-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy path06-files.Rmd
187 lines (147 loc) · 7 KB
/
06-files.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
# Files Policy {#files}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("files-images/upload.png")
```
\index{Policies!Files}
The Files Policy is useful to use in conjunction with the Scripts Policy, since it can be used to copy scripts to your client machine. This policy is also useful for deploying custom config files, etc. Like Startup Scripts, this policy began as a compatability layer for Vintela's Files policy, but has become a Samba standard also. There is no Server Side Extension for the Group Policy Management Editor (GPME), but must be modified using the `samba-tool gpo manage`.
This policy is physically stored on the SYSVOL in the **MACHINE/VGP/** **VTLA/Unix/Files/manifest.xml** file in the subdirectory of the Group Policy Object. It is stored in an xml format, and is easily modified manually using a text editor.
## Server Side Extension
The Files Policy has no GPME Server Side Extension (SSE), so this policy may only be administered using `samba-tool gpo manage files`. This is because this SSE is stored on the SYSVOL as an xml file, not in the Registry.pol from an ADMX template.
\index{Server Side Extensions}
### Managing the Files Policy via samba-tool
The Files `samba-tool` command has 3 subcommands; add, list, and remove.
```
> samba-tool gpo manage files --help
Usage: samba-tool gpo manage files <subcommand>
Manage Files Group Policy Objects
Options:
-h, --help show this help message and exit
Available subcommands:
add - Add VGP Files Group Policy to the sysvol
list - List VGP Files Group Policy from the sysvol
remove - Remove VGP Files Group Policy from the sysvol
```
To add a new File policy to the SYSVOL, call the `samba-tool gpo manage files add` command.
```sh
samba-tool gpo manage files add <gpo> <source> <target> <user>
<group> <mode>
```
For example:
```sh
samba-tool gpo manage files add \
{31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt \
/usr/share/doc/target.txt root root 600
```
The `source` argument refers to the source file on the host you are running the command from. This source file will be uploaded to the SYSVOL. The `target` argument is where the file should be deployed to on the client by the CSE. The `user`, `group` and `mode` refer to the attributes which will be assigned to the file when it is deployed to the client.
If, for example, we were to create a daily script (as described in chapter \@ref(scripts)), we could use this policy to deploy that script to the Linux client. Let's now create a policy for testing that deployment.
```
> cat test_script.sh
#!/bin/sh
echo Something is happening daily
> samba-tool gpo manage files add \
{31B2F340-016D-11D2-945F-00C04FB984F9} ./test_script.sh \
/usr/bin/test_script.sh root root 555 -UAdministrator
> samba-tool gpo manage files list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
-r-xr-xr-x root root /usr/bin/test_script.sh ->
test_script.sh
```
The output of the `samba-tool gpo manage files list` command now shows that we have a policy set which will deploy a link to our test\_script.sh on the host. If we check the contents of the SYSVOL, we can see that our file has been uploaded successfully.
```
> sudo mount.cifs \\\\lizardo.suse.de\\SYSVOL /mnt/ \
-ouser=Administrator
> l /mnt/lizardo.suse.de/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/
Unix/Files/
total 2
drwxr-xr-x 2 root root 0 Nov 15 09:55 ./
drwxr-xr-x 2 root root 0 Nov 15 09:55 ../
-rwxr-xr-x 1 root root 532 Nov 15 09:55 manifest.xml*
-rwxr-xr-x 1 root root 45 Nov 15 09:55 test_script.sh*
```
Let's take a look at the contents of the `manifest.xml` which stores our policy.
```
> cat /mnt/lizardo.suse.de/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/
Unix/Files/manifest.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<vgppolicy>
<policysetting>
<version>1</version>
<name>Files</name>
<description>
Represents file data to set/copy on clients
</description>
<data>
<file_properties>
<source>test_script.sh</source>
<target>/usr/bin/test_script.sh</target>
<user>root</user>
<group>root</group>
<permissions type="user">
<read/>
<execute/>
</permissions>
<permissions type="group">
<read/>
<execute/>
</permissions>
<permissions type="other">
<read/>
<execute/>
</permissions>
</file_properties>
</data>
</policysetting>
</vgppolicy>
```
Our `source` now refers to the file uploaded to the same directory as the manifest.
If you wanted to remove this policy later, we would issue the `samba-tool gpo manage files remove` command.
```
> samba-tool gpo manage files remove \
{31B2F340-016D-11D2-945F-00C04FB984F9} /usr/bin/test_script.sh \
-UAdministrator
```
Afterward the files list should be empty.
## Client Side Extension
The Files Client Side Extension (CSE) copies the file from the SYSVOL to the location specified in the `target` variable earlier. The Files Policy only applies to Machine policy.
\index{Client Side Extensions}
Let's now list the Resultant Set of Policy on the Linux client to see the test file we created previously.
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: vgp_files_ext
-----------------------------------------------------------
Policy Type: VGP/Unix Settings/Files
-----------------------------------------------------------
[ -r-xr-xr-x root root /usr/bin/test_script.sh ->
test_script.sh ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
Note that while the output appears to suggest we will be creating a symlink, it is actually a hard copy of the file that is created. The syntax of the output is simply for illustrative purposes.
If we now force the policy to apply, we’ll see our file is physically copied to the requested location, along with the requested permissions.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/Files']" - \
| xmllint --format -
<gp_ext name="VGP/Unix Settings/Files">
<attribute name="/usr/bin/test_script.sh">
268d...9b39:root:root:365
</attribute>
</gp_ext>
> l /usr/bin/test_script.sh
-r-xr-xr-x 1 root root 45 Nov 15 12:07 /usr/bin/test_script.sh*
> cat /usr/bin/test_script.sh
#!/bin/sh
echo Something is happening daily
```
\index{Group Policy Cache}
The script is present where we requested. You can now refer to chapter \@ref(scripts) section \@ref(scripts-gpme) for details on how to schedule a job to execute this script via the Scripts Policy.