[PATCHES v1] GPO fixes

David Mulder dmulder at suse.com
Tue Jan 9 14:24:12 UTC 2018



On 01/09/2018 02:44 AM, Garming Sam wrote:
> Hi,
>
> I think I'm mostly fine with the first five patches (the docs need to
> be tweaked to remove the mention of env vars though, attached as a
> patch). Although most of the concerns we originally raised (in regards
> to the KDC settings) have now been addressed, I still think having a
> release with it off by default is sensible (and some curious users get
> to have a play with it).
Sounds ok with me. Let's plan on leaving it disabled then.
>
> I think the disabling mechanism needs some more thought, I don't think
> it's appropriate to put the .disabled files under the same
> sub-directory as the module (and particularly in the python
> directory). There might also be other issues like having it installed
> vs running from a source-tree.
Currently it's set up to follow the .py file wherever it might be
installed, so I don't think the installed vs running directory would be
an issue.
> Perhaps metze had some more thoughts on the most appropriate location
> and/or format. You'd normally expect such files to exist in an /etc/,
> neighbouring where our smb.conf lives.
Yes, I wasn't really sure about the proper location for these, but
having them in the same directory as the .py files was what metze
suggested. Maybe let's leave the disable patch out for now? It isn't
particularly useful at this point anyway, since there is only one gp_ext.
>
>
> Cheers,
>
> Garming
>
> On 09/01/18 06:05, David Mulder wrote:
>> Hoping to get these into 4.8;
>> Basically these are all the fixes/improvements from the machine policy
>> patches, minus the machine policy.
>> Includes:
>> * Fixes a crash in gpo unapply
>> * Don't stop parsing gpos if one fails
>> * Cache gpo versions and read from the cache, instead of reading
>> directly from the sysvol
>> * Call the gpupdate command from winbind, using the interval specified
>> by MS spec (random interval between 90 and 120 minutes).
>> * Enable gpupdate by default (this now only has the effect of enabling
>> the system access policies for the kdc).
>> * NEW: Provide a method for disabling gpo extensions. An extension will
>> now check if a <my filename>.disabled file is present, and the extension
>> is ignored if present. This required moving the system access policies
>> to their own file, which is now required for every extension.
>>
>> This patch set *does not* contain any new gpo extensions, just
>> improvements to the overall gpo code (and making it easily extensible
>> for adding new extensions).
>>
>>   docs-xml/smbdotconf/domain/gpoupdatecommand.xml    |  11 +-
>>   docs-xml/smbdotconf/winbind/applygrouppolicies.xml |  19 ++++
>>   lib/param/loadparm.c                               |   1 +
>>   python/samba/gp_sec_ext.py                         | 140 +++++++++++++++++++++++++
>>   python/samba/gpclass.py                            | 233 +++++++++++------------------------------
>>   selftest/target/Samba4.pm                          |   2 +-
>>   source3/param/loadparm.c                           |   2 +
>>   source3/winbindd/winbindd.c                        |   2 +
>>   source3/winbindd/winbindd_gpupdate.c               | 116 +++++++++++++++++++++
>>   source3/winbindd/winbindd_proto.h                  |   3 +
>>   source3/winbindd/wscript_build                     |   3 +-
>>   source4/dsdb/gpo/gpo_update.c                      | 193 ----------------------------------
>>   source4/dsdb/wscript_build                         |   9 --
>>   source4/scripting/bin/samba_gpoupdate              |  49 +++++++--
>>   source4/scripting/bin/wscript_build                |   2 +-
>>   source4/scripting/wscript_build                    |   7 +-
>>   source4/torture/gpo/apply.c                        | 258 +++++++++++++++++++++++++++++++++++++---------
>>   17 files changed, 608 insertions(+), 442 deletions(-)
>>
>

-- 
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
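
An added sketch, not code from the patch set or from Samba, of two behaviours discussed in this thread: an extension is ignored when a "<my filename>.disabled" marker sits beside its .py file, and one failing GPO does not stop the rest from being processed. GpExt, apply_gpos, demo, gp_other_ext.py and the GPO names are hypothetical; the files are created in a temporary directory.

```python
import os
import tempfile


class GpExt:
    """Hypothetical stand-in for a GPO extension that lives in its own file."""

    def __init__(self, source_file, handler):
        self.source_file = source_file
        self.handler = handler

    def enabled(self):
        # The marker follows the .py file wherever it is installed, so whoever
        # can write to that directory can switch the extension off.
        return not os.path.exists(self.source_file + ".disabled")


def apply_gpos(extensions, gpos):
    """Run every enabled extension over every GPO.

    Returns (applied, failed, skipped) so a caller can log each outcome."""
    applied, failed, skipped = [], [], []
    for ext in extensions:
        name = os.path.basename(ext.source_file)
        if not ext.enabled():
            skipped.append(name)
            continue
        for gpo in gpos:
            try:
                ext.handler(gpo)
                applied.append((name, gpo))
            except Exception as exc:
                # Record the failure and carry on with the next GPO.
                failed.append((name, gpo, str(exc)))
    return applied, failed, skipped


def demo():
    def handler(gpo):
        if gpo == "{BROKEN}":  # constructed failure case
            raise ValueError("unparseable policy")

    with tempfile.TemporaryDirectory() as d:
        sec = os.path.join(d, "gp_sec_ext.py")
        other = os.path.join(d, "gp_other_ext.py")  # hypothetical second extension
        for path in (sec, other, other + ".disabled"):
            open(path, "w").close()
        exts = [GpExt(sec, handler), GpExt(other, handler)]
        return apply_gpos(exts, ["{GPO-A}", "{BROKEN}", "{GPO-B}"])


if __name__ == "__main__":
    print(demo())
```
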



