[PATCHES] GPO support for the AD DC itself
Andrew Bartlett
abartlet at samba.org
Mon Jul 3 03:56:19 UTC 2017
On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical wrote:
> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > I've attached a new set of patches that fix the issues that Garming
> > pointed out (as well as a few issues I discovered).
> >
> > The changes to finalize_local_nt_token() have been removed. Comments
> > have been added to the KRB5Parser and gp_log classes. Documentation has
> > been added for the settings that are being applied. The source has been
> > rebased against master. A build warning was silenced using
> > discard_const_p(). Segfaults in the make test were fixed.
> >
> > Feedback is appreciated!
>
> Thanks David.
>
> I'm sorry for not noticing this earlier, but the GPO settings for the
> KDC look wrong.
>
> While you have set the settings into the krb5.conf, I think you
> actually want to change the KDC in setup_kdc_setup_db_ctx():
>
>     /* get default kdc policy */
>     lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>                              &kdc_db_ctx->policy.svc_tkt_lifetime,
>                              &kdc_db_ctx->policy.usr_tkt_lifetime,
>                              &kdc_db_ctx->policy.renewal_lifetime);
>
> Currently this reads smb.conf parameters for these values. If the
> values from the GPO should override, then these need to be stored
> somewhere, or perhaps written to AD and read from there.
>
> The other challenge is that we now do have a class of administrators
> who have become very accustomed to the 'samba-tool pwsettings' command
> for setting the password policies, and other administrators who would
> love to get back to the GUI tools on Windows.
>
> If we turned this on, would we suddenly overwrite the settings on a
> pile of domains?
>
> I would be much more comfortable with this change if it were opt-in for
> a release, off by default by skipping the entry in server services,
> allowing us to understand how it works.
>
> For example, I'm a little nervous about the idea of unapplying a
> setting that might also have been modified directly by the
> administrator, or applying a setting that was manually set directly.
>
>
> Additionally there is the complexity of a multi-master replicated
> domain, the apply/un-apply logs would be scattered on each DC, based on
> who wins the 15 mins timer race.
>
> I guess one way out would be to have 'samba-tool domain pwsettings'
> write group policy files, but without a replicated sysvol I can't see
> how that works either.
>
> I'm sorry to drop such doubts on you at this late moment.
A way out would be to re-position this tool as something
the administrator runs manually after a change on their GPO master
server. (Most Samba sites run one GPO master).
Thanks,
Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
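The apply/un-apply concern raised in the thread (reverting a GPO-applied KDC setting that an administrator has since changed by hand) can be modelled in a few lines. The following is an added illustration, not Samba code and not David's patch set: the settings store, the three setting names (chosen to mirror the values lpcfg_default_kdc_policy() hands to the KDC), the record format and the sample values are all constructed for this example. The point it shows is that an un-apply step must compare the current value against what the GPO wrote before reverting, and leave untouched anything that no longer matches.

```python
"""Toy model of GPO apply/un-apply for KDC ticket-lifetime settings.

Added illustration only; NOT Samba code. The in-memory store stands in for
whatever a real implementation would use (smb.conf, AD, a per-DC log file).
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed names mirroring the three policy values handed to the KDC.
# They are not smb.conf parameter names.
SETTINGS = ("svc_tkt_lifetime", "usr_tkt_lifetime", "renewal_lifetime")


@dataclass
class ApplyRecord:
    """One line of the apply log: what the value was and what the GPO set."""
    name: str
    previous: int
    applied: int


@dataclass
class KdcPolicyStore:
    values: Dict[str, int]
    log: List[ApplyRecord] = field(default_factory=list)

    def admin_set(self, name: str, value: int) -> None:
        """A direct administrator change (e.g. editing smb.conf by hand)."""
        self.values[name] = value

    def apply_gpo(self, gpo: Dict[str, int]) -> None:
        """Apply GPO values, logging the prior value of each setting."""
        for name, value in gpo.items():
            if name not in SETTINGS:
                raise ValueError(f"unknown setting {name!r}")
            self.log.append(ApplyRecord(name, self.values[name], value))
            self.values[name] = value

    def unapply_gpo(self) -> List[str]:
        """Revert settings that still hold the GPO-applied value.

        A setting whose current value differs from what the GPO wrote has
        been changed by someone else since; it is left alone and reported,
        rather than silently overwritten with the logged 'previous' value.
        """
        skipped = []
        for rec in reversed(self.log):
            if self.values[rec.name] == rec.applied:
                self.values[rec.name] = rec.previous
            else:
                skipped.append(rec.name)
        self.log.clear()
        return skipped


def demo():
    """Constructed scenario: GPO applied, admin edits one value, GPO removed."""
    store = KdcPolicyStore({"svc_tkt_lifetime": 600,
                            "usr_tkt_lifetime": 600,
                            "renewal_lifetime": 10080})
    store.apply_gpo({"svc_tkt_lifetime": 300, "renewal_lifetime": 7200})
    store.admin_set("renewal_lifetime", 4320)  # manual change after apply
    skipped = store.unapply_gpo()
    return store.values, skipped


if __name__ == "__main__":
    values, skipped = demo()
    print("values after un-apply:", values)
    print("left untouched (changed by admin):", skipped)
```

The "skip and report" choice is the conservative one: it never discards an administrator's manual value, at the cost of leaving the GPO-era value visible in the report for a human to resolve. The thread's second concern, multiple DCs each keeping their own log, is not addressed by this model; a single-DC store is assumed.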