[PATCHES] GPO support for client machine policy

David Mulder dmulder at suse.com
Wed Dec 6 13:39:27 UTC 2017


Yes, they would run simultaneously, but they apply different things.
They also run on different intervals.
If you look at samba_gpoupdate where it sets gp_extensions, you'll see
it sets the extensions to apply based on the type of apply (KDC, client
machine, or user which isn't available yet).
I had considered removing the KDC service, but I think it is fine as is.
The way it is now, if they choose not to configure winbind, kdc policy
is still applied. The client policy is then only applied if they
configure winbind and treat the kdc as a client also.
But, this also means an extra setup step for group policy on a KDC. You
must enable both the service for the KDC, and winbind gpupdate
for the client policy.

On 12/05/2017 04:31 PM, Garming Sam wrote:
> Hi,
>
> So, on a DC, does this actually run simultaneously with the gpo service
> that was written earlier? Having two running together doesn't sound like
> a good idea. Should the earlier one just be removed instead?
>
> Cheers,
>
> Garming
>
>
> On 03/12/17 04:54, David Mulder wrote:
>> These patches add Group Policy support for client machines. Adds a
>> winbind event that calls samba_gpoupdate to apply local machine
>> policies. Adds the option "winbind gpupdate" to smb.conf, which
>> determines whether group policy will be applied to the client. This is
>> *disabled* by default for now. Users will need to manually enable this
>> to see the new functionality.
>> To start off, we only have Environment Variable policies.
>>
>>  auth/credentials/pycredentials.c                |  14 +++++
>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  11 ++--
>>  docs-xml/smbdotconf/winbind/winbindgpupdate.xml |  18 ++++++
>>  lib/param/loadparm.c                            |   1 +
>>  python/samba/gp_env_var_ext.py                  |  86 ++++++++++++++++++++++++++
>>  python/samba/gp_file_append.py                  |  86 ++++++++++++++++++++++++++
>>  python/samba/gpclass.py                         | 163 +++++++++++++------------------------
>>  source3/param/loadparm.c                        |   2 +
>>  source3/winbindd/winbindd.c                     |   2 +
>>  source3/winbindd/winbindd_gpupdate.c            | 116 +++++++++++++++++++++++++++++++++++
>>  source3/winbindd/winbindd_proto.h               |   3 +
>>  source3/winbindd/wscript_build                  |   3 +-
>>  source4/scripting/bin/samba_gpoupdate           |  49 ++++++++++++---
>>  source4/scripting/bin/wscript_build             |   2 +-
>>  source4/scripting/wscript_build                 |   7 ++-
>>  15 files changed, 465 insertions(+), 98 deletions(-)
>>
>

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



