[PATCHES v1] GPO fixes
garming at catalyst.net.nz
Tue Jan 9 09:44:58 UTC 2018
I think I'm mostly fine with the first five patches (the docs need to be
tweaked to remove the mention to env vars though, attached as a patch).
Although most of the concerns we originally raised (in regards to the
KDC settings) have now been addressed, I still think having a release
with it off by default is sensible (and some curious users get to have a
play with it).
I think the disabling mechanism needs some more thought, I don't think
it's appropriate to put the .disabled files under the same sub-directory
as the module (and particularly in the python directory). There might
also be other issues like having it installed vs running from a
source-tree. Perhaps metze had some more thoughts on the most
appropriate location and/or format. You'd normally expect such files to
exist in an /etc/, neighbouring where our smb.conf lives.
On 09/01/18 06:05, David Mulder wrote:
> Hoping to get these into 4.8;
> Basically these are all the fixes/improvements from the machine policy
> patches, minus the machine policy.
> * Fixes a crash in gpo unapply
> * Don't stop parsing gpos if one fails
> * Cache gpo versions and read from the cache, instead of reading
> directly from the sysvol
> * Call the gpupdate command from winbind, using the interval specified
> by MS spec (random interval between 90 and 120 minutes).
> * Enable gpupdate by default (this now only has the effect of enabling
> the system access policies for the kdc).
> * NEW: Provide a method for disabling gpo extensions. An extension will
> now check if a <my filename>.disabled file is present, and the extension
> is ignored if present. This required moving the system access policies
> to their own file, which is now required for every extension.
> This patch set *does not* contain any new gpo extensions, just
> improvements to the overall gpo code (and making it easily extensible
> for adding new extensions).
> docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 11 +-
> docs-xml/smbdotconf/winbind/applygrouppolicies.xml | 19 ++++
> lib/param/loadparm.c | 1 +
> python/samba/gp_sec_ext.py | 140
> python/samba/gpclass.py | 233
> selftest/target/Samba4.pm | 2 +-
> source3/param/loadparm.c | 2 +
> source3/winbindd/winbindd.c | 2 +
> source3/winbindd/winbindd_gpupdate.c | 116
> source3/winbindd/winbindd_proto.h | 3 +
> source3/winbindd/wscript_build | 3 +-
> source4/dsdb/gpo/gpo_update.c | 193
> source4/dsdb/wscript_build | 9 --
> source4/scripting/bin/samba_gpoupdate | 49 +++++++--
> source4/scripting/bin/wscript_build | 2 +-
> source4/scripting/wscript_build | 7 +-
> source4/torture/gpo/apply.c | 258
> 17 files changed, 608 insertions(+), 442 deletions(-)
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 1012 bytes
Desc: not available
More information about the samba-technical