Bug 13564 - Exception thrown in samba-tool gpo subcommand when gplink has just a space character
Summary: Exception thrown in samba-tool gpo subcommand when gplink has just a space ch...
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.9.0rc1
Hardware: All Linux
: P5 normal (vote)
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Depends on:
Reported: 2018-08-07 13:57 UTC by Simon Fonteneau
Modified: 2019-06-27 16:38 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Simon Fonteneau 2018-08-07 13:57:00 UTC
I have found a bug with samba-tool gpo subcommand (tested on 4.7 and 4.9rc2)

When a gpo is unlinked from an OU object, if it was the last GPO on that object, then the last gplink attribut is not deleted but instead it leaves a gplink attribute with a value of ' ' (space character). This is the expected behavior and it is compliant with MS-AD behavior.

In different use cases, the netcmd/gpo.py script needs to do get the GPLink and check if the GPO exists, but if the value is ' ' (space), then it throw an Exception.

This causes several samba-tool gpo commands to crash.

You only see this issue if you happen to add, then delete all gpo on an OU. Otherwise one don't bump into this issue.


For example, in /usr/local/samba/lib/python2.7/site-packages/samba/netcmd/gpo.py, line 196, we have the following code where there is no check for "empty" gpLink attribute.

    if 'gPLink' in msg:
        gplist = parse_gplink(msg['gPLink'][0])
        for g in gplist:
            if g['dn'].lower() == gpo_dn.lower():
                found = True
Comment 1 Garming Sam 2018-10-18 03:32:32 UTC
(In reply to Simon Fonteneau from comment #0)

Was there a patch to fix this? Accidentally missing a case that you spotted but I hadn't tested would be unfortunate.

Comment 2 Amit Kumar 2019-06-26 12:12:53 UTC
1. No gpLink initially.
I created an OU: OU=test-OU-having-empty-gpLink,DC=atest,DC=com
Computer inside OU: CN=amitk-machine-4,OU=test-OU-having-empty-gpLink,DC=atest,DC=com

Initially gpLink is not present.

2. Added "Default Domain Controller Policy", "Default Domain Policy" to OU
gpLink populated:

3. Removed both GPOs from OU.
gpLink: ;

4. So, net ads gpo list amitk-machine-4$
listed "Default Domain Policy" + "Local Policy"
-> Though "Default Domain Policy" should not be listed.

5. My patch lists "Local Policy" only.

# /usr/local/samba/bin/samba-tool gpo list amitk-machine-4$
ERROR(runtime): uncaught exception - Badly formed gPLink ' '
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 519, in run
    glist = parse_gplink(str(msg['gPLink'][0]))
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 102, in parse_gplink
    raise RuntimeError("Badly formed gPLink '%s'" % g)

Will look into and try sending patch!
Comment 3 Amit Kumar 2019-06-27 07:00:41 UTC
Fix already present in samba-4.11.0

def parse_gplink(gplink):
    '''parse a gPLink into an array of dn and options'''
    ret = []

    if gplink.strip() == '':
        return ret

We may add a informational print which will help the end user!!

    if gplink.strip() == '':
        print "gpLink is empty"         <<<<<<<<<
        return ret
Comment 4 Jeremy Allison 2019-06-27 16:38:48 UTC
Fixed in samba-4.11.0.