-
Notifications
You must be signed in to change notification settings - Fork 0
/
07-symlink.Rmd
163 lines (131 loc) · 6.26 KB
/
07-symlink.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
# Symlink Policies {#symlink}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("symlink-images/symlink.png")
```
\index{Policies!Symlink}
The purpose of this policy is to create a symbolic link on a Linux client. Only Machine policy is supported. This policy could be useful in conjunction with the Files Policy found in chapter \@ref(files).
This policy is physically stored on the SYSVOL in the **MACHINE/VGP** **/VTLA/Unix/Symlink/manifest.xml** file in the subdirectory of the Group Policy Object. It is stored in an xml format, and is easily modified manually using a text editor.
## Server Side Extension
The Symlink Policy has no GPME Server Side Extension (SSE), so this policy may only be administered using `samba-tool gpo manage symlink`. This is because this SSE is stored on the SYSVOL as an xml file, not in the Registry.pol from an ADMX template.
\index{Server Side Extensions}
### Managing the Symlink Policy via samba-tool
The Symlink `samba-tool` command has 3 subcommands; add, list, and remove.
```
> samba-tool gpo manage symlink --help
Usage: samba-tool gpo manage symlink <subcommand>
Manage symlink Group Policy Objects
Options:
-h, --help show this help message and exit
Available subcommands:
add - Adds a VGP Symbolic Link Group Policy to the sysvol
list - List VGP Symbolic Link Group Policy from the sysvol
remove - Removes a VGP Symbolic Link Group Policy from the
sysvol
```
To add a new Symlink policy to the SYSVOL, call the `samba-tool gpo manage symlink add` command.
```sh
samba-tool gpo manage symlink add <gpo> <source> <target>
```
This command will add a policy instructing the client to create a symbolic link pointing to `source` named `target`.
Let's add a simple policy, which uploads a configuration file using the Files Policy (see chapter \@ref(files)), then symlinks that configuration file to somewhere useful on the system.
```
> cat servlist.conf
N=Libera.Chat
L=1
E=UTF-8 (Unicode)
F=23
D=0
S=irc.libera.chat/6697
J=#samba-technical
> samba-tool gpo manage files add \
{31B2F340-016D-11D2-945F-00C04FB984F9} servlist.conf \
/usr/share/servlist.conf 'LIZARDO\tux' \
'LIZARDO\domain users' 600 -UAdministrator
> samba-tool gpo manage files list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
-rw------- LIZARDO\tux LIZARDO\domain users
/usr/share/servlist.conf -> servlist.conf
> samba-tool gpo manage symlink add \
{31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/servlist.conf \
/home/LIZARDO/tux/.config/hexchat/servlist.conf -UAdministrator
> samba-tool gpo manage symlink list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
ln -s /usr/share/servlist.conf
/home/LIZARDO/tux/.config/hexchat/servlist.conf
```
Here we are uploading a configuration file for hexchat, then symlinking it to a user's profile. The `samba-tool gpo manage symlink list` command displays the link operations that will be performed on the client.
Later when we choose to remove this policy, we will do so with the `samba-tool gpo manage symlink remove` command.
```
> samba-tool gpo manage symlink remove \
{31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/servlist.conf \
/home/LIZARDO/tux/.config/hexchat/servlist.conf -UAdministrator
```
## Client Side Extension
The Symlink Client Side Extension (CSE) creates a symlink between the `source` and `target`. Startup Scripts only apply for Machine policy.
\index{Client Side Extensions}
Let's list the Resultant Set of Policy to view the symbolic link policy we created in the previous section.
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: vgp_symlink_ext
-----------------------------------------------------------
Policy Type: VGP/Unix Settings/Symbolic Links
-----------------------------------------------------------
[ ln -s /usr/share/servlist.conf
/home/LIZARDO/tux/.config/hexchat/servlist.conf ]
-----------------------------------------------------------
-----------------------------------------------------------
CSE: vgp_files_ext
-----------------------------------------------------------
Policy Type: VGP/Unix Settings/Files
-----------------------------------------------------------
[ -rw------- LIZARDO\tux LIZARDO\domain users
/usr/share/servlist.conf -> servlist.conf ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
In addition to our Symlink policy, we also see the Files policy which we added in conjunction with this.
Let's now force our policy to apply and see how the CSE behaves.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
> | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/Files' or
@name='VGP/Unix Settings/Symbolic
Links']" - \
| xmllint --format -
<gp_ext name="VGP/Unix Settings/Files">
<attribute name="/usr/share/servlist.conf">
d5b5...820c:LIZARDO\5Ctux:LIZARDO\5Cdomain users:384
</attribute>
</gp_ext>
<gp_ext name="VGP/Unix Settings/Symbolic Links">
<attribute name="/usr/share/servlist.conf:
/home/LIZARDO/tux/.config/hexchat/servlist.conf">
/home/LIZARDO/tux/.config/hexchat/servlist.conf
</attribute>
</gp_ext>
> l /usr/share/servlist.conf
-rw------- 1 LIZARDO\tux LIZARDO\domain users 87 Nov 15 13:51
/usr/share/servlist.conf
> sudo l /home/LIZARDO/tux/.config/hexchat/servlist.conf
lrwxrwxrwx 1 root root 24 Nov 15 13:51 /home/LIZARDO/tux/.config/
hexchat/servlist.conf -> /usr/share/servlist.conf
```
Our Group Policy Cache at `/var/lib/samba/gpo.tdb` shows the two policies have been applied. Listing the `target`, we also see that the symlink now exists. If we output the contents of our symlink, we can see that it is indeed pointing to our configuration file that we uploaded to the SYSVOL earlier.
\index{Group Policy Cache}
```
> sudo cat /home/LIZARDO/tux/.config/hexchat/servlist.conf
N=Libera.Chat
L=1
E=UTF-8 (Unicode)
F=23
D=0
S=irc.libera.chat/6697
J=#samba-technical
```