-
Notifications
You must be signed in to change notification settings - Fork 0
/
04-scripts.Rmd
191 lines (145 loc) · 8.34 KB
/
04-scripts.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
# Script Policies {#scripts}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("scripts-images/write.png")
```
\index{Policies!Script}
The purpose of this policy is to schedule cron jobs on a Linux client. Both Machine and User policy is supported. This policy does not upload a script for execution, it only schedules an existing script to run. To first load a script onto the client, see the Files Policy in chapter \@ref(files).
This policy is physically stored on the SYSVOL in the **MACHINE/Registry.pol** and **USER/Registry.pol** files within the subdirectory of the Group Policy Object. It is stored in registry format. See chapter \@ref(regpol) for details on how to manually modify this file.
## Server Side Extension
The Server Side Extension for smb.conf policies is distributed using Administrative Templates (ADMX). Refer to chapter \@ref(sse) in section \@ref(admx) for details about Administrative Templates.
Setting up the ADMX templates for this policy is described in chapter \@ref(install-admx) section \@ref(install-admx-samba).
\index{Server Side Extensions}
\index{Administrative Templates}
### Managing Machine Scripts Policies via the GPME {#scripts-gpme}
As an example, let's create a simple cron job which echo's "hello world" once every day.
1. Open the Group Policy Management Editor (GPME). For instructions on accessing the GPME, see chapter \@ref(manage) section \@ref(gpopen).
2. In the left pane of the GPME, navigate to `Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Scripts Server Side Extension (ADMX)"}
knitr::include_graphics("scripts-images/scripts.png")
```
3. In the right pane, double-click the "Daily" policy.
4. In the "Daily" dialog box, click the Enabled option and then click the Show button.
5. In the "Show Contents" dialog box, type the following script in the "Value" field:
```sh
echo "hello world"
```
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Script Example"}
knitr::include_graphics("scripts-images/hello_world.png")
```
6. Click OK to close the "Show Contents" dialog box, and then click OK again to close the "Daily" dialog box.
### Managing User Scripts Policies via the GPME
Next we'll create a user script that echo's the text "Don't do that Dave" every hour.
1. In the left pane of the GPME, navigate to `User Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts`.
2. In the right pane, double-click the "Hourly" policy.
3. In the "Hourly" dialog box, click the Enabled option and then click the Show button.
4. In the "Show Contents" dialog box, type the following script in the "Value" field:
```sh
echo "Don't do that Dave"
```
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "User Script Example"}
knitr::include_graphics("scripts-images/dave.png")
```
5. Click OK to close the "Show Contents" dialog box, and then click OK again to close the "Hourly" dialog box.
The quote "Don't do that Dave" is a line spoken by the character HAL 9000 in the science fiction film "2001: A Space Odyssey." HAL is a sentient computer that controls the systems of a spacecraft, and the quote is spoken in a scene where HAL is attempting to prevent one of the astronauts from disconnecting its memory.
## Client Side Extension
The Scripts Client Side Extension (CSE) creates cron jobs on the Linux client. For Machine policy, these jobs are installed in a file within the `/etc/cron.daily`, `/etc/cron.monthly`, `/etc/cron.weekly` and `/etc/cron.hourly` directories. For User policy, the user's crontab file is directly modified.
\index{Client Side Extensions}
In the previous section we created two test Script policies. If we now go to our Linux client, and check the Resultant Set of Policy, we see this:
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_scripts_ext
-----------------------------------------------------------
Policy Type: Daily Scripts
-----------------------------------------------------------
[ echo hello world ]
-----------------------------------------------------------
-----------------------------------------------------------
CSE: gp_centrify_crontab_ext
-----------------------------------------------------------
Policy Type: Centrify/CrontabEntries
-----------------------------------------------------------
[ @daily echo hello world from Centrify ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
> sudo /usr/sbin/samba-gpupdate --target=User -U tux --rsop
Resultant Set of Policy
User Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_user_scripts_ext
-----------------------------------------------------------
Policy Type: Hourly Scripts
-----------------------------------------------------------
[ echo Don't do that Dave ]
-----------------------------------------------------------
-----------------------------------------------------------
CSE: gp_user_centrify_crontab_ext
-----------------------------------------------------------
Policy Type: Centrify/CrontabEntries
-----------------------------------------------------------
[ @hourly echo Don't do that Dave from Centrify ]
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
In addition to the expected scripts that we added previously, you'll notice there are 2 additional entries. The `gp_centrify_crontab_ext` and `gp_user_centrify_crontab_ext` CSEs parse policies provided by a Centrify Server Side Extension. These weren't introduced previously in the chapter because they are a proprietary solution not provided by Samba. Samba provides a CSE to apply these for compatability reasons, but does not provide a SSE to set them. These CSEs are provided to assist in migration from proprietary technologies. We won't discuss these any further.
Let's now force an apply, and verify that the cron jobs are scheduled.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Unix Settings/Scripts']" - \
| xmllint --format -
<?xml version="1.0"?>
<gp_ext name="Unix Settings/Scripts">
<attribute name="Software\Policies\Samba\Unix
Settings\Daily Scripts:ZWNobyBoZWxsbyB3b3JsZA==">
/etc/cron.daily/gp_m94kdru9
</attribute>
</gp_ext>
> sudo /usr/sbin/samba-gpupdate --target=User -U tux --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "LIZARDO\\tux" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Unix Settings/Scripts']" - \
| xmllint --format -
<?xml version="1.0"?>
<gp_ext name="Unix Settings/Scripts">
<attribute name="Software\Policies\Samba\Unix
Settings\Hourly Scripts:94d6...e415">
@hourly echo Don't do that Dave
</attribute>
</gp_ext>
```
First we see that the machine policy created the script `/etc/cron.daily/` `gp_m94kdru9`. Let's take a look at the contents.
\index{Group Policy Cache}
```bash
> sudo cat /etc/cron.daily/gp_m94kdru9
#!/bin/sh
### autogenerated by samba
#
# This file is generated by the gp_scripts_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
echo hello world
```
Next we notice that the user policy created the entry `@hourly echo Don't do that Dave`. If we inspect the crontab of the user `tux`, we see the entry.
```
> sudo crontab -l -u LIZARDO\\tux
### autogenerated by samba
#
# This file is generated by the gp_scripts_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#
@hourly echo Don't do that Dave
### autogenerated by samba ###
```