[PATCHES] GPO support for client machine policy


[PATCHES] GPO support for client machine policy

Samba - samba-technical mailing list
These patches add Group Policy support for client machines. Adds a
winbind event that calls samba_gpoupdate to apply local machine
policies. Adds the option "winbind gpupdate" to smb.conf, which
determines whether group policy will be applied to the client. This is
*disabled* by default for now. Users will need to manually enable this
to see the new functionality.
To start off, we only have Environment Variable policies.

 auth/credentials/pycredentials.c                |  14 +++++
 docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  11 ++--
 docs-xml/smbdotconf/winbind/winbindgpupdate.xml |  18 ++++++
 lib/param/loadparm.c                            |   1 +
 python/samba/gp_env_var_ext.py                  |  86 ++++++++++++++++++++++++++
 python/samba/gp_file_append.py                  |  86 ++++++++++++++++++++++++++
 python/samba/gpclass.py                         | 163 +++++++++++++++++++++++++------------------------
 source3/param/loadparm.c                        |   2 +
 source3/winbindd/winbindd.c                     |   2 +
 source3/winbindd/winbindd_gpupdate.c            | 116 +++++++++++++++++++++++++++++++++++
 source3/winbindd/winbindd_proto.h               |   3 +
 source3/winbindd/wscript_build                  |   3 +-
 source4/scripting/bin/samba_gpoupdate           |  49 ++++++++++++---
 source4/scripting/bin/wscript_build             |   2 +-
 source4/scripting/wscript_build                 |   7 ++-
 15 files changed, 465 insertions(+), 98 deletions(-)

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: machine_policies.mbox (42K)

Re: [PATCHES] GPO support for client machine policy

Hi,

So, on a DC, does this actually run simultaneously with the gpo service
that was written earlier? Having two running together doesn't sound like
a good idea. Should the earlier one just be removed instead?

Cheers,

Garming


On 03/12/17 04:54, David Mulder wrote:

> These patches add Group Policy support for client machines. Adds a
> winbind event that calls samba_gpoupdate to apply local machine
> policies. Adds the option "winbind gpupdate" to smb.conf, which
> determines whether group policy will be applied to the client. This is
> *disabled* by default for now. Users will need to manually enable this
> to see the new functionality.
> To start off, we only have Environment Variable policies.
>
> [...]



Re: [PATCHES] GPO support for client machine policy

Yes, they would run simultaneously, but they apply different things.
They also run on different intervals.
If you look at samba_gpoupdate where it sets gp_extensions, you'll see
it sets the extensions to apply based on the type of apply (KDC, client
machine, or user which isn't available yet).
I had considered removing the KDC service, but I think it is fine as is.
The way it is now, if they choose not to configure winbind, kdc policy
is still applied. The client policy is then only applied if they
configure winbind and treat the kdc as a client also.
But, this also means an extra setup step for group policy on a KDC. You
must enable both the service for the KDC, and winbind gpupdate
for the client policy.

On 12/05/2017 04:31 PM, Garming Sam wrote:

> Hi,
>
> So, on a DC, does this actually run simultaneously with the gpo service
> that was written earlier? Having two running together doesn't sound like
> a good idea. Should the earlier one just be removed instead?
>
> Cheers,
>
> Garming
>
>
> On 03/12/17 04:54, David Mulder wrote:
>> These patches add Group Policy support for client machines. Adds a
>> winbind event that calls samba_gpoupdate to apply local machine
>> policies. Adds the option "winbind gpupdate" to smb.conf, which
>> determines whether group policy will be applied to the client. This is
>> *disabled* by default for now. Users will need to manually enable this
>> to see the new functionality.
>> To start off, we only have Environment Variable policies.
>>
>> [...]
>

--
David Mulder



Re: [PATCHES] GPO support for client machine policy

On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
> Yes, they would run simultaneously, but they apply different things.
> They also run on different intervals.
> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
> it sets the extensions to apply based on the type of apply (KDC, client
> machine, or user which isn't available yet).
> I had considered removing the KDC service, but I think it is fine as is.
> The way it is now, if they choose not to configure winbind, kdc policy
> is still applied.

To be clear, winbindd is a mandatory part of the AD DC.

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHES] GPO support for client machine policy

Right. Then maybe Garming is right, we probably don't need the KDC
service, just the one attached to winbind.

On 12/06/2017 11:02 AM, Andrew Bartlett wrote:

> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>> Yes, they would run simultaneously, but they apply different things.
>> They also run on different intervals.
>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>> it sets the extensions to apply based on the type of apply (KDC, client
>> machine, or user which isn't available yet).
>> I had considered removing the KDC service, but I think it is fine as is.
>> The way it is now, if they choose not to configure winbind, kdc policy
>> is still applied.
> To be clear, winbindd is a mandatory part of the AD DC.
>
> Andrew Bartlett

--
David Mulder



Re: [PATCHES] GPO support for client machine policy

Hi David,

is it also possible to have something useful as a domain member?
It would be nice if we could remove the lockout_policy() and
password_policy() hooks from winbindd_methods and make sure
the gpo code applies the correct settings to the local
account_policy.tdb

metze

Am 06.12.2017 um 19:10 schrieb David Mulder via samba-technical:

> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.
>
> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied.
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
>



Re: [PATCHES] GPO support for client machine policy

You add the '-M', '--machine' option.

I think you should replace
    elif creds.machine_account():
with
    elif opts.machine:

And --machine should be mandatory until we also implement --user.

I think we should not add pycredentials creds.machine_account()

I think the gp_file_append.py code should be extended to include
a checksum in self.section_end and only update the settings
if the checksum of stuff between self.section and self.section_end
still matches the checksum.

In addition to the "winbind gpupdate" option it might
be good to configure which policies the admin wants to be evaluated.
As admin I'd like to disable any policies that modify /etc/*,
while keeping the stuff that applies to samba internals.

As we now only install samba_gpoupdate, when we install the AD DC,
we need to either remove that limitation or make it clear in the
documentation that this is only evaluated on an AD DC.

Commands like 'wbinfo --gpoupdate-status', 'wbinfo --gpoupdate-check'
and 'wbinfo --gpoupdate-force' would be good.

Would it make sense to support third party gpo evaluation scripts?
So that admins could write their own stuff to manage
/etc/someapplication.conf

metze

Am 02.12.2017 um 16:54 schrieb David Mulder via samba-technical:

> These patches add Group Policy support for client machines. Adds a
> winbind event that calls samba_gpoupdate to apply local machine
> policies. Adds the option "winbind gpupdate" to smb.conf, which
> determines whether group policy will be applied to the client. This is
> *disabled* by default for now. Users will need to manually enable this
> to see the new functionality.
> To start off, we only have Environment Variable policies.
>
> [...]


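A worked version of the checksum-guarded managed section that metze asks for above, added here as an illustration; it is not code from the patch set or from Samba. The marker strings, the function names and the sample file contents are assumptions, since the thread does not show what gp_file_append.py actually uses for section and section_end. The idea is the one in the message: record a digest of the managed lines on the end marker, and on the next run rewrite the block only if the lines between the markers still hash to that digest, so a local edit inside the markers is preserved instead of silently clobbered.

```python
import hashlib
import os
import tempfile

# Hypothetical markers (assumption): the real gp_file_append.py keeps its own
# self.section / self.section_end strings, which the thread does not show.
SECTION_BEGIN = "### BEGIN samba-gpupdate managed section"
SECTION_END = "### END samba-gpupdate managed section"


def _digest(body):
    """SHA-256 over the managed lines; each line is newline-terminated so
    that ["ab", "c"] and ["a", "bc"] do not collide."""
    h = hashlib.sha256()
    for line in body:
        h.update(line.encode("utf-8") + b"\n")
    return h.hexdigest()


def render_section(body):
    """Managed block: begin marker, policy lines, end marker plus checksum."""
    return [SECTION_BEGIN] + list(body) + ["%s %s" % (SECTION_END, _digest(body))]


def find_section(lines):
    """Return (start, end, body, recorded_sum) for the managed block, None if
    there is no begin marker, and end=None if the end marker is missing."""
    start = None
    for i, line in enumerate(lines):
        if line == SECTION_BEGIN and start is None:
            start = i
        elif start is not None and line.startswith(SECTION_END):
            recorded = line[len(SECTION_END):].strip()
            return start, i, lines[start + 1:i], recorded
    if start is None:
        return None
    return start, None, lines[start + 1:], None


def apply_policy(lines, body):
    """Return (new_lines, status); status is 'inserted', 'updated',
    'unchanged' or 'tampered'. The block is rewritten only when the old
    block's checksum still matches its contents; a locally edited or
    damaged block is left alone."""
    body = list(body)
    found = find_section(lines)
    if found is None:
        return list(lines) + render_section(body), "inserted"
    start, end, old_body, recorded = found
    if end is None or _digest(old_body) != recorded:
        return list(lines), "tampered"
    if old_body == body:
        return list(lines), "unchanged"
    return lines[:start] + render_section(body) + lines[end + 1:], "updated"


def apply_to_file(path, body):
    """Apply the policy to a real file with an atomic replace; returns status."""
    with open(path, "r", encoding="utf-8") as f:
        lines = f.read().splitlines()
    new_lines, status = apply_policy(lines, body)
    if status in ("inserted", "updated"):
        tmp = path + ".gpupdate.tmp"
        with open(tmp, "w", encoding="utf-8") as f:
            f.write("\n".join(new_lines) + "\n")
        os.replace(tmp, path)
    return status


def demo_file_roundtrip():
    """Constructed end-to-end run on a temporary file: first apply inserts,
    the same policy again is a no-op, a changed policy updates."""
    path = os.path.join(tempfile.mkdtemp(), "environment")
    with open(path, "w", encoding="utf-8") as f:
        f.write("LANG=C\n")
    return (apply_to_file(path, ["A=1"]),
            apply_to_file(path, ["A=1"]),
            apply_to_file(path, ["A=2"]))


if __name__ == "__main__":
    # Constructed sample: a two-line /etc/environment-style file.
    current = ["# constructed sample", "LANG=C"]
    out, st = apply_policy(current, ["HTTP_PROXY=http://proxy.example:3128"])
    print(st, out)
    out[3] = "HTTP_PROXY=http://changed.example:3128"  # simulate a local edit
    print(apply_policy(out, ["HTTP_PROXY=http://proxy.example:3128"])[1])
    print(demo_file_roundtrip())
```

The 'tampered' status is the interesting one for an admin: the tool refuses to overwrite the block and should log it, rather than undo a hand edit every refresh interval. Where that policy was, the admin has to remove the block (or the checksum) by hand to hand control back.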

Re: [PATCHES] GPO support for client machine policy

Am 06.12.2017 um 19:10 schrieb David Mulder via samba-technical:
> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.

Yes, only one please.

Maybe we should have the different evaluation scripts in a generic way
similar to ctdb event scripts, so one .py file for each task,
where an admin could use something like
'touch /path/to/python/samba/gpoupdate/scripts/machine/50.kdc_policy.py.disabled'
in order to disable the evaluation of that policy.

I think it should also be on by default on an AD DC.

metze

> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied.
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
>


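As an added illustration of the ctdb-style script layout proposed above (not Samba's code and not part of the patch set): a small dispatcher that finds NN.name.py scripts in a directory, honours a '<script>.disabled' marker file of the kind a 'touch' would create, runs the rest in numeric order, and keeps one failing script from aborting the others. The directory layout, the apply(ctx) entry point and the constructed sample scripts are all assumptions.

```python
import importlib.util
import os
import re
import tempfile

# Hypothetical layout (assumption): one task per NN.name.py under a
# scripts/<scope>/ directory, ordered by the numeric prefix.
SCRIPT_RE = re.compile(r"^(\d+)\.([A-Za-z0-9_]+)\.py$")


def discover(script_dir):
    """Return [(order, name, path)] sorted by numeric prefix, skipping any
    script for which a '<file>.disabled' marker exists (the opt-out)."""
    found = []
    for fname in os.listdir(script_dir):
        m = SCRIPT_RE.match(fname)
        if m is None:
            continue
        if os.path.exists(os.path.join(script_dir, fname + ".disabled")):
            continue
        found.append((int(m.group(1)), m.group(2),
                      os.path.join(script_dir, fname)))
    found.sort()
    return found


def _load(path, modname):
    """Import a script file as a module without touching sys.path."""
    spec = importlib.util.spec_from_file_location(modname, path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod


def run_all(script_dir, context):
    """Call apply(context) of every enabled script in order. A failing
    script is recorded and does not stop the rest of the run."""
    results = []
    for order, name, path in discover(script_dir):
        try:
            mod = _load(path, "gpupdate_%d_%s" % (order, name))
            mod.apply(context)
            results.append((name, "ok"))
        except Exception as exc:
            results.append((name, "failed: %s" % exc))
    return results


def demo():
    """Constructed script directory: three scripts, one disabled by a
    marker file, one that refuses to run."""
    d = tempfile.mkdtemp()
    scripts = {
        "10.env_vars.py":
            "def apply(ctx):\n    ctx['applied'].append('env_vars')\n",
        "50.kdc_policy.py":
            "def apply(ctx):\n    ctx['applied'].append('kdc_policy')\n",
        "90.file_append.py":
            "def apply(ctx):\n    raise RuntimeError('not touching /etc')\n",
    }
    for fname, body in scripts.items():
        with open(os.path.join(d, fname), "w") as f:
            f.write(body)
    # Equivalent of: touch .../50.kdc_policy.py.disabled
    open(os.path.join(d, "50.kdc_policy.py.disabled"), "w").close()
    ctx = {"applied": []}
    return ctx["applied"], run_all(d, ctx)


if __name__ == "__main__":
    print(demo())
```

Because scripts are loaded from a directory and executed as root, the directory and every file in it need to be root-owned and not group- or world-writable; otherwise the marker-file convenience doubles as a privilege escalation path for anyone who can write there.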

Re: [PATCHES] GPO support for client machine policy

On 12/06/2017 11:57 PM, Stefan Metzmacher wrote:
> Hi David,
>
> is it also possible to have something useful as a domain member?
> It would be nice if we could remove the lockout_policy() and
> password_policy() hooks from winbindd_methods and make sure
> the gpo code applies the correct settings to the local
> account_policy.tdb
I think this will need to be covered in follow up patches, but I agree,
within client machine gpo update is exactly where these should be done.
This will require adding some more python-c bindings I think. I'll look
into this next.

--
David Mulder



Re: [PATCHES] GPO support for client machine policy

> As we now only install samba_gpoupdate, when we install the AD DC,
> we need to either remove that limitation or make it clear in the
> documentation that this is only evaluated on an AD DC.
Look at the changes to source4/scripting/bin/wscript_build and
source4/scripting/wscript_build. These force the install to happen
everywhere, instead of just on the AD DC.

--
David Mulder



Re: [PATCHES] GPO support for client machine policy

> I think it should also be on by default on an AD DC.
I don't see where we'd set winbind gpupdate to on by default just for
the AD DC. If I set the default to True, then it will just always be on
(even on a client machine).

--
David Mulder