Bug 13564 - Exception thrown in samba-tool gpo subcommand when gplink has just a space character
Summary: Exception thrown in samba-tool gpo subcommand when gplink has just a space ch...
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.9.0rc1
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2018-08-07 13:57 UTC by Simon Fonteneau
Modified: 2019-06-27 16:38 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Fonteneau 2018-08-07 13:57:00 UTC
I have found a bug with samba-tool gpo subcommand (tested on 4.7 and 4.9rc2)

When a gpo is unlinked from an OU object, if it was the last GPO on that object, then the last gplink attribut is not deleted but instead it leaves a gplink attribute with a value of ' ' (space character). This is the expected behavior and it is compliant with MS-AD behavior.

In different use cases, the netcmd/gpo.py script needs to do get the GPLink and check if the GPO exists, but if the value is ' ' (space), then it throw an Exception.

This causes several samba-tool gpo commands to crash.

You only see this issue if you happen to add, then delete all gpo on an OU. Otherwise one don't bump into this issue.

===============

For example, in /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py, line 196, we have the following code where there is no check for "empty" gpLink attribute.

    if 'gPLink' in msg:
        gplist = parse_gplink(msg['gPLink'][0])
        for g in gplist:
            if g['dn'].lower() == gpo_dn.lower():
                gplist.remove(g)
                found = True
                break
Comment 1 Garming Sam 2018-10-18 03:32:32 UTC
(In reply to Simon Fonteneau from comment #0)

Was there a patch to fix this? Accidentally missing a case that you spotted but I hadn't tested would be unfortunate.

Cheers.
Comment 2 Amit Kumar 2019-06-26 12:12:53 UTC
1. No gpLink initially.
I created an OU: OU=test-OU-having-empty-gpLink,DC=atest,DC=com
Computer inside OU: CN=amitk-machine-4,OU=test-OU-having-empty-gpLink,DC=atest,DC=com

Initially gpLink is not present.

2. Added "Default Domain Controller Policy", "Default Domain Policy" to OU
gpLink populated:
[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com;0]

3. Removed both GPOs from OU.
gpLink: ;

4. So, net ads gpo list amitk-machine-4$
listed "Default Domain Policy" + "Local Policy"
-> Though "Default Domain Policy" should not be listed.

5. My patch lists "Local Policy" only.
https://gitlab.com/samba-team/samba/merge_requests/579

6. 
# /usr/local/samba/bin/samba-tool gpo list amitk-machine-4$
ERROR(runtime): uncaught exception - Badly formed gPLink ' '
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 519, in run
    glist = parse_gplink(str(msg['gPLink'][0]))
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 102, in parse_gplink
    raise RuntimeError("Badly formed gPLink '%s'" % g)

Will look into and try sending patch!
Comment 3 Amit Kumar 2019-06-27 07:00:41 UTC
Fix already present in samba-4.11.0

def parse_gplink(gplink):
    '''parse a gPLink into an array of dn and options'''
    ret = []

    if gplink.strip() == '':
        return ret

We may add a informational print which will help the end user!!

    if gplink.strip() == '':
        print "gpLink is empty"         <<<<<<<<<
        return ret
Comment 4 Jeremy Allison 2019-06-27 16:38:48 UTC
Fixed in samba-4.11.0.