Bug 15387 - GPOs containing GPWL policies can not be deleted with samba-tool
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.16.9
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2023-06-05 14:47 UTC by Kacper
Modified: 2023-06-05 14:47 UTC
Description Kacper 2023-06-05 14:47:33 UTC
GPOs containing GPWL (Wireless/Wired Protocol Extension) policies can not be deleted with samba-tool. This is due to GPWL storing policy objects inside LDAP under the GPO entry (e.g. "CN=IEEE8023, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=IEEE80211, CN=Windows, CN=Microsoft, [GPO DN]" or "CN=Wireless, CN=Windows, CN=Microsoft, [GPO DN]") which leads to:


ERROR(ldb): uncaught exception - LDAP error 66 LDAP_NOT_ALLOWED_ON_NON_LEAF -  <00002015: subtree_delete: Unable to delete a non-leaf node (it has 1 children)!> <>
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/gpo.py", line 1784, in run
    self.samdb.delete(ldb.Dn(self.samdb, "CN=Machine,%s" % str(gpo_dn)))

Additionally, if the "CN=User" GPO subentry is successfully deleted but "CN=Machine" is not, one will not be able to retry the delete operation with samba-tool, since the "CN=User" entry is already deleted.
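
The failure mode reported above, reproduced on an in-memory model as an added example (not part of the original report and not Samba code). The `Directory` class, the function names and the sample DNs are constructed for illustration, and the GPWL entry is assumed to sit under "CN=Machine", as the traceback suggests. It shows the fixed-order delete failing with error 66, the retry failing because "CN=User" is already gone, and a deepest-first delete that completes from the partial state.

```python
# Constructed in-memory model of the LDAP subtree under a GPO; not Samba code.
NOT_ALLOWED_ON_NON_LEAF, NO_SUCH_OBJECT = 66, 32

class LdapError(Exception):
    def __init__(self, code, dn):
        super().__init__(f"LDAP error {code}: {dn}")
        self.code = code

class Directory:
    def __init__(self, dns):
        self.entries = set(dns)

    def descendants(self, dn):
        return [e for e in self.entries if e.endswith("," + dn)]

    def delete(self, dn):
        # Plain LDAP delete semantics: the entry must exist and must be a leaf.
        if dn not in self.entries:
            raise LdapError(NO_SUCH_OBJECT, dn)
        if self.descendants(dn):
            raise LdapError(NOT_ALLOWED_ON_NON_LEAF, dn)
        self.entries.remove(dn)

def naive_gpo_delete(d, gpo_dn):
    # Fixed order implied by the report: CN=User, then CN=Machine, then the GPO.
    for dn in ("CN=User," + gpo_dn, "CN=Machine," + gpo_dn, gpo_dn):
        d.delete(dn)

def resilient_gpo_delete(d, gpo_dn):
    # Enumerate whatever still exists and delete deepest entries first, so
    # unexpected children are handled and a rerun after a partial failure works.
    # Depth is taken from the comma count, which is enough for these sample DNs.
    subtree = d.descendants(gpo_dn) + ([gpo_dn] if gpo_dn in d.entries else [])
    for dn in sorted(subtree, key=lambda e: e.count(","), reverse=True):
        d.delete(dn)

def make_sample(gpo_dn):
    # Constructed sample: a GPO whose Machine container holds a wired policy.
    m = "CN=Machine," + gpo_dn
    return Directory([gpo_dn, "CN=User," + gpo_dn, m, "CN=Microsoft," + m,
                      "CN=Windows,CN=Microsoft," + m,
                      "CN=IEEE8023,CN=Windows,CN=Microsoft," + m])
```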