[PATCHES v1] GPO fixes


[PATCHES v1] GPO fixes

Samba - samba-technical mailing list
Hoping to get these into 4.8;
Basically these are all the fixes/improvements from the machine policy
patches, minus the machine policy.
Includes:
* Fixes a crash in gpo unapply
* Don't stop parsing gpos if one fails
* Cache gpo versions and read from the cache, instead of reading
directly from the sysvol
* Call the gpupdate command from winbind, using the interval specified
by MS spec (random interval between 90 and 120 minutes).
* Enable gpupdate by default (this now only has the effect of enabling
the system access policies for the kdc).
* NEW: Provide a method for disabling gpo extensions. An extension will
now check if a <my filename>.disabled file is present, and the extension
is ignored if present. This required moving the system access policies
to their own file, which is now required for every extension.

This patch set *does not* contain any new gpo extensions, just
improvements to the overall gpo code (and making it easily extensible
for adding new extensions).

 docs-xml/smbdotconf/domain/gpoupdatecommand.xml    |  11 +-
 docs-xml/smbdotconf/winbind/applygrouppolicies.xml |  19 ++++
 lib/param/loadparm.c                               |   1 +
 python/samba/gp_sec_ext.py                         | 140 +++++++++++++++++++++++++
 python/samba/gpclass.py                            | 233 +++++++++++------------------------------
 selftest/target/Samba4.pm                          |   2 +-
 source3/param/loadparm.c                           |   2 +
 source3/winbindd/winbindd.c                        |   2 +
 source3/winbindd/winbindd_gpupdate.c               | 116 +++++++++++++++++++++
 source3/winbindd/winbindd_proto.h                  |   3 +
 source3/winbindd/wscript_build                     |   3 +-
 source4/dsdb/gpo/gpo_update.c                      | 193 ----------------------------------
 source4/dsdb/wscript_build                         |   9 --
 source4/scripting/bin/samba_gpoupdate              |  49 +++++++--
 source4/scripting/bin/wscript_build                |   2 +-
 source4/scripting/wscript_build                    |   7 +-
 source4/torture/gpo/apply.c                        | 258 +++++++++++++++++++++++++++++++++++++---------
 17 files changed, 608 insertions(+), 442 deletions(-)

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)


Attachment: gpo_fixes.mbox.txt (74K)
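The behaviours listed in the summary above (skipping an extension when a `.disabled` marker sits beside it, continuing past a GPO that fails, serving GPO versions from a cache instead of the sysvol, and the 90 to 120 minute refresh window) are modelled in the following added example. It is illustrative code written for this page, not Samba's code or the patches under review; the marker name `<stem>.disabled`, the cache shape, the extension call signature and all sample GPOs and version numbers are assumptions made here.

```python
"""Added example (not Samba's code or the patches under review): a small
model of the GPO apply behaviour the patch summary lists.  It shows an
extension being skipped when a '<name>.disabled' marker sits beside its
module, one failing GPO not stopping the others, and GPO versions served
from a cache so the sysvol is read once.  The marker name '<stem>.disabled',
the cache shape and the extension call signature are assumptions."""
import os
import random
import tempfile

# MS-GPOL background refresh: 90 minutes plus a random offset of up to
# 30 minutes, i.e. a delay somewhere in the 90..120 minute window.
BASE_INTERVAL_S = 90 * 60
MAX_OFFSET_S = 30 * 60


def next_gpupdate_delay(rng=None):
    """Seconds winbind would wait before the next gpupdate run."""
    rng = rng or random.Random()
    return BASE_INTERVAL_S + rng.randint(0, MAX_OFFSET_S)


def extension_enabled(module_path):
    """An extension is disabled when '<stem>.disabled' exists next to its
    .py file (assumed naming; the thread only says '<my filename>.disabled')."""
    stem, _ = os.path.splitext(module_path)
    return not os.path.exists(stem + ".disabled")


class VersionCache:
    """Per-GPO version numbers, filled from the sysvol only on a cache miss."""

    def __init__(self):
        self._versions = {}
        self.sysvol_reads = 0

    def version(self, gpo, fetch_from_sysvol):
        if gpo not in self._versions:
            self.sysvol_reads += 1
            self._versions[gpo] = fetch_from_sysvol(gpo)
        return self._versions[gpo]


def apply_gpos(gpos, extensions, cache, fetch_version):
    """Run every enabled extension over every GPO.  A failure in one GPO is
    recorded and the loop moves on instead of aborting the whole run."""
    applied, failed = [], {}
    for gpo in gpos:
        try:
            version = cache.version(gpo, fetch_version)
            for _name, ext in extensions:
                ext(gpo, version)
            applied.append(gpo)
        except Exception as exc:  # keep going, as "don't stop parsing" asks
            failed[gpo] = str(exc)
    return applied, failed


def run_demo():
    """Constructed layout: two extension modules, one disabled, and three
    GPOs of which one is broken.  Returns the observable results."""
    with tempfile.TemporaryDirectory() as d:
        sec_path = os.path.join(d, "gp_sec_ext.py")
        other_path = os.path.join(d, "gp_other_ext.py")
        for p in (sec_path, other_path):
            open(p, "w").close()
        open(os.path.join(d, "gp_other_ext.disabled"), "w").close()

        def sec_ext(gpo, version):
            if gpo == "GPO-BROKEN":
                raise ValueError("malformed GptTmpl.inf")  # constructed failure

        def other_ext(gpo, version):
            raise AssertionError("a disabled extension must never run")

        registry = {sec_path: sec_ext, other_path: other_ext}
        extensions = [(os.path.basename(p), f)
                      for p, f in registry.items() if extension_enabled(p)]

        sysvol = {"GPO-A": 3, "GPO-BROKEN": 5, "GPO-C": 1}  # constructed versions
        cache = VersionCache()
        first = apply_gpos(list(sysvol), extensions, cache, sysvol.__getitem__)
        second = apply_gpos(list(sysvol), extensions, cache, sysvol.__getitem__)
        return {
            "enabled": [name for name, _ in extensions],
            "applied": first[0],
            "failed": sorted(first[1]),
            "second_run_applied": second[0],
            "sysvol_reads": cache.sysvol_reads,  # three GPOs, read once each
        }


if __name__ == "__main__":
    print(run_demo())
```

Running the module shows the disabled extension never executing, `GPO-BROKEN` landing in the failure map while the other two GPOs still apply, and the second run making no sysvol reads at all. The `.disabled` lookup is deliberately isolated in `extension_enabled`, so moving the markers elsewhere (for instance next to `smb.conf`, as suggested later in the thread) is a one-function change.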

Re: [PATCHES v1] GPO fixes

On Mon, 2018-01-08 at 10:05 -0700, David Mulder wrote:

> Hoping to get these into 4.8;
> Basically these are all the fixes/improvements from the machine policy
> patches, minus the machine policy.
> Includes:
> * Fixes a crash in gpo unapply
> * Don't stop parsing gpos if one fails
> * Cache gpo versions and read from the cache, instead of reading
> directly from the sysvol
> * Call the gpupdate command from winbind, using the interval specified
> by MS spec (random interval between 90 and 120 minutes).
> * Enable gpupdate by default (this now only has the effect of enabling
> the system access policies for the kdc).
> * NEW: Provide a method for disabling gpo extensions. An extension will
> now check if a <my filename>.disabled file is present, and the extension
> is ignored if present. This required moving the system access policies
> to their own file, which is now required for every extension.
>
> This patch set *does not* contain any new gpo extensions, just
> improvements to the overall gpo code (and making it easily extensible
> for adding new extensions).

Thanks.  We also need to disable this during our selftest, and
explicitly test it in an environment that is not running tests for
things like minimum password age.  (The idea of this running, randomly,
during one of those tests scares me).

Andrew Bartlett
--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHES v1] GPO fixes

Hi,

I think I'm mostly fine with the first five patches (the docs need to be
tweaked to remove the mention of env vars though, attached as a patch).
Although most of the concerns we originally raised (in regards to the
KDC settings) have now been addressed, I still think having a release
with it off by default is sensible (and some curious users get to have a
play with it).

I think the disabling mechanism needs some more thought; I don't think
it's appropriate to put the .disabled files under the same sub-directory
as the module (and particularly in the python directory). There might
also be other issues like having it installed vs running from a
source-tree. Perhaps metze had some more thoughts on the most
appropriate location and/or format. You'd normally expect such files to
exist in an /etc/, neighbouring where our smb.conf lives.


Cheers,

Garming

On 09/01/18 06:05, David Mulder wrote:

> Hoping to get these into 4.8;
> Basically these are all the fixes/improvements from the machine policy
> patches, minus the machine policy.
> Includes:
> * Fixes a crash in gpo unapply
> * Don't stop parsing gpos if one fails
> * Cache gpo versions and read from the cache, instead of reading
> directly from the sysvol
> * Call the gpupdate command from winbind, using the interval specified
> by MS spec (random interval between 90 and 120 minutes).
> * Enable gpupdate by default (this now only has the effect of enabling
> the system access policies for the kdc).
> * NEW: Provide a method for disabling gpo extensions. An extension will
> now check if a <my filename>.disabled file is present, and the extension
> is ignored if present. This required moving the system access policies
> to their own file, which is now required for every extension.
>
> This patch set *does not* contain any new gpo extensions, just
> improvements to the overall gpo code (and making it easily extensible
> for adding new extensions).
>
>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml    |  11 +-
>  docs-xml/smbdotconf/winbind/applygrouppolicies.xml |  19 ++++
>  lib/param/loadparm.c                               |   1 +
>  python/samba/gp_sec_ext.py                         | 140 +++++++++++++++++++++++++
>  python/samba/gpclass.py                            | 233 +++++++++++------------------------------
>  selftest/target/Samba4.pm                          |   2 +-
>  source3/param/loadparm.c                           |   2 +
>  source3/winbindd/winbindd.c                        |   2 +
>  source3/winbindd/winbindd_gpupdate.c               | 116 +++++++++++++++++++++
>  source3/winbindd/winbindd_proto.h                  |   3 +
>  source3/winbindd/wscript_build                     |   3 +-
>  source4/dsdb/gpo/gpo_update.c                      | 193 ----------------------------------
>  source4/dsdb/wscript_build                         |   9 --
>  source4/scripting/bin/samba_gpoupdate              |  49 +++++++--
>  source4/scripting/bin/wscript_build                |   2 +-
>  source4/scripting/wscript_build                    |   7 +-
>  source4/torture/gpo/apply.c                        | 258 +++++++++++++++++++++++++++++++++++++---------
>  17 files changed, 608 insertions(+), 442 deletions(-)
>


Attachment: 0001-docs-Remove-reference-to-environment-variables-for-n.patch (1K)

Re: [PATCHES v1] GPO fixes


On 01/09/2018 02:44 AM, Garming Sam wrote:
> Hi,
>
> I think I'm mostly fine with the first five patches (the docs need to
> be tweaked to remove the mention of env vars though, attached as a
> patch). Although most of the concerns we originally raised (in regards
> to the KDC settings) have now been addressed, I still think having a
> release with it off by default is sensible (and some curious users get
> to have a play with it).
Sounds ok with me. Let's plan on leaving it disabled then.
>
> I think the disabling mechanism needs some more thought; I don't think
> it's appropriate to put the .disabled files under the same
> sub-directory as the module (and particularly in the python
> directory). There might also be other issues like having it installed
> vs running from a source-tree.
Currently it's set up to follow the .py file wherever it might be
installed, so I don't think the installed vs running directory would be
an issue.
> Perhaps metze had some more thoughts on the most appropriate location
> and/or format. You'd normally expect such files to exist in an /etc/,
> neighbouring where our smb.conf lives.
Yes, I wasn't really sure about the proper location for these, but
having them in the same directory as the .py files was what metze
suggested. Maybe let's leave the disable patch out for now? It isn't
particularly useful at this point anyway, since there is only one gp_ext.

>
>
> Cheers,
>
> Garming
>
> On 09/01/18 06:05, David Mulder wrote:
>> Hoping to get these into 4.8;
>> Basically these are all the fixes/improvements from the machine policy
>> patches, minus the machine policy.
>> Includes:
>> * Fixes a crash in gpo unapply
>> * Don't stop parsing gpos if one fails
>> * Cache gpo versions and read from the cache, instead of reading
>> directly from the sysvol
>> * Call the gpupdate command from winbind, using the interval specified
>> by MS spec (random interval between 90 and 120 minutes).
>> * Enable gpupdate by default (this now only has the effect of enabling
>> the system access policies for the kdc).
>> * NEW: Provide a method for disabling gpo extensions. An extension will
>> now check if a <my filename>.disabled file is present, and the extension
>> is ignored if present. This required moving the system access policies
>> to their own file, which is now required for every extension.
>>
>> This patch set *does not* contain any new gpo extensions, just
>> improvements to the overall gpo code (and making it easily extensible
>> for adding new extensions).
>>
>>  docs-xml/smbdotconf/domain/gpoupdatecommand.xml    |  11 +-
>>  docs-xml/smbdotconf/winbind/applygrouppolicies.xml |  19 ++++
>>  lib/param/loadparm.c                               |   1 +
>>  python/samba/gp_sec_ext.py                         | 140 +++++++++++++++++++++++++
>>  python/samba/gpclass.py                            | 233 +++++++++++------------------------------
>>  selftest/target/Samba4.pm                          |   2 +-
>>  source3/param/loadparm.c                           |   2 +
>>  source3/winbindd/winbindd.c                        |   2 +
>>  source3/winbindd/winbindd_gpupdate.c               | 116 +++++++++++++++++++++
>>  source3/winbindd/winbindd_proto.h                  |   3 +
>>  source3/winbindd/wscript_build                     |   3 +-
>>  source4/dsdb/gpo/gpo_update.c                      | 193 ----------------------------------
>>  source4/dsdb/wscript_build                         |   9 --
>>  source4/scripting/bin/samba_gpoupdate              |  49 +++++++--
>>  source4/scripting/bin/wscript_build                |   2 +-
>>  source4/scripting/wscript_build                    |   7 +-
>>  source4/torture/gpo/apply.c                        | 258 +++++++++++++++++++++++++++++++++++++---------
>>  17 files changed, 608 insertions(+), 442 deletions(-)
>>
>

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)



Re: [PATCHES v1] GPO fixes

On Tue, 2018-01-09 at 07:24 -0700, David Mulder wrote:

>
> On 01/09/2018 02:44 AM, Garming Sam wrote:
> > Hi,
> >
> > I think I'm mostly fine with the first five patches (the docs need to
> > be tweaked to remove the mention of env vars though, attached as a
> > patch). Although most of the concerns we originally raised (in regards
> > to the KDC settings) have now been addressed, I still think having a
> > release with it off by default is sensible (and some curious users get
> > to have a play with it).
>
> Sounds ok with me. Let's plan on leaving it disabled then.
> >
> > I think the disabling mechanism needs some more thought; I don't think
> > it's appropriate to put the .disabled files under the same
> > sub-directory as the module (and particularly in the python
> > directory). There might also be other issues like having it installed
> > vs running from a source-tree.
>
> Currently it's set up to follow the .py file wherever it might be
> installed, so I don't think the installed vs running directory would be
> an issue.
> > Perhaps metze had some more thoughts on the most appropriate location
> > and/or format. You'd normally expect such files to exist in an /etc/,
> > neighbouring where our smb.conf lives.
>
> Yes, I wasn't really sure about the proper location for these, but
> having them in the same directory as the .py files was what metze
> suggested. Maybe let's leave the disable patch out for now? It isn't
> particularly useful at this point anyway, since there is only one gp_ext.

Thanks.  I plan to review this into master with Garming today in time
for 4.8, assuming no additional issues come up.  Thank you very much
for your patience on this and I'm sorry this area isn't moving forward
in the way you would hope.

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: [PATCHES v1] GPO fixes

On 01/09/2018 11:40 AM, Andrew Bartlett wrote:

> On Tue, 2018-01-09 at 07:24 -0700, David Mulder wrote:
>> On 01/09/2018 02:44 AM, Garming Sam wrote:
>>> Hi,
>>>
>>> I think I'm mostly fine with the first five patches (the docs need to
>>> be tweaked to remove the mention of env vars though, attached as a
>>> patch). Although most of the concerns we originally raised (in regards
>>> to the KDC settings) have now been addressed, I still think having a
>>> release with it off by default is sensible (and some curious users get
>>> to have a play with it).
>> Sounds ok with me. Let's plan on leaving it disabled then.
>>> I think the disabling mechanism needs some more thought; I don't think
>>> it's appropriate to put the .disabled files under the same
>>> sub-directory as the module (and particularly in the python
>>> directory). There might also be other issues like having it installed
>>> vs running from a source-tree.
>> Currently it's set up to follow the .py file wherever it might be
>> installed, so I don't think the installed vs running directory would be
>> an issue.
>>> Perhaps metze had some more thoughts on the most appropriate location
>>> and/or format. You'd normally expect such files to exist in an /etc/,
>>> neighbouring where our smb.conf lives.
>> Yes, I wasn't really sure about the proper location for these, but
>> having them in the same directory as the .py files was what metze
>> suggested. Maybe let's leave the disable patch out for now? It isn't
>> particularly useful at this point anyway, since there is only one gp_ext.
> Thanks.  I plan to review this into master with Garming today in time
> for 4.8, assuming no additional issues come up.  Thank you very much
> for your patience on this and I'm sorry this area isn't moving forward
> in the way you would hope.
No worries.
>
> Andrew Bartlett
>

--
David Mulder
SUSE Labs Software Engineer - Samba
[hidden email]
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)