I have found a bug with samba-tool gpo subcommand (tested on 4.7 and 4.9rc2) When a gpo is unlinked from an OU object, if it was the last GPO on that object, then the last gplink attribut is not deleted but instead it leaves a gplink attribute with a value of ' ' (space character). This is the expected behavior and it is compliant with MS-AD behavior. In different use cases, the netcmd/gpo.py script needs to do get the GPLink and check if the GPO exists, but if the value is ' ' (space), then it throw an Exception. This causes several samba-tool gpo commands to crash. You only see this issue if you happen to add, then delete all gpo on an OU. Otherwise one don't bump into this issue. =============== For example, in /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py, line 196, we have the following code where there is no check for "empty" gpLink attribute. if 'gPLink' in msg: gplist = parse_gplink(msg['gPLink'][0]) for g in gplist: if g['dn'].lower() == gpo_dn.lower(): gplist.remove(g) found = True break
(In reply to Simon Fonteneau from comment #0) Was there a patch to fix this? Accidentally missing a case that you spotted but I hadn't tested would be unfortunate. Cheers.
1. No gpLink initially. I created an OU: OU=test-OU-having-empty-gpLink,DC=atest,DC=com Computer inside OU: CN=amitk-machine-4,OU=test-OU-having-empty-gpLink,DC=atest,DC=com Initially gpLink is not present. 2. Added "Default Domain Controller Policy", "Default Domain Policy" to OU gpLink populated: [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com;0] 3. Removed both GPOs from OU. gpLink: ; 4. So, net ads gpo list amitk-machine-4$ listed "Default Domain Policy" + "Local Policy" -> Though "Default Domain Policy" should not be listed. 5. My patch lists "Local Policy" only. https://gitlab.com/samba-team/samba/merge_requests/579 6. # /usr/local/samba/bin/samba-tool gpo list amitk-machine-4$ ERROR(runtime): uncaught exception - Badly formed gPLink ' ' File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 519, in run glist = parse_gplink(str(msg['gPLink'][0])) File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 102, in parse_gplink raise RuntimeError("Badly formed gPLink '%s'" % g) Will look into and try sending patch!
Fix already present in samba-4.11.0 def parse_gplink(gplink): '''parse a gPLink into an array of dn and options''' ret = [] if gplink.strip() == '': return ret We may add a informational print which will help the end user!! if gplink.strip() == '': print "gpLink is empty" <<<<<<<<< return ret
Fixed in samba-4.11.0.