I have found a bug with samba-tool gpo subcommand (tested on 4.7 and 4.9rc2)
When a gpo is unlinked from an OU object, if it was the last GPO on that object, then the last gplink attribut is not deleted but instead it leaves a gplink attribute with a value of ' ' (space character). This is the expected behavior and it is compliant with MS-AD behavior.
In different use cases, the netcmd/gpo.py script needs to do get the GPLink and check if the GPO exists, but if the value is ' ' (space), then it throw an Exception.
This causes several samba-tool gpo commands to crash.
You only see this issue if you happen to add, then delete all gpo on an OU. Otherwise one don't bump into this issue.
For example, in /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py, line 196, we have the following code where there is no check for "empty" gpLink attribute.
if 'gPLink' in msg:
gplist = parse_gplink(msg['gPLink'])
for g in gplist:
if g['dn'].lower() == gpo_dn.lower():
found = True
(In reply to Simon Fonteneau from comment #0)
Was there a patch to fix this? Accidentally missing a case that you spotted but I hadn't tested would be unfortunate.
1. No gpLink initially.
I created an OU: OU=test-OU-having-empty-gpLink,DC=atest,DC=com
Computer inside OU: CN=amitk-machine-4,OU=test-OU-having-empty-gpLink,DC=atest,DC=com
Initially gpLink is not present.
2. Added "Default Domain Controller Policy", "Default Domain Policy" to OU
3. Removed both GPOs from OU.
4. So, net ads gpo list amitk-machine-4$
listed "Default Domain Policy" + "Local Policy"
-> Though "Default Domain Policy" should not be listed.
5. My patch lists "Local Policy" only.
# /usr/local/samba/bin/samba-tool gpo list amitk-machine-4$
ERROR(runtime): uncaught exception - Badly formed gPLink ' '
File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 519, in run
glist = parse_gplink(str(msg['gPLink']))
File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 102, in parse_gplink
raise RuntimeError("Badly formed gPLink '%s'" % g)
Will look into and try sending patch!
Fix already present in samba-4.11.0
'''parse a gPLink into an array of dn and options'''
ret = 
if gplink.strip() == '':
We may add a informational print which will help the end user!!
if gplink.strip() == '':
print "gpLink is empty" <<<<<<<<<
Fixed in samba-4.11.0.