
[Samba] Is Server-side GPO Configuration possible? (for logon script)


John

Feb 26, 2015, 6:20:03 AM

Is it possible to make GPO changes from the server (i.e. without using
Windows) ?

I would like to include some configuration in my build-out script and
wonder if it is possible. Specifically, I am trying to provide a logon
script. Here's what I know.

1. I can identify the correct GPO GUID object using "samba-tool gpo
listall" or with something like this

$ ldbsearch -H /var/lib/samba/private/sam.ldb displayName="Default Domain Policy" name | grep '^name:' | cut -d' ' -f2

2. I then write my "logon.bat" script, chmod 755, to

/var/lib/samba/sysvol/<domain>/Policies/{<GPO GUID>}/USER/Scripts/Logon/logon.bat

3. Enabling the script on windows (with the "Group Policy Management"
tool) alters the following files:

(a) /var/lib/samba/private/sam.ldb
(b) /var/lib/samba/private/sam.ldb.d/DC=MYDOMAIN,DC=CO,DC=UK.ldb

The change in (a) adds a GUID to "gPCUserExtensionNames" within object
DN "CN={<GPO GUID>},CN=Policies,CN=System,DC=mydomain...."

A similar change is made in (b) , plus "replPropertyMetaData" is
altered. This I can view using "ldp.exe" on Windows but I don't
understand it.

There may be other things that happen that I am unaware of. I am
stopping myself from delving in further and reverse-engineering it!

I'd like to be able to script the GPO changes to enable the logon
script. I've looked at "samba-tool gpo" but wonder if this is at all
possible?

If this is documented anywhere please let me know - I couldn't find
anything about doing GPO configuration on the server.
(I found a question on the ML
https://lists.samba.org/archive/samba/2013-March/172079.html but it just
points the OP to ADUC tool on Windows)

TIA

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
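
Added example (editor's note, not part of the thread and not Samba project code): the three server-side steps John lists above, driven from a shell on the DC. It writes scripts.ini and GPT.INI under the GPO directory, bumps the user half of the 32-bit version counter, and prints the LDIF for the gPCUserExtensionNames/versionNumber change he observed instead of applying it, so the change can be reviewed before ldbmodify runs. Assumptions: the sysvol layout from the post; root on the DC; that gPCUserExtensionNames is empty on a freshly provisioned domain (a non-empty value is merged and kept sorted by GUID, which is how the Windows tools order it, but verify against a GPO Windows has already edited); the GUID pair is the well-known "Scripts" client-side extension and its MMC snap-in extension; scripts.ini is written as ASCII with CRLF line endings, whereas Windows itself writes it as UTF-16LE.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): enable a user
# logon script in a Samba-hosted GPO from the DC's shell. Emits the LDIF
# for ldbmodify instead of applying it, so the change can be reviewed.
set -eu

# Well-known GUID pair for the "Scripts" client-side extension and its
# MMC snap-in extension; this is the entry GPMC adds to gPCUserExtensionNames.
SCRIPTS_EXT='[{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}]'

# versionNumber packs two 16-bit counters: low word = computer, high word = user.
# A logon script is a user-side setting, so only the user half is bumped.
gpo_version_bump_user() {    # CURRENT_VERSION -> NEW_VERSION
    cur=$1
    comp=$(( cur % 65536 ))
    user=$(( (cur / 65536 + 1) % 65536 ))
    echo $(( user * 65536 + comp ))
}

# Read Version= from GPT.INI (CRLF tolerant); a missing file or value counts as 0.
read_gpt_version() {    # GPO_DIR
    v=0
    if [ -f "$1/GPT.INI" ]; then
        v=$(tr -d '\r' < "$1/GPT.INI" | sed -n 's/^[Vv]ersion=//p' | head -n 1)
    fi
    echo "${v:-0}"
}

write_gpt_ini() {    # GPO_DIR VERSION
    printf '[General]\r\nVersion=%s\r\n' "$2" > "$1/GPT.INI"
}

# scripts.ini is what the client reads to find the logon script; the script
# itself lives in USER/Scripts/Logon next to it. Written as ASCII with CRLF
# (assumption: Windows itself writes this file as UTF-16LE).
write_scripts_ini() {    # GPO_DIR SCRIPT_FILENAME
    mkdir -p "$1/USER/Scripts/Logon"
    printf '[Logon]\r\n0CmdLine=%s\r\n0Parameters=\r\n' "$2" > "$1/USER/Scripts/scripts.ini"
}

# Add the Scripts pair to an existing gPCUserExtensionNames value without
# duplicating it, keeping the [{cse}{snapin}] entries sorted by GUID as the
# Windows tools do (assumed ordering; on a fresh provision the value is empty).
merge_ext_names() {    # EXISTING_VALUE
    printf '%s%s' "$1" "$SCRIPTS_EXT" | tr ']' '\n' | sed 's/^\[//' \
        | grep -v '^$' | LC_ALL=C sort -u | sed 's/.*/[&]/' | tr -d '\n'
}

# LDIF mirroring what GPMC changed on the groupPolicyContainer object.
build_ldif() {    # GPO_DN NEW_VERSION EXT_NAMES
    printf 'dn: %s\nchangetype: modify\nreplace: versionNumber\nversionNumber: %s\n-\nreplace: gPCUserExtensionNames\ngPCUserExtensionNames: %s\n-\n' "$1" "$2" "$3"
}

# enable_logon_script GPO_DIR GPO_DN SCRIPT [EXISTING_EXT_NAMES]
# Updates the files under sysvol and prints the LDIF for the AD side.
# Clients compare the AD versionNumber with GPT.INI, so both move together.
enable_logon_script() {
    dir=$1; dn=$2; script=$3; existing=${4:-}
    newver=$(gpo_version_bump_user "$(read_gpt_version "$dir")")
    write_scripts_ini "$dir" "$script"
    write_gpt_ini "$dir" "$newver"
    build_ldif "$dn" "$newver" "$(merge_ext_names "$existing")"
}

# Usage on the DC as root, {GUID} being the value from the ldbsearch above:
#   enable_logon_script /var/lib/samba/sysvol/mydomain.co.uk/Policies/{GUID} \
#       'CN={GUID},CN=Policies,CN=System,DC=mydomain,DC=co,DC=uk' logon.bat > gpo.ldif
#   ldbmodify -H /var/lib/samba/private/sam.ldb gpo.ldif
#   samba-tool ntacl sysvolreset
```

Write logon.bat into USER/Scripts/Logon first, then run the function, apply the LDIF with ldbmodify against sam.ldb (the replication metadata John saw in replPropertyMetaData is maintained by the Samba ldb modules on that write), and finish with samba-tool ntacl sysvolreset so the new files get the proper SYSVOL ACLs. Anything in USER/Scripts/Logon runs on every client at logon, so check the result with samba-tool ntacl get on logon.bat and scripts.ini and make sure only administrators can write them.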

Marc Muehlfeld

Feb 26, 2015, 12:10:03 PM

Hello John,

On 26.02.2015 at 12:17, John wrote:
> Is it possible to make GPO changes from the server (i.e. without using
> Windows) ?

No. There's no tool for *nix to edit GPOs. At least I've never seen
one. :-)


Regards,
Marc

John

Feb 27, 2015, 3:50:04 AM

On 26/02/15 16:54, Marc Muehlfeld wrote:
> Hello John,
>
> On 26.02.2015 at 12:17, John wrote:
>> Is it possible to make GPO changes from the server (i.e. without using
>> Windows) ?
> No. There's no tool for *nix to edit GPOs. At least I've never seen
> one. :-)
>
>
> Regards,
> Marc
>
Shame, that. But I kind of expected that to be the answer.

I guess the next best thing is to script it on Windows. Provide a script
(perhaps in sysvol/scripts) that can be run on a windows box as a domain
admin to finish the configuration. I guess this would be a Windows
PowerShell script.

Here I go off into unknown waters. Has anyone done this that could
provide some insight?

Denis Cardon

Feb 27, 2015, 8:30:04 AM

Hi John

> On 26/02/15 16:54, Marc Muehlfeld wrote:
>> Hello John,
>>
>> On 26.02.2015 at 12:17, John wrote:
>>> Is it possible to make GPO changes from the server (i.e. without using
>>> Windows) ?
>> No. There's no tool for *nix to edit GPOs. At least I've never seen
>> one. :-)
>>
>>
>> Regards,
>> Marc
>>
> Shame, that. But I kind of expected that to be the answer.
>
> I guess the next best thing is to script it on Windows. Provide a script
> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
> admin to finish the configuration. I guess this would be a Windows
> PowerShell script.
>
> Here I go off into unknown waters. Has anyone done this that could
> provide some insight?

I don't know how much there is in common between local GPO and domain
GPO, but I had to dive into the local GPO subject for another piece of
software I am working on [1]. If you don't want the GUI and PowerShell,
the documentation is really scarce and most code samples you can find
don't properly create the GPO. You can check out our local GPO code here:

https://github.com/tranquilit/WAPT/blob/master/setuphelpers.py#L1340

Hope this helps,

Denis

[1] WAPT, Windows apt-get :
http://dev.tranquil.it/wiki/WAPT_-_apt-get_pour_Windows (sorry, website
is in French, but comments in the code are in English :-)

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil-it-systems.fr

Marc Muehlfeld

Feb 27, 2015, 9:50:03 AM

On 27.02.2015 at 09:42, John wrote:
> Shame, that. But I kind of expected that to be the answer.
>
> I guess the next best thing is to script it on Windows. Provide a script
> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
> admin to finish the configuration. I guess this would be a Windows
> PowerShell script.
>
> Here I go off into unknown waters. Has anyone done this that could
> provide some insight?


What is your final goal?

You said you want to provide a logon script. This is possible without
GPO if you put it in the netlogon share and mention it in each user's
account settings. But GPO based logon scripts also work.

I don't understand, why you want to script now something in windows?



Regards,
Marc

John

Feb 27, 2015, 10:10:05 AM

On 27/02/15 14:34, Marc Muehlfeld wrote:
> On 27.02.2015 at 09:42, John wrote:
>> Shame, that. But I kind of expected that to be the answer.
>>
>> I guess the next best thing is to script it on Windows. Provide a script
>> (perhaps in sysvol/scripts) that can be run on a windows box as a domain
>> admin to finish the configuration. I guess this would be a Windows
>> PowerShell script.
>>
>> Here I go off into unknown waters. Has anyone done this that could
>> provide some insight?
>
> What is your final goal?
>
> You said you want to provide a logon script. This is possible without
> GPO if you put it to the netlogon share and mention it in each users
> account settings. But GPO based logon scripts also work.
>
> I don't understand, why you want to script now something in windows?
>
I have a logon script and I can manually activate it using the Windows tools
(see this screenshot: http://i.imgur.com/84pBo8e.png).

I am building a scripted install of Samba AD DS that sets up a new
server. This is performed on a Linux machine and deploys a preconfigured
new server.

I want that scripted install to do absolutely everything necessary to
produce a final working system that end-users can log in to.

The server has a login script that sets up the user environment upon
login. Right now, this just sets up some shares but it could be used for
other things.
(example:
\\<mydomain>\sysvol\<mydomain>\Policies\{<guid>}\USER\Scripts\Logon\logon.bat)

The login script needs to be activated (not sure if that's the right
term?) in the GPO. This needs to be done manually using the tools
depicted in the screen-shot.

I am using GPO rather than per-user account settings because it is the
cleaner approach hopefully requiring less maintenance.

I ideally want to do the script activation as part of the scripted
install so that no further action is required.

However, it does not appear to be possible to do that directly on the
Samba server. So the next best thing is to provide a configuration
script that can be run by an administrator on the new server before
regular users log in. This script would perform the tasks that currently
need to be done by hand via the GUI.

So that's what I want to do - provide a script to install a logon script
without having to use the Windows GUI. Ideally I would do this
server-side but a script to be run by an administrator on Windows is an
acceptable compromise.

Does that explain it ok?

Thanks for trying to help,
John

Marc Muehlfeld

Feb 27, 2015, 11:50:03 AM

Hello John,
OK. Things are getting clearer now.


Should the logon script be part of the Default Domain policy? This one
always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
configure your stuff and then copy the content from one DC to a new one.
But reset the ACLs afterwards!

If it's not the Default Domain Policy, I think it's not possible to
script this on the *nix side in an easy way. You need to create directory
entries, set directory ACLs etc.

John

Feb 27, 2015, 2:20:03 PM

On 27/02/15 16:39, Marc Muehlfeld wrote:

Thanks Marc for taking the time to reply.
> OK. Things are getting clearer now.
>
>
> Should the logon script be part of the Default Domain policy? This one
> always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
> configure your stuff and then copy the content from one DC to a new one.
> But reset the ACLs afterwards!
It is that GUID indeed. I am not sure how I would copy the content from
the DC, however.

Not being a Windows person, my natural inclination would be to do it
server-side: somehow diff the before and after ldbs and get an LDIF for
ldbmodify.
There's probably a better way however and I am getting beyond my
knowledge. I may have to accept that you just can't do the things in the
windows world that you can on the good-old *nix command line ;)

John

Marc Muehlfeld

Feb 27, 2015, 2:20:03 PM

On 27.02.2015 at 20:11, John wrote:
>> Should the logon script be part of the Default Domain policy? This one
>> always has the same GUID (31B2F340-016D-11D2-945F-00C04FB984F9). You can
>> configure your stuff and then copy the content from one DC to a new one.
>> But reset the ACLs afterwards!
>
> It is that GUID indeed. I am not sure how I would copy the content from
> the DC, however.

Tar the sysvol content below the domain directory and ship it with your
script. After the provision your script unpacks it and resets the ACLs.

If you don't change the ACLs on the Default Domain Policy, there's
nothing stored inside the AD, if I'm right.


Regards,
Marc
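
Marc's two replies above (the Default Domain Policy GUID is fixed, so configure it once, tar the sysvol subtree, ship it, unpack it on the new DC and reset the ACLs) as an added shell example. This is the editor's code, not Marc's and not Samba's; it assumes the sysvol path layout from the thread, that the tarball is unpacked as root on the new DC, and that samba-tool ntacl sysvolreset is run straight afterwards.

```shell
#!/bin/sh
# Added example (not from the thread or the Samba project): ship a
# preconfigured Default Domain Policy to a freshly provisioned Samba DC.
set -eu

# The Default Domain Policy has this GUID in every domain.
DDP_GUID='{31B2F340-016D-11D2-945F-00C04FB984F9}'

# pack_ddp SYSVOL_DOMAIN_DIR OUT_TAR
# Archives Policies/{DDP} from e.g. /var/lib/samba/sysvol/mydomain.co.uk.
# Plain tar carries file content and POSIX modes only; the NT ACLs Samba
# keeps in extended attributes are not carried and are recreated on the
# target by reset_sysvol_acls.
pack_ddp() {
    tar -C "$1" -cf "$2" "Policies/$DDP_GUID"
}

# unpack_ddp TAR SYSVOL_DOMAIN_DIR
# Lists the archive first and refuses anything outside Policies/{DDP}, so
# a stale or tampered tarball cannot drop files elsewhere in sysvol.
unpack_ddp() {
    tar -tf "$1" | while IFS= read -r p; do
        case "$p" in
            "Policies/$DDP_GUID"|"Policies/$DDP_GUID"/*) ;;
            *) echo "refusing archive: unexpected path $p" >&2; exit 1 ;;
        esac
    done || return 1
    tar -C "$2" -xf "$1"
}

# reset_sysvol_acls: run on the DC as root after unpacking. sysvolreset
# rewrites the POSIX and NT ACLs for the whole sysvol tree (the unpacked
# files would otherwise keep whatever tar gave them); sysvolcheck verifies.
reset_sysvol_acls() {
    samba-tool ntacl sysvolreset
    samba-tool ntacl sysvolcheck
}

# On the configured DC:
#   pack_ddp /var/lib/samba/sysvol/mydomain.co.uk ddp.tar
# On the new DC, after samba-tool domain provision:
#   unpack_ddp ddp.tar /var/lib/samba/sysvol/mydomain.co.uk && reset_sysvol_acls
```

The tarball only covers the file side. The attribute changes John recorded in step 3 of his first message (gPCUserExtensionNames and versionNumber on the groupPolicyContainer object in sam.ldb) are not in it and still have to be applied on the new DC with ldbmodify, with versionNumber matching the Version= in the unpacked GPT.INI.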