authpolicy: Handle enforced GPOs |
|||||
Issue descriptionIn AD, GPO links can be enforced, meaning that child level GPOs can't override policies set in an enforced GPO. https://technet.microsoft.com/en-us/library/cc753909(v=ws.11).aspx See link_opts, GPO_LINK_OPT_ENFORCED in Samba. Note: net ads gpo list doesn't output that yet, but it could be added (or use net ads gpo linkget, but that would probably add a ton of overhead).
,
Apr 5 2017
,
Apr 13 2017
,
May 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/b58604f37018d4e44e8cfe11c949707ad9c4b21d commit b58604f37018d4e44e8cfe11c949707ad9c4b21d Author: Lutz Justen <ljusten@chromium.org> Date: Sun May 14 23:24:02 2017 samba: Add patches for net ads gpo list Adds three patches that fix issues with the gpo list of the net ads tool. samba-4.5.3-reorder_ads_get_gpo_list.patch: Changes order to match GPO application order. The order of GPOs in a gpo_list generated by ads_get_gpo_list did not match the order of application. Since GPOs are pushed to the FRONT of gpo_list, GPOs have to be pushed in the opposite order of application. (Pushing to front is useful to get inheritance blocking right). samba-4.5.3-fix_block_inheritance.patch: Fixes issue with GPOPTIONS_BLOCK_INHERITANCE. GP links with the GPOPTIONS_BLOCK_INHERITANCE option set were blocking GPOs from the same link (i.e. an OU with the flag set would block its own GPOs). This CL makes sure the GPOs from the link are added to the list. samba-4.5.3-list_forced_gpos_last: ads_get_gpo_list: Put enforced GPOs at the end of the list Enforced GPOs should be applied on top of all non-enforced GPOs, so that they override policies set in non-enforced GPOs. BUG= chromium:710469 , chromium:710434 , chromium:708476 TEST=Made sure that GPO order matches application order. Change-Id: Idf5aaf70d2725b10021ca8f1bc939edd13d1e52a Reviewed-on: https://chromium-review.googlesource.com/480092 Commit-Ready: Lutz Justen <ljusten@chromium.org> Tested-by: Lutz Justen <ljusten@chromium.org> Reviewed-by: Zentaro Kavanagh <zentaro@google.com> [add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-list_forced_gpos_last.patch [add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-fix_block_inheritance.patch [modify] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/samba-4.5.3.ebuild [rename] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/samba-4.5.3-r7.ebuild [add] https://crrev.com/b58604f37018d4e44e8cfe11c949707ad9c4b21d/net-fs/samba/files/samba-4.5.3-reorder_ads_get_gpo_list.patch
,
May 15 2017
,
Jul 6 2017
bulk Verify of older or not-user-facing Chromad bugs |
|||||
►
Sign in to add a comment |
|||||
Comment 1 by ljusten@chromium.org
, Apr 5 2017