Bug 13891 - net ads gpo refresh queries the wrong machine for site group policies.
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2019-04-08 20:44 UTC by Jeremy Allison
Modified: 2019-06-14 09:23 UTC
Description Jeremy Allison 2019-04-08 20:44:10 UTC
net ads gpo refresh machinename

net_ads_gpo_refresh() calls:
    -> ads_find_samaccount()

on the passed in machinename to return the flags and dn from the LDAP query on:

(&(objectclass=user)(sAMAccountName="machinename"))

It then uses the returned dn to call:

ads_get_gpo_list()
    -> ads_get_gpo_list_internal()
        -> if (flags & GPO_LIST_FLAG_MACHINE)
               ads_site_dn_for_machine(ads,
                                       mem_ctx,
                                       ads->config.ldap_server_name,
                                       &site_dn);

This will always return the site of the connected LDAP server, not the site of the machine account we're querying.

Found by Roman Sorokin <rsorokin@google.com>
Comment 2 Amit Kumar 2019-06-11 08:47:56 UTC
I believe this is the gpo fetch process:

# net ads gpo list machine$
..

ldap_search_ext_s() base=[dc=ATEST,dc=COM] filter=[(&(objectclass=user)(sAMAccountName=machine$))] attr[userAccountControl]  //1. ldapsearch to find DN
..
machine: 'machine$' has dn: 'CN=machine,OU=test,DC=atest,DC=com'  //2. Finds DN
..
ldap_search_ext_s() base=[CN=machine,OU=test,DC=atest,DC=com] filter=[(objectclass=*)] attr[objectSid] scope=[0]      //3. ldapsearch on base=DN
..
ldap_search_ext_s() base=[OU=test,DC=atest,DC=com] filter=[(objectclass=*)] attr[gPLink] scope=[0]     //4. Performs ldapsearch on Container finds gPLink
..
gPLink: [LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com;0][LDAP://cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com;2]   //5. gPLink of Container
..
ldap_search_ext_s() base=[cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com] filter=[(objectclass=*)] attr[cn]     //6,7,8. ldapsearch on each GPO GUID
..
Then it goes to base container:
ldap_search_ext_s() base=[DC=atest,DC=com] filter=[(objectclass=*)] attr[gPLink] scope=[0]    //9. ldapsearch on base

This does not look correct. GPOs on the machine account inside the OU might not be the same as on the parent OU.
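The container walk and gPLink format that comment 2 traces (machine DN, then its OU, then the domain root, each carrying a gPLink), as an added Python example that is not Samba's code: it parses gPLink entries, applies the site/domain/OU order with enforced and disabled link handling, and takes the site DN as an explicit input, which per the bug report must be the machine's own site rather than the site of the LDAP server that answered the query. The directory contents and the site entry are constructed sample data modelled on the comment's output.

```python
import re

# gPLink syntax: "[LDAP://<gpo dn>;<options>]..."; options bit 0x1 = link disabled, 0x2 = enforced.
GPLINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
GPLINK_DISABLED, GPLINK_ENFORCED = 0x1, 0x2

# Constructed sample directory (container DN -> gPLink value), modelled on the output in comment 2.
# The site entry and its GPO GUID are invented to show where the machine's site slots into the order.
SAMPLE_DIRECTORY = {
    "CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=atest,DC=com":
        "[LDAP://cn={00000000-0000-0000-0000-000000000001},cn=policies,cn=system,DC=atest,DC=com;0]",
    "DC=atest,DC=com":
        "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=atest,DC=com;0]",
    "OU=test,DC=atest,DC=com":
        "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com;0]"
        "[LDAP://cn={903A8BD0-126B-4BF1-8F20-FEE155EADDC4},cn=policies,cn=system,DC=atest,DC=com;2]",
}

def parse_gplink(value):
    """Return [(gpo_dn, options)] in stored order; the first entry has the highest precedence."""
    return [(dn, int(opt)) for dn, opt in GPLINK_RE.findall(value or "")]

def container_chain(machine_dn):
    """Containers that can link GPOs to this machine: domain root first, then each OU down
    to the one holding the account. Naive DN split: escaped commas are not handled."""
    rdns = machine_dn.split(",")[1:]              # drop the machine's own CN= RDN
    chain = []
    for i, rdn in enumerate(rdns):
        if rdn.upper().startswith("OU="):
            chain.append(",".join(rdns[i:]))
        elif rdn.upper().startswith("DC="):       # domain root reached: nothing above it links GPOs
            chain.append(",".join(rdns[i:]))
            break
    return list(reversed(chain))

def applied_gpos(machine_dn, site_dn, directory):
    """GPO DNs in application order (last one wins): site, domain, OUs. Within one container
    the first-listed link is applied last; enforced links are applied after all others, with
    the enforced link furthest up the tree winning. site_dn must be the site the machine
    belongs to, not the site of the DC that answered the LDAP query (the bug in this report)."""
    containers = ([site_dn] if site_dn else []) + container_chain(machine_dn)
    normal, enforced = [], []
    for container in containers:
        for gpo_dn, opt in reversed(parse_gplink(directory.get(container))):
            if opt & GPLINK_DISABLED:
                continue
            (enforced if opt & GPLINK_ENFORCED else normal).append(gpo_dn)
    return normal + list(reversed(enforced))
```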
Comment 3 Amit Kumar 2019-06-14 09:23:43 UTC
Though after
# net ads gpo refresh

the list returns the complete list of GPOs associated with the machine account:
# net ads gpo list machine-name$ all

name:			Local Policy
displayname:		Local Policy
version:		0 (0x00000000)
version_user:		0 (0x0000)
version_machine:	0 (0x0000)
filesyspath:		(null)
dspath:		(null)
options:		0 GPFLAGS_ALL_ENABLED
link:			(null)
link_type:		5
machine_extensions:	(null)
user_extensions:	(null)


name:			{31B2F340-<>-11D2-945F-<>}
displayname:		Default Domain Policy
version:		262147 (0x00040003)
version_user:		4 (0x0004)
version_machine:	3 (0x0003)
filesyspath:		\\<>\sysvol\atest.com\Policies\{<>}
dspath:		CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<>,DC=com
options:		0 GPFLAGS_ALL_ENABLED
link:			DC=atest,DC=com
link_type:		3 GP_LINK_DOMAIN
machine_extensions:	[{<>}{<>}][{<>}{<>}][{<>}{<>}]

name:			{6AC1786C-<>-11D2-945F-<>}
displayname:		Default Domain Controllers Policy
version:		2 (0x00000002)
version_user:		0 (0x0000)
version_machine:	2 (0x0002)
filesyspath:		\\atest.com\sysvol\atest.com\Policies\{<>}
dspath:		cn={6AC1786C-016F-11D2-945F-00C04fB984F9},cn=policies,cn=system,DC=atest,DC=com
options:		0 GPFLAGS_ALL_ENABLED
link:			OU=test-Computers,DC=atest,DC=com
link_type:		4 GP_LINK_OU
machine_extensions:	[{8<>}{<>}]

name:			{<>}
displayname:		test-Computers-GPO-1    <<<<<<Newly created enforced GPO
version:		0 (0x00000000)
version_user:		0 (0x0000)
version_machine:	0 (0x0000)
filesyspath:		\\atest.com\SysVol\<>\Policies\{<>}
dspath:		cn={0c7ebe47-2264-4a4c-868c-b31cddc999b5},cn=policies,cn=system,DC=atest,DC=com
options:		0 GPFLAGS_ALL_ENABLED
link:			OU=test-Computers,DC=atest,DC=com
link_type:		4 GP_LINK_OU
machine_extensions:	(null)
user_extensions:	(null)
security descriptor: