Bug 13891 - net ads gpo refresh queries the wrong machine for site group policies.
Status: ASSIGNED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2019-04-08 20:44 UTC by Jeremy Allison
Modified: 2019-04-08 20:44 UTC (History)
Description Jeremy Allison 2019-04-08 20:44:10 UTC
net ads gpo refresh machinename

net_ads_gpo_refresh() calls:
    -> ads_find_samaccount()

on the passed in machinename to return the flags and dn from the LDAP query on:

(&(objectclass=user)(sAMAccountName="machinename"))

It then uses the returned dn to call:

ads_get_gpo_list()
    -> ads_get_gpo_list_internal()
        -> if (flags & GPO_LIST_FLAG_MACHINE)
               ads_site_dn_for_machine(ads,
                                       mem_ctx,
                                       ads->config.ldap_server_name,
                                       &site_dn);

This will always return the site of the connected LDAP server, not the site of the machine account we're querying.

Found by Roman Sorokin <rsorokin@google.com>
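
Added example, not part of the original report and not Samba source: a toy C model of the lookup described above, showing that keying the site lookup on the connection's `ldap_server_name` gives every queried machine the server's site. The directory table, host names, `model_*` and `site_*` helpers and the flag value are assumptions made for the illustration; how the machine's own site should be located in a fix is not stated in the report.

```c
/* Toy model of the reported behaviour; all data below is constructed. */
#include <stdio.h>
#include <string.h>

#define GPO_LIST_FLAG_MACHINE 0x1u /* value constructed for this model */

struct site_entry { const char *host; const char *site_dn; };
struct model_conn { const char *ldap_server_name; };

/* Constructed sample directory: one server and two member machines. */
static const struct site_entry site_table[] = {
    { "dc1",       "CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test" },
    { "ws-hq",     "CN=HQ,CN=Sites,CN=Configuration,DC=example,DC=test" },
    { "ws-branch", "CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=test" },
};

/* Hypothetical stand-in for a site lookup keyed on a host name. */
static const char *model_site_dn_for(const char *host)
{
    for (size_t i = 0; i < sizeof(site_table) / sizeof(site_table[0]); i++)
        if (strcmp(site_table[i].host, host) == 0)
            return site_table[i].site_dn;
    return NULL;
}

/* Reported behaviour: the machine name is ignored, the server name is used. */
static const char *site_as_reported(const struct model_conn *c,
                                    const char *machine, unsigned flags)
{
    (void)machine;
    return (flags & GPO_LIST_FLAG_MACHINE) ? model_site_dn_for(c->ldap_server_name) : NULL;
}

/* Returns 1 when the site used for the GPO list is not the queried machine's. */
static int site_mismatch(const struct model_conn *c, const char *machine)
{
    const char *used = site_as_reported(c, machine, GPO_LIST_FLAG_MACHINE);
    const char *own = model_site_dn_for(machine);
    return used == NULL || own == NULL || strcmp(used, own) != 0;
}

int main(void)
{
    struct model_conn c = { "dc1" };
    const char *machines[] = { "ws-hq", "ws-branch" };
    for (size_t i = 0; i < 2; i++)
        printf("%s: mismatch=%d\n", machines[i], site_mismatch(&c, machines[i]));
    return 0;
}
```
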