[PATCHES] GPO support for the AD DC itself

Andrew Bartlett abartlet at samba.org
Mon Jul 3 03:56:19 UTC 2017 

On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical
wrote:
> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > I've attached a new set of patches that fix the issues that Garming
> > pointed out (as well as a few issues I discovered).
> > 
> > The changes to finalize_local_nt_token() have been removed.
> > Comments
> > have been added to the KRB5Parser and gp_log classes. Documentation
> > has
> > been added for the settings that are being applied. The source has
> > been
> > rebased against master. A build warning was silenced using
> > discard_const_p(). Segfaults in the make test were fixed.
> > 
> > Feedback is appreciated!
> 
> Thanks David. 
> 
> I'm sorry for not noticing this earlier, but the GPO settings for the
> KDC look wrong. 
> 
> While you have set the settings into the krb5.conf, I think you
> actually want to change the KDC in setup_kdc_setup_db_ctx():
> 
> 	/* get default kdc policy */
> 	lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> 				 &kdc_db_ctx->policy.svc_tkt_lifetime,
> 				 &kdc_db_ctx->policy.usr_tkt_lifetime,
> 				 &kdc_db_ctx->policy.renewal_lifetime);
> 
> Currently this reads smb.conf parameters for these values.  If the
> values from the GPO should override, then these need to be stored
> somewhere, or perhaps written to AD and read from there.
> 
> The other challenge is that we now do have a class of administrators
> who have become very accustomed to the 'samba-tool pwsettings'
> command
> for setting the password policies, and other administrators who would
> love to get back to the GUI tools on Windows. 
> 
> If we turned this on, would we suddenly overwrite the settings on a
> pile of domains?  
> 
> I would be much more comfortable with this change if it were opt-in
> for
> a release, off by default by skipping the entry in server services,
> allowing us to understand how it works.
> 
> For example, I'm a little nervous about the idea of unapplying a
> setting that might also have been modified directly by the
> administrator, or applying a setting that was manually set directly.
>  
> 
> Additionally there is the complexity of a mulit-master replicated
> domain, the apply/un-apply logs would be scattered on each DC, based
> on
> who wins the 15 mins timer race.
> 
> I guess one way out would be to have 'samba-tool domain pwsettings'
> write group policy files, but without a replicated sysvol I can't see
> how that works either.
> 
> I'm sorry to drop such doubts on you at this late moment. 

A way out would be to re-position this tool as something 
the administrator runs manually after a change on their GPO master
server.  (Most Samba sites run one GPO master). 

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

More information about the samba-technical mailing list