[Pkg-samba-maint] Bug#1068360: samba-gpupdate should be in samba-common-bin
Michael Tokarev
mjt at tls.msk.ru
Tue May 14 15:50:31 BST 2024
09.04.2024 15:13, Patrick Hibbs wrote:
> The net command in samba-common-bin, specifically: `/usr/bin/net ads join`, allows joining the domain without having the main samba package installed.
Does `net ads join` need any python stuff?
> sssd-ad with its ad_update_samba_machine_account_password flag set to true in its config will keep the machine creds up-to-date without the main
> samba package installed.
>
> samba-gpupdate handles downloading and managing group policies on the domain member, just like the gpupdate utility under Windows.
>
> samba-gpupdate is just a python script. Its dependencies are in python3-samba, which samba-common-bin already depends on. That script is invoked
> either by winbind, the alternative for sssd systems (and not packaged in Debian) oddjob-gpupdate (https://github.com/altlinux/oddjob-gpupdate),
> or manually by the system admin. (The script takes arguments similar to the Windows utility.)
Okay, I don't know most of this.
But we came across another idea in the meantime.
How about we split another package out of samba (and samba-common[-bin]),
named samba-ad?
The idea is to have minimal samba-common[-bin] to contain stuff absolutely
necessary for smbclient and all servers (without python deps), samba binary
package (also without python deps) being a minimal stand-alone file server,
samba-ad (depends on python and samba) being AD part of the story, and
samba-ad-dc is the, well, AD-DC part.
This way, samba-gpupdate will be part of samba-ad package, instead of samba-common[-bin].
I don't yet know whether it is doable, but at first look I think it is.
If you can help to better figure out what is what, it would be great.
Maybe samba-ad should not depend on samba though, to suit your needs
expressed in this bug report.
> Personally, I have samba-gpupdate invoked as an hourly cron job, which is pushed out to the client machines via Samba's crontab group policy
> extension. (So after the initial join, I have to invoke samba-gpupdate myself once, but after that, cron is configured automatically to call it
> based on the policy that was pulled.) Of course, this will break if the host gets put into an OU in the domain that removes the cronjob, but that
> can be fixed by recalling samba-gpupdate after fixing the policy on the domain side. (And can even be triggered via a script calling ssh.)
Yes, this can be done too, for sure. I'd use a systemd timer for this
stuff, and ship it disabled.
Thanks,
/mjt
--
GPG Key transition (from rsa2048 to rsa4096) since 2024-04-24.
New key: rsa4096/61AD3D98ECDF2C8E 9D8B E14E 3F2A 9DD7 9199 28F1 61AD 3D98 ECDF 2C8E
Old key: rsa2048/457CE0A0804465C5 6EE1 95D1 886E 8FFB 810D 4324 457C E0A0 8044 65C5
Transition statement: http://www.corpit.ru/mjt/gpg-transition-2024.txt
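The "systemd timer, shipped disabled" alternative to the hourly cron job discussed above, as an added example that is not part of this thread and not Debian's samba packaging. It writes a oneshot service plus an hourly timer for samba-gpupdate into a unit directory and deliberately does not enable anything, so the admin opts in. The unit names, the /usr/sbin/samba-gpupdate path, the After= ordering on winbind/sssd and the timing values are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the mailing-list author's or Debian's code): install a
# disabled-by-default systemd timer/service pair that runs samba-gpupdate
# hourly. Unit names, the binary path and timings are assumptions.
set -eu

install_gpupdate_timer() {
    # Unit directory; pass a scratch directory to dry-run without touching /etc.
    dir=${1:-/etc/systemd/system}
    mkdir -p "$dir"

    # Oneshot service: one policy refresh per timer tick, then exit.
    # No ProtectSystem/ReadOnlyPaths sandboxing here on purpose: the policy
    # extensions (crontab, sudoers, ...) write under /etc themselves.
    cat > "$dir/samba-gpupdate.service" <<'EOF'
[Unit]
Description=Apply Samba group policy (samba-gpupdate) to this machine
# Fetching policy needs the domain reachable; order after the network and
# after the join/credential daemon (winbind or sssd), whichever is in use.
After=network-online.target winbind.service sssd.service
Wants=network-online.target

[Service]
Type=oneshot
# Assumed install path; Computer policy is the default target.
ExecStart=/usr/sbin/samba-gpupdate
EOF

    # Hourly timer; RandomizedDelaySec spreads a fleet's DC load, Persistent
    # catches up a missed run after the host was off at the scheduled time.
    cat > "$dir/samba-gpupdate.timer" <<'EOF'
[Unit]
Description=Hourly samba-gpupdate run

[Timer]
OnCalendar=hourly
RandomizedDelaySec=10min
Persistent=true

[Install]
WantedBy=timers.target
EOF

    # Intentionally no "systemctl enable" here: the units ship disabled and
    # the admin turns the timer on after a successful `net ads join`.
    printf '%s\n' "$dir/samba-gpupdate.service" "$dir/samba-gpupdate.timer"
}

# Demonstration run against a scratch directory (constructed, not /etc).
install_gpupdate_timer "${GPUPDATE_UNIT_DIR:-$(mktemp -d)}"
```

To use it for real, run the function with no argument (or with /etc/systemd/system) as root, then `systemctl daemon-reload` and `systemctl enable --now samba-gpupdate.timer`; `systemctl list-timers samba-gpupdate.timer` shows the next scheduled refresh. The service has no [Install] section of its own, so it can only be started by the timer or by hand, which keeps the "shipped disabled" property of the package default.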