samba - Oct 2021 - Samba and Winbind Group Policy

On 10/4/21 5:01 PM, David Mulder via samba wrote:
> After some discussion about this on the mailing list, I decided to 
> update the outdated wiki page and mention it here. There is a great deal 
> that has changed since the last time I updated the 
> https://wiki.samba.org/index.php/Group_Policy page.
> There are currently 13 distinct policies, including smb.conf, addc 
> password/kerberos, scripts, files, symlinks, sudoers, messages 
> (motd/issue), pam access, certificate auto enrollment, firefox, 
> chrome/chromium, GNOME, and OpenSSH. And I'm not finished. I will try
to
> keep this page up-to-date in the future to avoid confusion.
> 
> FYI, the samba-gpupdate command *does* work when joined via either 
> winbind or sssd, so you can choose.
> 
This is great to know, amazing work. Do anyone know of someone working 
on a console based GPO editor. I remotely manage some small networks and 
it is becoming really painful to have to use remote desktop to fix some 
GPO some local sysadmin needs help, specially on small business Internet 
connections that tend to be saturated, and our country bad ISPs with 2MB 
"super mega fast" internet service.

Now that I see this kind of work, is there some documentation on the GPO 
file formats? Is the samba code base to parse them reusable enough to 
experiment building a console based GPO editor? I am starting to think I 
should invest some time on this.

On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
> 
> This is great to know, amazing work. Do anyone know of someone working 
> on a console based GPO editor. I remotely manage some small networks and 
> it is becoming really painful to have to use remote desktop to fix some 
> GPO some local sysadmin needs help, specially on small business Internet 
> connections that tend to be saturated, and our country bad ISPs with 2MB 
> "super mega fast" internet service.
> 
> Now that I see this kind of work, is there some documentation on the GPO 
> file formats? Is the samba code base to parse them reusable enough to 
> experiment building a console based GPO editor? I am starting to think I 
> should invest some time on this.
> 
I started work on a console based GPO editor: 
https://github.com/yast/yast2-gpmc and 
https://github.com/suse-samba-tools/admin-tools
It needs a lot of work though. I've only implemented a couple of 
policies, and last I checked, I couldn't even build/run the admin-tools. 
The gpmc still works under yast, but crashes in odd places.

As for documentation on file formats, there is none. And Group Policy is 
a mess (I've spent too much time in the guts of this). The majority of 
Group Policies are now implemented in reg_pol syntax though. Take a look 
at python/samba/gp_parse/gp_pol.py in the Samba source tree to see how 
to parse one of these. Those policies are stored in the Registry.pol 
file on the SYSVOL. There are also policies stored in ini files and xml 
files. These are easy to parse. The tough ones (such as software install 
policies) are stored in a mixture of locations, including random bits in 
LDAP.
The tough part about creating a console based editor, is how varied the 
Windows implementation is. Most recent policies are implemented using 
ADMX templates. These are relatively easy to parse, and you can create a 
UI based on the ADML presentation details. More confusing though, are 
the many hard coded policies into the GPMC, which have to be 
individually inspected to determine what they do. These hard coded 
policies include reg_pol, ini, xml, and ldap (from what I've observed). 
There are still some which I haven't ever determined what they do and 
how. I've confusingly come across a few which seem to do nothing at all.
If you want to implement a UI, I'd recommend just sticking to parsing 
the ADMX/ADML templates and ignore the rest of the mess.

One more note, if you start a project, let me know and I'll see what I 
can do to help!

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
  <http://www.suse.com/>

On 10/7/21 7:19 AM, Robert Marcano via samba wrote:
> 
> This is great to know, amazing work. Do anyone know of someone working 
> on a console based GPO editor. I remotely manage some small networks and 
> it is becoming really painful to have to use remote desktop to fix some 
> GPO some local sysadmin needs help, specially on small business Internet 
> connections that tend to be saturated, and our country bad ISPs with 2MB 
> "super mega fast" internet service.
> 
> Now that I see this kind of work, is there some documentation on the GPO 
> file formats? Is the samba code base to parse them reusable enough to 
> experiment building a console based GPO editor? I am starting to think I 
> should invest some time on this.
> 
I just remembered the folks at altlinux have also been working on a gpmc 
gui. Take a look at this project: https://github.com/altlinux/admc
That project builds both an aduc and gpmc.

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
  <http://www.suse.com/>