Bug 14019 - Behavior of net ads gpo apply <> not clear. cannot apply GPO on OU
Summary: Behavior of net ads gpo apply <> not clear. cannot apply GPO on OU
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.10.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-06-28 14:40 UTC by Amit Kumar
Modified: 2019-07-08 13:41 UTC

See Also:


Description Amit Kumar 2019-06-28 14:40:19 UTC
Issue-1: Description of 'net ads gpo apply' not clear

1. test-user-1 has 2 GPOs on AD.
# net ads gpo list test-user-1
Enter root's password:
user: 'test-user-1' has dn: 'CN=test-user-1,OU=test-users,DC=atest,DC=com'
---------------------
name:			Local Policy
displayname:		Local Policy
---------------------
name:			{31B2F340-016D-11D2-945F-00C04FB984F9}
displayname:		Default Domain Policy
---------------------
name:			{8D86E985-594F-4D32-95E6-272647F9CDF4}
displayname:		test-Users-GPO-1

2. I want to apply a new GPO named 'smart-card-gpo' to 'test-user-1'
# net ads gpo listall
Enter root's password:
Got 5 replies
---------------------
name:			{31B2F340-016D-11D2-945F-00C04FB984F9}
displayname:		Default Domain Policy
security descriptor:
---------------------
name:			{6AC1786C-016F-11D2-945F-00C04fB984F9}
displayname:		Default Domain Controllers Policy
---------------------
name:			{398F2193-BCB5-438D-AB47-EC65512E221C}
displayname:		smart-card-gpo
---------------------
name:			{0C7EBE47-2264-4A4C-868C-B31CDDC999B5}
displayname:		test-Computers-GPO-1
---------------------
name:			{8D86E985-594F-4D32-95E6-272647F9CDF4}
displayname:		test-Users-GPO-1


3. Checking help.
# net ads gpo -h
Usage:
net ads gpo apply
    Apply GPO to container
..

4. Provided OU to which I wanted to apply GPO 
# net ads gpo apply test-OU-having-empty-gpLink -h
Usage:
net ads gpo apply <username|machinename>
  Apply GPOs for machine/user
    username	Username to apply GPOs for
    machinename	Machine to apply GPOs for


5. Provided machine name inside GPO. BUT SEE, HELP IS MISLEADING. <<<<<
# net ads gpo apply test-OU-having-empty-gpLink amitk-machine-4 -h
Usage:
net ads gpo apply <username|machinename>
  Apply GPOs for machine/user
    username	Username to apply GPOs for
    machinename	Machine to apply GPOs for

6. Tried Applying GPO at OU level.
# net ads gpo apply test-OU-having-empty-gpLink amitk-machine-4 smart-card-gpo
Enter root's password:
failed to find samaccount for test-OU-having-empty-gpLink: No results returned

7. Tried applying GPO on OU.
# net ads gpo apply test-OU-having-empty-gpLink smart-card-gpo
Enter root's password:
failed to find samaccount for test-OU-having-empty-gpLink: No results returned

8. Tried applying GPO on another OU present in SOM.
# net ads gpo apply test-Comp2 smart-card-gpo
Enter root's password:
failed to find samaccount for test-Comp2: No results returned


Issue-2: Is 'net ads gpo apply <>' working properly or not?
Comment 1 Amit Kumar 2019-07-02 09:14:53 UTC
Actually, the API net_ads_gpo_apply() expects
arg1: username|machinename
arg2: client-side extension (CSE)

CSEs to GUID mapping is defined in:
static struct gp_table gpo_cse_extensions[]
 
- Code retrieves the GUID of the entered CSE.
- Code retrieves the GPOs applied to the username|machinename 'dn' in AD.
- The gpext_init_gp_extensions() function tries to opendir(modules_path(talloc_tos(),
SAMBA_SUBSYSTEM_GPEXT)) and fails. I believe at this path *.so files are searched for the CSE which needs to be applied on the username|machinename dn.
Comment 2 Amit Kumar 2019-07-08 13:41:21 UTC
# /usr/local/samba/bin/net ads gpo apply <username> <client-side-extension>

source code flow:

argv[0]=AD-User-name, argv[1]=Client-Side-Extension
Step-1: Retrieve GUID of CSE using
cse_gpo_name_to_guid_string [filter=GUID_of_CSE]

Step-2: ads_startup()

Step-3: ads_find_samaccount(argv[0], &uac, &dn) finds the
dn and userAccountControl value for the username entered

Step-4: ads_get_gpo_list(dn, token, &gpo_list) retrieves
gpo_list on the basis of dn and token. [gpo_list=GPOs_of_dn]

Step-5: gpo_process_gpo_list(token, gpo_list, filter)
    5a: gp_init_reg_ctx(KEY_HKCU,
REG_KEY_WRITE,token,**reg_ctx); [Get values filled in struct
gp_registry_context]
    5b: gpext_process_extension(token,flags,root_key,filter,gpo_list)
        5b1: gpext_init_gp_extensions(mem_ctx)
             5b1-1: gp_glob_ext_list() it calls
'modules_path(talloc_tos(),SAMBA_SUBSYSTEM_GPEXT)'

libgpo/gpext/gpext.c
modules_path(talloc_tos(),SAMBA_SUBSYSTEM_GPEXT)  returns
'/usr/local/samba/lib/gpext' which does not exist

lib/util/util_paths.c
char *modules_path(TALLOC_CTX *mem_ctx, const char *name)
{
        return talloc_asprintf(mem_ctx, "%s/%s", get_dyn_MODULESDIR(), name);
}

Investigating!!
1. get_dyn_MODULESDIR(): from where does it find the dynamic modules directory?
2. Shouldn't we provide the 2nd argument to 'net ads gpo apply
<user|machine-dn> <gpo>' as the new GPO to be applied to the user or machine
account?
 -> Why does the client-side extension's GUID need to be provided?
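Comment 2 traces the failure to modules_path() building a gpext directory that does not exist on the reporter's build. The following POSIX shell script is an added example (not code from the bug report and not part of Samba) that reproduces the same path computation and checks it on the local system. It assumes two things not stated on this page: that get_dyn_MODULESDIR() returns the modules directory compiled in at build time (Samba's configure option --with-modulesdir), and that `smbd -b` prints that value as a `MODULESDIR:` line in its "Paths:" section. The SAMPLE_SMBD_B text is constructed to stand in for `smbd -b` output when smbd is not installed, using the /usr/local/samba/lib prefix seen in the comment.

```shell
#!/bin/sh
# gpext_check.sh: added example, not Samba code.
# Reproduces modules_path(talloc_tos(), SAMBA_SUBSYSTEM_GPEXT), i.e.
# "<MODULESDIR>/gpext", and reports whether gpext_init_gp_extensions()
# would find a directory with CSE modules (*.so) in it.

# Constructed sample of the "Paths:" section printed by `smbd -b`
# (assumption: the real output carries a "MODULESDIR:" line in this form).
SAMPLE_SMBD_B='Build environment:
Paths:
   SBINDIR: /usr/local/samba/sbin
   BINDIR: /usr/local/samba/bin
   MODULESDIR: /usr/local/samba/lib
   LOCKDIR: /usr/local/samba/var/lock'

# modules_dir_from_build_info <smbd -b text>
# Prints the MODULESDIR value (the get_dyn_MODULESDIR() result), or nothing.
modules_dir_from_build_info() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*MODULESDIR:[[:space:]]*//p' | head -n 1
}

# gpext_path <modulesdir>
# Same concatenation as modules_path(): "%s/%s" with name = "gpext".
gpext_path() {
    printf '%s/%s\n' "$1" "gpext"
}

# check_gpext_dir <modulesdir>
# Returns 0 if <modulesdir>/gpext exists and holds at least one *.so,
# 1 if the directory is missing (the opendir() failure from Comment 2),
# 2 if it exists but contains no CSE modules.
check_gpext_dir() {
    dir=$(gpext_path "$1")
    if [ ! -d "$dir" ]; then
        echo "missing: $dir (opendir() in gpext_init_gp_extensions() would fail)" >&2
        return 1
    fi
    set -- "$dir"/*.so
    if [ ! -e "$1" ]; then
        echo "empty: $dir holds no CSE modules (*.so)" >&2
        return 2
    fi
    echo "ok: CSE modules found in $dir:"
    printf '  %s\n' "$@"
    return 0
}

main() {
    if command -v smbd >/dev/null 2>&1; then
        info=$(smbd -b 2>/dev/null)
    else
        echo "smbd not found, using constructed sample output" >&2
        info=$SAMPLE_SMBD_B
    fi
    mdir=$(modules_dir_from_build_info "$info")
    if [ -z "$mdir" ]; then
        echo "could not determine MODULESDIR from smbd -b output" >&2
        return 1
    fi
    echo "MODULESDIR: $mdir"
    check_gpext_dir "$mdir"
}

# Report the outcome without aborting, so the functions above stay usable
# when this file is sourced into another script.
main "$@" || printf 'gpext check finished with status %s\n' "$?" >&2
```

On a source build installed under /usr/local/samba, the script prints the computed path and "missing: /usr/local/samba/lib/gpext" when the directory was never created, which is the condition the reporter hit; a packaged build would report whichever modules directory its `smbd -b` shows.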