[PATCHES] GPO support for client machine policy

Stefan Metzmacher metze at samba.org
Thu Dec 7 07:26:24 UTC 2017


You add the '-M', '--machine' option.

I think you should replace
elif creds.machine_account():
with
elif opts.machine:

And --machine should be mandatory until we also implement --user.

I think we should not add pycredentials creds.machine_account().

I think the gp_file_append.py code should be extended to include
a checksum in self.section_end and only update the settings
if the checksum of stuff between self.section and self.section_end
still matches the checksum.

In addition to the "winbind gpupdate" option it might
be good to configure which policies the admin wants to be evaluated.
As admin I'd like to disable any policies that modify /etc/*,
while keeping the stuff that applies to samba internals.

As we now only install samba_gpoupdate, when we install the AD DC,
we need to either remove that limitation or make it clear in the
documentation that this is only evaluated on an AD DC.

Commands like 'wbinfo --gpoupdate-status', 'wbinfo --gpoupdate-check'
and 'wbinfo --gpoupdate-force' would be good.

Would it make sense to support third party gpo evaluation scripts?
So that admins could write their own stuff to manage
/etc/someapplication.conf

metze

Am 02.12.2017 um 16:54 schrieb David Mulder via samba-technical:
> These patches add Group Policy support for client machines. Adds a
> winbind event that calls samba_gpoupdate to apply local machine
> policies. Adds the option "winbind gpupdate" to smb.conf, which
> determines whether group policy will be applied to the client. This is
> *disabled* by default for now. Users will need to manually enable this
> to see the new functionality.
> To start off, we only have Environment Variable policies.
> 
>  auth/credentials/pycredentials.c                |  14 +++++
>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  11 ++--
>  docs-xml/smbdotconf/winbind/winbindgpupdate.xml |  18 ++++++
>  lib/param/loadparm.c                            |   1 +
>  python/samba/gp_env_var_ext.py                  |  86 ++++++++++++++++++++++++++
>  python/samba/gp_file_append.py                  |  86 ++++++++++++++++++++++++++
>  python/samba/gpclass.py                         | 163 +++++++++++++++++++++++++------------------------
>  source3/param/loadparm.c                        |   2 +
>  source3/winbindd/winbindd.c                     |   2 +
>  source3/winbindd/winbindd_gpupdate.c            | 116 +++++++++++++++++++++++++++++++++++
>  source3/winbindd/winbindd_proto.h               |   3 +
>  source3/winbindd/wscript_build                  |   3 +-
>  source4/scripting/bin/samba_gpoupdate           |  49 ++++++++++++---
>  source4/scripting/bin/wscript_build             |   2 +-
>  source4/scripting/wscript_build                 |   7 ++-
>  15 files changed, 465 insertions(+), 98 deletions(-)
> 
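
One way the checksum check suggested above for gp_file_append.py could work, as an added example that is not code from the patch set or from Samba. The marker strings, the "sha256=" suffix on the end marker and all function names are assumptions; the real values of self.section and self.section_end are not shown in this thread.

```python
import hashlib
import re

# Hypothetical markers standing in for self.section / self.section_end.
SECTION = "### autogenerated by samba (example marker)"
SECTION_END = "### end autogenerated by samba (example marker)"


class SectionModified(Exception):
    """The managed block no longer matches the checksum written with it."""


def _digest(body):
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def _render(body):
    # The end marker carries the checksum of everything between the markers.
    return "%s\n%s%s sha256=%s\n" % (SECTION, body, SECTION_END, _digest(body))


_BLOCK = re.compile(
    re.escape(SECTION) + r"\n(?P<body>.*?)" + re.escape(SECTION_END)
    + r" sha256=(?P<sum>[0-9a-f]{64})\n", re.S)


def update_section(text, settings):
    """Return text with the managed block replaced by settings (list of lines).

    Raises SectionModified instead of overwriting when the block was edited
    by hand or its markers are damaged, so local changes are never clobbered.
    """
    body = "".join(line + "\n" for line in settings)
    m = _BLOCK.search(text)
    if m is None:
        if SECTION in text:
            # Begin marker present but no intact end marker with checksum.
            raise SectionModified("managed block is damaged")
        if text and not text.endswith("\n"):
            text += "\n"
        return text + _render(body)  # first run: append a fresh block
    if _digest(m.group("body")) != m.group("sum"):
        raise SectionModified("checksum mismatch, leaving file untouched")
    return text[:m.start()] + _render(body) + text[m.end():]
```

The caller decides what a SectionModified means for policy application, for example logging it and skipping that file until an admin resolves the conflict.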

