[PATCH 05/18] gpo: Create the gpo update service
David Mulder
dmulder at suse.com
Thu Feb 23 20:21:57 UTC 2017
From: Luke Morrison <luc785 at hotmail.com>
Split from "Initial commit for GPO work done by Luke Morrison" by David Mulder
Signed-off-by: Garming Sam <garming at catalyst.net.nz>
Signed-off-by: Luke Morrison <luke at hubtrek.com>
---
docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 14 ++
lib/param/loadparm.c | 3 +-
source4/dsdb/gpo/gpo_update.c | 191 ++++++++++++++++++++++++
3 files changed, 207 insertions(+), 1 deletion(-)
create mode 100644 docs-xml/smbdotconf/domain/gpoupdatecommand.xml
create mode 100644 source4/dsdb/gpo/gpo_update.c
diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
new file mode 100644
index 0000000..cbfd662
--- /dev/null
+++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml
@@ -0,0 +1,14 @@
+<samba:parameter name="gpo update command"
+ context="G"
+ type="list"
+ advanced="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>This option sets the command that is called when there are
+ GPO updates.
+ </para>
+</description>
+
+<value type="default">&pathconfig.SCRIPTSBINDIR;/samba_gpoupdate</value>
+<value type="example">/usr/local/sbin/gpoupdate</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 335c54a..efbd1d7 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2613,7 +2613,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
- lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+ lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns gpoupdate");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
auth forwarding and for trusted domains */
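Review bot: Adding `gpoupdate` to the default `server services` string enables the new task on every AD DC that relies on the default, so after an upgrade the configured `gpo update command` starts running periodically under the samba daemon with no opt-in. If that is intended, it should be stated in the commit message and in the parameter documentation, so administrators know a new external command is being spawned. The diffstat lists only three files, so any documented default for `server services` is not updated by this patch and may need the same change. loadparm_init starts and ends outside this hunk.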
@@ -2692,6 +2692,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
+ lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR);
lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command",
diff --git a/source4/dsdb/gpo/gpo_update.c b/source4/dsdb/gpo/gpo_update.c
new file mode 100644
index 0000000..5abc109
--- /dev/null
+++ b/source4/dsdb/gpo/gpo_update.c
@@ -0,0 +1,191 @@
+/*
+ Unix SMB/CIFS mplementation.
+ GPO update service
+
+ Copyright (C) Luke Morrison 2013
+
+ Inspired by dns_updates.c written by Andrew Trigell 2009
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/
+
+*/
+
+#include "includes.h"
+#include "dsdb/samdb/samdb.h"
+#include "auth/auth.h"
+#include "smbd/service.h"
+#include "lib/messaging/irpc.h"
+#include "param/param.h"
+#include "system/filesys.h"
+#include "dsdb/common/util.h"
+#include "libcli/composite/composite.h"
+#include "libcli/security/dom_sid.h"
+#include "librpc/gen_ndr/ndr_irpc.h"
+#include "libds/common/roles.h"
+
+NTSTATUS server_service_gpoupdate_init(void);
+
+struct gpoupdate_service {
+ struct auth_session_info *system_session_info;
+ struct task_server *task;
+ struct ldb_context *samdb;
+
+ /* status for periodic sysvol/GPO scan update - >sysvscan */
+ struct {
+ uint32_t interval;
+ struct tevent_timer *te;
+ struct tevent_req *subreq;
+ NTSTATUS status;
+ } sysvscan;
+};
+
+/*
+Called when the sysvol scan has finished
+*/
+static void gpoupdate_sysvscan_done(struct tevent_req *subreq)
+{
+ struct gpoupdate_service *service = tevent_req_callback_data(subreq,
+ struct
+ gpoupdate_service);
+ int ret;
+ int sys_errno;
+
+ service->sysvscan.subreq = NULL;
+
+ ret = samba_runcmd_recv(subreq, &sys_errno);
+ TALLOC_FREE(subreq);
+ if (ret != 0) {
+ service->sysvscan.status =
+ map_nt_error_from_unix_common(sys_errno);
+ } else {
+ service->sysvscan.status = NT_STATUS_OK;
+ }
+
+ if (!NT_STATUS_IS_OK(service->sysvscan.status)) {
+ DEBUG(0, (__location__ ": Failed GPO update - %s\n",
+ nt_errstr(service->sysvscan.status)));
+ } else {
+ DEBUG(3, ("Completed GPO update check OK\n"));
+ }
+}
+
+static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service);
+
+static void gpoupdate_scan_apply(struct gpoupdate_service *service);
+
+static void gpoupdate_sysvscan_handler_te(struct tevent_context *ev,
+ struct tevent_timer *te,
+ struct timeval t, void *ptr)
+{
+ struct gpoupdate_service *service =
+ talloc_get_type(ptr, struct gpoupdate_service);
+
+ gpoupdate_scan_apply(service);
+ gpoupdate_sysvscan_schedule(service);
+}
+
+static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service)
+{
+ /* For the moment the interval is hard coded to 5 sec */
+ DEBUG(0,
+ ("calling %s interval = %d\n", __FUNCTION__,
+ service->sysvscan.interval));
+ service->sysvscan.te =
+ tevent_add_timer(service->task->event_ctx, service,
+ timeval_current_ofs(service->sysvscan.interval, 0),
+ gpoupdate_sysvscan_handler_te, service);
+ NT_STATUS_HAVE_NO_MEMORY(service->sysvscan.te);
+ return NT_STATUS_OK;
+}
+
+static void gpoupdate_scan_apply(struct gpoupdate_service *service)
+{
+ const char *const *gpo_update_command =
+ lpcfg_gpo_update_command(service->task->lp_ctx);
+ const char *smbconf = lpcfg_configfile(service->task->lp_ctx);
+ /* /home/john/samba/samba/source4/scripting/bin/gpoupdate */
+ TALLOC_FREE(service->sysvscan.subreq);
+ DEBUG(3, ("Calling GPO update script\n"));
+ service->sysvscan.subreq = samba_runcmd_send(service,
+ service->task->event_ctx,
+ timeval_current_ofs(20, 0),
+ 2, 0,
+ gpo_update_command,
+ smbconf, NULL);
+ if (service->sysvscan.subreq == NULL) {
+ DEBUG(0,
+ (__location__
+ ": samba_runcmd_send() failed with no memory\n"));
+ return;
+ }
+ tevent_req_set_callback(service->sysvscan.subreq,
+ gpoupdate_sysvscan_done, service);
+}
+
+static void gpoupdate_task_init(struct task_server *task)
+{
+ NTSTATUS status;
+ struct gpoupdate_service *service;
+
+ if (lpcfg_server_role(task->lp_ctx) != ROLE_ACTIVE_DIRECTORY_DC) {
+ /* not useful for non-DC */
+ return;
+ }
+
+ task_server_set_title(task, "task[gpoupdate]");
+
+ service = talloc_zero(task, struct gpoupdate_service);
+ if (!service) {
+ task_server_terminate(task,
+ "gpoupdate_task_init: out of memory",
+ true);
+ return;
+ }
+ service->task = task;
+ task->private_data = service;
+
+ service->system_session_info = system_session(service->task->lp_ctx);
+ if (!service->system_session_info) {
+ task_server_terminate(task,
+ "gpoupdate: Failed to obtain server credentials\n",
+ true);
+ return;
+ }
+
+ /*FIXME maybe I should remove this if I don't need to do queries in C */
+ service->samdb =
+ samdb_connect(service, service->task->event_ctx, task->lp_ctx,
+ service->system_session_info, 0);
+ if (!service->samdb) {
+ task_server_terminate(task,
+ "gpoupdate: Failed to connect to local samdb\n",
+ true);
+ return;
+ }
+
+ service->sysvscan.interval = lpcfg_parm_int(task->lp_ctx, NULL, "gpoupdate", "config interval", 30); /* in seconds */
+ status = gpoupdate_sysvscan_schedule(service);
+ if (!NT_STATUS_IS_OK(status)) {
+ task_server_terminate(task, talloc_asprintf(task,
+ "gpoupdate: Failed to update sysvol scan schedule: %s\n",
+ nt_errstr(status)),
+ true);
+ return;
+ }
+}
+
+NTSTATUS server_service_gpoupdate_init(void)
+{
+ return register_server_service("gpoupdate", gpoupdate_task_init);
+}
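Review bot: The interval read in gpoupdate_task_init via `lpcfg_parm_int(task->lp_ctx, NULL, "gpoupdate", "config interval", 30)` is stored in a `uint32_t` with no range check, so a configured 0 re-arms the timer immediately and spawns the command in a tight loop, while a negative value wraps to a very long delay. Any value below the 20 second timeout passed to samba_runcmd_send() also means the `TALLOC_FREE(service->sysvscan.subreq)` in gpoupdate_scan_apply discards a run that is still in flight; read the value into an `int` first and fall back to the default when it is too small, e.g. `if (interval <= 20) interval = 30;`. gpoupdate_sysvscan_handler_te ignores the NTSTATUS returned by `gpoupdate_sysvscan_schedule(service)`, so a failed tevent_add_timer() silently ends all further updates and should at least be logged. The `samdb_connect()` handle opened with `system_session()` is never used elsewhere in this file (the FIXME says as much), so dropping it would avoid holding a system-privileged database handle in a task that only runs a script. The `DEBUG(0, ...)` in gpoupdate_sysvscan_schedule fires on every tick and its comment still says 5 seconds; a higher debug level and a corrected comment would fit better.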
--
2.10.2