GPO Backup and Restore

Revision as of 22:16, 20 March 2019 by Garming (talk | contribs) (Generalizing a GPO to use in a different domain)

Overview

Added in Samba version: 4.10

<What does the feature do, Why might users care about it, What is the Microsoft-equivalent that a Windows admin might be familiar with, etc>

How to configure it

Setup your GPO,

Generalizing a GPO to use in a different domain

samba-tool gpo backup --generalize --entities=<output path>
<!ENTITY SAMBA__NETWORK_PATH__82419dafed126a07d6b96c66fc943735__ "\\garming.replaced.realm.com">
<!ENTITY SAMBA__NETWORK_PATH__0484cd41ded45a0728333a9c5e5ef619__ "\\garming">
<!ENTITY SAMBA____SDDL_ACL____4ce8277be3f630300cbcf80a80e21cf4__ "D:PAR(A;CI;KA;;;BA)(A;CIIO;KA;;;CO)(A;CI;KA;;;SY)(A;CI;KR;;;BU)(A;CI;KR;;;S-1-0-0)">
<!ENTITY SAMBA____USER_ID_____d0970f5a1e19cb803f916c203d5c39c4__ "*S-1-5-21-3075996733-1131693954-1131023892-501">
<!ENTITY SAMBA____USER_ID_____7b7bc2512ee1fedcd76bdc68926d4f7b__ "Guest">
<!ENTITY SAMBA____USER_ID_____a3069f5a7a6530293ad8df6abd32af3d__ "Foobar">

Known issues and limitations

In Samba 4.10, there are these bugs currently open (no backports yet):

  • BUG #13825: GPE.INI files causes backup to fail
  • BUG #13806: GPT.INI failing with GPO names with accents
  • BUG #13627: GPO import doesn't enable the GPO immediately

This tool is largely independent to many Samba components. Building from source and running the latest Git master to backup and restore fixes these bugs correctly.

GPE.INI files causes backup to fail

Currently, if a GPE.INI file is created via RSAT, the backup no longer works. The only likely workaround would be to remove the GPE.INI file temporarily and copy it to its final location manually.

It would be recommended to use Samba master until this patch is backported.

GPT.INI failing with GPO names with accents

Currently, the only workaround for this bug appears to be avoiding setting a display name with non-ASCII characters. Removing the display name from the GPT.INI manually may also be an option (but note, this hasn't been tested).

In master, the name is interpreted as Latin-1 and is eventually removed entirely in any restored GPO (as the name appears to be sourced from LDAP and not this file).

GPO import doesn't enable the GPO immediately

Currently, the gPCMachineExtensionNames and gPCUserExtensionNames values on a newly restored GPO are not being set. To workaround, querying over LDAP from the DC where the backup was made, copy these values to the new GPO.

In master, this is now automatically done by the tool (but a new backup must be generated).

Troubleshooting

Manually inspecting output files and the resulting GPO in RSAT is probably the best way to ensure that the GPO work as intended. The generalization function for migrating GPO across domains is still incomplete as there are only a subset of files that support this feature in the tool.

Report any errors to Samba bugzilla, there are probably a number of files (and associated file formats) which have yet to be attempted with this tool.

For Developers

How to test it

make test TESTS=samba_tool.gpo

GPO import and export has a fallback mode to restore from binary files instead of from XML if any errors occur in the restore. Currently there isn't any way to turn this off, and so what should probably fail often doesn't.

Where the code is located

The core parsing logic for GPO is in the python gp_parse module.

The outer logic lives in netcmd/gpo.py (where the actual regex matching used to identify which parser is used) and the tests are all in the samba_tool gpo.py tests.

Note: The parser for PReg .pol files is auto-generated from IDL.

Reference Docs

[MS-GPOD] and [MS-GPOD] describe an overview of how the overall Group Policy system works. Individual references to which file formats correspond to which parsers lives in the comments of each parser class in gp_parse.