[PATCHES] GPO support for the AD DC itself

David Mulder dmulder at suse.com
Wed Jul 5 13:20:38 UTC 2017


I agree the smb.conf rewrite isn't ideal. I'd considered simply storing
the settings in the samdb, and doing like you said, but that was a
bigger rewrite than I had time for Monday.
I'll see who I can get to review the source.


-- 

David Mulder

SUSE Labs Software Engineer - Samba

dmulder at suse.com

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


>>> Andrew Bartlett via samba-technical <samba-technical at lists.samba.org> 07/03/17 11:57 PM >>>
On Mon, 2017-07-03 at 09:07 -0600, David Mulder wrote:
> Here is a new set of patches that addresses the Kerberos settings issue,
> as well as disabling the service by default.

Thanks.

I think that addresses my comments. I'm not super-keen on the rewrite
of the smb.conf. I think this belongs as a database that Samba reads,
and that we overwrite at startup if the smb.conf has a setting. If you
could drop that bit it would be ideal.

I'm sure others who look at this would see the second-last commit of
'rewrite' as a bit of a red flag, but considering the history of this
effort I'm not sure it can be avoided.

It did make it hard to just drop the KDC options patch however, which
was something I was considering, so as to land the majority of your
work.

If you can collect two reviewers then please do, I'm still not able to
get my head into it enough to give you that myself.

Having it off by default helps a lot, it should also get a WHATSNEW
section and a manpage for samba_gpoupdate explaining what it does, and
that it is experimental at this stage.

Thank you so much for all your efforts here! I'm sorry if this doesn't
make 4.7, as you have made a valiant effort!

Thanks,

Andrew Bartlett

> On 07/03/2017 06:14 AM, David Mulder wrote:
> >
> > On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
> > > On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > > > I've attached a new set of patches that fix the issues that Garming
> > > > pointed out (as well as a few issues I discovered).
> > > >
> > > > The changes to finalize_local_nt_token() have been removed. Comments
> > > > have been added to the KRB5Parser and gp_log classes. Documentation
> > > > has been added for the settings that are being applied. The source
> > > > has been rebased against master. A build warning was silenced using
> > > > discard_const_p(). Segfaults in the make test were fixed.
> > > >
> > > > Feedback is appreciated!
> > >
> > > Thanks David.
> > >
> > > I'm sorry for not noticing this earlier, but the GPO settings for the
> > > KDC look wrong.
> > >
> > > While you have set the settings into the krb5.conf, I think you
> > > actually want to change the KDC in setup_kdc_setup_db_ctx():
> > >
> > >     /* get default kdc policy */
> > >     lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> > >                  &kdc_db_ctx->policy.svc_tkt_lifetime,
> > >                  &kdc_db_ctx->policy.usr_tkt_lifetime,
> > >                  &kdc_db_ctx->policy.renewal_lifetime);
> >
> > I'll get this fixed today and submit new patches.
> >
> > > Currently this reads smb.conf parameters for these values. If the
> > > values from the GPO should override, then these need to be stored
> > > somewhere, or perhaps written to AD and read from there.
> > >
> > > The other challenge is that we now do have a class of administrators
> > > who have become very accustomed to the 'samba-tool pwsettings' command
> > > for setting the password policies, and other administrators who would
> > > love to get back to the GUI tools on Windows.
> > >
> > > If we turned this on, would we suddenly overwrite the settings on a
> > > pile of domains?
> > >
> > > I would be much more comfortable with this change if it were opt-in for
> > > a release, off by default by skipping the entry in server services,
> > > allowing us to understand how it works.
> >
> > I agree with that. Let's make it off by default for one release.
> > > For example, I'm a little nervous about the idea of unapplying a
> > > setting that might also have been modified directly by the
> > > administrator, or applying a setting that was manually set directly.
> >
> > The whole point of GPO is to _enforce_ policy, so that if someone is
> > manually making changes, they _intentionally_ get overwritten. I'd argue
> > that this isn't a drawback, by the intention of this feature.
> > The issue is, we need admins to get used to this, and to stop making
> > manual changes.
> > > Additionally there is the complexity of a multi-master replicated
> > > domain, the apply/un-apply logs would be scattered on each DC, based on
> > > who wins the 15 mins timer race.
> >
> > The point of the unapply log is to be able to roll back policies to a
> > state prior to GPO apply. So, for example, if gpo gets turned on, and
> > admin decides they don't want it anymore, they can easily roll back to
> > the original settings and disable gpo apply. This is not something that
> > should be used regularly.
> > > I guess one way out would be to have 'samba-tool domain pwsettings'
> > > write group policy files, but without a replicated sysvol I can't see
> > > how that works either.
> > >
> > > I'm sorry to drop such doubts on you at this late moment.
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > > ctdb/common/system.h | 1 -
> > > > ctdb/common/system_util.c | 49 +-----
> > > > ctdb/wscript | 4 +-
> > > > docs-xml/smbdotconf/base/serverservices.xml | 2 +-
> > > > docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 17 ++
> > > > dynconfig/dynconfig.c | 1 +
> > > > dynconfig/dynconfig.h | 1 +
> > > > dynconfig/wscript | 2 +
> > > > lib/param/loadparm.c | 3 +-
> > > > lib/util/mkdir_p.c | 71 ++++++++
> > > > lib/util/mkdir_p.h | 22 +++
> > > > lib/util/wscript_build | 5 +
> > > > {source3/libgpo => libgpo}/gpo_filesync.c | 0
> > > > libgpo/gpo_ldap.c | 4 +-
> > > > {source3/libgpo => libgpo}/gpo_proto.h | 0
> > > > {source3/libgpo => libgpo}/gpo_reg.c | 0
> > > > libgpo/pygpo.c | 451 +++++++++++++++++++++++++++++++++++++++++++++++
> > > > libgpo/wscript_build | 12 ++
> > > > python/samba/gpclass.py | 463 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > python/samba/krb5parse.py | 78 +++++++++
> > > > python/samba/samdb.py | 18 ++
> > > > selftest/target/Samba4.pm | 1 +
> > > > source3/libgpo/gpext/wscript_build | 4 -
> > > > source3/param/loadparm.c | 9 +-
> > > > source3/utils/wscript_build | 2 +-
> > > > source3/wscript_build | 19 --
> > > > source4/dsdb/gpo/gpo_update.c | 191 ++++++++++++++++++++
> > > > source4/dsdb/wscript_build | 9 +
> > > > source4/param/pyparam.c | 7 +
> > > > source4/scripting/bin/samba_gpoupdate | 153 ++++++++++++++++
> > > > source4/scripting/bin/wscript_build | 2 +-
> > > > source4/scripting/wscript_build | 2 +-
> > > > source4/selftest/tests.py | 4 +
> > > > source4/torture/gpo/apply.c | 165 ++++++++++++++++++
> > > > source4/torture/gpo/gpo.c | 36 ++++
> > > > source4/torture/gpo/wscript_build | 14 ++
> > > > source4/torture/wscript_build | 1 +
> > > > wscript_build | 1 +
> > > > 38 files changed, 1743 insertions(+), 81 deletions(-)
> > > >
> > > > On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
> > > > > These patches were originally sent to the mailing list on 05 June
> > > > > 2014.
> > > > > New Python bindings for getting GPO GUIDs and correct apply order
> > > > > from libgpo. Completely rewritten samba_gpoupdate to use new Python
> > > > > bindings.
> > > > > Added unapply.
> > > > > I would love to get these into 4.7. Feedback welcome!
> > > > >
> > > > > ctdb/common/system.h | 1 -
> > > > > ctdb/common/system_util.c | 49 +-----
> > > > > ctdb/wscript | 4 +-
> > > > > docs-xml/smbdotconf/base/serverservices.xml | 2 +-
> > > > > docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 14 ++
> > > > > dynconfig/dynconfig.c | 1 +
> > > > > dynconfig/dynconfig.h | 1 +
> > > > > dynconfig/wscript | 2 +
> > > > > lib/param/loadparm.c | 3 +-
> > > > > lib/util/mkdir_p.c | 71 ++++++++
> > > > > lib/util/mkdir_p.h | 22 +++
> > > > > lib/util/wscript_build | 5 +
> > > > > {source3/libgpo => libgpo}/gpo_filesync.c | 0
> > > > > libgpo/gpo_ldap.c | 4 +-
> > > > > {source3/libgpo => libgpo}/gpo_proto.h | 0
> > > > > {source3/libgpo => libgpo}/gpo_reg.c | 0
> > > > > libgpo/pygpo.c | 448 +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > libgpo/wscript_build | 12 ++
> > > > > python/samba/gpclass.py | 387 ++++++++++++++++++++++++++++++++++++++++++
> > > > > python/samba/krb5parse.py | 67 ++++++++
> > > > > python/samba/samdb.py | 18 ++
> > > > > selftest/target/Samba4.pm | 1 +
> > > > > source3/auth/token_util.c | 3 +-
> > > > > source3/libgpo/gpext/wscript_build | 4 -
> > > > > source3/param/loadparm.c | 9 +-
> > > > > source3/utils/wscript_build | 2 +-
> > > > > source3/wscript_build | 19 ---
> > > > > source4/dsdb/gpo/gpo_update.c | 191 +++++++++++++++++++++
> > > > > source4/dsdb/wscript_build | 9 +
> > > > > source4/param/pyparam.c | 7 +
> > > > > source4/scripting/bin/samba_gpoupdate | 147 ++++++++++++++++
> > > > > source4/scripting/bin/wscript_build | 2 +-
> > > > > source4/scripting/wscript_build | 2 +-
> > > > > source4/selftest/tests.py | 4 +
> > > > > source4/torture/gpo/apply.c | 165 ++++++++++++++++++
> > > > > source4/torture/gpo/gpo.c | 36 ++++
> > > > > source4/torture/gpo/wscript_build | 14 ++
> > > > > source4/torture/wscript_build | 1 +
> > > > > wscript_build | 1 +
> > > > > 39 files changed, 1646 insertions(+), 82 deletions(-)
> > > > >
>
>
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba
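The two mechanics argued over in this thread, an unapply log that can roll a DC back to its pre-GPO settings and a settings store that an explicit smb.conf value overwrites at startup, are modelled below as an added Python example. This is not Samba's code and not from the patches under review. The kdc:* parameter names are Samba's smb.conf option names, but the default values, the SettingsDB class, startup_sync() and effective_kdc_policy() are assumptions made for illustration.

```python
"""Toy model of GPO-applied KDC settings on a DC, with an unapply log.

Constructed example: SettingsDB stands in for the "database that Samba
reads" proposed in the thread; it is not Samba's real storage.
"""
from dataclasses import dataclass, field

# Illustrative defaults, in hours (assumption; Samba's live in loadparm).
KDC_DEFAULTS = {
    "kdc:service ticket lifetime": 10,
    "kdc:user ticket lifetime": 10,
    "kdc:renewal lifetime": 168,
}


@dataclass
class SettingsDB:
    """GPO-managed settings plus the log needed to undo them."""
    values: dict = field(default_factory=dict)
    # setting -> value in place before the GPO first touched it
    # (None means "was unset"). This is the rollback point.
    unapply_log: dict = field(default_factory=dict)

    def gpo_apply(self, gpo_settings):
        """Enforce GPO values; manual edits are intentionally overwritten."""
        for key, value in gpo_settings.items():
            # Record the pre-GPO value only on the first apply. A later
            # enforcement run must not replace the rollback point with a
            # GPO value, or with an admin's interim manual change.
            self.unapply_log.setdefault(key, self.values.get(key))
            self.values[key] = value

    def gpo_unapply(self):
        """Restore every logged setting to its pre-GPO state, clear the log."""
        for key, previous in self.unapply_log.items():
            if previous is None:
                self.values.pop(key, None)
            else:
                self.values[key] = previous
        self.unapply_log.clear()


def startup_sync(smbconf, db):
    """At startup an explicit smb.conf setting overwrites the DB value
    (the precedence suggested in the thread; an assumption here)."""
    for key, value in smbconf.items():
        if key in KDC_DEFAULTS:
            db.values[key] = value


def effective_kdc_policy(db):
    """Values a KDC would consume, in the order lpcfg_default_kdc_policy()
    fills them: (service ticket, user ticket, renewal) lifetimes."""
    policy = dict(KDC_DEFAULTS)
    policy.update((k, v) for k, v in db.values.items() if k in KDC_DEFAULTS)
    return (
        policy["kdc:service ticket lifetime"],
        policy["kdc:user ticket lifetime"],
        policy["kdc:renewal lifetime"],
    )


def demo():
    """Walk through apply, manual drift, re-apply (enforce) and unapply."""
    db = SettingsDB()
    startup_sync({"kdc:renewal lifetime": 72}, db)    # explicit in smb.conf
    db.gpo_apply({"kdc:user ticket lifetime": 8})      # first GPO apply
    after_apply = effective_kdc_policy(db)             # (10, 8, 72)
    db.values["kdc:user ticket lifetime"] = 12         # admin edits directly
    db.gpo_apply({"kdc:user ticket lifetime": 8})      # next timer run enforces
    after_enforce = effective_kdc_policy(db)           # (10, 8, 72)
    db.gpo_unapply()                                   # admin turns GPO apply off
    after_unapply = effective_kdc_policy(db)           # (10, 10, 72)
    return after_apply, after_enforce, after_unapply


if __name__ == "__main__":
    print(demo())
```

The point the walk-through makes is the one both sides of the thread circle: once the log records the pre-GPO baseline, re-applying the GPO overwrites the admin's manual 12-hour change (enforcement, as David intends), and unapply returns to the original unset value rather than to the manual edit. Whether that second behaviour is what an administrator expects is exactly the doubt Andrew raises; the model makes the choice explicit so it can be argued about rather than discovered after the fact.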