r23859: Work to have Group Policy work 'out of the box' in Samba4.

This involves creating the SYSVOL and NETLOGON shares at provision
time, and creating the right subdirectories.

This also changes the behaviour of lp.get("foo") in ejs - we now
return undefined, rather than syntax error, if the parameter doesn't
exist (perhaps because the share isn't defined).

Andrew Bartlett

source/scripting/ejs/smbcalls_config.c

@@ -89,7 +89,8 @@ static int ejs_lpGet(MprVarHandle eid, int argc, char **argv)
 		/* its a share parameter */
 		int snum = lp_servicenumber(argv[0]);
 		if (snum == -1) {
-			return -1;
+			mpr_Return(eid, mprCreateUndefinedVar());
+			return 0;
 		}
 		if (strchr(argv[1], ':')) {
 			/* its a parametric option on a share */
@@ -98,16 +99,23 @@ static int ejs_lpGet(MprVarHandle eid, int argc, char **argv)
 							  strcspn(argv[1], ":"));
 			const char *option = strchr(argv[1], ':') + 1;
 			const char *value;
-			if (type == NULL || option == NULL) return -1;
+			if (type == NULL || option == NULL) {
+				mpr_Return(eid, mprCreateUndefinedVar());
+				return 0;
+			}
 			value = lp_get_parametric(snum, type, option);
-			if (value == NULL) return -1;
+			if (value == NULL) {
+				mpr_Return(eid, mprCreateUndefinedVar());
+				return 0;
+			}
 			mpr_ReturnString(eid, value);
 			return 0;
 		}
 
 		parm = lp_parm_struct(argv[1]);
 		if (parm == NULL || parm->class == P_GLOBAL) {
-			return -1;
+			mpr_Return(eid, mprCreateUndefinedVar());
+			return 0;
 		}
 		parm_ptr = lp_parm_ptr(snum, parm);
 	} else if (strchr(argv[0], ':')) {
@@ -116,20 +124,30 @@ static int ejs_lpGet(MprVarHandle eid, int argc, char **argv)
 						  argv[0], strcspn(argv[0], ":"));
 		const char *option = strchr(argv[0], ':') + 1;
 		const char *value;
-		if (type == NULL || option == NULL) return -1;
+		if (type == NULL || option == NULL) {
+			mpr_Return(eid, mprCreateUndefinedVar());
+			return 0;
+		}
 		value = lp_get_parametric(-1, type, option);
-		if (value == NULL) return -1;
+		if (value == NULL) {
+			mpr_Return(eid, mprCreateUndefinedVar());
+			return 0;
+		}
 		mpr_ReturnString(eid, value);
 		return 0;
 	} else {
 		/* its a global parameter */
 		parm = lp_parm_struct(argv[0]);
-		if (parm == NULL) return -1;
+		if (parm == NULL) {
+			mpr_Return(eid, mprCreateUndefinedVar());
+			return 0;
+		}
 		parm_ptr = lp_parm_ptr(-1, parm);
 	}
 
 	if (parm == NULL || parm_ptr == NULL) {
-		return -1;
+		mpr_Return(eid, mprCreateUndefinedVar());
+		return 0;
 	}
 
 	/* construct and return the right type of ejs object */
@@ -142,6 +160,7 @@ static int ejs_lpGet(MprVarHandle eid, int argc, char **argv)
 		mpr_Return(eid, mprCreateBoolVar(*(BOOL *)parm_ptr));
 		break;
 	case P_INTEGER:
+	case P_OCTAL:
 	case P_BYTES:
 		mpr_Return(eid, mprCreateIntegerVar(*(int *)parm_ptr));
 		break;
@@ -152,12 +171,14 @@ static int ejs_lpGet(MprVarHandle eid, int argc, char **argv)
 				return 0;
 			}
 		}
-		return -1;	
+		mpr_Return(eid, mprCreateUndefinedVar());
+		return 0;	
 	case P_LIST: 
 		mpr_Return(eid, mprList(parm->label, *(const char ***)parm_ptr));
 		break;
 	case P_SEP:
-		return -1;
+		mpr_Return(eid, mprCreateUndefinedVar());
+		return 0;
 	}
 	return 0;
 }

source/scripting/libjs/provision.js

@@ -389,6 +389,19 @@ function provision_default_paths(subobj)
 	paths.ldap_basedn_ldif = paths.ldapdir + "/" + subobj.DNSDOMAIN + ".ldif";
 	paths.ldap_config_basedn_ldif = paths.ldapdir + "/" + subobj.DNSDOMAIN + "-config.ldif";
 	paths.ldap_schema_basedn_ldif = paths.ldapdir + "/" + subobj.DNSDOMAIN + "-schema.ldif";
+
+	paths.netlogon = lp.get("netlogon", "path");
+	
+	if (paths.netlogon == undefined) {
+		paths.netlogon = lp.get("lock dir") + "/netlogon";
+	}
+
+	paths.sysvol = lp.get("sysvol", "path");
+
+	if (paths.sysvol == undefined) {
+		paths.sysvol = lp.get("lock dir") + "/sysvol";
+	}
+	
 	return paths;
 }
 
@@ -466,6 +479,9 @@ function provision_fix_subobj(subobj, paths)
 
 	subobj.LDAPMANAGERDN = "cn=Manager," + subobj.DOMAINDN;
 
+	subobj.NETLOGONPATH = paths.netlogon;
+	subobj.SYSVOLPATH = paths.sysvol;
+
 	return true;
 }
 
@@ -703,6 +719,16 @@ function provision(subobj, message, blank, paths, session_info, credentials, lda
 	if (lp.get("server role") == "domain controller") {
 		message("Setting up self join\n");
 		setup_add_ldif("provision_self_join.ldif", info, samdb, false);
+		setup_add_ldif("provision_group_policy.ldif", info, samdb, false);
+
+		sys.mkdir(paths.sysvol, 0755);
+		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN, 0755);
+		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies", 0755);
+		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}", 0755);
+		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/Machine", 0755);
+		sys.mkdir(paths.sysvol + "/"+ subobj.DNSDOMAIN + "/Policies/{" + subobj.POLICYGUID + "}/User", 0755);
+
+		sys.mkdir(paths.netlogon, 0755);
 	}
 
 	if (setup_name_mappings(info, samdb) == false) {

source/setup/provision

@@ -14,7 +14,9 @@ options = GetOptions(ARGV,
 		'realm=s',
 		'domain=s',
 		'domain-guid=s',
+		'domain-guid=s',
 		'domain-sid=s',
+		'policy-guid=s',
 		'host-name=s',
 		'host-ip=s',
 		'host-guid=s',
@@ -69,6 +71,7 @@ provision [options]
  --host-name	HOSTNAME	set hostname
  --host-ip	IPADDRESS	set ipaddress
  --host-guid	GUID		set hostguid (otherwise random)
+ --policy-guid  GUID            set group policy guid (otherwise random)
  --invocationid	GUID		set invocationid (otherwise random)
  --adminpass	PASSWORD	choose admin password (otherwise random)
  --krbtgtpass	PASSWORD	choose krbtgt password (otherwise random)

source/setup/provision.ldif

@@ -99,31 +99,3 @@ dn: CN=Policies,CN=System,${DOMAINDN}
 objectClass: top
 objectClass: container
 
-dn: CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: container
-objectClass: groupPolicyContainer
-displayName: Default Domain Policy
-objectCategory: CN=Group-Policy-Container,${SCHEMADN}
-gPCFunctionalityVersion: 2
-gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
-versionNumber: 1
-flags: 0
-gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
- 8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
- FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2
- 488-11D1-A28C-00C04FB94F17}]
-gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
- 1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-
- 11D1-A7CC-0000F87571E3}]
-nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
-
-dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: container
-objectCategory: CN=Container,${SCHEMADN}
-
-dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
-objectClass: top
-objectClass: container
-objectCategory: CN=Container,${SCHEMADN}

source/setup/provision.smb.conf

@@ -4,4 +4,10 @@
 	realm		= ${REALM}
 	server role     = domain controller
 
+[netlogon]
+	path = ${NETLOGONPATH}
+	read only = no
 
+[sysvol]
+	path = ${SYSVOLPATH}
+	read only = no

source/setup/provision_group_policy.ldif

@@ -0,0 +1,28 @@
+dn: CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+objectClass: groupPolicyContainer
+displayName: Default Domain Policy
+objectCategory: CN=Group-Policy-Container,${SCHEMADN}
+gPCFunctionalityVersion: 2
+gPCFileSysPath: \\${DNSDOMAIN}\sysvol\${DNSDOMAIN}\Policies\{${POLICYGUID}}
+versionNumber: 1
+flags: 0
+gPCMachineExtensionNames: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{53D6AB1B-248
+ 8-11D1-A28C-00C04FB94F17}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4
+ FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2
+ 488-11D1-A28C-00C04FB94F17}]
+gPCUserExtensionNames: [{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-1
+ 1D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-
+ 11D1-A7CC-0000F87571E3}]
+nTSecurityDescriptor: O:${DOMAINSID}-512G:${DOMAINSID}-512D:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-519)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;${DOMAINSID}-512)(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;AU)(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)(A;CI;RPLCLORC;;;ED)S:AI(OU;CIIDSA;WPWD;;f30e3bc2-9ff0-11d1-b603-0000f80367c1;WD)(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
+
+dn: CN=User,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+objectCategory: CN=Container,${SCHEMADN}
+
+dn: CN=Machine,CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN}
+objectClass: top
+objectClass: container
+objectCategory: CN=Container,${SCHEMADN}