The branch, master has been updated
       via  0eec2b6 docs: Remove reference to environment variables for now
       via  2ca73cb gpo: Add the winbind call to gpupdate
       via  fb5241a Revert "gpo: Create the gpo update service"
       via  88152ad gpo: Continue parsing GPOs even if one fails
       via  ef49d0b gpo: Fix crashes in gpo unapply
      from  08651a0 samba_kcc: do not commit new nTDSConnection, if we are rodc

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 0eec2b6e049ae0acf62a5d704697fe31956ec5b7
Author: Garming Sam <garm...@catalyst.net.nz>
Date:   Tue Jan 9 16:28:36 2018 +1300

    docs: Remove reference to environment variables for now

    Signed-off-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Sun Jan 14 03:08:01 CET 2018 on sn-devel-144

commit 2ca73cba53621c6db79f769f625316535fbfdbc9
Author: David Mulder <dmul...@suse.com>
Date:   Tue Nov 21 03:44:12 2017 -0700

    gpo: Add the winbind call to gpupdate

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fb5241aa9d3fe8319ff5232b8a3d1987d03ba7bf
Author: David Mulder <dmul...@suse.com>
Date:   Wed Dec 6 12:51:22 2017 -0700

    Revert "gpo: Create the gpo update service"

    This reverts commit 5662e49b49f6557c80f216f510f224bbf800f40a.

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 88152adeca704bb49574802b280142164a899e31
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jan 8 09:19:13 2018 -0700

    gpo: Continue parsing GPOs even if one fails

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Garming Sam <garm...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ef49d0b9eff9b90fa5533d50a0fc26405f44d449
Author: David Mulder <dmul...@suse.com>
Date:   Mon Jan 8 09:16:11 2018 -0700

    gpo: Fix crashes in gpo unapply
Signed-off-by: David Mulder <dmul...@suse.com> Reviewed-by: Garming Sam <garm...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: docs-xml/smbdotconf/domain/gpoupdatecommand.xml | 10 +- docs-xml/smbdotconf/winbind/applygrouppolicies.xml | 19 ++ lib/param/loadparm.c | 1 + python/samba/gpclass.py | 24 +-- selftest/target/Samba4.pm | 2 +- source3/param/loadparm.c | 2 + source3/winbindd/winbindd.c | 2 + source3/winbindd/winbindd_gpupdate.c | 116 +++++++++++++ source3/winbindd/winbindd_proto.h | 3 + source3/winbindd/wscript_build | 3 +- source4/dsdb/gpo/gpo_update.c | 193 --------------------- source4/dsdb/wscript_build | 9 - source4/scripting/bin/samba_gpoupdate | 35 +++- source4/scripting/bin/wscript_build | 2 +- source4/scripting/wscript_build | 7 +- 15 files changed, 196 insertions(+), 232 deletions(-) create mode 100644 docs-xml/smbdotconf/winbind/applygrouppolicies.xml create mode 100644 source3/winbindd/winbindd_gpupdate.c delete mode 100644 source4/dsdb/gpo/gpo_update.c Changeset truncated at 500 lines: diff --git a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml index 22a4216..147751b 100644 --- a/docs-xml/smbdotconf/domain/gpoupdatecommand.xml +++ b/docs-xml/smbdotconf/domain/gpoupdatecommand.xml 
@@ -5,10 +5,12 @@ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> <description> <para>This option sets the command that is called to apply GPO policies. - The samba_gpoupdate script applies System Access and Kerberos Policies. - System Access policies set minPwdAge, maxPwdAge, minPwdLength, and - pwdProperties in the samdb. Kerberos Policies set kdc:service ticket lifetime, - kdc:user ticket lifetime, and kdc:renewal lifetime in smb.conf. + The samba_gpoupdate script applies System Access and Kerberos Policies + to the KDC, or Environment Variable policies to client machines. System + Access policies set minPwdAge, maxPwdAge, minPwdLength, and + pwdProperties in the samdb. Kerberos Policies set kdc:service ticket + lifetime, kdc:user ticket lifetime, and kdc:renewal lifetime in + smb.conf. </para> </description> diff --git a/docs-xml/smbdotconf/winbind/applygrouppolicies.xml b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml new file mode 100644 index 0000000..67baa0d --- /dev/null +++ b/docs-xml/smbdotconf/winbind/applygrouppolicies.xml @@ -0,0 +1,19 @@ +<samba:parameter name="apply group policies" + context="G" + type="boolean" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>This option controls whether winbind will execute the gpupdate + command defined in <smbconfoption name="gpo update command"/> on the + Group Policy update interval. The Group Policy update interval is + defined as every 90 minutes, plus a random offset between 0 and 30 + minutes. This applies Group Policy Machine polices to the client or + KDC and machine policies to a server. + </para> + +</description> + +<value type="default">no</value> +<value type="example">yes</value> +</samba:parameter> diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index f265459..7854f57 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2734,6 +2734,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba_gpoupdate", dyn_SCRIPTSBINDIR); + lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False"); lpcfg_do_global_parameter_var(lp_ctx, "dns update command", "%s/samba_dnsupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "spn update command", "%s/samba_spnupdate", dyn_SCRIPTSBINDIR); lpcfg_do_global_parameter_var(lp_ctx, "samba kcc command", diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py index 00330eb..33c9001 100644 --- a/python/samba/gpclass.py +++ b/python/samba/gpclass.py @@ -19,19 +19,12 @@ import sys import os import tdb sys.path.insert(0, "bin/python") -import samba.gpo as gpo -import optparse -import ldb -from samba.auth import system_session -import samba.getopt as options -from samba.samdb import SamDB -from samba.netcmd import gpo as gpo_user -import codecs from samba import NTSTATUSError from ConfigParser import ConfigParser from StringIO import StringIO from abc import ABCMeta, abstractmethod import xml.etree.ElementTree as etree +import re try: from enum import Enum 
@@ -217,12 +210,19 @@ class gp_log: exts = guid_obj.findall('gp_ext') if exts is not None: for ext in exts: - ext_map = {val[0]: val[1] for (key, val) in \ - data_maps[ext.attrib['name']].items()} attrs = ext.findall('attribute') for attr in attrs: - ret.append((attr.attrib['name'], attr.text, - ext_map[attr.attrib['name']])) + func = None + if attr.attrib['name'] in data_maps[ext.attrib['name']]: + func = data_maps[ext.attrib['name']]\ + [attr.attrib['name']][-1] + else: + for dmap in data_maps[ext.attrib['name']].keys(): + if data_maps[ext.attrib['name']][dmap][0] == \ + attr.attrib['name']: + func = data_maps[ext.attrib['name']][dmap][-1] + break + ret.append((attr.attrib['name'], attr.text, func)) return ret def delete(self, gp_ext_name, attribute): diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 628f4f1..c161ee0 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -616,7 +616,7 @@ sub provision_raw_step1($$) rndc command = true dns update command = $ctx->{samba_dnsupdate} spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf} - gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb + gpo update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_gpoupdate -s $ctx->{smb_conf} -H $ctx->{privatedir}/sam.ldb --machine dreplsrv:periodic_startup_interval = 0 dsdb:schema update allowed = yes diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index f1f453e..096c23f 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c @@ -923,6 +923,8 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) Globals.gpo_update_command = str_list_make_v3_const(NULL, s, NULL); TALLOC_FREE(s); + Globals.apply_group_policies = false; + s = talloc_asprintf(talloc_tos(), "%s/samba_spnupdate", get_dyn_SCRIPTSBINDIR()); if (s == NULL) { smb_panic("init_globals: ENOMEM"); 
diff --git a/source3/winbindd/winbindd.c b/source3/winbindd/winbindd.c index 5326737..0a8d146 100644 --- a/source3/winbindd/winbindd.c +++ b/source3/winbindd/winbindd.c @@ -1790,6 +1790,8 @@ int main(int argc, const char **argv) daemon_ready("winbindd"); } + gpupdate_init(); + /* Loop waiting for requests */ while (1) { frame = talloc_stackframe(); diff --git a/source3/winbindd/winbindd_gpupdate.c b/source3/winbindd/winbindd_gpupdate.c new file mode 100644 index 0000000..48ebb55 --- /dev/null +++ b/source3/winbindd/winbindd_gpupdate.c 
@@ -0,0 +1,116 @@ +/* + * Unix SMB/CIFS implementation. + * Group Policy Update event for winbindd + * Copyright (C) David Mulder 2017 + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, see <http://www.gnu.org/licenses/>. + */ +#include "includes.h" +#include "param/param.h" +#include "param/loadparm.h" +#include "winbindd.h" + +/* + * gpupdate_interval() + * return Random integer between 5400 and 7200, the group policy update + * interval in seconds + * + * Group Policy should be updated every 90 minutes in the background, + * with a random offset between 0 and 30 minutes. This ensures mutiple + * clients will not update at the same time. 
+ */ +#define GPUPDATE_INTERVAL (90*60) +#define GPUPDATE_RAND_OFFSET (30*60) +static uint32_t gpupdate_interval(void) +{ + int rand_int_offset = rand() % GPUPDATE_RAND_OFFSET; + return GPUPDATE_INTERVAL+rand_int_offset; +} + +struct gpupdate_state { + TALLOC_CTX *ctx; + struct loadparm_context *lp_ctx; +}; + +static void gpupdate_callback(struct tevent_context *ev, + struct tevent_timer *tim, + struct timeval current_time, + void *private_data) +{ + struct tevent_timer *time_event; + struct timeval schedule; + struct tevent_req *req = NULL; + struct gpupdate_state *data = + talloc_get_type_abort(private_data, struct gpupdate_state); + const char *const *gpupdate_cmd = + lpcfg_gpo_update_command(data->lp_ctx); + const char *smbconf = lp_default_path(); + + /* Execute gpupdate */ + req = samba_runcmd_send(data->ctx, ev, timeval_zero(), 2, 0, + gpupdate_cmd, + "-s", + smbconf, + "--machine", + "--machine-pass", + NULL); + if (req == NULL) { + DEBUG(0, ("Failed to execute the gpupdate command\n")); + return; + } + + /* Schedule the next event */ + schedule = tevent_timeval_current_ofs(gpupdate_interval(), 0); + time_event = tevent_add_timer(ev, data->ctx, schedule, + gpupdate_callback, data); + if (time_event == NULL) { + DEBUG(0, ("Failed scheduling the next gpupdate event\n")); + } +} + +void gpupdate_init(void) +{ + struct tevent_timer *time_event; + struct timeval schedule; + TALLOC_CTX * ctx = talloc_new(server_event_context()); + struct gpupdate_state *data = talloc(ctx, struct gpupdate_state); + struct loadparm_context *lp_ctx = + loadparm_init_s3(NULL, loadparm_s3_helpers()); + + /* + * Check if gpupdate is enabled for winbind, if not + * return without scheduling any events. + */ + if (!lpcfg_apply_group_policies(lp_ctx)) { + return; + } + + /* + * Execute the first event immediately, future events + * will execute on the gpupdate interval, which is every + * 90 to 120 minutes (at random). 
+ */ + schedule = tevent_timeval_current_ofs(0, 0); + data->ctx = ctx; + data->lp_ctx = lp_ctx; + if (data->lp_ctx == NULL) { + smb_panic("Could not load smb.conf\n"); + } + time_event = tevent_add_timer(server_event_context(), data->ctx, + schedule, gpupdate_callback, data); + if (time_event == NULL) { + DEBUG(0, ("Failed scheduling the gpupdate event\n")); + } +} + diff --git a/source3/winbindd/winbindd_proto.h b/source3/winbindd/winbindd_proto.h index 39cdef5..9a52f6a 100644 --- a/source3/winbindd/winbindd_proto.h +++ b/source3/winbindd/winbindd_proto.h @@ -942,4 +942,7 @@ NTSTATUS wb_irpc_register(void); /* The following definitions come from winbindd/winbindd_reconnect.c */ bool reconnect_need_retry(NTSTATUS status, struct winbindd_domain *domain); +/* The following definitions come from winbindd/winbindd_gpupdate.c */ +void gpupdate_init(void); + #endif /* _WINBINDD_PROTO_H_ */ diff --git a/source3/winbindd/wscript_build b/source3/winbindd/wscript_build index 51264e9..48250ea 100644 --- a/source3/winbindd/wscript_build +++ b/source3/winbindd/wscript_build @@ -254,7 +254,8 @@ bld.SAMBA3_BINARY('winbindd', winbindd_pam_logoff.c winbindd_pam_chauthtok.c winbindd_pam_auth_crap.c - winbindd_pam_chng_pswd_auth_crap.c''', + winbindd_pam_chng_pswd_auth_crap.c + winbindd_gpupdate.c''', deps=''' talloc tevent diff --git a/source4/dsdb/gpo/gpo_update.c b/source4/dsdb/gpo/gpo_update.c deleted file mode 100644 index 997e97e..0000000 --- a/source4/dsdb/gpo/gpo_update.c +++ /dev/null 
@@ -1,193 +0,0 @@ -/* - Unix SMB/CIFS mplementation. - GPO update service - - Copyright (C) Luke Morrison 2013 - - Inspired by dns_updates.c written by Andrew Trigell 2009 - - This program is free software; you can redistribute it and/or modify - it under the terms of the GNU General Public License as published by - the Free Software Foundation; either version 3 of the License, or - (at your option) any later version. - - This program is distributed in the hope that it will be useful, - but WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - GNU General Public License for more details. - - You should have received a copy of the GNU General Public License - along with this program. If not, see <http://www.gnu.org/licenses/ - -*/ - -#include "includes.h" -#include "dsdb/samdb/samdb.h" -#include "auth/auth.h" -#include "smbd/service.h" -#include "lib/messaging/irpc.h" -#include "param/param.h" -#include "system/filesys.h" -#include "dsdb/common/util.h" -#include "libcli/composite/composite.h" -#include "libcli/security/dom_sid.h" -#include "librpc/gen_ndr/ndr_irpc.h" -#include "libds/common/roles.h" - -struct gpoupdate_service { - struct auth_session_info *system_session_info; - struct task_server *task; - - /* status for periodic sysvol/GPO scan update - >sysvscan */ - struct { - uint32_t interval; - struct tevent_timer *te; - struct tevent_req *subreq; - NTSTATUS status; - } sysvscan; -}; - -/* -Called when the sysvol scan has finished -*/ -static void gpoupdate_sysvscan_done(struct tevent_req *subreq) -{ - struct gpoupdate_service *service = tevent_req_callback_data(subreq, - struct - gpoupdate_service); - int ret; - int sys_errno; - - service->sysvscan.subreq = NULL; - - ret = samba_runcmd_recv(subreq, &sys_errno); - TALLOC_FREE(subreq); - if (ret != 0) { - service->sysvscan.status = - map_nt_error_from_unix_common(sys_errno); - } else { - service->sysvscan.status = NT_STATUS_OK; - } - - if 
(!NT_STATUS_IS_OK(service->sysvscan.status)) { - DEBUG(0, (__location__ ": Failed GPO update - %s\n", - nt_errstr(service->sysvscan.status))); - } else { - DEBUG(3, ("Completed GPO update check OK\n")); - } -} - -static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service); - -static void gpoupdate_scan_apply(struct gpoupdate_service *service); - -static void gpoupdate_sysvscan_handler_te(struct tevent_context *ev, - struct tevent_timer *te, - struct timeval t, void *ptr) -{ - struct gpoupdate_service *service = - talloc_get_type(ptr, struct gpoupdate_service); - - gpoupdate_scan_apply(service); - gpoupdate_sysvscan_schedule(service); -} - -static NTSTATUS gpoupdate_sysvscan_schedule(struct gpoupdate_service *service) -{ - /* - * This is configured, default to 900 sec (15 mins) in - * gpoupdate_task_init via gpoupdate:config interval - */ - service->sysvscan.te = - tevent_add_timer(service->task->event_ctx, service, - timeval_current_ofs(service->sysvscan.interval, 0), - gpoupdate_sysvscan_handler_te, service); - NT_STATUS_HAVE_NO_MEMORY(service->sysvscan.te); - return NT_STATUS_OK; -} - -static void gpoupdate_scan_apply(struct gpoupdate_service *service) -{ - const char *const *gpo_update_command = - lpcfg_gpo_update_command(service->task->lp_ctx); - const char *smbconf = lpcfg_configfile(service->task->lp_ctx); - TALLOC_FREE(service->sysvscan.subreq); - DEBUG(3, ("Calling GPO update script\n")); - service->sysvscan.subreq = samba_runcmd_send(service, - service->task->event_ctx, - timeval_current_ofs(20, 0), - 2, 0, - gpo_update_command, - smbconf, NULL); - if (service->sysvscan.subreq == NULL) { - DEBUG(0, - (__location__ - ": samba_runcmd_send() failed with no memory\n")); - return; - } - tevent_req_set_callback(service->sysvscan.subreq, - gpoupdate_sysvscan_done, service); -} - -static void gpoupdate_task_init(struct task_server *task) -{ - NTSTATUS status; - struct gpoupdate_service *service; - - if (lpcfg_server_role(task->lp_ctx) != 
ROLE_ACTIVE_DIRECTORY_DC) { - /* not useful for non-DC */ - return; - } - - task_server_set_title(task, "task[gpoupdate]"); - - service = talloc_zero(task, struct gpoupdate_service); - if (!service) { - task_server_terminate(task, - "gpoupdate_task_init: out of memory", - true); - return; - } - service->task = task; - task->private_data = service; - - service->system_session_info = system_session(service->task->lp_ctx); - if (!service->system_session_info) { - task_server_terminate(task, - "gpoupdate: Failed to obtain server " - "credentials\n", - true); - return; - } - - service->sysvscan.interval = lpcfg_parm_int(task->lp_ctx, NULL, - "gpoupdate", - "config interval", - 900); /* in seconds */ - status = gpoupdate_sysvscan_schedule(service); - if (!NT_STATUS_IS_OK(status)) { - task_server_terminate(task, - talloc_asprintf(task, - "gpoupdate: Failed to update " - "sysvol scan schedule: %s\n", - nt_errstr(status)), - true); - return; - } -} - -NTSTATUS server_service_gpoupdate_init(TALLOC_CTX *ctx); - -/* - register ourselves as a available server -*/ -NTSTATUS server_service_gpoupdate_init(TALLOC_CTX *ctx) -{ - struct service_details details = { - .inhibit_fork_on_accept = true, - .inhibit_pre_fork = true - }; - return register_server_service(ctx, "gpoupdate", - gpoupdate_task_init, - &details); -} diff --git a/source4/dsdb/wscript_build b/source4/dsdb/wscript_build index 328497c..29c6f0e 100644 --- a/source4/dsdb/wscript_build +++ b/source4/dsdb/wscript_build @@ -62,15 +62,6 @@ bld.SAMBA_MODULE('service_dns_update', enabled=bld.AD_DC_BUILD_IS_ENABLED() ) -- Samba Shared Repository
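Review bot: the net change to docs-xml/smbdotconf/domain/gpoupdatecommand.xml adds the phrase "or Environment Variable policies to client machines", yet the first commit in this push is titled "docs: Remove reference to environment variables for now"; please confirm the text that ends up on master is the intended one, because the option description still advertises a policy type the push says it is removing the reference to.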
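Review bot: in the new docs-xml/smbdotconf/winbind/applygrouppolicies.xml the closing sentence "This applies Group Policy Machine polices to the client or KDC and machine policies to a server." has a typo ("polices") and says "machine policies" twice, so a reader cannot tell what differs between the client/KDC case and the server case; if the intent is that machine policy is applied whatever the host's role, one sentence such as "This applies Group Policy machine policies to the client, server or KDC." would be clearer. The 90-minute interval plus a 0 to 30 minute random offset does match the constants in winbindd_gpupdate.c.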
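Review bot: in lib/param/loadparm.c the new default `lpcfg_do_global_parameter_var(lp_ctx, "apply group policies", "False");` calls the printf-style `_var` helper with a literal value and no format arguments; the neighbouring non-templated defaults (e.g. "winbindd socket directory") use `lpcfg_do_global_parameter(...)`, and only the "%s/samba_..." entries use `_var`, so use the plain variant here for consistency and to keep a fixed string out of a format-string parameter.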
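Review bot: the import hunk in python/samba/gpclass.py drops `samba.gpo`, `optparse`, `ldb`, `system_session`, `samba.getopt`, `SamDB`, `samba.netcmd.gpo` and `codecs` and adds `re`; the rest of the file is not in this changeset, so please confirm (pyflakes over the file is enough) that none of the removed names is still referenced, since a NameError there would only surface at runtime on the affected policy path, and that `re` is actually used somewhere in the module.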
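Review bot: in the gp_log hunk of python/samba/gpclass.py, when an attribute name matches neither a key nor a `[0]` entry of `data_maps[ext.attrib['name']]`, `func` stays `None` and `(name, text, None)` is still appended, so a caller that invokes the third element will fail with a TypeError; either skip or log unknown attributes here, or document that callers must check for `None`. Readability: the three-level indexing split across backslash continuations (`data_maps[ext.attrib['name']]\` / `[attr.attrib['name']][-1]`) and the repeated `data_maps[ext.attrib['name']][dmap]` lookups in the fallback loop would read better with a local `dmap = data_maps[ext.attrib['name']]` taken once per extension.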
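Review bot: in selftest/target/Samba4.pm the gpo update command now passes `--machine` only, whereas the winbindd caller in source3/winbindd/winbindd_gpupdate.c invokes the script with `--machine --machine-pass`; if the selftest is meant to exercise the same invocation as production winbindd, align the arguments, otherwise a short comment on why the selftest omits `--machine-pass` would help the next reader.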
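Review bot: in source3/winbindd/winbindd.c, `gpupdate_init()` is called after `daemon_ready()` and returns void, so a failure to arm the timer is only visible as a DEBUG(0) line while winbindd carries on as if policy were being applied; consider having it return a bool and logging at startup whether the gpupdate timer was armed, so an operator can confirm from the log that `apply group policies = yes` took effect.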
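Review bot: in the new source3/winbindd/winbindd_gpupdate.c the `samba_runcmd_send()` request in `gpupdate_callback()` is never completed: no `tevent_req_set_callback()` and no `samba_runcmd_recv()`, so the script's exit status and stderr are never logged and each request, allocated on the long-lived `data->ctx`, is never freed, accumulating one per run. The deleted gpo_update.c handled both (freed the previous subreq, collected the result in `gpoupdate_sysvscan_done` and logged failures) and also passed a 20 s deadline, whereas `timeval_zero()` here leaves a hung samba_gpoupdate unreaped; please carry that handling over. Smaller points in the same file: `rand()` is never seeded in winbindd and `% GPUPDATE_RAND_OFFSET` is biased, so Samba's `generate_random()` would be a better source for the offset; in `gpupdate_init()` `lp_ctx` is dereferenced by `lpcfg_apply_group_policies()` before the `data->lp_ctx == NULL` check, so the check should move up to just after `loadparm_init_s3()`; `talloc(ctx, struct gpupdate_state)` is not NULL-checked; `ctx` is leaked on the early return when the option is off; and "mutiple" in the header comment should be "multiple".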
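Review bot: deleting source4/dsdb/gpo/gpo_update.c also removes the `gpoupdate:config interval` parametric option (default 900 s) and the `ROLE_ACTIVE_DIRECTORY_DC` check that confined the service to a DC, while the winbindd replacement hardcodes a 90 to 120 minute interval with no tunable and runs on any winbindd with `apply group policies = yes`; if that is intended, the smb.conf documentation for "gpo update command" or the release notes should say that `gpoupdate:config interval` no longer does anything, so existing configurations are not silently ignored.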