[patch] add OU management and new GPO commands in samba-tool

Tue Jun 19 20:52:30 MDT 2012

On Wed, Jun 20, 2012 at 12:02 AM, denis <denis.bonnenfant at diderot.org> wrote:
> Hi Amitay
>
> Le 19/06/2012 06:29, Amitay Isaacs a écrit :
>
>> Hi Denis,
>>
>> On Sun, Jun 17, 2012 at 7:02 AM, denis bonnenfant
>> <denis.bonnenfant at diderot.org>  wrote:
>>>
>>> Hello,
>>>
>>> Please find the following patches, adding new commands to samba-tool for
>>> OU
>>> and GPO. I tested it against a fresh install from git master. If they
>>> look
>>> good (these are my first patches in samba !), feel free to commit them.
>>>
>>> samba-tool gpo :
>>>
>>> sambatool gpo listallllinks<gpo>: lists all the OU for the specified gpo
>>> sambatool gpo del<gpo>  : deletes gpo, folder in syslvol and all the
>>> gplinks
>>
>> Thanks for the patches. I would prefer listgpolinks rather than
>> listalllinks since it takes gpo as an option.
>
>
> Good idea.
>
>> Also can you split the
>> second patch, so the new commands are in one patch and updates to
>> setlink are actually merged with the third patch? That will make it
>> cleaner.
>
> Of course, I will reorganize it.
>
>
>>> samba-tool ou :
>>>
>>> sambatool ou create<ou_dn>  : creates new ou
>>>                       delete<ou_dn>  : deletes ou
>>>                       list<ou_dn>  : list childs
>>>                       move<old_dn>  <new_dn>  : moves user, group or ou
>>> to
>>> new_dn
>>>
>>> Plus some bug fixes.
>>
>> This is definitely good. Would you be able to add few tests to make
>> sure we can create ou and then add users to that ou? Same goes for
>> GPO. I would like to add some tests for GPO commands and especially
>> checking acls.
>
> I can try to add ou.py and gpo.py tests, but i'm not sure to understand
> exactly how to do it. I will look at it, and maybe ask for some help if I
> have problems.

You can take a look at files under
source4/scripting/python/samba/tests/samba_tool/. Those are tests for
testing samba-tool functionality. If you face any problems, I would be
happy to help.

>
>>> While testing it (fresh git install, new provision) , I found something
>>> strange :
>>>
>>> first issue :
>>>
>>>    self.samdb.add(m)
>>>
>>> Looks like CN=system is not writable by root.
>>
>> That's because GPO operations work over LDAP and they do not directly
>> go to the SAM database. That's why you would need to specify
>> administrator account.
>
> Ok.
>>>
>>> I tried again with administrator :
>>>
>>> # /usr/local/samba/bin/samba-tool gpo create Bidon3 -U administrator
>>> ERROR(runtime): uncaught exception - (-1073741790, 'Access denied')
>>>  File
>>> "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>> line 160, in _run
>>>    return self.run(*args, **kwargs)
>>>  File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py",
>>> line 1043, in run
>>>    conn.set_acl(sharepath, fs_sd)
>>
>> This definitely needs investigation.

I found a bug in the way the security descriptor was created. That
still does not solve the problem of "Access denied". I'll investigate
further and figure out why setting ACL over SMB is failing. BTW, I am
trying with ntvfs and not s3fs. I guess we'll have to verify GPO
creation for both ntvfs and s3fs.

> See my other message. I guess that the issue is in initial s3fs acl
> mappings.
>
>> Well at least that needs to be fixed in the samba-too gpo subcommand.
>
> Yes. They are inherited from the parent directory, which doesn't have the
> good posix acl mapping after provisionning. So I will remove acl setting in
> gpo create command.

As mentioned in Andrew's email, during initial provision ACLs on
sysvol are set using extended attribute (security.NTACL) and not using
posix ACLs. But looks like s3fs uses posix ACLs when creating GPOs.

Amitay.