[PATCHES] GPO support for the AD DC itself

David Mulder dmulder at suse.com
Mon Jul 3 12:14:46 UTC 2017



On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
>> I've attached a new set of patches that fix the issues that Garming
>> pointed out (as well as a few issues I discovered).
>>
>> The changes to finalize_local_nt_token() have been removed. Comments
>> have been added to the KRB5Parser and gp_log classes. Documentation has
>> been added for the settings that are being applied. The source has been
>> rebased against master. A build warning was silenced using
>> discard_const_p(). Segfaults in the make test were fixed.
>>
>> Feedback is appreciated!
> Thanks David. 
>
> I'm sorry for not noticing this earlier, but the GPO settings for the
> KDC look wrong. 
>
> While you have set the settings into the krb5.conf, I think you
> actually want to change the KDC in setup_kdc_setup_db_ctx():
>
> 	/* get default kdc policy */
> 	lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> 				 &kdc_db_ctx->policy.svc_tkt_lifetime,
> 				 &kdc_db_ctx->policy.usr_tkt_lifetime,
> 				 &kdc_db_ctx->policy.renewal_lifetime);
I'll get this fixed today and submit new patches.

>
> Currently this reads smb.conf parameters for these values.  If the
> values from the GPO should override, then these need to be stored
> somewhere, or perhaps written to AD and read from there.
>
> The other challenge is that we now do have a class of administrators
> who have become very accustomed to the 'samba-tool pwsettings' command
> for setting the password policies, and other administrators who would
> love to get back to the GUI tools on Windows. 
>
> If we turned this on, would we suddenly overwrite the settings on a
> pile of domains?  
>
> I would be much more comfortable with this change if it were opt-in for
> a release, off by default by skipping the entry in server services,
> allowing us to understand how it works.
I agree with that. Let's make it off by default for one release.
>
> For example, I'm a little nervous about the idea of unapplying a
> setting that might also have been modified directly by the
> administrator, or applying a setting that was manually set directly.  
The whole point of GPO is to _enforce_ policy, so that if someone is
manually making changes, they _intentionally_ get overwritten. I'd argue
that this isn't a drawback, but the intention of this feature.
The issue is, we need admins to get used to this, and to stop making
manual changes.
>
> Additionally there is the complexity of a multi-master replicated
> domain, the apply/un-apply logs would be scattered on each DC, based on
> who wins the 15 mins timer race.
The point of the unapply log is to be able to roll back policies to a
state prior to GPO apply. So, for example, if gpo gets turned on, and
admin decides they don't want it anymore, they can easily roll back to
the original settings and disable gpo apply. This is not something that
should be used regularly.
>
> I guess one way out would be to have 'samba-tool domain pwsettings'
> write group policy files, but without a replicated sysvol I can't see
> how that works either.
>
> I'm sorry to drop such doubts on you at this late moment. 
>
> Sorry,
>
> Andrew Bartlett
>
>>  ctdb/common/system.h                            |   1 -
>>  ctdb/common/system_util.c                       |  49 +-----
>>  ctdb/wscript                                    |   4 +-
>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
>>  dynconfig/dynconfig.c                           |   1 +
>>  dynconfig/dynconfig.h                           |   1 +
>>  dynconfig/wscript                               |   2 +
>>  lib/param/loadparm.c                            |   3 +-
>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>  lib/util/mkdir_p.h                              |  22 +++
>>  lib/util/wscript_build                          |   5 +
>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>  libgpo/gpo_ldap.c                               |   4 +-
>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>  libgpo/pygpo.c                                  | 451 +++++++++++++++++++++++++++++++++++++++++++++++
>>  libgpo/wscript_build                            |  12 ++
>>  python/samba/gpclass.py                         | 463 +++++++++++++++++++++++++++++++++++++++++++++++++
>>  python/samba/krb5parse.py                       |  78 +++++++++
>>  python/samba/samdb.py                           |  18 ++
>>  selftest/target/Samba4.pm                       |   1 +
>>  source3/libgpo/gpext/wscript_build              |   4 -
>>  source3/param/loadparm.c                        |   9 +-
>>  source3/utils/wscript_build                     |   2 +-
>>  source3/wscript_build                           |  19 --
>>  source4/dsdb/gpo/gpo_update.c                   | 191 ++++++++++++++++++++
>>  source4/dsdb/wscript_build                      |   9 +
>>  source4/param/pyparam.c                         |   7 +
>>  source4/scripting/bin/samba_gpoupdate           | 153 ++++++++++++++++
>>  source4/scripting/bin/wscript_build             |   2 +-
>>  source4/scripting/wscript_build                 |   2 +-
>>  source4/selftest/tests.py                       |   4 +
>>  source4/torture/gpo/apply.c                     | 165 ++++++++++++++++++
>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>  source4/torture/gpo/wscript_build               |  14 ++
>>  source4/torture/wscript_build                   |   1 +
>>  wscript_build                                   |   1 +
>>  38 files changed, 1743 insertions(+), 81 deletions(-)
>>
>> On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
>>> These patches were originally sent to the mailing list on 05 June
>>> 2014.
>>> New python bindings for getting gpo guids and correct apply order
>>> from
>>> libgpo. Completely rewritten samba_gpoupdate to use new python
>>> bindings.
>>> Added unapply.
>>> I would love to get these into 4.7. Feedback welcome!
>>>
>>>  ctdb/common/system.h                            |   1 -
>>>  ctdb/common/system_util.c                       |  49 +-----
>>>  ctdb/wscript                                    |   4 +-
>>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
>>>  dynconfig/dynconfig.c                           |   1 +
>>>  dynconfig/dynconfig.h                           |   1 +
>>>  dynconfig/wscript                               |   2 +
>>>  lib/param/loadparm.c                            |   3 +-
>>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>>  lib/util/mkdir_p.h                              |  22 +++
>>>  lib/util/wscript_build                          |   5 +
>>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>>  libgpo/gpo_ldap.c                               |   4 +-
>>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>>  libgpo/pygpo.c                                  | 448 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  libgpo/wscript_build                            |  12 ++
>>>  python/samba/gpclass.py                         | 387 ++++++++++++++++++++++++++++++++++++++++++
>>>  python/samba/krb5parse.py                       |  67 ++++++++
>>>  python/samba/samdb.py                           |  18 ++
>>>  selftest/target/Samba4.pm                       |   1 +
>>>  source3/auth/token_util.c                       |   3 +-
>>>  source3/libgpo/gpext/wscript_build              |   4 -
>>>  source3/param/loadparm.c                        |   9 +-
>>>  source3/utils/wscript_build                     |   2 +-
>>>  source3/wscript_build                           |  19 ---
>>>  source4/dsdb/gpo/gpo_update.c                   | 191 +++++++++++++++++++++
>>>  source4/dsdb/wscript_build                      |   9 +
>>>  source4/param/pyparam.c                         |   7 +
>>>  source4/scripting/bin/samba_gpoupdate           | 147 ++++++++++++++++
>>>  source4/scripting/bin/wscript_build             |   2 +-
>>>  source4/scripting/wscript_build                 |   2 +-
>>>  source4/selftest/tests.py                       |   4 +
>>>  source4/torture/gpo/apply.c                     | 165 ++++++++++++++++++
>>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>>  source4/torture/gpo/wscript_build               |  14 ++
>>>  source4/torture/wscript_build                   |   1 +
>>>  wscript_build                                   |   1 +
>>>  39 files changed, 1646 insertions(+), 82 deletions(-)
>>>
>>

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
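As an added illustration of the apply/unapply semantics debated in the thread above (not code from the Samba patches), a Python sketch: the unapply log records only each key's pre-GPO value, so rollback returns to the state before GPO apply was enabled, and a manual edit made in between is intentionally dropped. The parser, the GpoApplier class and the krb5.conf fragment are constructed assumptions, not Samba's KRB5Parser or gpclass.

```python
import re

# Constructed krb5.conf fragment standing in for the DC's pre-GPO config.
SAMPLE_KRB5_CONF = """[kdcdefaults]
    max_life = 10h
"""

def parse_krb5(text):
    """Minimal INI-style parser -> {section: {key: value}} (hypothetical, not Samba's KRB5Parser)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(('#', ';')):
            continue
        m = re.match(r'\[(.+)\]$', line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and '=' in line:
            key, _, value = line.partition('=')
            current[key.strip()] = value.strip()
    return sections

class GpoApplier:
    """Applies policy values; the unapply log keeps each key's pre-GPO value only (hypothetical)."""
    def __init__(self, conf):
        self.conf = conf
        self.unapply_log = {}  # (section, key) -> value before first GPO apply (None if absent)

    def apply(self, section, key, value):
        sec = self.conf.setdefault(section, {})
        self.unapply_log.setdefault((section, key), sec.get(key))  # log original once, never a GPO value
        sec[key] = value  # enforce: a manual edit made in between is intentionally overwritten

    def unapply(self):
        # Roll back to the state before GPO apply was turned on, then forget the log.
        for (section, key), original in self.unapply_log.items():
            sec = self.conf.setdefault(section, {})
            if original is None:
                sec.pop(key, None)
            else:
                sec[key] = original
        self.unapply_log.clear()
        return self.conf

def demo():
    conf = parse_krb5(SAMPLE_KRB5_CONF)
    gpo = GpoApplier(conf)
    gpo.apply('kdcdefaults', 'max_life', '8h')   # first GPO run: 10h logged, 8h enforced
    conf['kdcdefaults']['max_life'] = '12h'      # admin changes it by hand afterwards
    gpo.apply('kdcdefaults', 'max_life', '8h')   # next timer run re-enforces policy, log unchanged
    enforced = conf['kdcdefaults']['max_life']
    restored = gpo.unapply()['kdcdefaults']['max_life']
    return enforced, restored
```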