15387 – GPOs containing GPWL policies can not be deleted with samba-tool

Bug 15387 - GPOs containing GPWL policies can not be deleted with samba-tool

Summary: GPOs containing GPWL policies can not be deleted with samba-tool

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.16.9
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-06-05 14:47 UTC by Kacper
Modified:	2024-09-24 17:12 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Kacper 2023-06-05 14:47:33 UTC

GPOs containing GPWL (Wireless/Wired Protocol Extension) policies can not be deleted with samba-tool. This is due to GPWL storing policy objects inside LDAP under the GPO entry (e.g. "CN=IEEE8023, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=IEEE80211, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=Wireless, CN=Windows, CN=Microsoft, [GPO DN]") which leads to:


ERROR(ldb): uncaught exception - LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -  <00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!> <>
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1784, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))

Additionally if the "CN=User" GPO subentry is successfully deleted but "CN=Machine" is not one will not be able to retry the delete operation with samba-tool since the "CN=User" entry is already deleted.

Comment 1 Samba QA Contact 2024-09-24 17:12:03 UTC

This bug was referenced in samba master:

bb12f19e4fe100029c32bdab92aa6515be7e71f6