[PATCHES] GPO support for the AD DC itself


[PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
These patches were originally sent to the mailing list on 05 June 2014.
New python bindings for getting gpo guids and correct apply order from
libgpo. Completely rewritten samba_gpoupdate to use new python bindings.
Added unapply.
I would love to get these into 4.7. Feedback welcome!

 ctdb/common/system.h                            |   1 -
 ctdb/common/system_util.c                       |  49 +-----
 ctdb/wscript                                    |   4 +-
 docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
 docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
 dynconfig/dynconfig.c                           |   1 +
 dynconfig/dynconfig.h                           |   1 +
 dynconfig/wscript                               |   2 +
 lib/param/loadparm.c                            |   3 +-
 lib/util/mkdir_p.c                              |  71 ++++++++
 lib/util/mkdir_p.h                              |  22 +++
 lib/util/wscript_build                          |   5 +
 {source3/libgpo => libgpo}/gpo_filesync.c       |   0
 libgpo/gpo_ldap.c                               |   4 +-
 {source3/libgpo => libgpo}/gpo_proto.h          |   0
 {source3/libgpo => libgpo}/gpo_reg.c            |   0
 libgpo/pygpo.c                                  | 448 +++++++++++++++++++++++++++++++++++++++++++++++++
 libgpo/wscript_build                            |  12 ++
 python/samba/gpclass.py                         | 387 ++++++++++++++++++++++++++++++++++++++++++
 python/samba/krb5parse.py                       |  67 ++++++++
 python/samba/samdb.py                           |  18 ++
 selftest/target/Samba4.pm                       |   1 +
 source3/auth/token_util.c                       |   3 +-
 source3/libgpo/gpext/wscript_build              |   4 -
 source3/param/loadparm.c                        |   9 +-
 source3/utils/wscript_build                     |   2 +-
 source3/wscript_build                           |  19 ---
 source4/dsdb/gpo/gpo_update.c                   | 191 +++++++++++++++++++++
 source4/dsdb/wscript_build                      |   9 +
 source4/param/pyparam.c                         |   7 +
 source4/scripting/bin/samba_gpoupdate           | 147 ++++++++++++++++
 source4/scripting/bin/wscript_build             |   2 +-
 source4/scripting/wscript_build                 |   2 +-
 source4/selftest/tests.py                       |   4 +
 source4/torture/gpo/apply.c                     | 165 ++++++++++++++++++
 source4/torture/gpo/gpo.c                       |  36 ++++
 source4/torture/gpo/wscript_build               |  14 ++
 source4/torture/wscript_build                   |   1 +
 wscript_build                                   |   1 +
 39 files changed, 1646 insertions(+), 82 deletions(-)


Attachment: patches.mbox (236K)
Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Hi David,

I've just taken an initial look and it's looking reasonably good.

In the patch 'libgpo: Add libgpo python bindings' you remove a return
case in finalize_local_nt_token. Can you explain why? Where were you
using it and why is this necessary?

On the whole, it looks much improved. But there needs to be some more
comments (either in the code or the commit message) on what you're
actually doing. For instance, I notice that you've introduced GPO
unapply and it uses an xml log file. How is this file actually formatted
and used? Similarly, in applying krb5 settings, which settings does it
alter and how does it alter them? There needs to be some more high level
documentation, both for other developers and for users.
docs-xml/smbdotconf/domain/gpoupdatecommand.xml probably needs an
extensive list of what is and is not being applied for example because
it's not obvious at a glance.


Cheers,

Garming

On 17/06/17 04:04, David Mulder via samba-technical wrote:

> These patches were originally sent to the mailing list on 05 June 2014.
> New python bindings for getting gpo guids and correct apply order from
> libgpo. Completely rewritten samba_gpoupdate to use new python bindings.
> Added unapply.
> I would love to get these into 4.7. Feedback welcome!



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list

> In the patch 'libgpo: Add libgpo python bindings' you remove a return
> case in finalize_local_nt_token. Can you explain why? Where were you
> using it and why is this necessary?
Oh, yes. I believe that happens inside the gp_get_machine_token() call
in py_ads_get_gpo_list(). This call always fails for a computer object
that's a DC. I'm not certain why, but I can look into that more.

>
> On the whole, it looks much improved. But there needs to be some more
> comments (either in the code or the commit message) on what you're
> actually doing. For instance, I notice that you've introduced GPO
> unapply and it uses an xml log file. How is this file actually formatted
> and used? Similarly, in applying krb5 settings, which settings does it
> alter and how does it alter them? There needs to be some more high level
> documentation, both for other developers and for users.
> docs-xml/smbdotconf/domain/gpoupdatecommand.xml probably needs an
> extensive list of what is and is not being applied for example because
> it's not obvious at a glance.
I'll add some better documentation in gpoupdatecommand.xml.
I suppose the best place to document the new xml unapply log would be in
comments.
I'll add more comments in general to make all of it more clear.

--
David Mulder
SUSE Labs Software Engineer - Samba
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Compiling the patches, I noticed that you haven't rebased on master
recently (at least from what you've given). There are some interface
changes which mean that there is a TALLOC_CTX * being supplied into some
functions.

There is also a compiler warning in torture/gpo/apply.c:

execv(cmd[0], (char * const *)&(cmd[1]))

Instead of casting, I think you should use a discard_const_p.


Cheers,

Garming

On 21/06/17 01:12, David Mulder wrote:

>> In the patch 'libgpo: Add libgpo python bindings' you remove a return
>> case in finalize_local_nt_token. Can you explain why? Where were you
>> using it and why is this necessary?
> Oh, yes. I believe that happens inside the gp_get_machine_token() call
> in py_ads_get_gpo_list(). This call always fails for a computer object
> that's a DC. I'm not certain why, but I can look into that more.



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
I'm also seeing segfaults during make test due to create_local_nt_token
inside samba_gpoupdate when it is run. It appears that it tries to open
my local database (to little avail and may be the cause of the
segfault), not the one intended for the test environment.

In my case, I was running 'make testenv', and watching the output.


Cheers,

Garming

On 21/06/17 14:15, Garming Sam wrote:

> Compiling the patches, I noticed that you haven't rebased on master
> recently (at least from what you've given). There are some interface
> changes which mean that there is a TALLOC_CTX * being supplied into some
> functions.



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
> In the patch 'libgpo: Add libgpo python bindings' you remove a return
> case in finalize_local_nt_token. Can you explain why? Where were you
> using it and why is this necessary?
Tracked this one down, it was just a problem with my environment that
I've fixed now. So that change is wrong.

--
David Mulder
SUSE Labs Software Engineer - Samba
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Looks like the test hangs, I suppose because the service dies. It dies
in pdb_get_methods() where it throws a smb_panic with the message
"pdb_get_methods: failed to get pdb methods for backend samba_dsdb".
This is drilled down inside of create_local_nt_token(), so I think this
is the same issue you mentioned.

I'd try running in testenv, but my box doesn't have a gui, and I can't
figure out how the screen code works (tried passing the SCREEN=1 param,
but it never attaches to my screen session). I'll need to set up another
build box.

On 06/25/2017 03:44 PM, Garming Sam wrote:

> It's supposed to 'hang', it sets up a fresh AD test environment enclosed
> inside an xterm where you can run any tests manually. It will run
> gpoupdate in the background much like a standard setup, but it appears
> to fail.
>
>
> On 24/06/17 07:07, David Mulder wrote:
>> Hmm, the test just hangs for me.

--
David Mulder
SUSE Labs Software Engineer - Samba
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Ah, there's the bug. In libgpo/pygpo.c on line 207, I loaded the default
smb.conf (/etc/samba/smb.conf) into the lp. I should be pulling the
settings from the smb.conf specified on the command line.
Hard coding the correct smb.conf allows the test to succeed.

On 06/26/2017 02:16 PM, David Mulder via samba-technical wrote:

> looks like the test hangs, I suppose because the service dies. It dies
> in pdb_get_methods() where it throws a smb_panic with the message
> "pdb_get_methods: failed to get pdb methods for backend samba_dsdb".
> This is drilled down inside of create_local_nt_token(), so I think this
> is the same issue you mentioned.

--
David Mulder
SUSE Labs Software Engineer - Samba
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
I've attached a new set of patches that fix the issues that Garming
pointed out (as well as a few issues I discovered).

The changes to finalize_local_nt_token() have been removed. Comments
have been added to the KRB5Parser and gp_log classes. Documentation has
been added for the settings that are being applied. The source has been
rebased against master. A build warning was silenced using
discard_const_p(). Segfaults in the make test were fixed.

Feedback is appreciated!

 ctdb/common/system.h                            |   1 -
 ctdb/common/system_util.c                       |  49 +-----
 ctdb/wscript                                    |   4 +-
 docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
 docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
 dynconfig/dynconfig.c                           |   1 +
 dynconfig/dynconfig.h                           |   1 +
 dynconfig/wscript                               |   2 +
 lib/param/loadparm.c                            |   3 +-
 lib/util/mkdir_p.c                              |  71 ++++++++
 lib/util/mkdir_p.h                              |  22 +++
 lib/util/wscript_build                          |   5 +
 {source3/libgpo => libgpo}/gpo_filesync.c       |   0
 libgpo/gpo_ldap.c                               |   4 +-
 {source3/libgpo => libgpo}/gpo_proto.h          |   0
 {source3/libgpo => libgpo}/gpo_reg.c            |   0
 libgpo/pygpo.c                                  | 451 +++++++++++++++++++++++++++++++++++++++++++++++
 libgpo/wscript_build                            |  12 ++
 python/samba/gpclass.py                         | 463 +++++++++++++++++++++++++++++++++++++++++++++++++
 python/samba/krb5parse.py                       |  78 +++++++++
 python/samba/samdb.py                           |  18 ++
 selftest/target/Samba4.pm                       |   1 +
 source3/libgpo/gpext/wscript_build              |   4 -
 source3/param/loadparm.c                        |   9 +-
 source3/utils/wscript_build                     |   2 +-
 source3/wscript_build                           |  19 --
 source4/dsdb/gpo/gpo_update.c                   | 191 ++++++++++++++++++++
 source4/dsdb/wscript_build                      |   9 +
 source4/param/pyparam.c                         |   7 +
 source4/scripting/bin/samba_gpoupdate           | 153 ++++++++++++++++
 source4/scripting/bin/wscript_build             |   2 +-
 source4/scripting/wscript_build                 |   2 +-
 source4/selftest/tests.py                       |   4 +
 source4/torture/gpo/apply.c                     | 165 ++++++++++++++++++
 source4/torture/gpo/gpo.c                       |  36 ++++
 source4/torture/gpo/wscript_build               |  14 ++
 source4/torture/wscript_build                   |   1 +
 wscript_build                                   |   1 +
 38 files changed, 1743 insertions(+), 81 deletions(-)

On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:

> These patches were originally sent to the mailing list on 05 June 2014.
> New python bindings for getting gpo guids and correct apply order from
> libgpo. Completely rewritten samba_gpoupdate to use new python bindings.
> Added unapply.
> I would love to get these into 4.7. Feedback welcome!
--
David Mulder
SUSE Labs Software Engineer - Samba
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: gpo_patches.mbox (242K)

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:

> I've attached a new set of patches that fix the issues that Garming
> pointed out (as well as a few issues I discovered).
>
> The changes to finalize_local_nt_token() have been removed. Comments
> have been added to the KRB5Parser and gp_log classes. Documentation
> has
> been added for the settings that are being applied. The source has
> been
> rebased against master. A build warning was silenced using
> discard_const_p(). Segfaults in the make test were fixed.
>
> Feedback is appreciated!

Thanks David.

I'm sorry for not noticing this earlier, but the GPO settings for the
KDC look wrong.

While you have set the settings into the krb5.conf, I think you
actually want to change the KDC in setup_kdc_setup_db_ctx():

        /* get default kdc policy */
        lpcfg_default_kdc_policy(base_ctx->lp_ctx,
                                 &kdc_db_ctx->policy.svc_tkt_lifetime,
                                 &kdc_db_ctx->policy.usr_tkt_lifetime,
                                 &kdc_db_ctx->policy.renewal_lifetime);

Currently this reads smb.conf parameters for these values.  If the
values from the GPO should override, then these need to be stored
somewhere, or perhaps written to AD and read from there.

The other challenge is that we now do have a class of administrators
who have become very accustomed to the 'samba-tool pwsettings' command
for setting the password policies, and other administrators who would
love to get back to the GUI tools on Windows.

If we turned this on, would we suddenly overwrite the settings on a
pile of domains?  

I would be much more comfortable with this change if it were opt-in for
a release, off by default by skipping the entry in server services,
allowing us to understand how it works.

For example, I'm a little nervous about the idea of unapplying a
setting that might also have been modified directly by the
administrator, or applying a setting that was manually set directly.  

Additionally there is the complexity of a multi-master replicated
domain, the apply/un-apply logs would be scattered on each DC, based on
who wins the 15 mins timer race.

I guess one way out would be to have 'samba-tool domain pwsettings'
write group policy files, but without a replicated sysvol I can't see
how that works either.

I'm sorry to drop such doubts on you at this late moment.

Sorry,

Andrew Bartlett
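The unapply worry Andrew raises (reverting a setting an administrator has since changed by hand) is something the apply log can detect if it records both the pre-GPO value and the value the GPO wrote. The following is an added illustration, not code from the patch set: a small XML apply log in the spirit of the gp_log class, with an unapply step that restores only settings still holding the GPO-written value and reports the rest as drift. The GpLog class, the GUID and the kdc option names and values are constructed for the example.

```python
"""Constructed example: GPO apply/unapply log with drift detection."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple


class GpLog:
    """XML apply log (hypothetical, not the patch set's gp_log).

    For each GPO GUID and setting it stores 'old' (the value present before
    the GPO wrote it; absent if the setting did not exist) and 'new' (the
    value the GPO wrote).  Unapply needs both to decide what to restore.
    """

    def __init__(self, xml_text: Optional[str] = None) -> None:
        self.root = ET.fromstring(xml_text) if xml_text else ET.Element("gp")

    def _gpo(self, guid: str) -> ET.Element:
        for gpo in self.root.findall("gpo"):
            if gpo.get("guid") == guid:
                return gpo
        return ET.SubElement(self.root, "gpo", guid=guid)

    def record(self, guid: str, name: str, old: Optional[str], new: str) -> None:
        gpo = self._gpo(guid)
        attr = next((a for a in gpo.findall("attribute")
                     if a.get("name") == name), None)
        if attr is None:
            # First time this GPO touches the setting: capture the pre-GPO
            # value, which is what a later unapply should put back.
            attr = ET.SubElement(gpo, "attribute", name=name)
            if old is not None:
                attr.set("old", old)
        # Re-apply of the same GPO: keep 'old', refresh what we wrote.
        attr.set("new", new)

    def entries(self, guid: str) -> List[Tuple[str, Optional[str], str]]:
        return [(a.get("name"), a.get("old"), a.get("new"))
                for a in self._gpo(guid).findall("attribute")]

    def forget(self, guid: str) -> None:
        self.root.remove(self._gpo(guid))

    def to_xml(self) -> str:
        return ET.tostring(self.root, encoding="unicode")


def apply_gpo(settings: Dict[str, str], log: GpLog, guid: str,
              values: Dict[str, str]) -> None:
    """Write each GPO value into the live settings, logging the prior value."""
    for name, value in values.items():
        log.record(guid, name, settings.get(name), value)
        settings[name] = value


def unapply_gpo(settings: Dict[str, str], log: GpLog,
                guid: str) -> List[Tuple[str, str]]:
    """Undo one GPO.  A setting whose current value is no longer the one the
    GPO wrote was changed by hand since apply; it is left untouched and
    reported as 'drift' instead of being silently overwritten."""
    outcome: List[Tuple[str, str]] = []
    for name, old, new in log.entries(guid):
        if settings.get(name) != new:
            outcome.append((name, "drift"))
        elif old is None:
            del settings[name]          # GPO created it: remove it again
            outcome.append((name, "removed"))
        else:
            settings[name] = old        # GPO changed it: restore prior value
            outcome.append((name, "restored"))
    log.forget(guid)
    return outcome


if __name__ == "__main__":
    # Constructed sample: option names assumed to mirror smb.conf kdc: options.
    live = {"kdc:user ticket lifetime": "10", "kdc:renewal lifetime": "168"}
    log = GpLog()
    apply_gpo(live, log, "{CONSTRUCTED-GUID-1}",
              {"kdc:user ticket lifetime": "8",
               "kdc:service ticket lifetime": "6"})
    live["kdc:user ticket lifetime"] = "12"   # administrator edits by hand
    print(unapply_gpo(live, GpLog(log.to_xml()), "{CONSTRUCTED-GUID-1}"))
    print(live)
```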

> >  source3/auth/token_util.c                       |   3 +-
> >  source3/libgpo/gpext/wscript_build              |   4 -
> >  source3/param/loadparm.c                        |   9 +-
> >  source3/utils/wscript_build                     |   2 +-
> >  source3/wscript_build                           |  19 ---
> >  source4/dsdb/gpo/gpo_update.c                   | 191
> > +++++++++++++++++++++
> >  source4/dsdb/wscript_build                      |   9 +
> >  source4/param/pyparam.c                         |   7 +
> >  source4/scripting/bin/samba_gpoupdate           | 147
> > ++++++++++++++++
> >  source4/scripting/bin/wscript_build             |   2 +-
> >  source4/scripting/wscript_build                 |   2 +-
> >  source4/selftest/tests.py                       |   4 +
> >  source4/torture/gpo/apply.c                     | 165
> > ++++++++++++++++++
> >  source4/torture/gpo/gpo.c                       |  36 ++++
> >  source4/torture/gpo/wscript_build               |  14 ++
> >  source4/torture/wscript_build                   |   1 +
> >  wscript_build                                   |   1 +
> >  39 files changed, 1646 insertions(+), 82 deletions(-)
> >
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical
wrote:

> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > I've attached a new set of patches that fix the issues that Garming
> > pointed out (as well as a few issues I discovered).
> >
> > The changes to finalize_local_nt_token() have been removed.
> > Comments
> > have been added to the KRB5Parser and gp_log classes. Documentation
> > has
> > been added for the settings that are being applied. The source has
> > been
> > rebased against master. A build warning was silenced using
> > discard_const_p(). Segfaults in the make test were fixed.
> >
> > Feedback is appreciated!
>
> Thanks David. 
>
> I'm sorry for not noticing this earlier, but the GPO settings for the
> KDC look wrong. 
>
> While you have set the settings into the krb5.conf, I think you
> actually want to change the KDC in setup_kdc_setup_db_ctx():
>
> /* get default kdc policy */
> lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>  &kdc_db_ctx->policy.svc_tkt_lifetime,
>  &kdc_db_ctx->policy.usr_tkt_lifetime,
>  &kdc_db_ctx->policy.renewal_lifetime);
>
> Currently this reads smb.conf parameters for these values.  If the
> values from the GPO should override, then these need to be stored
> somewhere, or perhaps written to AD and read from there.
>
> The other challenge is that we now do have a class of administrators
> who have become very accustomed to the 'samba-tool pwsettings'
> command
> for setting the password policies, and other administrators who would
> love to get back to the GUI tools on Windows. 
>
> If we turned this on, would we suddenly overwrite the settings on a
> pile of domains?  
>
> I would be much more comfortable with this change if it were opt-in
> for
> a release, off by default by skipping the entry in server services,
> allowing us to understand how it works.
>
> For example, I'm a little nervous about the idea of unapplying a
> setting that might also have been modified directly by the
> administrator, or applying a setting that was manually set directly.
>  
>
> Additionally there is the complexity of a multi-master replicated
> domain, the apply/un-apply logs would be scattered on each DC, based
> on
> who wins the 15 mins timer race.
>
> I guess one way out would be to have 'samba-tool domain pwsettings'
> write group policy files, but without a replicated sysvol I can't see
> how that works either.
>
> I'm sorry to drop such doubts on you at this late moment. 

A way out would be to re-position this tool as something
the administrator runs manually after a change on their GPO master
server.  (Most Samba sites run one GPO master).

Thanks,

Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
I don't think we'd need to go as far as making it a purely manual
change, otherwise it defeats the purpose of aiming to administrate from
a Windows machine. I do agree that it likely needs to be opt-in though,
at least until we figure out this across multiple DCs (SYSVOL
replication?) as well as how it should work with our existing client
tools. As it is, I think switching on the gpoupdate in the server
services is an admission that 'yes I am using this in this way' so that
if they mix the use of samba-tool and the GPO editor, then that's their
own problem.

Cheers,

Garming

On 03/07/17 15:56, Andrew Bartlett via samba-technical wrote:

> On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical
> wrote:
>>
>> Thanks David.
>>
>> I'm sorry for not noticing this earlier, but the GPO settings for the
>> KDC look wrong.
>>
>> While you have set the settings into the krb5.conf, I think you
>> actually want to change the KDC in setup_kdc_setup_db_ctx():
>>
>> /* get default kdc policy */
>> lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>> &kdc_db_ctx->policy.svc_tkt_lifetime,
>> &kdc_db_ctx->policy.usr_tkt_lifetime,
>> &kdc_db_ctx->policy.renewal_lifetime);
>>
>> Currently this reads smb.conf parameters for these values.  If the
>> values from the GPO should override, then these need to be stored
>> somewhere, or perhaps written to AD and read from there.
>>
>> The other challenge is that we now do have a class of administrators
>> who have become very accustomed to the 'samba-tool pwsettings'
>> command
>> for setting the password policies, and other administrators who would
>> love to get back to the GUI tools on Windows.
>>
>> If we turned this on, would we suddenly overwrite the settings on a
>> pile of domains?
>>
>> I would be much more comfortable with this change if it were opt-in
>> for
>> a release, off by default by skipping the entry in server services,
>> allowing us to understand how it works.
>>
>> For example, I'm a little nervous about the idea of unapplying a
>> setting that might also have been modified directly by the
>> administrator, or applying a setting that was manually set directly.
>>  
>>
>> Additionally there is the complexity of a multi-master replicated
>> domain, the apply/un-apply logs would be scattered on each DC, based
>> on
>> who wins the 15 mins timer race.
>>
>> I guess one way out would be to have 'samba-tool domain pwsettings'
>> write group policy files, but without a replicated sysvol I can't see
>> how that works either.
>>
>> I'm sorry to drop such doubts on you at this late moment.
> A way out would be to re-position this tool as something
> the administrator runs manually after a change on their GPO master
> server.  (Most Samba sites run one GPO master).
>
> Thanks,
>
> Andrew Bartlett


Reply | Threaded
Open this post in threaded view
|

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list
On Monday, 26 June 2017 22:16:11 CEST David Mulder via samba-technical wrote:

> looks like the test hangs, I suppose because the service dies. It dies
> in pdb_get_methods() where it throws a smb_panic with the message
> "pdb_get_methods: failed to get pdb methods for backend samba_dsdb".
> This is drilled down inside of create_local_nt_token(), so I think this
> is the same issue you mentioned.
>
> I'd try running in testenv, but my box doesn't have a gui, and I can't
> figure out how the screen code works (tried passing the SCREEN=1 param,
> but it never attaches to my screen session). I'll need to setup another
> build box.

You either start screen or tmux. In screen or tmux you change to the samba
source directory and run:

make testenv SCREEN=1


        Andreas

--
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             [hidden email]
www.samba.org

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
On Mon, 2017-07-03 at 08:28 +0200, Andreas Schneider via samba-technical wrote:

> On Monday, 26 June 2017 22:16:11 CEST David Mulder via samba-technical wrote:
> > looks like the test hangs, I suppose because the service dies. It dies
> > in pdb_get_methods() where it throws a smb_panic with the message
> > "pdb_get_methods: failed to get pdb methods for backend samba_dsdb".
> > This is drilled down inside of create_local_nt_token(), so I think this
> > is the same issue you mentioned.
> >
> > I'd try running in testenv, but my box doesn't have a gui, and I can't
> > figure out how the screen code works (tried passing the SCREEN=1 param,
> > but it never attaches to my screen session). I'll need to setup another
> > build box.
>
> You either start screen or tmux. In screen or tmux you change to the samba
> source directory and run:
>
> make testenv SCREEN=1

Thanks Andreas!  I always wondered how that was meant to work!

Can we get this documented somewhere, or perhaps some clues in the --help
or error messages?

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
In reply to this post by Samba - samba-technical mailing list


On 07/02/2017 09:44 PM, Andrew Bartlett wrote:

> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
>> I've attached a new set of patches that fix the issues that Garming
>> pointed out (as well as a few issues I discovered).
>>
>> The changes to finalize_local_nt_token() have been removed. Comments
>> have been added to the KRB5Parser and gp_log classes. Documentation
>> has
>> been added for the settings that are being applied. The source has
>> been
>> rebased against master. A build warning was silenced using
>> discard_const_p(). Segfaults in the make test were fixed.
>>
>> Feedback is appreciated!
> Thanks David.
>
> I'm sorry for not noticing this earlier, but the GPO settings for the
> KDC look wrong.
>
> While you have set the settings into the krb5.conf, I think you
> actually want to change the KDC in setup_kdc_setup_db_ctx():
>
> /* get default kdc policy */
> lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> &kdc_db_ctx->policy.svc_tkt_lifetime,
> &kdc_db_ctx->policy.usr_tkt_lifetime,
> &kdc_db_ctx->policy.renewal_lifetime);
I'll get this fixed today and submit new patches.

>
> Currently this reads smb.conf parameters for these values.  If the
> values from the GPO should override, then these need to be stored
> somewhere, or perhaps written to AD and read from there.
>
> The other challenge is that we now do have a class of administrators
> who have become very accustomed to the 'samba-tool pwsettings' command
> for setting the password policies, and other administrators who would
> love to get back to the GUI tools on Windows.
>
> If we turned this on, would we suddenly overwrite the settings on a
> pile of domains?  
>
> I would be much more comfortable with this change if it were opt-in for
> a release, off by default by skipping the entry in server services,
> allowing us to understand how it works.
I agree with that. Let's make it off by default for one release.
>
> For example, I'm a little nervous about the idea of unapplying a
> setting that might also have been modified directly by the
> administrator, or applying a setting that was manually set directly.  
The whole point of GPO is to _enforce_ policy, so that if someone is
manually making changes, they _intentionally_ get overwritten. I'd argue
that this isn't a drawback, by the intention of this feature.
The issue is, we need admins to get used to this, and to stop making
manual changes.
>
> Additionally there is the complexity of a multi-master replicated
> domain, the apply/un-apply logs would be scattered on each DC, based on
> who wins the 15 mins timer race.
The point of the unapply log is to be able to roll back policies to a
state prior to GPO apply. So, for example, if gpo gets turned on, and
admin decides they don't want it anymore, they can easily roll back to
the original settings and disable gpo apply. This is not something that
should be used regularly.

>
> I guess one way out would be to have 'samba-tool domain pwsettings'
> write group policy files, but without a replicated sysvol I can't see
> how that works either.
>
> I'm sorry to drop such doubts on you at this late moment.
>
> Sorry,
>
> Andrew Bartlett
>
>>  ctdb/common/system.h                            |   1 -
>>  ctdb/common/system_util.c                       |  49 +-----
>>  ctdb/wscript                                    |   4 +-
>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
>>  dynconfig/dynconfig.c                           |   1 +
>>  dynconfig/dynconfig.h                           |   1 +
>>  dynconfig/wscript                               |   2 +
>>  lib/param/loadparm.c                            |   3 +-
>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>  lib/util/mkdir_p.h                              |  22 +++
>>  lib/util/wscript_build                          |   5 +
>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>  libgpo/gpo_ldap.c                               |   4 +-
>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>  libgpo/pygpo.c                                  | 451
>> +++++++++++++++++++++++++++++++++++++++++++++++
>>  libgpo/wscript_build                            |  12 ++
>>  python/samba/gpclass.py                         | 463
>> +++++++++++++++++++++++++++++++++++++++++++++++++
>>  python/samba/krb5parse.py                       |  78 +++++++++
>>  python/samba/samdb.py                           |  18 ++
>>  selftest/target/Samba4.pm                       |   1 +
>>  source3/libgpo/gpext/wscript_build              |   4 -
>>  source3/param/loadparm.c                        |   9 +-
>>  source3/utils/wscript_build                     |   2 +-
>>  source3/wscript_build                           |  19 --
>>  source4/dsdb/gpo/gpo_update.c                   | 191
>> ++++++++++++++++++++
>>  source4/dsdb/wscript_build                      |   9 +
>>  source4/param/pyparam.c                         |   7 +
>>  source4/scripting/bin/samba_gpoupdate           | 153
>> ++++++++++++++++
>>  source4/scripting/bin/wscript_build             |   2 +-
>>  source4/scripting/wscript_build                 |   2 +-
>>  source4/selftest/tests.py                       |   4 +
>>  source4/torture/gpo/apply.c                     | 165
>> ++++++++++++++++++
>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>  source4/torture/gpo/wscript_build               |  14 ++
>>  source4/torture/wscript_build                   |   1 +
>>  wscript_build                                   |   1 +
>>  38 files changed, 1743 insertions(+), 81 deletions(-)
>>
>> On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
>>> These patches were originally sent to the mailing list on 05 June
>>> 2014.
>>> New python bindings for getting gpo guids and correct apply order
>>> from
>>> libgpo. Completely rewritten samba_gpoupdate to use new python
>>> bindings.
>>> Added unapply.
>>> I would love to get these into 4.7. Feedback welcome!
>>>
>>>  ctdb/common/system.h                            |   1 -
>>>  ctdb/common/system_util.c                       |  49 +-----
>>>  ctdb/wscript                                    |   4 +-
>>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
>>>  dynconfig/dynconfig.c                           |   1 +
>>>  dynconfig/dynconfig.h                           |   1 +
>>>  dynconfig/wscript                               |   2 +
>>>  lib/param/loadparm.c                            |   3 +-
>>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>>  lib/util/mkdir_p.h                              |  22 +++
>>>  lib/util/wscript_build                          |   5 +
>>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>>  libgpo/gpo_ldap.c                               |   4 +-
>>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>>  libgpo/pygpo.c                                  | 448
>>> +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  libgpo/wscript_build                            |  12 ++
>>>  python/samba/gpclass.py                         | 387
>>> ++++++++++++++++++++++++++++++++++++++++++
>>>  python/samba/krb5parse.py                       |  67 ++++++++
>>>  python/samba/samdb.py                           |  18 ++
>>>  selftest/target/Samba4.pm                       |   1 +
>>>  source3/auth/token_util.c                       |   3 +-
>>>  source3/libgpo/gpext/wscript_build              |   4 -
>>>  source3/param/loadparm.c                        |   9 +-
>>>  source3/utils/wscript_build                     |   2 +-
>>>  source3/wscript_build                           |  19 ---
>>>  source4/dsdb/gpo/gpo_update.c                   | 191
>>> +++++++++++++++++++++
>>>  source4/dsdb/wscript_build                      |   9 +
>>>  source4/param/pyparam.c                         |   7 +
>>>  source4/scripting/bin/samba_gpoupdate           | 147
>>> ++++++++++++++++
>>>  source4/scripting/bin/wscript_build             |   2 +-
>>>  source4/scripting/wscript_build                 |   2 +-
>>>  source4/selftest/tests.py                       |   4 +
>>>  source4/torture/gpo/apply.c                     | 165
>>> ++++++++++++++++++
>>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>>  source4/torture/gpo/wscript_build               |  14 ++
>>>  source4/torture/wscript_build                   |   1 +
>>>  wscript_build                                   |   1 +
>>>  39 files changed, 1646 insertions(+), 82 deletions(-)
>>>
>>

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
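
The apply/unapply log discussed in this exchange (Andrew's worry about unapplying a setting the administrator has since changed by hand, and David's description of the log as a roll-back record to the pre-GPO state) is sketched below as an added example. It is not code from Samba's gpclass.py or samba_gpoupdate: the settings store is a plain dict standing in for whatever backend Samba writes, the mapping from GptTmpl.inf keys to setting names (SETTING_MAP) is assumed for illustration, and the template text is constructed. The [Kerberos Policy] and [System Access] keys are the standard Windows security-template keys. On unapply, a setting whose current value no longer matches what the GPO wrote is reported rather than silently overwritten with the logged original.

```python
"""Sketch of a GPO apply/unapply log for settings applied to a Samba AD DC.

Added example only: not Samba's gpclass.py or samba_gpoupdate. The store
is a dict standing in for the real backend, SETTING_MAP is an assumed
mapping used for illustration, and the template below is constructed.
"""
import configparser
import json
from collections import OrderedDict

# Assumed mapping from GptTmpl.inf (section, key) to the DC setting it drives.
# The section/key names are the standard Windows security-template keys; the
# setting names on the right are illustrative, not Samba's.
SETTING_MAP = {
    ("Kerberos Policy", "MaxTicketAge"): "kdc:user ticket lifetime",
    ("Kerberos Policy", "MaxServiceAge"): "kdc:service ticket lifetime",
    ("Kerberos Policy", "MaxRenewAge"): "kdc:renewal lifetime",
    ("System Access", "MinimumPasswordLength"): "min pwd length",
    ("System Access", "MaximumPasswordAge"): "max pwd age",
}

# Constructed GptTmpl.inf body (on SYSVOL the file is UTF-16; already decoded here).
SAMPLE_GPTTMPL = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
MaximumPasswordAge = 42
[Kerberos Policy]
MaxTicketAge = 10
MaxServiceAge = 600
MaxRenewAge = 7
"""


def parse_gpttmpl(text):
    """Return {setting_name: value} for the template keys we know how to apply."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str  # template keys are case-sensitive, keep them as-is
    cp.read_string(text)
    settings = {}
    for (section, key), name in SETTING_MAP.items():
        if cp.has_option(section, key):
            settings[name] = cp.get(section, key).strip()
    return settings


class GPLog:
    """Records, per GPO, the value each setting had before the GPO wrote it."""

    def __init__(self, store):
        self.store = store             # effective settings, name -> value
        self.applied = OrderedDict()   # gpo_guid -> [(name, old, new), ...]

    def apply(self, gpo_guid, settings):
        entries = []
        for name, new in settings.items():
            old = self.store.get(name)
            if old == new:
                continue               # nothing to record or roll back
            entries.append((name, old, new))
            self.store[name] = new
        self.applied[gpo_guid] = entries
        return entries

    def unapply(self, gpo_guid):
        """Restore pre-apply values in reverse order.

        A setting whose current value differs from what this GPO wrote has
        been changed by hand since apply; it is left alone and reported
        instead of being clobbered with the logged original.
        """
        drifted = []
        for name, old, new in reversed(self.applied.pop(gpo_guid, [])):
            if self.store.get(name) != new:
                drifted.append(name)
                continue
            if old is None:
                del self.store[name]   # setting did not exist before apply
            else:
                self.store[name] = old
        return drifted

    def dumps(self):
        """Serialise the log, e.g. to keep beside the DC's private data."""
        return json.dumps(self.applied)


if __name__ == "__main__":
    # Default Domain Policy GUID (well known); any GPO GUID works here.
    guid = "{31B2F340-016D-11D2-945F-00C04FB984F9}"
    store = {"min pwd length": "7"}        # constructed pre-GPO state
    log = GPLog(store)
    log.apply(guid, parse_gpttmpl(SAMPLE_GPTTMPL))
    store["max pwd age"] = "90"            # administrator edits by hand
    print("changed by hand since apply:", log.unapply(guid))
    print("store after unapply:", store)
```

Running the block applies the constructed template over a store that already had a password-length setting, simulates an administrator editing the maximum password age afterwards, and then unapplies: the untouched settings return to their pre-apply state (or disappear if they did not exist before), while the hand-edited one is kept and named in the returned list. Whether such a drifted setting should be reported, overwritten anyway, or block the unapply is exactly the policy question raised in the thread; the log only makes the conflict visible.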




Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Here is a new set of patches that addresses the kerberos settings issue,
as well as disabling the service by default.

On 07/03/2017 06:14 AM, David Mulder wrote:

>
> On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
>> On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
>>> I've attached a new set of patches that fix the issues that Garming
>>> pointed out (as well as a few issues I discovered).
>>>
>>> The changes to finalize_local_nt_token() have been removed. Comments
>>> have been added to the KRB5Parser and gp_log classes. Documentation
>>> has
>>> been added for the settings that are being applied. The source has
>>> been
>>> rebased against master. A build warning was silenced using
>>> discard_const_p(). Segfaults in the make test were fixed.
>>>
>>> Feedback is appreciated!
>> Thanks David.
>>
>> I'm sorry for not noticing this earlier, but the GPO settings for the
>> KDC look wrong.
>>
>> While you have set the settings into the krb5.conf, I think you
>> actually want to change the KDC in setup_kdc_setup_db_ctx():
>>
>> /* get default kdc policy */
>> lpcfg_default_kdc_policy(base_ctx->lp_ctx,
>> &kdc_db_ctx->policy.svc_tkt_lifetime,
>> &kdc_db_ctx->policy.usr_tkt_lifetime,
>> &kdc_db_ctx->policy.renewal_lifetime);
> I'll get this fixed today and submit new patches.
>
>> Currently this reads smb.conf parameters for these values.  If the
>> values from the GPO should override, then these need to be stored
>> somewhere, or perhaps written to AD and read from there.
>>
>> The other challenge is that we now do have a class of administrators
>> who have become very accustomed to the 'samba-tool pwsettings' command
>> for setting the password policies, and other administrators who would
>> love to get back to the GUI tools on Windows.
>>
>> If we turned this on, would we suddenly overwrite the settings on a
>> pile of domains?  
>>
>> I would be much more comfortable with this change if it were opt-in for
>> a release, off by default by skipping the entry in server services,
>> allowing us to understand how it works.
> I agree with that. Let's make it off by default for one release.
>> For example, I'm a little nervous about the idea of unapplying a
>> setting that might also have been modified directly by the
>> administrator, or applying a setting that was manually set directly.  
> The whole point of GPO is to _enforce_ policy, so that if someone is
> manually making changes, they _intentionally_ get overwritten. I'd argue
> that this isn't a drawback, by the intention of this feature.
> The issue is, we need admins to get used to this, and to stop making
> manual changes.
>> Additionally there is the complexity of a multi-master replicated
>> domain, the apply/un-apply logs would be scattered on each DC, based on
>> who wins the 15 mins timer race.
> The point of the unapply log is to be able to roll back policies to a
> state prior to GPO apply. So, for example, if gpo gets turned on, and
> admin decides they don't want it anymore, they can easily roll back to
> the original settings and disable gpo apply. This is not something that
> should be used regularly.
>> I guess one way out would be to have 'samba-tool domain pwsettings'
>> write group policy files, but without a replicated sysvol I can't see
>> how that works either.
>>
>> I'm sorry to drop such doubts on you at this late moment.
>>
>> Sorry,
>>
>> Andrew Bartlett
>>
>>>  ctdb/common/system.h                            |   1 -
>>>  ctdb/common/system_util.c                       |  49 +-----
>>>  ctdb/wscript                                    |   4 +-
>>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
>>>  dynconfig/dynconfig.c                           |   1 +
>>>  dynconfig/dynconfig.h                           |   1 +
>>>  dynconfig/wscript                               |   2 +
>>>  lib/param/loadparm.c                            |   3 +-
>>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>>  lib/util/mkdir_p.h                              |  22 +++
>>>  lib/util/wscript_build                          |   5 +
>>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>>  libgpo/gpo_ldap.c                               |   4 +-
>>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>>  libgpo/pygpo.c                                  | 451
>>> +++++++++++++++++++++++++++++++++++++++++++++++
>>>  libgpo/wscript_build                            |  12 ++
>>>  python/samba/gpclass.py                         | 463
>>> +++++++++++++++++++++++++++++++++++++++++++++++++
>>>  python/samba/krb5parse.py                       |  78 +++++++++
>>>  python/samba/samdb.py                           |  18 ++
>>>  selftest/target/Samba4.pm                       |   1 +
>>>  source3/libgpo/gpext/wscript_build              |   4 -
>>>  source3/param/loadparm.c                        |   9 +-
>>>  source3/utils/wscript_build                     |   2 +-
>>>  source3/wscript_build                           |  19 --
>>>  source4/dsdb/gpo/gpo_update.c                   | 191
>>> ++++++++++++++++++++
>>>  source4/dsdb/wscript_build                      |   9 +
>>>  source4/param/pyparam.c                         |   7 +
>>>  source4/scripting/bin/samba_gpoupdate           | 153
>>> ++++++++++++++++
>>>  source4/scripting/bin/wscript_build             |   2 +-
>>>  source4/scripting/wscript_build                 |   2 +-
>>>  source4/selftest/tests.py                       |   4 +
>>>  source4/torture/gpo/apply.c                     | 165
>>> ++++++++++++++++++
>>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>>  source4/torture/gpo/wscript_build               |  14 ++
>>>  source4/torture/wscript_build                   |   1 +
>>>  wscript_build                                   |   1 +
>>>  38 files changed, 1743 insertions(+), 81 deletions(-)
>>>
>>> On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
>>>> These patches were originally sent to the mailing list on 05 June
>>>> 2014.
>>>> New python bindings for getting gpo guids and correct apply order
>>>> from
>>>> libgpo. Completely rewritten samba_gpoupdate to use new python
>>>> bindings.
>>>> Added unapply.
>>>> I would love to get these into 4.7. Feedback welcome!
>>>>
>>>>  ctdb/common/system.h                            |   1 -
>>>>  ctdb/common/system_util.c                       |  49 +-----
>>>>  ctdb/wscript                                    |   4 +-
>>>>  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
>>>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
>>>>  dynconfig/dynconfig.c                           |   1 +
>>>>  dynconfig/dynconfig.h                           |   1 +
>>>>  dynconfig/wscript                               |   2 +
>>>>  lib/param/loadparm.c                            |   3 +-
>>>>  lib/util/mkdir_p.c                              |  71 ++++++++
>>>>  lib/util/mkdir_p.h                              |  22 +++
>>>>  lib/util/wscript_build                          |   5 +
>>>>  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
>>>>  libgpo/gpo_ldap.c                               |   4 +-
>>>>  {source3/libgpo => libgpo}/gpo_proto.h          |   0
>>>>  {source3/libgpo => libgpo}/gpo_reg.c            |   0
>>>>  libgpo/pygpo.c                                  | 448
>>>> +++++++++++++++++++++++++++++++++++++++++++++++++
>>>>  libgpo/wscript_build                            |  12 ++
>>>>  python/samba/gpclass.py                         | 387
>>>> ++++++++++++++++++++++++++++++++++++++++++
>>>>  python/samba/krb5parse.py                       |  67 ++++++++
>>>>  python/samba/samdb.py                           |  18 ++
>>>>  selftest/target/Samba4.pm                       |   1 +
>>>>  source3/auth/token_util.c                       |   3 +-
>>>>  source3/libgpo/gpext/wscript_build              |   4 -
>>>>  source3/param/loadparm.c                        |   9 +-
>>>>  source3/utils/wscript_build                     |   2 +-
>>>>  source3/wscript_build                           |  19 ---
>>>>  source4/dsdb/gpo/gpo_update.c                   | 191
>>>> +++++++++++++++++++++
>>>>  source4/dsdb/wscript_build                      |   9 +
>>>>  source4/param/pyparam.c                         |   7 +
>>>>  source4/scripting/bin/samba_gpoupdate           | 147
>>>> ++++++++++++++++
>>>>  source4/scripting/bin/wscript_build             |   2 +-
>>>>  source4/scripting/wscript_build                 |   2 +-
>>>>  source4/selftest/tests.py                       |   4 +
>>>>  source4/torture/gpo/apply.c                     | 165
>>>> ++++++++++++++++++
>>>>  source4/torture/gpo/gpo.c                       |  36 ++++
>>>>  source4/torture/gpo/wscript_build               |  14 ++
>>>>  source4/torture/wscript_build                   |   1 +
>>>>  wscript_build                                   |   1 +
>>>>  39 files changed, 1646 insertions(+), 82 deletions(-)
>>>>
--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: gpo_patches.mbox (235K)

Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
On Mon, 2017-07-03 at 09:07 -0600, David Mulder wrote:
> Here is a new set of patches that addresses the kerberos settings
> issue,
> as well as disabling the service by default.

Thanks.

I think that addresses my comments.  I'm not super-keen on the rewrite
of the smb.conf.  I think this belongs as a database that Samba reads,
and that we overwrite at startup if the smb.conf has a setting.  If you
could drop that bit it would be ideal.

I'm sure others who look at this would see the second-last commit of
'rewrite' as a bit of a red flag, but considering the history of this
effort I'm not sure it can be avoided.  

It did make it hard to just drop the KDC options patch however, which
was something I was considering, so as to land the majority of your
work.

If you can collect two reviewers then please do, I'm still not able to
get my head into it enough to give you that myself.  

Having it off by default helps a lot, it should also get a WHATSNEW
section and a manpage for samba_gpoupdate explaining what it does, and
that it is experimental at this stage.

Thank you so much for all your efforts here!  I'm sorry if this doesn't
make 4.7, as you have made a valiant effort!

Thanks,

Andrew Bartlett

> On 07/03/2017 06:14 AM, David Mulder wrote:
> >
> > On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
> > > On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > > > I've attached a new set of patches that fix the issues that
> > > > Garming
> > > > pointed out (as well as a few issues I discovered).
> > > >
> > > > The changes to finalize_local_nt_token() have been removed.
> > > > Comments
> > > > have been added to the KRB5Parser and gp_log classes.
> > > > Documentation
> > > > has
> > > > been added for the settings that are being applied. The source
> > > > has
> > > > been
> > > > rebased against master. A build warning was silenced using
> > > > discard_const_p(). Segfaults in the make test were fixed.
> > > >
> > > > Feedback is appreciated!
> > >
> > > Thanks David. 
> > >
> > > I'm sorry for not noticing this earlier, but the GPO settings for
> > > the
> > > KDC look wrong. 
> > >
> > > While you have set the settings into the krb5.conf, I think you
> > > actually want to change the KDC in setup_kdc_setup_db_ctx():
> > >
> > > /* get default kdc policy */
> > > lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> > >  &kdc_db_ctx->policy.svc_tkt_lifetime,
> > >  &kdc_db_ctx->policy.usr_tkt_lifetime,
> > >  &kdc_db_ctx->policy.renewal_lifetime);
> >
> > I'll get this fixed today and submit new patches.
> >
> > > Currently this reads smb.conf parameters for these values.  If
> > > the
> > > values from the GPO should override, then these need to be stored
> > > somewhere, or perhaps written to AD and read from there.
> > >
> > > The other challenge is that we now do have a class of
> > > administrators
> > > who have become very accustomed to the 'samba-tool pwsettings'
> > > command
> > > for setting the password policies, and other administrators who
> > > would
> > > love to get back to the GUI tools on Windows. 
> > >
> > > If we turned this on, would we suddenly overwrite the settings on
> > > a
> > > pile of domains?  
> > >
> > > I would be much more comfortable with this change if it were opt-
> > > in for
> > > a release, off by default by skipping the entry in server
> > > services,
> > > allowing us to understand how it works.
> >
> > I agree with that. Let's make it off by default for one release.
> > > For example, I'm a little nervous about the idea of unapplying a
> > > setting that might also have been modified directly by the
> > > administrator, or applying a setting that was manually set
> > > directly.  
> >
> > The whole point of GPO is to _enforce_ policy, so that if someone
> > is
> > manually making changes, they _intentionally_ get overwritten. I'd
> > argue
> > that this isn't a drawback, by the intention of this feature.
> > The issue is, we need admins to get used to this, and to stop
> > making
> > manual changes.
> > > Additionally there is the complexity of a multi-master replicated
> > > domain, the apply/un-apply logs would be scattered on each DC,
> > > based on
> > > who wins the 15 mins timer race.
> >
> > The point of the unapply log is to be able to roll back policies to
> > a
> > state prior to GPO apply. So, for example, if gpo gets turned on,
> > and
> > admin decides they don't want it anymore, they can easily roll back
> > to
> > the original settings and disable gpo apply. This is not something
> > that
> > should be used regularly.
> > > I guess one way out would be to have 'samba-tool domain
> > > pwsettings'
> > > write group policy files, but without a replicated sysvol I can't
> > > see
> > > how that works either.
> > >
> > > I'm sorry to drop such doubts on you at this late moment. 
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > >  ctdb/common/system.h                            |   1 -
> > > >  ctdb/common/system_util.c                       |  49 +-----
> > > >  ctdb/wscript                                    |   4 +-
> > > >  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
> > > >  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  17 ++
> > > >  dynconfig/dynconfig.c                           |   1 +
> > > >  dynconfig/dynconfig.h                           |   1 +
> > > >  dynconfig/wscript                               |   2 +
> > > >  lib/param/loadparm.c                            |   3 +-
> > > >  lib/util/mkdir_p.c                              |  71 ++++++++
> > > >  lib/util/mkdir_p.h                              |  22 +++
> > > >  lib/util/wscript_build                          |   5 +
> > > >  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
> > > >  libgpo/gpo_ldap.c                               |   4 +-
> > > >  {source3/libgpo => libgpo}/gpo_proto.h          |   0
> > > >  {source3/libgpo => libgpo}/gpo_reg.c            |   0
> > > >  libgpo/pygpo.c                                  | 451
> > > > +++++++++++++++++++++++++++++++++++++++++++++++
> > > >  libgpo/wscript_build                            |  12 ++
> > > >  python/samba/gpclass.py                         | 463
> > > > +++++++++++++++++++++++++++++++++++++++++++++++++
> > > >  python/samba/krb5parse.py                       |  78
> > > > +++++++++
> > > >  python/samba/samdb.py                           |  18 ++
> > > >  selftest/target/Samba4.pm                       |   1 +
> > > >  source3/libgpo/gpext/wscript_build              |   4 -
> > > >  source3/param/loadparm.c                        |   9 +-
> > > >  source3/utils/wscript_build                     |   2 +-
> > > >  source3/wscript_build                           |  19 --
> > > >  source4/dsdb/gpo/gpo_update.c                   | 191
> > > > ++++++++++++++++++++
> > > >  source4/dsdb/wscript_build                      |   9 +
> > > >  source4/param/pyparam.c                         |   7 +
> > > >  source4/scripting/bin/samba_gpoupdate           | 153
> > > > ++++++++++++++++
> > > >  source4/scripting/bin/wscript_build             |   2 +-
> > > >  source4/scripting/wscript_build                 |   2 +-
> > > >  source4/selftest/tests.py                       |   4 +
> > > >  source4/torture/gpo/apply.c                     | 165
> > > > ++++++++++++++++++
> > > >  source4/torture/gpo/gpo.c                       |  36 ++++
> > > >  source4/torture/gpo/wscript_build               |  14 ++
> > > >  source4/torture/wscript_build                   |   1 +
> > > >  wscript_build                                   |   1 +
> > > >  38 files changed, 1743 insertions(+), 81 deletions(-)
> > > >
> > > > On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
> > > > > These patches were originally sent to the mailing list on 05
> > > > > June
> > > > > 2014.
> > > > > New python bindings for getting gpo guids and correct apply
> > > > > order
> > > > > from
> > > > > libgpo. Completely rewritten samba_gpoupdate to use new
> > > > > python
> > > > > bindings.
> > > > > Added unapply.
> > > > > I would love to get these into 4.7. Feedback welcome!
> > > > >
> > > > >  ctdb/common/system.h                            |   1 -
> > > > >  ctdb/common/system_util.c                       |  49 +-----
> > > > >  ctdb/wscript                                    |   4 +-
> > > > >  docs-xml/smbdotconf/base/serverservices.xml     |   2 +-
> > > > >  docs-xml/smbdotconf/domain/gpoupdatecommand.xml |  14 ++
> > > > >  dynconfig/dynconfig.c                           |   1 +
> > > > >  dynconfig/dynconfig.h                           |   1 +
> > > > >  dynconfig/wscript                               |   2 +
> > > > >  lib/param/loadparm.c                            |   3 +-
> > > > >  lib/util/mkdir_p.c                              |  71
> > > > > ++++++++
> > > > >  lib/util/mkdir_p.h                              |  22 +++
> > > > >  lib/util/wscript_build                          |   5 +
> > > > >  {source3/libgpo => libgpo}/gpo_filesync.c       |   0
> > > > >  libgpo/gpo_ldap.c                               |   4 +-
> > > > >  {source3/libgpo => libgpo}/gpo_proto.h          |   0
> > > > >  {source3/libgpo => libgpo}/gpo_reg.c            |   0
> > > > >  libgpo/pygpo.c                                  | 448
> > > > > +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > >  libgpo/wscript_build                            |  12 ++
> > > > >  python/samba/gpclass.py                         | 387
> > > > > ++++++++++++++++++++++++++++++++++++++++++
> > > > >  python/samba/krb5parse.py                       |  67
> > > > > ++++++++
> > > > >  python/samba/samdb.py                           |  18 ++
> > > > >  selftest/target/Samba4.pm                       |   1 +
> > > > >  source3/auth/token_util.c                       |   3 +-
> > > > >  source3/libgpo/gpext/wscript_build              |   4 -
> > > > >  source3/param/loadparm.c                        |   9 +-
> > > > >  source3/utils/wscript_build                     |   2 +-
> > > > >  source3/wscript_build                           |  19 ---
> > > > >  source4/dsdb/gpo/gpo_update.c                   | 191
> > > > > +++++++++++++++++++++
> > > > >  source4/dsdb/wscript_build                      |   9 +
> > > > >  source4/param/pyparam.c                         |   7 +
> > > > >  source4/scripting/bin/samba_gpoupdate           | 147
> > > > > ++++++++++++++++
> > > > >  source4/scripting/bin/wscript_build             |   2 +-
> > > > >  source4/scripting/wscript_build                 |   2 +-
> > > > >  source4/selftest/tests.py                       |   4 +
> > > > >  source4/torture/gpo/apply.c                     | 165
> > > > > ++++++++++++++++++
> > > > >  source4/torture/gpo/gpo.c                       |  36 ++++
> > > > >  source4/torture/gpo/wscript_build               |  14 ++
> > > > >  source4/torture/wscript_build                   |   1 +
> > > > >  wscript_build                                   |   1 +
> > > > >  39 files changed, 1646 insertions(+), 82 deletions(-)
> > > > >
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT  
https://catalyst.net.nz/services/samba
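The apply/unapply log discussed above (recording pre-GPO values so the original settings can be restored when GPO apply is disabled, and the question of a setting edited by hand after apply) can be illustrated with a small model. This is an added example, not Samba's gpclass.py or gp_log code: SettingsStore, GPOLog, LogEntry and demo() are constructed here, the setting names follow the kdc_db_ctx policy fields quoted in the thread, and the GPO GUID is a placeholder. It goes slightly beyond the thread in that unapply detects drift (a value changed manually after apply) and leaves such keys alone unless explicitly forced, while apply itself still overwrites manual edits, which is the enforcement behaviour David describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class SettingsStore:
    """Stand-in (constructed) for the tdb/smb.conf values the DC reads."""

    def __init__(self, initial: Dict[str, str]):
        self._values = dict(initial)

    def get(self, key: str) -> Optional[str]:
        return self._values.get(key)

    def set(self, key: str, value: str) -> None:
        self._values[key] = value

    def delete(self, key: str) -> None:
        self._values.pop(key, None)

    def snapshot(self) -> Dict[str, str]:
        return dict(self._values)


@dataclass
class LogEntry:
    gpo_guid: str
    key: str
    old_value: Optional[str]  # None: key did not exist before GPO touched it
    new_value: str            # value most recently written by GPO apply


class GPOLog:
    """Ordered apply log; unapply walks it in reverse to restore originals."""

    def __init__(self, store: SettingsStore):
        self.store = store
        self.entries: List[LogEntry] = []

    def _find(self, key: str) -> Optional[LogEntry]:
        for e in self.entries:
            if e.key == key:
                return e
        return None

    def apply(self, gpo_guid: str, key: str, value: str) -> None:
        """Enforce one policy value.  The pre-GPO original is recorded only
        the first time a key is touched; later applies (including ones that
        overwrite a manual edit, which is the intended enforcement) only
        refresh new_value so drift detection compares against the latest
        applied value."""
        entry = self._find(key)
        if entry is None:
            self.entries.append(LogEntry(gpo_guid, key, self.store.get(key), value))
        else:
            entry.gpo_guid = gpo_guid
            entry.new_value = value
        self.store.set(key, value)

    def drift(self) -> Dict[str, Tuple[str, Optional[str]]]:
        """Keys whose current value differs from what GPO last applied,
        i.e. changed by hand after apply: key -> (applied, current)."""
        return {e.key: (e.new_value, self.store.get(e.key))
                for e in self.entries
                if self.store.get(e.key) != e.new_value}

    def unapply(self, force: bool = False) -> List[str]:
        """Restore pre-GPO values in reverse apply order.  Drifted keys are
        left alone unless force=True, so a manual change is never silently
        reverted during a rollback.  Returns the keys restored."""
        drifted = self.drift()
        restored: List[str] = []
        for e in reversed(self.entries):
            if e.key in drifted and not force:
                continue
            if e.old_value is None:
                self.store.delete(e.key)
            else:
                self.store.set(e.key, e.old_value)
            restored.append(e.key)
        self.entries = [e for e in self.entries if e.key not in restored]
        return restored


def demo() -> Dict[str, object]:
    """Apply, manual edit, rollback, forced rollback, on constructed KDC
    policy values (placeholder GUID, not a real GPO)."""
    store = SettingsStore({"usr_tkt_lifetime": "10", "svc_tkt_lifetime": "10"})
    log = GPOLog(store)
    guid = "{00000000-0000-0000-0000-000000000001}"  # placeholder
    log.apply(guid, "usr_tkt_lifetime", "8")
    log.apply(guid, "renewal_lifetime", "168")
    store.set("usr_tkt_lifetime", "12")       # admin edits by hand after apply
    result: Dict[str, object] = {"drift": log.drift()}
    result["restored"] = log.unapply()        # skips the drifted key
    result["after_unapply"] = store.snapshot()
    log.unapply(force=True)                   # explicit rollback of the drifted key too
    result["after_force"] = store.snapshot()
    return result


if __name__ == "__main__":
    for stage, value in demo().items():
        print(stage, value)
```

Running demo() shows the key stored nowhere before apply (renewal_lifetime) being deleted on unapply, the hand-edited usr_tkt_lifetime surviving an ordinary unapply, and only the forced unapply returning it to the pre-GPO value of 10.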






Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
I agree the smb.conf rewrite isn't ideal. I'd considered simply storing
the settings in the samdb, and doing like you said, but that was a
bigger rewrite than I had time for Monday.
 I'll see who I can get to review the source.


--

David Mulder

SUSE Labs Software Engineer - Samba

[hidden email]

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)


>>> Andrew Bartlett via samba-technical <[hidden email]> 07/03/17 11:57 PM >>>
On Mon, 2017-07-03 at 09:07 -0600, David Mulder wrote:
> Here is a new set of patches that addresses the kerberos settings
> issue,
> as well as disabling the service by default.

Thanks.

I think that addresses my comments. I'm not super-keen on the rewrite
of the smb.conf. I think this belongs as a database that Samba reads,
and that we overwrite at startup if the smb.conf has a setting. If you
could drop that bit it would be ideal.

I'm sure others who look at this would see the second-last commit of
'rewrite' as a bit of a red flag, but considering the history of this
effort I'm not sure it can be avoided.

It did make it hard to just drop the KDC options patch however, which
was something I was considering, so as to land the majority of your
work.

If you can collect two reviewers then please do, I'm still not able to
get my head into it enough to give you that myself.

Having it off by default helps a lot, it should also get a WHATNEW
section and a manpage for samba_gpoupdate explaining what it does, and
that it is experimental at this stage.

Thank you so much for all your efforts here! I'm sorry if this doesn't
make 4.7, as you have made a valiant effort!

Thanks,

Andrew Bartlett

> On 07/03/2017 06:14 AM, David Mulder wrote:
> >
> > On 07/02/2017 09:44 PM, Andrew Bartlett wrote:
> > > On Wed, 2017-06-28 at 13:48 -0600, David Mulder wrote:
> > > > I've attached a new set of patches that fix the issues that
> > > > Garming
> > > > pointed out (as well as a few issues I discovered).
> > > >
> > > > The changes to finalize_local_nt_token() have been removed.
> > > > Comments
> > > > have been added to the KRB5Parser and gp_log classes.
> > > > Documentation
> > > > has
> > > > been added for the settings that are being applied. The source
> > > > has
> > > > been
> > > > rebased against master. A build warning was silenced using
> > > > discard_const_p(). Segfaults in the make test were fixed.
> > > >
> > > > Feedback is appreciated!
> > >
> > > Thanks David.
> > >
> > > I'm sorry for not noticing this earlier, but the GPO settings for
> > > the
> > > KDC look wrong.
> > >
> > > While you have set the settings into the krb5.conf, I think you
> > > actually want to change the KDC in setup_kdc_setup_db_ctx():
> > >
> > >     /* get default kdc policy */
> > >     lpcfg_default_kdc_policy(base_ctx->lp_ctx,
> > >                  &kdc_db_ctx->policy.svc_tkt_lifetime,
> > >                  &kdc_db_ctx->policy.usr_tkt_lifetime,
> > >                  &kdc_db_ctx->policy.renewal_lifetime);
> >
> > I'll get this fixed today and submit new patches.
> >
> > > Currently this reads smb.conf parameters for these values. If
> > > the
> > > values from the GPO should override, then these need to be stored
> > > somewhere, or perhaps written to AD and read from there.
> > >
> > > The other challenge is that we now do have a class of
> > > administrators
> > > who have become very accustomed to the 'samba-tool pwsettings'
> > > command
> > > for setting the password policies, and other administrators who
> > > would
> > > love to get back to the GUI tools on Windows.
> > >
> > > If we turned this on, would we suddenly overwrite the settings on
> > > a
> > > pile of domains?
> > >
> > > I would be much more comfortable with this change if it were opt-
> > > in for
> > > a release, off by default by skipping the entry in server
> > > services,
> > > allowing us to understand how it works.
> >
> > I agree with that. Let's make it off by default for one release.
> > > For example, I'm a little nervous about the idea of unapplying a
> > > setting that might also have been modified directly by the
> > > administrator, or applying a setting that was manually set
> > > directly.
> >
> > The whole point of GPO is to _enforce_ policy, so that if someone
> > is
> > manually making changes, they _intentionally_ get overwritten. I'd
> > argue
> > that this isn't a drawback, by the intention of this feature.
> > The issue is, we need admins to get used to this, and to stop
> > making
> > manual changes.
> > > Additionally there is the complexity of a multi-master replicated
> > > domain, the apply/un-apply logs would be scattered on each DC,
> > > based on
> > > who wins the 15 mins timer race.
> >
> > The point of the unapply log is to be able to roll back policies to
> > a
> > state prior to GPO apply. So, for example, if gpo gets turned on,
> > and
> > admin decides they don't want it anymore, they can easily roll back
> > to
> > the original settings and disable gpo apply. This is not something
> > that
> > should be used regularly.
> > > I guess one way out would be to have 'samba-tool domain
> > > pwsettings'
> > > write group policy files, but without a replicated sysvol I can't
> > > see
> > > how that works either.
> > >
> > > I'm sorry to drop such doubts on you at this late moment.
> > >
> > > Sorry,
> > >
> > > Andrew Bartlett
> > >
> > > > ctdb/common/system.h | 1 -
> > > > ctdb/common/system_util.c | 49 +-----
> > > > ctdb/wscript | 4 +-
> > > > docs-xml/smbdotconf/base/serverservices.xml | 2 +-
> > > > docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 17 ++
> > > > dynconfig/dynconfig.c | 1 +
> > > > dynconfig/dynconfig.h | 1 +
> > > > dynconfig/wscript | 2 +
> > > > lib/param/loadparm.c | 3 +-
> > > > lib/util/mkdir_p.c | 71 ++++++++
> > > > lib/util/mkdir_p.h | 22 +++
> > > > lib/util/wscript_build | 5 +
> > > > {source3/libgpo => libgpo}/gpo_filesync.c | 0
> > > > libgpo/gpo_ldap.c | 4 +-
> > > > {source3/libgpo => libgpo}/gpo_proto.h | 0
> > > > {source3/libgpo => libgpo}/gpo_reg.c | 0
> > > > libgpo/pygpo.c | 451
> > > > +++++++++++++++++++++++++++++++++++++++++++++++
> > > > libgpo/wscript_build | 12 ++
> > > > python/samba/gpclass.py | 463
> > > > +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > python/samba/krb5parse.py | 78
> > > > +++++++++
> > > > python/samba/samdb.py | 18 ++
> > > > selftest/target/Samba4.pm | 1 +
> > > > source3/libgpo/gpext/wscript_build | 4 -
> > > > source3/param/loadparm.c | 9 +-
> > > > source3/utils/wscript_build | 2 +-
> > > > source3/wscript_build | 19 --
> > > > source4/dsdb/gpo/gpo_update.c | 191
> > > > ++++++++++++++++++++
> > > > source4/dsdb/wscript_build | 9 +
> > > > source4/param/pyparam.c | 7 +
> > > > source4/scripting/bin/samba_gpoupdate | 153
> > > > ++++++++++++++++
> > > > source4/scripting/bin/wscript_build | 2 +-
> > > > source4/scripting/wscript_build | 2 +-
> > > > source4/selftest/tests.py | 4 +
> > > > source4/torture/gpo/apply.c | 165
> > > > ++++++++++++++++++
> > > > source4/torture/gpo/gpo.c | 36 ++++
> > > > source4/torture/gpo/wscript_build | 14 ++
> > > > source4/torture/wscript_build | 1 +
> > > > wscript_build | 1 +
> > > > 38 files changed, 1743 insertions(+), 81 deletions(-)
> > > >
> > > > On 06/16/2017 10:04 AM, David Mulder via samba-technical wrote:
> > > > > These patches were originally sent to the mailing list on 05
> > > > > June
> > > > > 2014.
> > > > > New python bindings for getting gpo guids and correct apply
> > > > > order
> > > > > from
> > > > > libgpo. Completely rewritten samba_gpoupdate to use new
> > > > > python
> > > > > bindings.
> > > > > Added unapply.
> > > > > I would love to get these into 4.7. Feedback welcome!
> > > > >
> > > > > ctdb/common/system.h | 1 -
> > > > > ctdb/common/system_util.c | 49 +-----
> > > > > ctdb/wscript | 4 +-
> > > > > docs-xml/smbdotconf/base/serverservices.xml | 2 +-
> > > > > docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 14 ++
> > > > > dynconfig/dynconfig.c | 1 +
> > > > > dynconfig/dynconfig.h | 1 +
> > > > > dynconfig/wscript | 2 +
> > > > > lib/param/loadparm.c | 3 +-
> > > > > lib/util/mkdir_p.c | 71
> > > > > ++++++++
> > > > > lib/util/mkdir_p.h | 22 +++
> > > > > lib/util/wscript_build | 5 +
> > > > > {source3/libgpo => libgpo}/gpo_filesync.c | 0
> > > > > libgpo/gpo_ldap.c | 4 +-
> > > > > {source3/libgpo => libgpo}/gpo_proto.h | 0
> > > > > {source3/libgpo => libgpo}/gpo_reg.c | 0
> > > > > libgpo/pygpo.c | 448
> > > > > +++++++++++++++++++++++++++++++++++++++++++++++++
> > > > > libgpo/wscript_build | 12 ++
> > > > > python/samba/gpclass.py | 387
> > > > > ++++++++++++++++++++++++++++++++++++++++++
> > > > > python/samba/krb5parse.py | 67
> > > > > ++++++++
> > > > > python/samba/samdb.py | 18 ++
> > > > > selftest/target/Samba4.pm | 1 +
> > > > > source3/auth/token_util.c | 3 +-
> > > > > source3/libgpo/gpext/wscript_build | 4 -
> > > > > source3/param/loadparm.c | 9 +-
> > > > > source3/utils/wscript_build | 2 +-
> > > > > source3/wscript_build | 19 ---
> > > > > source4/dsdb/gpo/gpo_update.c | 191
> > > > > +++++++++++++++++++++
> > > > > source4/dsdb/wscript_build | 9 +
> > > > > source4/param/pyparam.c | 7 +
> > > > > source4/scripting/bin/samba_gpoupdate | 147
> > > > > ++++++++++++++++
> > > > > source4/scripting/bin/wscript_build | 2 +-
> > > > > source4/scripting/wscript_build | 2 +-
> > > > > source4/selftest/tests.py | 4 +
> > > > > source4/torture/gpo/apply.c | 165
> > > > > ++++++++++++++++++
> > > > > source4/torture/gpo/gpo.c | 36 ++++
> > > > > source4/torture/gpo/wscript_build | 14 ++
> > > > > source4/torture/wscript_build | 1 +
> > > > > wscript_build | 1 +
> > > > > 39 files changed, 1646 insertions(+), 82 deletions(-)
> > > > >
>
>
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba







Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Added to WHATSNEW, added a man page for samba_gpoupdate, and rewrote the
kdc kerberos policy to apply to a tdb, then be read by
lpcfg_default_kdc_policy().

On 07/05/2017 07:20 AM, David Mulder via samba-technical wrote:
> I agree the smb.conf rewrite isn't ideal. I'd considered simply storing
> the settings in the samdb, and doing like you said, but that was a
> bigger rewrite than I had time for Monday.
>  I'll see who I can get to review the source.
>
>

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: gpo.mbox (262K)

Re: Fwd: Re: [PATCHES] GPO support for the AD DC itself

Samba - samba-technical mailing list
Hey,

So I went ahead and squashed the unapply and tdb storage commits
together, which required extracting pieces of the always apply patch. I
renamed the tdb file to gpo.tdb throughout the history, and I pulled in
my patch that fixes the unapply (which I broke earlier when rebasing).
This is all based on top of Garming's rebase work, so it's all in there.
Thanks for your help Garming, the patches are looking great!
Patches are attached.

On 08/08/2017 10:47 PM, Garming Sam wrote:

> Hi,
>
> I've taken a look at the patches, and they needed a lot of squashing
> in my mind. It seemed easier to just do it than explain at length all
> the details. The overall patchset result stays the same, but a lot of
> the intermediate steps have now been removed. The Kerberos patches in
> particular have been disentangled from the middle of the patchset.
> Unless you had any objections or other things to add, I will look to
> squashing the unapply code together with the tdb storage. The
> syslog.tdb (and sysvol_log.tdb) which appeared at various points also
> need to be renamed to gpo.tdb for continuity.
>
> Apart from that, the changes don't look all that overwhelming anymore
> and I'm happier with them. It should also be much clearer for Andrew
> to look at now.
>
>
> Cheers,
>
> Garming
>
--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: gpo.mbox (198K)