[PATCHES] GPO support for the AD DC itself

Andrew Bartlett abartlet at samba.org
Mon Jul 3 03:44:49 UTC 2017


On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> I've attached a new set of patches that fix the issues that Garming
> pointed out (as well as a few issues I discovered).
> 
> The changes to finalize_local_nt_token() have been removed. Comments
> have been added to the KRB5Parser and gp_log classes. Documentation
> has
> been added for the settings that are being applied. The source has
> been
> rebased against master. A build warning was silenced using
> discard_const_p(). Segfaults in the make test were fixed.
> 
> Feedback is appreciated!

Thanks David. 

I'm sorry for not noticing this earlier, but the GPO settings for the
KDC look wrong. 

While you have set the settings into the krb5.conf, I think you
actually want to change the KDC in setup_kdc_setup_db_ctx():

	/* get default kdc policy */
	lpcfg_default_kdc_policy(base_ctx->lp_ctx,
				 &kdc_db_ctx->policy.svc_tkt_lifetime,
				 &kdc_db_ctx->policy.usr_tkt_lifetime,
				 &kdc_db_ctx->policy.renewal_lifetime);

Currently this reads smb.conf parameters for these values.  If the
values from the GPO should override, then these need to be stored
somewhere, or perhaps written to AD and read from there.

The other challenge is that we now do have a class of administrators
who have become very accustomed to the 'samba-tool pwsettings' command
for setting the password policies, and other administrators who would
love to get back to the GUI tools on Windows. 

If we turned this on, would we suddenly overwrite the settings on a
pile of domains?  

I would be much more comfortable with this change if it were opt-in for
a release, off by default by skipping the entry in server services,
allowing us to understand how it works.

For example, I'm a little nervous about the idea of unapplying a
setting that might also have been modified directly by the
administrator, or applying a setting that was manually set directly.  

Additionally there is the complexity of a multi-master replicated
domain, the apply/un-apply logs would be scattered on each DC, based on
who wins the 15 mins timer race.

I guess one way out would be to have 'samba-tool domain pwsettings'
write group policy files, but without a replicated sysvol I can't see
how that works either.

I'm sorry to drop such doubts on you at this late moment. 

Sorry,

Andrew Bartlett

>  ctdb/common/system.h                            |   1 -
>  ctdb/common/system_util.c                       |  49 +-----
>  ctdb/wscript                                    |   4 +-
>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
>  dynconfig/dynconfig.c                           |   1 +
>  dynconfig/dynconfig.h                           |   1 +
>  dynconfig/wscript                               |   2 +
>  lib/param/loadparm.c                            |   3 +-
>  lib/util/mkdir_p.c                              |  71 ++++++++
>  lib/util/mkdir_p.h                              |  22 +++
>  lib/util/wscript_build                          |   5 +
>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>  libgpo/gpo_ldap.c                               |   4 +-
>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>  libgpo/pygpo.c                                  | 451
> +++++++++++++++++++++++++++++++++++++++++++++++
>  libgpo/wscript_build                            |  12 ++
>  python/samba/gpclass.py                         | 463
> +++++++++++++++++++++++++++++++++++++++++++++++++
>  python/samba/krb5parse.py                       |  78 +++++++++
>  python/samba/samdb.py                           |  18 ++
>  selftest/target/Samba4.pm                       |   1 +
>  source3/libgpo/gpext/wscript_build              |   4 -
>  source3/param/loadparm.c                        |   9 +-
>  source3/utils/wscript_build                     |   2 +-
>  source3/wscript_build                           |  19 --
>  source4/dsdb/gpo/gpo_update.c                   | 191
> ++++++++++++++++++++
>  source4/dsdb/wscript_build                      |   9 +
>  source4/param/pyparam.c                         |   7 +
>  source4/scripting/bin/samba_gpoupdate           | 153
> ++++++++++++++++
>  source4/scripting/bin/wscript_build             |   2 +-
>  source4/scripting/wscript_build                 |   2 +-
>  source4/selftest/tests.py                       |   4 +
>  source4/torture/gpo/apply.c                     | 165
> ++++++++++++++++++
>  source4/torture/gpo/gpo.c                       |  36 ++++
>  source4/torture/gpo/wscript_build               |  14 ++
>  source4/torture/wscript_build                   |   1 +
>  wscript_build                                   |   1 +
>  38 files changed, 1743 insertions(+), 81 deletions(-)
> 
> On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
> > These patches were originally sent to the mailing list on 05 June
> > 2014.
> > New python bindings for getting gpo guids and correct apply order
> > from
> > libgpo. Completely rewritten samba_gpoupdate to use new python
> > bindings.
> > Added unapply.
> > I would love to get these into 4.7. Feedback welcome!
> > 
> >  ctdb/common/system.h                            |   1 -
> >  ctdb/common/system_util.c                       |  49 +-----
> >  ctdb/wscript                                    |   4 +-
> >  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
> >  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
> >  dynconfig/dynconfig.c                           |   1 +
> >  dynconfig/dynconfig.h                           |   1 +
> >  dynconfig/wscript                               |   2 +
> >  lib/param/loadparm.c                            |   3 +-
> >  lib/util/mkdir_p.c                              |  71 ++++++++
> >  lib/util/mkdir_p.h                              |  22 +++
> >  lib/util/wscript_build                          |   5 +
> >  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
> >  libgpo/gpo_ldap.c                               |   4 +-
> >  {source3/libgpo => libgpo}/gpo_proto.h          |   0
> >  {source3/libgpo => libgpo}/gpo_reg.c            |   0
> >  libgpo/pygpo.c                                  | 448
> > +++++++++++++++++++++++++++++++++++++++++++++++++
> >  libgpo/wscript_build                            |  12 ++
> >  python/samba/gpclass.py                         | 387
> > ++++++++++++++++++++++++++++++++++++++++++
> >  python/samba/krb5parse.py                       |  67 ++++++++
> >  python/samba/samdb.py                           |  18 ++
> >  selftest/target/Samba4.pm                       |   1 +
> >  source3/auth/token_util.c                       |   3 +-
> >  source3/libgpo/gpext/wscript_build              |   4 -
> >  source3/param/loadparm.c                        |   9 +-
> >  source3/utils/wscript_build                     |   2 +-
> >  source3/wscript_build                           |  19 ---
> >  source4/dsdb/gpo/gpo_update.c                   | 191
> > +++++++++++++++++++++
> >  source4/dsdb/wscript_build                      |   9 +
> >  source4/param/pyparam.c                         |   7 +
> >  source4/scripting/bin/samba_gpoupdate           | 147
> > ++++++++++++++++
> >  source4/scripting/bin/wscript_build             |   2 +-
> >  source4/scripting/wscript_build                 |   2 +-
> >  source4/selftest/tests.py                       |   4 +
> >  source4/torture/gpo/apply.c                     | 165
> > ++++++++++++++++++
> >  source4/torture/gpo/gpo.c                       |  36 ++++
> >  source4/torture/gpo/wscript_build               |  14 ++
> >  source4/torture/wscript_build                   |   1 +
> >  wscript_build                                   |   1 +
> >  39 files changed, 1646 insertions(+), 82 deletions(-)
> > 
> 
> 
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
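The concern above about unapplying a setting the administrator has since changed by hand, or re-applying over a manual change, as an added example that is not part of this thread or of Samba's code. The SettingsStore is a hypothetical in-memory stand-in for wherever the effective value lives (smb.conf, the KDC policy in AD, a registry-style store), and the key names are only illustrative labels borrowed from smb.conf, not a claim about how Samba stores or applies them. What it demonstrates is the three-way check an apply/unapply log needs: compare the current value with the value the GPO machinery last wrote, and treat any difference as a manual change that must not be clobbered.

```python
"""Added example (not Samba's gpclass.py): an apply/unapply log that
refuses to overwrite a setting the administrator changed by hand.

Assumptions: SettingsStore is a hypothetical key/value store, and the
key names are illustrative.  None means "not set".
"""

import json


class SettingsStore:
    """Hypothetical store standing in for smb.conf / AD / a registry."""

    def __init__(self, values=None):
        self.values = dict(values or {})

    def get(self, key):
        return self.values.get(key)

    def set(self, key, value):
        # Writing None removes the key, so "restore to unset" works.
        if value is None:
            self.values.pop(key, None)
        else:
            self.values[key] = value


class GpoApplier:
    """Apply GPO-provided settings, remembering enough to unapply safely.

    self.log maps key -> {"old": value seen before our first write,
                          "new": value we last wrote}.
    A key whose current value differs from log[key]["new"] was changed
    outside the GPO machinery and is left alone on apply and unapply.
    """

    def __init__(self, store, log=None):
        self.store = store
        self.log = dict(log or {})

    def apply(self, gpo_settings):
        applied, conflicts = [], []
        for key, value in gpo_settings.items():
            current = self.store.get(key)
            if key in self.log:
                if current != self.log[key]["new"]:
                    # Admin changed it since we last wrote it: do not override.
                    conflicts.append(key)
                    continue
                self.log[key]["new"] = value
            else:
                # First time we touch this key: remember what to restore.
                self.log[key] = {"old": current, "new": value}
            self.store.set(key, value)
            applied.append(key)
        return {"applied": applied, "conflicts": conflicts}

    def unapply(self, keys=None):
        restored, conflicts = [], []
        for key in list(keys if keys is not None else self.log):
            entry = self.log.pop(key, None)
            if entry is None:
                continue
            if self.store.get(key) != entry["new"]:
                # Not our value any more: the admin owns it now, keep it.
                conflicts.append(key)
                continue
            self.store.set(key, entry["old"])
            restored.append(key)
        return {"restored": restored, "conflicts": conflicts}

    def dump_log(self):
        """Serialise the log so it can be kept beside the store (per DC)."""
        return json.dumps(self.log, sort_keys=True)

    @classmethod
    def from_log(cls, store, text):
        return cls(store, json.loads(text))


def demo():
    """GPO applied, one value edited by hand, GPO re-applied, then unapplied."""
    store = SettingsStore({"kdc:user ticket lifetime": 10})   # constructed input
    gpo = GpoApplier(store)
    first = gpo.apply({"kdc:user ticket lifetime": 8,
                       "kdc:renewal lifetime": 168})
    store.set("kdc:user ticket lifetime", 12)                 # manual edit
    second = gpo.apply({"kdc:user ticket lifetime": 6,
                        "kdc:renewal lifetime": 200})
    later = GpoApplier.from_log(store, gpo.dump_log())        # reload log
    undo = later.unapply()
    return {"first": first, "second": second, "undo": undo,
            "final": dict(store.values)}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the manually edited value (12) surviving both the re-apply and the unapply, while the value only the GPO ever set is restored to unset. A log like this is still per-DC, which is the multi-master problem raised above; it only makes the single-DC behaviour safe.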