author | David Mulder <dmulder@suse.com> | 2018-05-09 13:16:38 -0600 |
---|---|---|
committer | Aurélien Aptel <aaptel@samba.org> | 2018-10-08 18:17:15 +0200 |
commit | 7bb326a60d2bd2210e76bb20071df114f9c30462 (patch) | |
tree | a0d17b50c4a72c583cd489b239dad6085cb38ff9 /python | |
parent | fb22582aef50491e48ab3d8ed69f15b7500d10c2 (diff) | |
download | samba-7bb326a60d2bd2210e76bb20071df114f9c30462.tar.gz |
gpo: Implement process_group_policy() gp_ext func
MS spec describes the policy callback as a
function called ProcessGroupPolicy which accepts
a pDeletedGPOList and a pChangedGPOList param.
The Group Policy Client Side Extension then
iterates over the deleted, then the changed gpo
lists and applies/unapplies policy. We should do
this also.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/gp_sec_ext.py | 11 | ||||
-rw-r--r-- | python/samba/gpclass.py | 43 |
2 files changed, 36 insertions, 18 deletions
diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index c3d611bbaad..2dc34e67863 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -166,3 +166,14 @@ class gp_sec_ext(gp_inf_ext):
 }
 }
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ if self.lp.get('server role') != 'active directory domain controller':
+ return
+ inf_file = 'MACHINE/Microsoft/Windows NT/SecEdit/GptTmpl.inf'
+
+ for gpo in changed_gpo_list:
+ if gpo.file_sys_path:
+ self.gp_db.set_guid(gpo.name)
+ path = os.path.join(gpo.file_sys_path, inf_file)
+ self.parse(path)
+
diff --git a/python/samba/gpclass.py b/python/samba/gpclass.py
index 2de11e7730e..07b8b217084 100644
--- a/python/samba/gpclass.py
+++ b/python/samba/gpclass.py
@@ -309,6 +309,10 @@ class gp_ext(object):
 pass
 @abstractmethod
+ def process_group_policy(self, deleted_gpo_list, changed_gpo_list):
+ pass
+
+ @abstractmethod
 def apply_map(self):
 pass
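Review bot: `path = os.path.join(gpo.file_sys_path, inf_file)` hands `self.parse()` a path built from the raw `gpo.file_sys_path`, whereas `apply_gp` in gpclass.py (same commit) only uses that attribute after `check_safe_path(...)`. `parse()` is outside the hunk, so if it does not normalise the path itself, a value taken from the GPO object reaches the file lookup unchecked. Changing the line to `path = os.path.join(check_safe_path(gpo.file_sys_path), inf_file)` would keep both call sites consistent, assuming `check_safe_path` is importable in this module. Separately, `deleted_gpo_list` is accepted but never read; a comment such as `# deleted_gpo_list is currently unused by this extension` would make that explicit.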
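Review bot: The new abstract `process_group_policy` in gpclass.py has no docstring, although it is now the contract every extension has to implement. A one-line docstring would do, for example `"""Unapply policy for deleted_gpo_list, then apply policy for changed_gpo_list."""`; the ordering comes from the commit message, and that both arguments are lists of GPO objects is inferred from how `apply_gp` fills `changed_gpos`. Class `gp_ext` starts and ends outside the hunk.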
@@ -467,30 +471,33 @@ def apply_gp(lp, creds, logger, store, gp_extensions):
 % dc_hostname)
 return
+ changed_gpos = []
 for gpo_obj in gpos:
- guid = gpo_obj.name
- if guid == 'Local Policy':
+ if not gpo_obj.file_sys_path:
 continue
- path = os.path.join(lp.get('realm'), 'Policies', guid).upper()
+ guid = gpo_obj.name
+ path = check_safe_path(gpo_obj.file_sys_path).upper()
 version = gpo_version(lp, path)
 if version != store.get_int(guid):
 logger.info('GPO %s has changed' % guid)
- gp_db.state(GPOSTATE.APPLY)
- else:
- gp_db.state(GPOSTATE.ENFORCE)
- gp_db.set_guid(guid)
- store.start()
- for ext in gp_extensions:
- try:
- ext.parse(ext.list(path))
- except Exception as e:
- logger.error('Failed to parse gpo %s for extension %s' %
- (guid, str(ext)))
- logger.error('Message was: ' + str(e))
- store.cancel()
- continue
+ changed_gpos.append(gpo_obj)
+
+ store.start()
+ for ext in gp_extensions:
+ try:
+ ext.process_group_policy([], changed_gpos)
+ except Exception as e:
+ logger.error('Failed to apply extension %s' % str(ext))
+ logger.error('Message was: ' + str(e))
+ continue
+ for gpo_obj in gpos:
+ if not gpo_obj.file_sys_path:
+ continue
+ guid = gpo_obj.name
+ path = check_safe_path(gpo_obj.file_sys_path).upper()
+ version = gpo_version(lp, path)
 store.store(guid, '%i' % version)
- store.commit()
+ store.commit()
 def unapply_log(gp_db): |
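Review bot: A failing extension no longer stops the GPO versions from being recorded: the `except` branch only logs, and the second `for gpo_obj in gpos:` loop then calls `store.store(guid, '%i' % version)` for every GPO before `store.commit()`. The removed code called `store.cancel()` on that path; with nothing equivalent, a GPO whose settings were not applied is stored at its current version and, judging from the `version != store.get_int(guid)` test, would not be retried until its version changes again. Tracking the failure and skipping the version update, as sketched below, lets the next run retry. Whether `store.cancel()` fully undoes `store.start()` is not visible here and should be confirmed. `apply_gp` begins before this hunk.

```python
    store.start()
    failed = False
    for ext in gp_extensions:
        try:
            ext.process_group_policy([], changed_gpos)
        except Exception as e:
            # ... unchanged: the two logger.error calls ...
            failed = True
    if failed:
        # Do not record versions for a run in which an extension failed,
        # so the changed GPOs are treated as changed again on the next run.
        store.cancel()
        return
    # ... unchanged: second loop storing versions, then store.commit() ...
```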