[PATCHES] GPO support for the AD DC itself

Garming Sam garming at catalyst.net.nz
Mon Jul 3 04:46:45 UTC 2017


I don't think we'd need to go as far as making it a purely manual 
change, otherwise it defeats the purpose of aiming to administrate from 
a Windows machine. I do agree that it likely needs to be opt-in though, 
at least until we figure this out across multiple DCs (SYSVOL 
replication?) as well as how it should work with our existing client 
tools. As it is, I think switching on the gpoupdate in the server 
services is an admission that 'yes I am using this in this way' so that 
if they mix the use of samba-tool and the GPO editor, then that's their 
own problem.

Cheers,

Garming

On 03/07/17 15:56, Andrew Bartlett via samba-technical wrote:
> On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical
> wrote:
>>
>> Thanks David.
>>
>> I'm sorry for not noticing this earlier, but the GPO settings for the
>> KDC look wrong.
>>
>> While you have set the settings into the krb5.conf, I think you
>> actually want to change the KDC in setup_kdc_setup_db_ctx():
>>
>> 	/* get default kdc policy */
>> 	lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>> 				 &kdc_db_ctx->policy.svc_tkt_lifetime,
>> 				 &kdc_db_ctx->policy.usr_tkt_lifetime,
>> 				 &kdc_db_ctx->policy.renewal_lifetime);
>>
>> Currently this reads smb.conf parameters for these values.  If the
>> values from the GPO should override, then these need to be stored
>> somewhere, or perhaps written to AD and read from there.
>>
>> The other challenge is that we now do have a class of administrators
>> who have become very accustomed to the 'samba-tool pwsettings' command
>> for setting the password policies, and other administrators who would
>> love to get back to the GUI tools on Windows.
>>
>> If we turned this on, would we suddenly overwrite the settings on a
>> pile of domains?
>>
>> I would be much more comfortable with this change if it were opt-in for
>> a release, off by default by skipping the entry in server services,
>> allowing us to understand how it works.
>>
>> For example, I'm a little nervous about the idea of unapplying a
>> setting that might also have been modified directly by the
>> administrator, or applying a setting that was manually set directly.
>>
>> Additionally there is the complexity of a multi-master replicated
>> domain, the apply/un-apply logs would be scattered on each DC, based on
>> who wins the 15 mins timer race.
>>
>> I guess one way out would be to have 'samba-tool domain pwsettings'
>> write group policy files, but without a replicated sysvol I can't see
>> how that works either.
>>
>> I'm sorry to drop such doubts on you at this late moment.
> A way out would be to re-position this tool as something
> the administrator runs manually after a change on their GPO master
> server.  (Most Samba sites run one GPO master).
>
> Thanks,
>
> Andrew Bartlett



