tests, but I'm not sure I understand
exactly how to do it. I will look at it, and maybe ask for some help if
I have problems.
>> While testing it (fresh git install, new provision) , I found something
>> strange :
>> first issue :
>> Looks like CN=system is not writable by root.
> That's because GPO operations work over LDAP and they do not directly
> go to the SAM database. That's why you would need to specify
> administrator account.
>> I tried again with administrator :
>> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
>> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>> line 160, in _run
>> return self.run(*args, **kwargs)
>> File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>> line 1043, in run
>> conn.set_acl(sharepath, fs_sd)
> This definitely needs investigation.
See my other message. I guess that the issue is in initial s3fs acl
> Well at least that needs to be fixed in the samba-tool gpo subcommand.
Yes. They are inherited from the parent directory, which doesn't have
the good posix acl mapping after provisioning. So I will remove acl
setting in gpo create command.