Group Policy Ordering

Joe Dillon joseph at outurnate.com
Thu Dec 28 01:03:11 UTC 2023


On Thu, Dec 14, 2023, at 10:25 AM, David Mulder via samba-technical wrote:
> 
> On 12/13/23 5:20 PM, Joe Dillon via samba-technical wrote:
> > Suppose I link a policy called "Test Policy 1".  When samba-gpupdate runs, this policy will be in changed_gpo_list.  Suppose it sets the contents of /etc/test.txt to "testpolicy1".  The second time samba-gpupdate runs, it will not be in changed_gpo_list, and the CSE won't rewrite the file.  So far so good.  Now, I toggle "Test Policy 1" to enforced.  Rerunning samba-gpupdate does not process the policy.  Again, so far so good.  Suppose I link "Test Policy 2", unenforced.  Let's say the CSE for "Test Policy 2" would set the content of /etc/test.txt to "testpolicy2".  I would expect, since "Test Policy 1" has a higher priority, the contents of /etc/test.txt after a samba-gpupdate to be "testpolicy1".  When I run samba-gpupdate,  only "Test Policy 2" is processed, since it is the only one that changed.  "--force" obviously corrects the issue.
> >
> > Is this intended behaviour or a bug?
> This behavior changed significantly in recent versions of Samba. Which 
> version are you referring to? Also, policy enforcement is handled 
> per-extension, so you may see different behavior for each extension. 
> From your description, I would expect that there may be a bug in 
> processing the changed_gpo_list?
> > Second question: is it valid for GPOs based on .pol files to not write the registry entries to the local registry?  The above behaviour could be avoided if every gpupdate wrote all changes from all applicable GPOs to the registry and deferred processing to the end.
> This was in the works 4 years ago, but was never completed. The current 
> approach is for each extension to write their overlapping changes to a 
> tdb file, and apply the appropriate policy from there.
> 
> -- 
> David Mulder
> Labs Software Engineer, Samba
> SUSE
> 1221 S Valley Grove Way, Suite 500
> Pleasant Grove, UT 84062
> (P)+1 385.208.2989
> dmulder at suse.com
> http://www.suse.com
> 

I'm at 4.19.3.  I'm missing any commits between its release and today.  Would the changes be in those commits?  From my testing, which is using a policy extension that just prints the contents of the changed_gpo_list, it appears a GPO that changes enforcement status isn't being passed in.

From my read of the certificate client extension, it appears this tdb contains a custom json representation of the client extension's state.  So, in essence, an extension must parse the pol file, read the current tdb settings, merge them with changed/deleted GPO settings, persist them to the tdb, then apply the settings to the local system (in whatever way the current GPO extension does so)

Out of curiosity, why was the work to apply .pol files to samba's registry not completed?  Refactoring time/effort?  Or was there a blocker that couldn't be overcome?

Thanks,
Joe Dillon
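
The precedence problem from the first message, and the merge-then-apply approach Joe describes in the second, as an added toy model (constructed for this page, not Samba code and not the samba-gpupdate API; the GPO names, settings dict, the `precedence` argument and the in-memory dict standing in for the per-extension tdb are all assumptions). It replays the four gpupdate runs from the thread against two extensions: one that acts only on changed_gpo_list, and one that persists every GPO's settings and re-resolves the winner from the full link order on each run.

```python
"""Toy model of the GPO precedence problem (constructed example, not Samba code).

An extension that only acts on changed_gpo_list lets a newly linked,
lower-priority GPO overwrite a higher-priority one that did not change;
an extension that keeps per-GPO state (a stand-in for Samba's per-extension
tdb) and re-resolves the winner on every run does not."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GPO:
    """A linked GPO: a display name (stands in for the GUID) and the settings
    its .pol file would carry, reduced here to path -> file content."""
    name: str
    settings: dict


class NaiveExtension:
    """Applies settings straight from changed_gpo_list and reverts straight
    from deleted_gpo_list; whichever GPO was processed last wins, regardless
    of link order."""

    def __init__(self):
        self.files = {}  # path -> content, the 'local system'

    def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
        for gpo in deleted_gpo_list:
            for path in gpo.settings:
                self.files.pop(path, None)
        for gpo in changed_gpo_list:
            self.files.update(gpo.settings)
        return dict(self.files)


class StatefulExtension:
    """Persists every GPO's settings keyed by GPO (the tdb stand-in), drops
    deleted GPOs, then resolves each path from the full precedence order, so
    GPOs that did not change still take part in the decision."""

    def __init__(self):
        self.store = {}  # gpo name -> settings, survives between runs
        self.files = {}

    def process_group_policy(self, deleted_gpo_list, changed_gpo_list, precedence):
        # precedence: names of all currently linked GPOs, highest priority
        # first (an assumed argument; real extensions get this differently)
        for gpo in deleted_gpo_list:
            self.store.pop(gpo.name, None)
        for gpo in changed_gpo_list:
            self.store[gpo.name] = dict(gpo.settings)
        resolved = {}
        for name in precedence:
            for path, content in self.store.get(name, {}).items():
                resolved.setdefault(path, content)  # first (highest) match wins
        # apply: winners are written, paths no GPO sets any more disappear
        self.files = resolved
        return dict(self.files)


def simulate():
    """Replays the scenario from the thread; returns, per gpupdate run, what
    each extension leaves in /etc/test.txt (None if the file is absent)."""
    tp1 = GPO("Test Policy 1", {"/etc/test.txt": "testpolicy1"})
    tp2 = GPO("Test Policy 2", {"/etc/test.txt": "testpolicy2"})
    naive, stateful = NaiveExtension(), StatefulExtension()
    path = "/etc/test.txt"
    # (deleted, changed, full link order) for each run
    runs = {
        "link_tp1":          ([],    [tp1], ["Test Policy 1"]),
        "toggle_enforced":   ([],    [],    ["Test Policy 1"]),  # not reported as changed
        "link_tp2_lower":    ([],    [tp2], ["Test Policy 1", "Test Policy 2"]),
        "unlink_tp1":        ([tp1], [],    ["Test Policy 2"]),
    }
    results = {}
    for label, (deleted, changed, precedence) in runs.items():
        results[label] = {
            "naive": naive.process_group_policy(deleted, changed).get(path),
            "stateful": stateful.process_group_policy(deleted, changed, precedence).get(path),
        }
    return results


if __name__ == "__main__":
    for label, outcome in simulate().items():
        print(f"{label:18s} naive={outcome['naive']!s:12s} stateful={outcome['stateful']}")
```

The third run is the case from the thread: only "Test Policy 2" is in changed_gpo_list, so the naive extension ends up with "testpolicy2" although "Test Policy 1" is linked with higher priority, while the stateful one keeps "testpolicy1". The fourth run shows the matching deletion problem: reverting a deleted GPO's paths directly removes a file that a still-linked GPO also sets, whereas re-resolving from stored state falls back to "testpolicy2".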