-
Notifications
You must be signed in to change notification settings - Fork 0
/
09-msgs.Rmd
196 lines (148 loc) · 8.19 KB
/
09-msgs.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
# Message Policies {#msgs}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("msgs-images/msg.png")
```
\index{Policies!Message}
The purpose of the Message policy is to set the contents of the `/etc/motd` and `/etc/issue` files. These are Machine only policies.
This policy is physically stored in three different locations on the SYSVOL, in **MACHINE/Registry.pol**, **MACHINE/VGP/VTLA/Unix/Issue/** **manifest.xml**, and **MACHINE/VGP/VTLA/Unix/MOTD/** **manifest.xml**. The `manifest.xml` files are in xml format, and are easily modified manually using a text editor. The `Registry.pol` is in registry format. See chapter \@ref(regpol) for details on how to manually modify this file.
## Server Side Extension
The Server Side Extensions (SSE) for Message policies are distributed via either Administrative Templates (see chapter \@ref(sse) in section \@ref(admx)) or via the commands `samba-tool gpo manage motd` and `samba-tool gpo manage issue`. Rules added via GPME will not be visible to the respective `samba-tool` commands, and vice versa. This is because the `samba-tool` commands are intended to manage Vintela Group Policy compatability. These two SSEs should not be used in conjunction to one another, as it will cause unpredictable results on the client.
\index{Server Side Extensions}
### Managing Message Policy via the GPME {#msgs-gpme}
Setting up the ADMX templates for this policy is described in chapter \@ref(install-admx) section \@ref(install-admx-samba).
\index{Administrative Templates}
To edit the "Message of the day" and "Login Prompt Message" settings using the Group Policy Management Editor (GPME):
1. Open the Group Policy Management Editor. For instructions on accessing the GPME, see chapter \@ref(manage) section \@ref(gpopen).
2. In the Group Policy Management Editor window, navigate to `Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Group Policy Management Editor"}
knitr::include_graphics("msgs-images/gpme.png")
```
3. In the right pane, double-click on the "Message of the day" setting.
4. In the "Message of the day" dialog box, enter the desired message in the text field.
5. Click "OK" to save the changes and close the dialog box.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Message of the day"}
knitr::include_graphics("msgs-images/motd.png")
```
6. In the right pane, double-click on the "Login Prompt Message" setting.
7. In the "Login Prompt Message" dialog box, enter the desired message in the text field. The "Help" field on the right explains the various options for this message.
8. Click "OK" to save the changes and close the dialog box.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "Login Prompt Message"}
knitr::include_graphics("msgs-images/issue.png")
```
### Managing Message Policy via samba-tool {#msgs-samba-tool}
The `samba-tool gpo manage motd` and `samba-tool gpo manage issue` commands each have 2 subcommands; set and list.
```
> samba-tool gpo manage motd
Usage: samba-tool gpo manage motd <subcommand>
Manage Message of the Day Group Policy Objects
Options:
-h, --help show this help message and exit
Available subcommands:
list - List VGP MOTD Group Policy from the sysvol
set - Sets a VGP MOTD Group Policy to the sysvol
```
The syntax is the same for both `motd` and `issue`. The `list` command simply lists the current value of the setting, while the `set` command will set the contents of the setting.
To use the `samba-tool gpo manage motd list` command, you need to provide the name of the GPO as an argument. For example:
```sh
samba-tool gpo manage motd list \
{31B2F340-016D-11D2-945F-00C04FB984F9}
```
To use the `samba-tool gpo manage motd set` command, you need to provide the name of the GPO as an argument, followed by the message you want to set as the MOTD. For example:
```sh
samba-tool gpo manage motd set \
{31B2F340-016D-11D2-945F-00C04FB984F9} "Welcome to the server!
Please make sure to read the guidelines before proceeding."
```
If no value is provided for the message, the MOTD will be unset and will not be displayed to users when they log in.
Let's set some messages for testing later.
```
> samba-tool gpo manage motd set \
{31B2F340-016D-11D2-945F-00C04FB984F9} \
"motd set from samba-tool" -UAdministrator
> samba-tool gpo manage issue set \
{31B2F340-016D-11D2-945F-00C04FB984F9} \
"issue set from samba-tool" -UAdministrator
```
Doing a list for good measure, we see that the policy is set on the SYSVOL.
```
> samba-tool gpo manage motd list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator; echo
motd set from samba-tool
> samba-tool gpo manage issue list \
{31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator; echo
issue set from samba-tool
```
## Client Side Extension
Samba provides 3 different Client Side Extensions (CSE) for the Messages policy. The Samba policy distributed via the GPME discussed in \@ref(msgs-gpme) called `gp_msgs_ext`, and the Vintela compatible policy split in 2 parts discussed in \@ref(msgs-samba-tool) called `vgp_motd_ext` and `vgp_issue_ext`.
These CSEs set the contents of `/etc/motd` and `/etc/issue`. If both Samba and Vintela compatible policies are set, they will conflict.
\index{Client Side Extensions}
Let's list the Resultant Set of Policy to view what will be applied by `samba-gpupdate`.
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_msgs_ext
-----------------------------------------------------------
Policy Type: /etc/motd
-----------------------------------------------------------
Welcome to Linux Group Policy!
-----------------------------------------------------------
Policy Type: /etc/issue
-----------------------------------------------------------
Welcome to \s \r \l
-----------------------------------------------------------
-----------------------------------------------------------
CSE: vgp_motd_ext
-----------------------------------------------------------
Policy Type: /etc/motd
-----------------------------------------------------------
motd set from samba-tool
-----------------------------------------------------------
-----------------------------------------------------------
CSE: vgp_issue_ext
-----------------------------------------------------------
Policy Type: /etc/issue
-----------------------------------------------------------
issue set from samba-tool
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
Because both these policies are set, we can't predict which one will actually be applied. Let's do a force and see what the result is.
```
> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='Unix Settings/Messages' or
@name='Unix Settings/Message
of the Day' or
@name='Unix Settings/Issue']" - \
| xmllint --format -
<gp_ext name="Unix Settings/Messages">
<attribute name="motd"/>
<attribute name="issue">
Welcome to openSUSE Tumbleweed
</attribute>
</gp_ext>
<gp_ext name="Unix Settings/Message of the Day">
<attribute name="motd">
Welcome to Linux Group Policy!
</attribute>
</gp_ext>
<gp_ext name="Unix Settings/Issue">
<attribute name="issue">
Welcome to \5Cs \5Cr \5Cl
</attribute>
</gp_ext>
```
Note that Messages policy stores the previous value of the message content in the Group Policy Cache. So we can discern from the message content that `vgp_motd_ext` and `vgp_issue_ext` applied last (since the messages from `gp_msgs_ext` show up in the log). We can confirm this by checking the contents of `/etc/motd` and `/etc/issue`.
\index{Group Policy Cache}
```
> cat /etc/motd; echo
motd set from samba-tool
> cat /etc/issue; echo
issue set from samba-tool
```