[PATCHES] Make gpo extensible

Garming Sam garming at catalyst.net.nz
Mon Jan 22 21:59:14 UTC 2018

On 23/01/18 10:40, David Mulder wrote:
> Reading straight from the sysvol is fine on a KDC, but doesn't work on a
> client machine. That's the point of the patch. It's required for these
> follow-up patches, but wasn't really necessary in 4.8 anyhow.
> On 01/22/2018 02:18 PM, Garming Sam wrote:
>> Hi,
>> I'd meant to ask you a question about the patch, but I couldn't manage
>> to do that before the 4.8 cut-off. I didn't quite understand what the
>> intent of the patch was. 
>> apply_gp reads the version from the sysvol path, and then writes it to a
>> file in the cache directory. But the gpo_version function always read it
>> from sysvol anyways (and so this cache file is never really used)? Also,
>> is the benefit of reading from a cache dir only to avoid the recurring
>> SMB connection, or is there actually another reason?
> I think you've misunderstood what the code is doing. gpo_version() reads
> the GPT.INI files via SMB (connected to the sysvol), and caches them on
> the local system. It then reads the gpo versions from the cache. This is
> redundant on a KDC, but not on a client. This is actually a precursor to
> caching all relevant GPO files, which will enable offline group policy
> apply (enforcing policy even when off the domain).

Oh, I think I understand now. Cache is probably the wrong description
for the behaviour (it's more like just another intermediate step). I
think a proper comment is in order for that bit of code.

One other thing I noticed was that the os.makedirs wasn't supplying any
arguments. In Samba, these directories are usually created with
particular permissions, and I'm pretty sure that the default would be wrong.
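
The permissions point above, as an added example that is not part of the original message or of Samba's code: called with no arguments, os.makedirs creates each directory with mode 0o777 filtered by the process umask. The helper name, the directory names and the 0o700 mode are assumptions for illustration (POSIX only), not the values Samba uses.

```python
import os
import stat
import tempfile


def perm_bits(path):
    # Only the rwx permission bits, without following a symlink.
    return os.lstat(path).st_mode & 0o777


def make_private_dirs(path, mode=0o700):
    """Create path and missing parents with an explicit mode; vet the result."""
    path = os.path.abspath(path)
    missing = []
    probe = path
    while not os.path.lexists(probe):
        missing.append(probe)
        probe = os.path.dirname(probe)
    # On Python 3.7+ the mode given to os.makedirs() applies only to the
    # leaf, so each missing component is created with os.mkdir() instead.
    for component in reversed(missing):
        os.mkdir(component, mode)  # the umask can only clear bits of mode
    # Also vet a directory that already existed before this call.
    st = os.lstat(path)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(path)
    if st.st_uid != os.geteuid():
        raise PermissionError("%s is owned by another user" % path)
    if perm_bits(path) & ~mode:
        raise PermissionError("%s is more permissive than %o" % (path, mode))
    return perm_bits(path)


def demo():
    """Compare the default call with the explicit one under umask 022."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as base:
            loose = os.path.join(base, "default", "gpo_cache")  # constructed
            os.makedirs(loose)  # no mode argument: 0o777 & ~umask
            strict = os.path.join(base, "explicit", "gpo_cache")
            strict_mode = make_private_dirs(strict)
            parent_mode = perm_bits(os.path.dirname(strict))
            return perm_bits(loose), strict_mode, parent_mode
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print([oct(m) for m in demo()])
```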


