[PATCH 05/18] gpo: Create the gpo update service

Thu Feb 23 20:21:57 UTC 2017

From: Luke Morrison <luc785 at hotmail.com>

Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder

Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Luke Morrison <luke at hubtrek.com>
---
 docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
 lib/param/loadparm.c                            |   3 +-
 source4/dsdb/gpo/gpo_update.c                   | 191 ++++++++++++++++++++++++
 3 files changed, 207 insertions(+), 1 deletion(-)
 create mode 100644 docs-xml/smbdotconf/domain/gpoupdatecommand.xml
 create mode 100644 source4/dsdb/gpo/gpo_update.c

diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
new file mode 100644
index 0000000..cbfd662
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="gpo update command"
+                 context="G"
+                 type="list"
+                 advanced="1"
+                 xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+	<para>This option sets the command that is called when there are
+		GPO updates.
+	</para>
+</description>
+
+<value type="default">&pathconfig.SCRIPTSBINDIR;/samba_gpoupdate</value>
+<value type="example">/usr/local/sbin/gpoupdate</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 335c54a..efbd1d7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2613,7 +2613,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
 
 	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
-	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns gpoupdate");
 	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
 	/* the winbind method for domain controllers is for both RODC
 	   auth forwarding and for trusted domains */
@@ -2692,6 +2692,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 	lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
 	lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
 	lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+	lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR);
 	lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR);
 	lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR);
 	lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command",
diff --git a/source4/dsdb/gpo/gpo_update.c b/source4/dsdb/gpo/gpo_update.c
new file mode 100644
index 0000000..5abc109
--- /dev/null
+++ b/source4/dsdb/gpo/gpo_update.c
@@ -0,0 +1,191 @@
+/*
+   Unix SMB/CIFS mplementation.
+   GPO update service
+
+   Copyright (C) Luke Morrison 2013
+
+   Inspired by dns_updates.c written by Andrew Trigell 2009
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/
+
+*/
+
+#include "includes.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/auth.h"
+#include "smbd/service.h"
+#include "lib/messaging/irpc.h"
+#include "param/param.h"
+#include "system/filesys.h"
+#include "dsdb/common/util.h"
+#include "libcli/composite/composite.h"
+#include "libcli/security/dom_sid.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "libds/common/roles.h"
+
+NTSTATUS server_service_gpoupdate_init(void);
+
+struct gpoupdate_service {
+	struct auth_session_info *system_session_info;
+	struct task_server *task;
+	struct ldb_context *samdb;
+
+	/* status for periodic sysvol/GPO scan update - >sysvscan */
+	struct {
+		uint32_t interval;
+		struct tevent_timer *te;
+		struct tevent_req *subreq;
+		NTSTATUS status;
+	} sysvscan;
+};
+
+/*
+Called when the sysvol scan has finished
+*/
+static void gpoupdate_sysvscan_done(struct tevent_req *subreq)
+{
+	struct gpoupdate_service *service = tevent_req_callback_data(subreq,
+								     struct
+								     gpoupdate_service);
+	int ret;
+	int sys_errno;
+
+	service->sysvscan.subreq = NULL;
+
+	ret = samba_runcmd_recv(subreq, &sys_errno);
+	TALLOC_FREE(subreq);
+	if (ret != 0) {
+		service->sysvscan.status =
+		    map_nt_error_from_unix_common(sys_errno);
+	} else {
+		service->sysvscan.status = NT_STATUS_OK;
+	}
+
+	if (!NT_STATUS_IS_OK(service->sysvscan.status)) {
+		DEBUG(0, (__location__ ": Failed GPO update - %s\n",
+			  nt_errstr(service->sysvscan.status)));
+	} else {
+		DEBUG(3, ("Completed GPO update check OK\n"));
+	}
+}
+
+static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service);
+
+static void gpoupdate_scan_apply(struct gpoupdate_service *service);
+
+static void gpoupdate_sysvscan_handler_te(struct tevent_context *ev,
+					  struct tevent_timer *te,
+					  struct timeval t, void *ptr)
+{
+	struct gpoupdate_service *service =
+	    talloc_get_type(ptr, struct gpoupdate_service);
+
+	gpoupdate_scan_apply(service);
+	gpoupdate_sysvscan_schedule(service);
+}
+
+static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service)
+{
+	/* For the moment the interval is hard coded to 5 sec */
+	DEBUG(0,
+	      ("calling %s interval = %d\n", __FUNCTION__,
+	       service->sysvscan.interval));
+	service->sysvscan.te =
+	    tevent_add_timer(service->task->event_ctx, service,
+			     timeval_current_ofs(service->sysvscan.interval, 0),
+			     gpoupdate_sysvscan_handler_te, service);
+	NT_STATUS_HAVE_NO_MEMORY(service->sysvscan.te);
+	return NT_STATUS_OK;
+}
+
+static void gpoupdate_scan_apply(struct gpoupdate_service *service)
+{
+	const char *const *gpo_update_command =
+	    lpcfg_gpo_update_command(service->task->lp_ctx);
+	const char *smbconf = lpcfg_configfile(service->task->lp_ctx);
+	/* /home/john/samba/samba/source4/scripting/bin/gpoupdate */
+	TALLOC_FREE(service->sysvscan.subreq);
+	DEBUG(3, ("Calling GPO update script\n"));
+	service->sysvscan.subreq = samba_runcmd_send(service,
+						     service->task->event_ctx,
+						     timeval_current_ofs(20, 0),
+						     2, 0,
+						     gpo_update_command,
+						     smbconf, NULL);
+	if (service->sysvscan.subreq == NULL) {
+		DEBUG(0,
+		      (__location__
+		       ": samba_runcmd_send() failed with no memory\n"));
+		return;
+	}
+	tevent_req_set_callback(service->sysvscan.subreq,
+				gpoupdate_sysvscan_done, service);
+}
+
+static void gpoupdate_task_init(struct task_server *task)
+{
+	NTSTATUS status;
+	struct gpoupdate_service *service;
+
+	if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
+		/* not useful for non-DC */
+		return;
+	}
+
+	task_server_set_title(task, "task[gpoupdate]");
+
+	service = talloc_zero(task, struct gpoupdate_service);
+	if (!service) {
+		task_server_terminate(task,
+				      "gpoupdate_task_init: out of memory",
+				      true);
+		return;
+	}
+	service->task = task;
+	task->private_data = service;
+
+	service->system_session_info = system_session(service->task->lp_ctx);
+	if (!service->system_session_info) {
+		task_server_terminate(task,
+				      "gpoupdate: Failed to obtain server credentials\n",
+				      true);
+		return;
+	}
+
+	/*FIXME maybe I should remove this if I don't need to do queries in C */
+	service->samdb =
+	    samdb_connect(service, service->task->event_ctx, task->lp_ctx,
+			  service->system_session_info, 0);
+	if (!service->samdb) {
+		task_server_terminate(task,
+				      "gpoupdate: Failed to connect to local samdb\n",
+				      true);
+		return;
+	}
+
+	service->sysvscan.interval = lpcfg_parm_int(task->lp_ctx, NULL, "gpoupdate", "config interval", 30);	/* in seconds */
+	status = gpoupdate_sysvscan_schedule(service);
+	if (!NT_STATUS_IS_OK(status)) {
+		task_server_terminate(task, talloc_asprintf(task,
+							    "gpoupdate: Failed to update sysvol scan schedule: %s\n",
+							    nt_errstr(status)),
+				      true);
+		return;
+	}
+}
+
+NTSTATUS server_service_gpoupdate_init(void)
+{
+	return register_server_service("gpoupdate", gpoupdate_task_init);
+}
-- 
2.10.2


