GPO service, deleting GPO special case, is this a security threat?

Luke Morrison lukemo132 at gmail.com
Wed Apr 30 23:05:42 MDT 2014


Hello Samba-Technical,

Question for Samba veterans:

When GPOs get applied to Samba, I need to un-apply them when that GPO gets
deleted completely. If the GPO simply changes that value and is not
deleted, it is not a problem, as it parses the GPO each time. But when it
gets deleted there is a special case.

Is it a "security threat" to apply the Samba4 default value for that
attribute (password complexity), and THEN, call the script that applies the
GPOs and update them to Samba4?

If it deletes a GPO, then it would go back to default and then if another
one exists for password complexity for example, it gets over-written. The
problem is that hyper-small period of time in which it is at the Samba4
default. This may not be exactly what a System Admin wants. Or is it not a
big deal? I am talking mid-script change to default value for very very
short period of time here. The likelihood of someone doing something
involving that GPO at that exact time is infinitesimal, however I need to
ask before moving on.

Or is the only real "safe" way to backwalk the hierarchy, have the service
find the next level applied GPO (or apply to default if and only if there
is no other current applicable GPO to Samba DC)? This is just really
annoying to have to do but I will do it this way if it is fundamentally
better.

In both cases: I will probably need to hold the attributes in a
backlog.txt file of a sort to hold applied GPO information - does anyone
suggest a location for that, is there a way to hold that in a python list
asynchronously so it does not get garbage collected after each script call?

Thank you, I could also use basic guidance with inotify and Samba if
someone has experience with that API.

CC: abartlet, ekacnet
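
Added example, not part of the original message and not Samba code: a sketch of the "backwalk" option, where the effective value is resolved in memory from the GPOs that still apply and each attribute is written once, so the setting never sits at the default in between. The attribute names, the `DEFAULTS` values, the GPO tuples and the JSON state file are all assumptions made for illustration.

```python
import json
import os
import tempfile

# Constructed placeholder defaults, not Samba's shipped values.
DEFAULTS = {"password_complexity": "off", "min_password_length": 7}

def effective_settings(applicable_gpos, defaults=DEFAULTS):
    """Resolve the final value of every attribute without touching the DC.

    applicable_gpos: list of (name, settings) ordered from lowest to highest
    precedence. A deleted GPO is simply absent from the list, so the default
    is used only when no remaining GPO sets the attribute.
    """
    result = dict(defaults)
    for _name, settings in applicable_gpos:
        result.update(settings)
    return result

def plan_writes(current, target):
    """Return only the attributes whose value really changes (one write each)."""
    return {k: v for k, v in target.items() if current.get(k) != v}

def save_state(path, state):
    """Persist applied-GPO state atomically: write a temp file, then rename."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".gpo-state-")
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(state, f, sort_keys=True)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # readers see the old or the new file, never half
    except BaseException:
        os.unlink(tmp)
        raise

def load_state(path):
    """State from the previous script run; empty on first run."""
    try:
        with open(path) as f:
            return json.load(f)
    except FileNotFoundError:
        return {}
```

With two GPOs that both enable password complexity, deleting the higher-precedence one produces no write for that attribute at all, whereas reset-then-reapply would briefly switch it to the default.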

