Issue-1: Description of 'net ads gpo apply' not clear

1. test-user-1 has 2 GPOs on AD.

# net ads gpo list test-user-1
Enter root's password:
user: 'test-user-1' has dn: 'CN=test-user-1,OU=test-users,DC=atest,DC=com'
---------------------
name: Local Policy
displayname: Local Policy
---------------------
name: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayname: Default Domain Policy
---------------------
name: {8D86E985-594F-4D32-95E6-272647F9CDF4}
displayname: test-Users-GPO-1

2. I want to apply a new GPO named 'smart-card-gpo' to 'test-user-1'.

# net ads gpo listall
Enter root's password:
Got 5 replies
---------------------
name: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayname: Default Domain Policy
security descriptor:
---------------------
name: {6AC1786C-016F-11D2-945F-00C04fB984F9}
displayname: Default Domain Controllers Policy
---------------------
name: {398F2193-BCB5-438D-AB47-EC65512E221C}
displayname: smart-card-gpo
---------------------
name: {0C7EBE47-2264-4A4C-868C-B31CDDC999B5}
displayname: test-Computers-GPO-1
---------------------
name: {8D86E985-594F-4D32-95E6-272647F9CDF4}
displayname: test-Users-GPO-1

3. Checking help.

# net ads gpo -h
Usage:
net ads gpo apply
    Apply GPO to container
..

4. Provided the OU to which I wanted to apply the GPO.

# net ads gpo apply test-OU-having-empty-gpLink -h
Usage:
net ads gpo apply <username|machinename>
    Apply GPOs for machine/user
    username        Username to apply GPOs for
    machinename     Machine to apply GPOs for

5. Provided machine name inside GPO. BUT SEE, HELP IS MISLEADING. <<<<<

# net ads gpo apply test-OU-having-empty-gpLink amitk-machine-4 -h
Usage:
net ads gpo apply <username|machinename>
    Apply GPOs for machine/user
    username        Username to apply GPOs for
    machinename     Machine to apply GPOs for

6. Tried applying GPO at OU level.

# net ads gpo apply test-OU-having-empty-gpLink amitk-machine-4 smart-card-gpo
Enter root's password:
failed to find samaccount for test-OU-having-empty-gpLink: No results returned

7. Tried applying GPO on OU.

# net ads gpo apply test-OU-having-empty-gpLink smart-card-gpo
Enter root's password:
failed to find samaccount for test-OU-having-empty-gpLink: No results returned

8. Tried applying GPO on another OU present in SOM.

# net ads gpo apply test-Comp2 smart-card-gpo
Enter root's password:
failed to find samaccount for test-Comp2: No results returned

Issue-2: Is 'net ads gpo apply <>' working properly or not?
Actually the API net_ads_gpo_apply() expects:
  arg1: username|machinename
  arg2: Client side extension (CSE)

The CSE-to-GUID mapping is defined in: static struct gp_table gpo_cse_extensions[]

- Code retrieves the GUID of the entered CSE.
- Code retrieves the GPOs applied to the username|machinename 'dn' on AD.
- The gpext_init_gp_extensions() function tries to opendir(modules_path(talloc_tos(), SAMBA_SUBSYSTEM_GPEXT)) and fails. I believe at this path *.so is searched for the CSEs which need to be applied on the username|machinename dn.

# /usr/local/samba/bin/net ads gpo apply <username> <client-side-extension>

Source code flow: argv[0]=AD-User-name, argv[1]=Client-Side-Extension

Step-1: Retrieve GUID of CSE using cse_gpo_name_to_guid_string() [filter=GUID_of_CSE]
Step-2: ads_startup()
Step-3: ads_find_samaccount(argv[0], &uac, &dn)
        Finds dn, userAccountControl value for the username entered
Step-4: ads_get_gpo_list(dn, token, &gpo_list)
        Retrieves gpo_list on the basis of dn, token. [gpo_list=GPOs_of_dn]
Step-5: gpo_process_gpo_list(token, gpo_list, filter)
  5a: gp_init_reg_ctx(KEY_HKCU, REG_KEY_WRITE, token, **reg_ctx);
      [Get values filled in struct gp_registry_context]
  5b: gpext_process_extension(token, flags, root_key, filter, gpo_list)
    5b1: gpext_init_gp_extensions(mem_ctx)
      5b1-1: gp_glob_ext_list()
             It calls 'modules_path(talloc_tos(), SAMBA_SUBSYSTEM_GPEXT)'

libgpo/gpext/gpext.c
  modules_path(talloc_tos(), SAMBA_SUBSYSTEM_GPEXT) returns '/usr/local/samba/lib/gpext', which does not exist.

lib/util/util_paths.c
  char *modules_path(TALLOC_CTX *mem_ctx, const char *name)
  {
      return talloc_asprintf(mem_ctx, "%s/%s", get_dyn_MODULESDIR(), name);
  }

Investigating!!
1. get_dyn_MODULESDIR(): from where does it find the dynamic modules directory?
2. Shouldn't we provide the 2nd argument to 'net ads gpo apply <user|machine-dn> <gpo>' as the new GPO to be applied to the user or machine account? -> Why does the client side extension's GUID need to be provided?
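Added example, not part of the bug report and not Samba's own code: a small POSIX shell script that checks, on an installed build, the directory that modules_path(talloc_tos(), SAMBA_SUBSYSTEM_GPEXT) resolves to, so the opendir() failure described above can be confirmed or ruled out before digging further into libgpo. It assumes that `smbd -b` prints a "Paths:" section containing a "MODULESDIR:" line (the build-time value behind get_dyn_MODULESDIR()) and that the gpext subsystem subdirectory is literally named "gpext"; both are assumptions stated in the comments, and the embedded `smbd -b` sample is constructed so the script also runs on a machine without Samba.

```shell
#!/bin/sh
# Added example (not from the report or the Samba project): locate the
# modules directory an installed Samba was built with and check whether the
# gpext subsystem directory that gpext_init_gp_extensions() opens exists and
# holds any modules.
#
# Assumptions: `smbd -b` prints a "Paths:" section with a "MODULESDIR:" line,
# and the subsystem directory is "<MODULESDIR>/gpext" (the name used for
# SAMBA_SUBSYSTEM_GPEXT in libgpo/gpext/gpext.c).

# Read `smbd -b`-style output on stdin and print the MODULESDIR value.
modulesdir_from_build_options() {
    awk '/^[[:space:]]*MODULESDIR:/ { print $2; exit }'
}

# Print "<modulesdir>/gpext" followed by one status word:
#   missing - directory absent, so opendir() fails as in the report
#   empty   - directory exists but contains no .so modules
#   ok      - directory exists and contains at least one .so
gpext_status() {
    dir="$1/gpext"
    if [ ! -d "$dir" ]; then
        echo "$dir missing"
    elif [ -z "$(ls "$dir"/*.so 2>/dev/null)" ]; then
        echo "$dir empty"
    else
        echo "$dir ok"
    fi
}

# Constructed sample of the relevant part of `smbd -b` output for a default
# /usr/local/samba prefix; used only when smbd is not installed.
SAMPLE_BUILD_OPTIONS='Paths:
   SBINDIR: /usr/local/samba/sbin
   BINDIR: /usr/local/samba/bin
   MODULESDIR: /usr/local/samba/lib
   CONFIGFILE: /usr/local/samba/etc/smb.conf'

main() {
    if command -v smbd >/dev/null 2>&1; then
        moddir=$(smbd -b | modulesdir_from_build_options)
    else
        moddir=$(printf '%s\n' "$SAMPLE_BUILD_OPTIONS" | modulesdir_from_build_options)
    fi
    gpext_status "$moddir"
}

main "$@"
```

On the reporter's build this prints "/usr/local/samba/lib/gpext missing", which is the same condition that makes gpext_init_gp_extensions() fail; "empty" would mean the directory was created but no CSE modules were installed into it.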