[patch] add OU management and new GPO commands in samba-tool

denis denis.bonnenfant at diderot.org
Tue Jun 19 08:02:42 MDT 2012

Hi Amitay

Le 19/06/2012 06:29, Amitay Isaacs a écrit :
> Hi Denis,
> On Sun, Jun 17, 2012 at 7:02 AM, denis bonnenfant
> <denis.bonnenfant at diderot.org>  wrote:
>> Hello,
>> Please find the following patches, adding new commands to samba-tool for OU
>> and GPO. I tested it against a fresh install from git master. If they look
>> good (these are my first patches in samba !), feel free to commit them.
>> samba-tool gpo :
>> sambatool gpo listallllinks<gpo>: lists all the OU for the specified gpo
>> sambatool gpo del<gpo>  : deletes gpo, folder in syslvol and all the gplinks
> Thanks for the patches. I would prefer listgpolinks rather than
> listalllinks since it takes gpo as an option.

Good idea.
> Also can you split the
> second patch, so the new commands are in one patch and updates to
> setlink are actually merged with the third patch? That will make it
> cleaner.
Of course, I will reorganize it.

>> samba-tool ou :
>> sambatool ou create<ou_dn>  : creates new ou
>>                        delete<ou_dn>  : deletes ou
>>                        list<ou_dn>  : list childs
>>                        move<old_dn>  <new_dn>  : moves user, group or ou to
>> new_dn
>> Plus some bug fixes.
> This is definitely good. Would you be able to add few tests to make
> sure we can create ou and then add users to that ou? Same goes for
> GPO. I would like to add some tests for GPO commands and especially
> checking acls.
I can try to add ou.py and gpo.py tests, but i'm not sure to understand 
exactly how to do it. I will look at it, and maybe ask for some help if 
I have problems.

>> While testing it (fresh git install, new provision) , I found something
>> strange :
>> first issue :
>>     self.samdb.add(m)
>> Looks like CN=system is not writable by root.
> That's because GPO operations work over LDAP and they do not directly
> go to the SAM database. That's why you would need to specify
> administrator account.
>> I tried again with administrator :
>> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
>> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>>   File
>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>> line 160, in _run
>>     return self.run(*args, **kwargs)
>>   File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>> line 1043, in run
>>     conn.set_acl(sharepath, fs_sd)
> This definitely needs investigation.

See my other message. I guess that the issue is in initial s3fs acl 
> Well at least that needs to be fixed in the samba-too gpo subcommand.
Yes. They are inherited from the parent directory, which doesn't have 
the good posix acl mapping after provisionning. So I will remove acl 
setting in gpo create command.


More information about the samba-technical mailing list