-
Notifications
You must be signed in to change notification settings - Fork 0
/
05-startup-scripts.Rmd
172 lines (134 loc) · 7.22 KB
/
05-startup-scripts.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
# Startup Script Policies {#startupscripts}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("startup-scripts-images/start.png")
```
\index{Policies!Startup Script}
Startup scripts earn themselves a chapter independant of the Script Polices chapter because they are so thoroughly different. The Startup Scripts Policy started as a compatability layer for Vintela's Startup Scripts, but became the defacto standard for Samba also. This policy has no Server Side Extension in the Group Policy Management Editor (GPME), but only provides a `samba-tool` command for setting the policy. A nice advantage to using this policy is that when using the `samba-tool gpo manage` command to set the policy, it automatically uploads the script file you specify to the SYSVOL.
This policy is physically stored on the SYSVOL in the **MACHINE/VGP** **/VTLA/Unix/Scripts/Startup/manifest.xml** file in the subdirectory of the Group Policy Object. They are stored in an xml format, and are easily modified manually using a text editor.
## Server Side Extension
Startup Script Policies have no GPME Server Side Extension (SSE), so this policy may only be administered using `samba-tool gpo manage scripts startup`. This is because this SSE is stored on the SYSVOL as an xml file, not in the Registry.pol from an ADMX template.
\index{Server Side Extensions}
### Managing Startup Script Policies via samba-tool
The Startup Scripts `samba-tool` command has 3 subcommands; add, list, and remove.
```
> samba-tool gpo manage scripts startup --help
Usage: samba-tool gpo manage scripts startup <subcommand>
Manage Startup Scripts Group Policy Objects
Options:
-h, --help show this help message and exit
Available subcommands:
add - Adds VGP Startup Script Group Policy to the sysvol
list - List VGP Startup Script Group Policy from the sysvol
remove - Removes VGP Startup Script Group Policy from the sysvol
```
To add a new Startup Script policy to the SYSVOL, call the `samba-tool gpo manage scripts startup add` command.
```sh
samba-tool gpo manage scripts startup add <gpo> <script> [args]
[run_as]
```
The `samba-tool gpo manage scripts startup add` command is used to add a startup script policy to the SYSVOL. The command takes a Group Policy Object (GPO) identifier and a script file as arguments, as well as optional arguments for script arguments, and the user to run the script as.
When adding a script, you pass the relative path to an existing script file. This script will be uploaded to the SYSVOL and made available to clients for execution. You can also provide an optional set of arguments that will be passed to the script when it is executed. These arguments are parsed as a single argument to the command, so they must be wrapped in quotes and all dashes ('-') must be escaped. There is also an optional argument `run_as` to instruct the client to run the script as a specific user. The optional `--run-once` parameter can instruct the script to execute only once, on the next startup, and not again.
Let's add a simple test script now which echos a message, and takes no arguments. By default this command will run as root.
```
> cat test_script.sh
#!/bin/sh
echo Something is happening here at startup
> samba-tool gpo manage scripts startup add \
{31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh \
-UAdministrator
> samba-tool gpo manage scripts startup list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
@reboot root \\lizardo.suse.de\Policies\
{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\VGP\VTLA\Unix\
Scripts\Startup\test_script.sh
```
Notice that the path to the script is now pointing to an uploaded copy on the SYSVOL.
If we mount the SYSVOL, we can take a look at the xml file created by the policy.
```
> sudo mount.cifs \\\\lizardo.suse.de\\SYSVOL /mnt/ \
-ouser=Administrator
> cat /mnt/lizardo.suse.de/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/Unix/
Scripts/Startup/manifest.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<vgppolicy>
<policysetting>
<version>1</version>
<name>Unix Scripts</name>
<description>
Represents Unix scripts to run on Group Policy clients
</description>
<data>
<listelement>
<script>test_script.sh</script>
<hash>3F1F0449B3070AD113B2878C751C4887</hash>
</listelement>
</data>
</policysetting>
</vgppolicy>
```
If you wanted to remove this policy later, we would issue the `samba-tool gpo manage scripts startup remove` command.
```
> samba-tool gpo manage scripts startup remove \
{31B2F340-016D-11D2-945F-00C04FB984F9} \
-UAdministrator test_script.sh
```
## Client Side Extension
The Startup Scripts Client Side Extension (CSE) creates `@reboot` cron jobs on the Linux client. Startup Scripts only apply for Machine policy.
\index{Client Side Extensions}
We created a test script in the previous section. If we now list the Resultant Set of Policy on the client, we see this:
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: vgp_startup_scripts_ext
-----------------------------------------------------------
Policy Type: VGP/Unix Settings/Startup Scripts
-----------------------------------------------------------
[ @reboot root /var/lib/samba/gpo_cache/LIZARDO.SUSE.DE/
POLICIES/{31B2F340-016D-11D2-945F-00C04FB984F9}/
MACHINE/VGP/VTLA/UNIX/SCRIPTS/STARTUP/
TEST_SCRIPT.SH ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
If we now force the policy to apply, we'll see our script is scheduled to execute using a cron job.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
> | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" | \
xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/
Startup Scripts']" - | \
xmllint --format -
<?xml version="1.0"?>
<gp_ext name="VGP/Unix Settings/Startup Scripts">
<attribute
name="test_script.sh:3F1F0449B3070AD113B2878C751C4887:">
/etc/cron.d/gp_vzldfcii
</attribute>
</gp_ext>
> sudo cat /etc/cron.d/gp_vzldfcii
### autogenerated by samba
#
# This file is generated by the vgp_startup_scripts_ext Group
# Policy Client Side Extension. To modify the contents of this
# file, modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
@reboot root /var/lib/samba/gpo_cache/LIZARDO.SUSE.DE/POLICIES/
{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/UNIX/
SCRIPTS/STARTUP/TEST_SCRIPT.SH
```
You can see we found the location of our cron job by outputting the applied policy from our Group Policy Cache. The cron job instructs the script to execute as root on every reboot. Let's also verify our script has been deployed on the client.
\index{Group Policy Cache}
```
> sudo cat /var/lib/samba/gpo_cache/LIZARDO.SUSE.DE/POLICIES/
{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/UNIX/
SCRIPTS/STARTUP/TEST_SCRIPT.SH
#!/bin/sh
echo Something is happening here at startup
```