GPO service, deleting GPO special case, is this a security threat?

Andrew Bartlett abartlet at samba.org
Tue May 6 21:11:33 MDT 2014


On Thu, 2014-05-01 at 01:05 -0400, Luke Morrison wrote:
> Hello Samba-Technical,
> 
> Question for Samba veterans:
> 
> When GPO get applied to Samba, I need to un-apply them when that GPO gets
> deleted completely. 

Have you confirmed this is what happens with AD?

> If the GPO simply changes that value and is not
> deleted, it is not a problem, as it parses the GPO each time. But when it
> gets deleted there is a special case.

Have you found any documentation from Microsoft that explains what is
required here?

> Is it a "security threat" to apply the Samba4 default value for that
> attribute (password complexity), and THEN, call the script that applies the
> GPOs and update them to Samba4?
> 
> If it deletes a GPO, then it would go back to default and then if another
> one exists for password complexity for example, it gets over-written. The
> problem is that hyper-small period of time in which it is at the Samba4
> default. This may not be exactly what a System Admin wants. Or is it not a
> big deal? I am talking mid-script change to default value for very very
> short period of time here. The likelihood of someone doing something
> involving that GPO at that exact time is infinitesimal, however I need to
> ask before moving on.

An LDB transaction would seem to be what you need here.  However, you
should confirm what happens in Windows when you do this. 

> Or is the only real "safe" way to backwalk the hierarchy, have the service
> find the next level applied GPO (or apply to default if and only if there
> is no other current applicable GPO to Samba DC)? This is just really
> annoying to have to do but I will do it this way if it is fundamentally
> better.
> 
> In both cases : I will probably need to hold the attributes in a
> backlog.txt file of a sort to hold applied GPO information -does anyone
> suggest a location for that, is there a way to hold that in a python list
> asynchronously so it does not get garbage collected after each script call?
> 
> Thank you, I could also use basic guidance with inotify and Samba if
> someone has experience with that API.

Just remember that inotify isn't a reliable way to find out about all
deletes.  You might have Samba running at the time, and so not notice.  

It may be the right tool, but I just wanted to sound a note of caution. 

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
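An added illustration of the two approaches discussed in the thread; this is not Samba code and not from either poster. It models the domain object holding the password-policy attributes with a small in-memory stand-in whose transaction_start/transaction_commit/transaction_cancel mirror the methods of the same name on ldb.Ldb in Samba's Python bindings, and records every state a concurrent reader could observe. The GPO GUIDs, their precedence numbers, the settings and the "lower number wins" precedence convention are constructed for the example, as are the assumed Samba defaults; a real implementation would read the linked GPOs and their GptTmpl.inf files instead. The "naive" path writes the default and then re-applies the remaining GPOs one by one, so the default is visible in between; the "resolved" path walks the remaining GPOs first, computes the effective value, and writes that single result inside a transaction, so no intermediate state is ever observable.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed Samba AD provisioning defaults for the two attributes tracked here
# (illustrative; verify with `samba-tool domain passwordsettings show`).
DEFAULTS: Dict[str, int] = {"pwdProperties": 1, "minPwdLength": 7}


@dataclass(frozen=True)
class Gpo:
    """One GPO linked at the domain level (constructed for this example)."""
    guid: str
    precedence: int            # assumed convention: lower number wins
    settings: Dict[str, int]   # attribute -> value from the GPO's GptTmpl.inf


# Constructed GPO data; the GUIDs are placeholders, not real policy objects.
GPOS: List[Gpo] = [
    Gpo("{00000000-0000-0000-0000-000000000001}", 1, {"minPwdLength": 12}),
    Gpo("{00000000-0000-0000-0000-000000000002}", 2,
        {"pwdProperties": 1, "minPwdLength": 10}),
]


def effective_settings(linked: List[Gpo], defaults: Dict[str, int]) -> Dict[str, int]:
    """Walk the hierarchy: start from the defaults, apply GPOs from lowest to
    highest precedence so the winning GPO writes last. With no GPO left, the
    result is exactly the defaults."""
    result = dict(defaults)
    for gpo in sorted(linked, key=lambda g: g.precedence, reverse=True):
        result.update(gpo.settings)
    return result


class Directory:
    """In-memory stand-in for the domain object. Writes outside a transaction
    are visible immediately; writes inside one become visible only on commit,
    which is the behaviour an ldb transaction gives you."""

    def __init__(self, attrs: Dict[str, int]):
        self.attrs = dict(attrs)
        self._snapshot: Optional[Dict[str, int]] = None
        self.observed: List[Dict[str, int]] = []   # states a reader could see

    def modify(self, changes: Dict[str, int]) -> None:
        self.attrs.update(changes)
        if self._snapshot is None:                 # autocommit: visible now
            self.observed.append(dict(self.attrs))

    def transaction_start(self) -> None:
        self._snapshot = dict(self.attrs)

    def transaction_commit(self) -> None:
        self._snapshot = None
        self.observed.append(dict(self.attrs))     # single visible change

    def transaction_cancel(self) -> None:
        assert self._snapshot is not None
        self.attrs, self._snapshot = self._snapshot, None


def naive_reapply(d: Directory, linked: List[Gpo], deleted_guid: str) -> Dict[str, int]:
    """Reset to the defaults, then re-apply each remaining GPO in turn.
    The defaults are briefly live between the first and second write."""
    remaining = [g for g in linked if g.guid != deleted_guid]
    d.modify(DEFAULTS)
    for gpo in sorted(remaining, key=lambda g: g.precedence, reverse=True):
        d.modify(gpo.settings)
    return dict(d.attrs)


def resolved_reapply(d: Directory, linked: List[Gpo], deleted_guid: str) -> Dict[str, int]:
    """Compute the post-deletion effective value first, then write it once
    inside a transaction; cancel on any failure so nothing partial lands."""
    remaining = [g for g in linked if g.guid != deleted_guid]
    target = effective_settings(remaining, DEFAULTS)
    d.transaction_start()
    try:
        d.modify(target)
        d.transaction_commit()
    except Exception:
        d.transaction_cancel()
        raise
    return dict(d.attrs)


if __name__ == "__main__":
    start = effective_settings(GPOS, DEFAULTS)        # both GPOs applied
    for fn in (naive_reapply, resolved_reapply):
        d = Directory(start)
        fn(d, GPOS, GPOS[0].guid)                      # delete the winning GPO
        print(fn.__name__, "observable states:", d.observed)
```

The interesting output is the list of observable states: the naive path exposes minPwdLength 7 (the default) before settling on 10, while the resolved path shows one state only. Whichever way the deletion is detected, doing the resolution before the write removes the window the question worries about rather than merely shrinking it.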