From aa9b07ba0f8c906e99bef3ce584c7c16d3620f5f Mon Sep 17 00:00:00 2001
From: David Mulder <dmulder@suse.com>
Date: Fri, 4 May 2018 14:09:30 -0600
Subject: [PATCH] gpo: gp_sec_ext should check whether to apply

Whether an extension should apply should be
determined by the extension, not by the
calling script.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
---
 python/samba/gp_sec_ext.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/python/samba/gp_sec_ext.py b/python/samba/gp_sec_ext.py
index 772f67839a3..9c666f902d0 100644
--- a/python/samba/gp_sec_ext.py
+++ b/python/samba/gp_sec_ext.py
@@ -17,6 +17,12 @@
 
 import os.path
 from samba.gpclass import gp_ext_setter, gp_inf_ext
+from samba.auth import system_session
+try:
+    from ldb import LdbError
+    from samba.samdb import SamDB
+except ImportError:
+    pass
 
 
 class inf_to_kdc_tdb(gp_ext_setter):
@@ -55,6 +61,16 @@ class inf_to_ldb(gp_ext_setter):
     object to update the parameter to Samba4. Not registry oriented whatsoever.
     '''
 
+    def __init__(self, logger, gp_db, lp, creds, key, value):
+        super(inf_to_ldb, self).__init__(logger, gp_db, lp, creds, key, value)
+        try:
+            self.ldb = SamDB(self.lp.samdb_url(),
+                             session_info=system_session(),
+                             credentials=self.creds,
+                             lp=self.lp)
+        except (NameError, LdbError):
+            raise Exception('Failed to load SamDB for assigning Group Policy')
+
     def ch_minPwdAge(self, val):
         old_val = self.ldb.get_minPwdAge()
         self.logger.info('KDC Minimum Password age was changed from %s to %s'
@@ -130,6 +146,8 @@ class gp_sec_ext(gp_inf_ext):
         return os.path.join(rootpath, "User/Registry.pol")
 
     def apply_map(self):
+        if self.lp.get('server role') != 'active directory domain controller':
+            return {}
         return {"System Access": {"MinimumPasswordAge": ("minPwdAge",
                                                          inf_to_ldb),
                                   "MaximumPasswordAge": ("maxPwdAge",