[PATCHES] GPO support for the AD DC itself
David Mulder
dmulder at suse.com
Mon Jul 3 15:07:03 UTC 2017
Here is a new set of patches that addresses the kerberos settings issue,
as well as disabling the service by default.
On 07/03/2017 06:14 AM, David Mulder wrote:
>
> On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
>> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
>>> I've attached a new set of patches that fix the issues that Garming
>>> pointed out (as well as a few issues I discovered).
>>>
>>> The changes to finalize_local_nt_token() have been removed. Comments
>>> have been added to the KRB5Parser and gp_log classes. Documentation
>>> has
>>> been added for the settings that are being applied. The source has
>>> been
>>> rebased against master. A build warning was silenced using
>>> discard_const_p(). Segfaults in the make test were fixed.
>>>
>>> Feedback is appreciated!
>> Thanks David.
>>
>> I'm sorry for not noticing this earlier, but the GPO settings for the
>> KDC look wrong.
>>
>> While you have set the settings into the krb5.conf, I think you
>> actually want to change the KDC in setup_kdc_setup_db_ctx():
>>
>> /* get default kdc policy */
>> lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>> &kdc_db_ctx->policy.svc_tkt_lifetime,
>> &kdc_db_ctx->policy.usr_tkt_lifetime,
>> &kdc_db_ctx->policy.renewal_lifetime);
> I'll get this fixed today and submit new patches.
>
>> Currently this reads smb.conf parameters for these values. If the
>> values from the GPO should override, then these need to be stored
>> somewhere, or perhaps written to AD and read from there.
>>
>> The other challenge is that we now do have a class of administrators
>> who have become very accustomed to the 'samba-tool pwsettings' command
>> for setting the password policies, and other administrators who would
>> love to get back to the GUI tools on Windows.
>>
>> If we turned this on, would we suddenly overwrite the settings on a
>> pile of domains?
>>
>> I would be much more comfortable with this change if it were opt-in for
>> a release, off by default by skipping the entry in server services,
>> allowing us to understand how it works.
> I agree with that. Let's make it off by default for one release.
>> For example, I'm a little nervous about the idea of unapplying a
>> setting that might also have been modified directly by the
>> administrator, or applying a setting that was manually set directly.
> The whole point of GPO is to _enforce_ policy, so that if someone is
> manually making changes, they _intentionally_ get overwritten. I'd argue
> that this isn't a drawback, by the intention of this feature.
> The issue is, we need admins to get used to this, and to stop making
> manual changes.
>> Additionally there is the complexity of a multi-master replicated
>> domain, the apply/un-apply logs would be scattered on each DC, based on
>> who wins the 15 mins timer race.
> The point of the unapply log is to be able to roll back policies to a
> state prior to GPO apply. So, for example, if gpo gets turned on, and
> admin decides they don't want it anymore, they can easily roll back to
> the original settings and disable gpo apply. This is not something that
> should be used regularly.
>> I guess one way out would be to have 'samba-tool domain pwsettings'
>> write group policy files, but without a replicated sysvol I can't see
>> how that works either.
>>
>> I'm sorry to drop such doubts on you at this late moment.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>> ctdb/common/system.h | 1 -
>>> ctdb/common/system_util.c | 49 +-----
>>> ctdb/wscript | 4 +-
>>> docs-xml/smbdotconf/base/serverservices.xml | 2 +-
>>> docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 17 ++
>>> dynconfig/dynconfig.c | 1 +
>>> dynconfig/dynconfig.h | 1 +
>>> dynconfig/wscript | 2 +
>>> lib/param/loadparm.c | 3 +-
>>> lib/util/mkdir_p.c | 71 ++++++++
>>> lib/util/mkdir_p.h | 22 +++
>>> lib/util/wscript_build | 5 +
>>> {source3/libgpo => libgpo}/gpo_filesync.c | 0
>>> libgpo/gpo_ldap.c | 4 +-
>>> {source3/libgpo => libgpo}/gpo_proto.h | 0
>>> {source3/libgpo => libgpo}/gpo_reg.c | 0
>>> libgpo/pygpo.c | 451 +++++++++++++++++++++++++++++++++++++++++++++++
>>> libgpo/wscript_build | 12 ++
>>> python/samba/gpclass.py | 463 +++++++++++++++++++++++++++++++++++++++++++++++++
>>> python/samba/krb5parse.py | 78 +++++++++
>>> python/samba/samdb.py | 18 ++
>>> selftest/target/Samba4.pm | 1 +
>>> source3/libgpo/gpext/wscript_build | 4 -
>>> source3/param/loadparm.c | 9 +-
>>> source3/utils/wscript_build | 2 +-
>>> source3/wscript_build | 19 --
>>> source4/dsdb/gpo/gpo_update.c | 191 ++++++++++++++++++++
>>> source4/dsdb/wscript_build | 9 +
>>> source4/param/pyparam.c | 7 +
>>> source4/scripting/bin/samba_gpoupdate | 153 ++++++++++++++++
>>> source4/scripting/bin/wscript_build | 2 +-
>>> source4/scripting/wscript_build | 2 +-
>>> source4/selftest/tests.py | 4 +
>>> source4/torture/gpo/apply.c | 165 ++++++++++++++++++
>>> source4/torture/gpo/gpo.c | 36 ++++
>>> source4/torture/gpo/wscript_build | 14 ++
>>> source4/torture/wscript_build | 1 +
>>> wscript_build | 1 +
>>> 38 files changed, 1743 insertions(+), 81 deletions(-)
>>>
>>> On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
>>>> These patches were originally sent to the mailing list on 05 June
>>>> 2014.
>>>> New python bindings for getting gpo guids and correct apply order
>>>> from
>>>> libgpo. Completely rewritten samba_gpoupdate to use new python
>>>> bindings.
>>>> Added unapply.
>>>> I would love to get these into 4.7. Feedback welcome!
>>>>
>>>> ctdb/common/system.h | 1 -
>>>> ctdb/common/system_util.c | 49 +-----
>>>> ctdb/wscript | 4 +-
>>>> docs-xml/smbdotconf/base/serverservices.xml | 2 +-
>>>> docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 14 ++
>>>> dynconfig/dynconfig.c | 1 +
>>>> dynconfig/dynconfig.h | 1 +
>>>> dynconfig/wscript | 2 +
>>>> lib/param/loadparm.c | 3 +-
>>>> lib/util/mkdir_p.c | 71 ++++++++
>>>> lib/util/mkdir_p.h | 22 +++
>>>> lib/util/wscript_build | 5 +
>>>> {source3/libgpo => libgpo}/gpo_filesync.c | 0
>>>> libgpo/gpo_ldap.c | 4 +-
>>>> {source3/libgpo => libgpo}/gpo_proto.h | 0
>>>> {source3/libgpo => libgpo}/gpo_reg.c | 0
>>>> libgpo/pygpo.c | 448 +++++++++++++++++++++++++++++++++++++++++++++++++
>>>> libgpo/wscript_build | 12 ++
>>>> python/samba/gpclass.py | 387 ++++++++++++++++++++++++++++++++++++++++++
>>>> python/samba/krb5parse.py | 67 ++++++++
>>>> python/samba/samdb.py | 18 ++
>>>> selftest/target/Samba4.pm | 1 +
>>>> source3/auth/token_util.c | 3 +-
>>>> source3/libgpo/gpext/wscript_build | 4 -
>>>> source3/param/loadparm.c | 9 +-
>>>> source3/utils/wscript_build | 2 +-
>>>> source3/wscript_build | 19 ---
>>>> source4/dsdb/gpo/gpo_update.c | 191 +++++++++++++++++++++
>>>> source4/dsdb/wscript_build | 9 +
>>>> source4/param/pyparam.c | 7 +
>>>> source4/scripting/bin/samba_gpoupdate | 147 ++++++++++++++++
>>>> source4/scripting/bin/wscript_build | 2 +-
>>>> source4/scripting/wscript_build | 2 +-
>>>> source4/selftest/tests.py | 4 +
>>>> source4/torture/gpo/apply.c | 165 ++++++++++++++++++
>>>> source4/torture/gpo/gpo.c | 36 ++++
>>>> source4/torture/gpo/wscript_build | 14 ++
>>>> source4/torture/wscript_build | 1 +
>>>> wscript_build | 1 +
>>>> 39 files changed, 1646 insertions(+), 82 deletions(-)
>>>>
--
David Mulder
SUSE Labs Software Engineer - Samba
dmulder at suse.com
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gpo_patches.mbox
Type: application/mbox
Size: 175843 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20170703/271b7f5e/gpo_patches-0001.mbox>
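The thread above turns on two points: a GPO apply must record the pre-apply value so that an "unapply" can roll the DC back to its original state, and an administrator may have hand-edited a managed setting between apply and unapply. The following is an added illustration of that apply/unapply journal, written for this page; it is not the gp_log class from David's patches nor any Samba code, and the setting keys and values are constructed placeholders rather than Samba's real smb.conf or KDC parameter names. It records the original value only on the first apply (so the periodic re-apply never overwrites the journal with an already-enforced value), restores in reverse order on unapply, and reports any managed key whose current value no longer matches what was applied, which is the drift case Andrew raises.

```python
"""Apply/unapply journal for GPO-enforced settings (added example, not Samba code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Stand-in for the settings store (smb.conf / KDC policy).  Constructed sample
# values; the key names are placeholders, not Samba's actual parameter names.
SAMPLE_STORE: Dict[str, str] = {
    "kdc.user_ticket_lifetime": "10",      # hours
    "kdc.service_ticket_lifetime": "10",   # hours
    "kdc.renewal_lifetime": "168",         # hours
}


@dataclass
class LogEntry:
    key: str
    original: Optional[str]   # None: the key did not exist before the first apply
    applied: str              # the value the policy most recently enforced


@dataclass
class ApplyLog:
    """Journal of what GPO apply changed, so the change can be reverted."""
    entries: List[LogEntry] = field(default_factory=list)

    def apply(self, store: Dict[str, str], key: str, value: str) -> None:
        existing = next((e for e in self.entries if e.key == key), None)
        if existing is None:
            # First apply: capture the pre-policy value before overwriting it.
            self.entries.append(LogEntry(key, store.get(key), value))
        else:
            # Re-apply (e.g. the periodic timer): keep the original, refresh 'applied'.
            existing.applied = value
        store[key] = value

    def unapply(self, store: Dict[str, str]) -> List[str]:
        """Restore pre-apply values in reverse order.

        Returns the keys whose current value differs from the enforced value,
        i.e. settings an administrator changed by hand after apply.  They are
        still restored, because the journal's purpose is to return the DC to
        its pre-GPO state, but the drift is surfaced so it can be reviewed.
        """
        drifted: List[str] = []
        for entry in reversed(self.entries):
            if store.get(entry.key) != entry.applied:
                drifted.append(entry.key)
            if entry.original is None:
                store.pop(entry.key, None)
            else:
                store[entry.key] = entry.original
        self.entries.clear()
        return drifted


def demo() -> Tuple[Dict[str, str], List[str]]:
    """Walk through apply, re-apply, a manual edit, then unapply."""
    store = dict(SAMPLE_STORE)
    log = ApplyLog()
    log.apply(store, "kdc.user_ticket_lifetime", "8")   # managed, existed before
    log.apply(store, "kdc.max_clock_skew", "5")         # managed, new key
    log.apply(store, "kdc.user_ticket_lifetime", "8")   # periodic re-apply, no-op for the journal
    store["kdc.renewal_lifetime"] = "72"                # manual edit of an unmanaged key: left alone
    store["kdc.user_ticket_lifetime"] = "12"            # manual edit of a managed key: drift
    drifted = log.unapply(store)
    return store, drifted


if __name__ == "__main__":
    final_store, drift = demo()
    print("store after unapply:", final_store)
    print("drifted since apply:", drift)
```

The unmanaged key keeps its manual edit after unapply, the managed key returns to its pre-apply value, and the key that did not exist before apply is removed rather than left behind as a stray setting.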