9 Files Policy

The Files Policy is useful to use in conjunction with the Scripts Policy, since it can be used to copy scripts to your client machine. This policy is also useful for deploying custom config files, etc. Like Startup Scripts, this policy began as a compatability layer for Vintela’s Files policy, but has become a Samba standard also. There is no Server Side Extension for the Group Policy Management Editor (GPME), but must be modified using the samba-tool gpo manage.

This policy is physically stored on the SYSVOL in the MACHINE/VGP/ VTLA/Unix/Files/manifest.xml file in the subdirectory of the Group Policy Object. It is stored in an xml format, and is easily modified manually using a text editor.

9.1 Server Side Extension

The Files Policy has no GPME Server Side Extension (SSE), so this policy may only be administered using samba-tool gpo manage files. This is because this SSE is stored on the SYSVOL as an xml file, not in the Registry.pol from an ADMX template.

9.1.1 Managing the Files Policy via samba-tool

The Files samba-tool command has 3 subcommands; add, list, and remove.

> samba-tool gpo manage files --help
Usage: samba-tool gpo manage files <subcommand>

Manage Files Group Policy Objects


Options:
  -h, --help  show this help message and exit


Available subcommands:
  add     - Add VGP Files Group Policy to the sysvol
  list    - List VGP Files Group Policy from the sysvol
  remove  - Remove VGP Files Group Policy from the sysvol

To add a new File policy to the SYSVOL, call the samba-tool gpo manage files add command.

samba-tool gpo manage files add <gpo> <source> <target> <user>
 <group> <mode>

For example:

samba-tool gpo manage files add \
 {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt \
 /usr/share/doc/target.txt root root 600

The source argument refers to the source file on the host you are running the command from. This source file will be uploaded to the SYSVOL. The target argument is where the file should be deployed to on the client by the CSE. The user, group and mode refer to the attributes which will be assigned to the file when it is deployed to the client.

If, for example, we were to create a daily script (as described in chapter 7), we could use this policy to deploy that script to the Linux client. Let’s now create a policy for testing that deployment.

> cat test_script.sh
#!/bin/sh

echo Something is happening daily
> samba-tool gpo manage files add \
 {31B2F340-016D-11D2-945F-00C04FB984F9} ./test_script.sh \
 /usr/bin/test_script.sh root root 555 -UAdministrator
> samba-tool gpo manage files list \
 {31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
-r-xr-xr-x  root    root    /usr/bin/test_script.sh ->
                                test_script.sh

The output of the samba-tool gpo manage files list command now shows that we have a policy set which will deploy a link to our test_script.sh on the host. If we check the contents of the SYSVOL, we can see that our file has been uploaded successfully.

> sudo mount.cifs \\\\lizardo.suse.de\\SYSVOL /mnt/ \
 -ouser=Administrator
> l /mnt/lizardo.suse.de/Policies/
    {31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/
    Unix/Files/
total 2
drwxr-xr-x 2 root root   0 Nov 15 09:55 ./
drwxr-xr-x 2 root root   0 Nov 15 09:55 ../
-rwxr-xr-x 1 root root 532 Nov 15 09:55 manifest.xml*
-rwxr-xr-x 1 root root  45 Nov 15 09:55 test_script.sh*

Let’s take a look at the contents of the manifest.xml which stores our policy.

> cat /mnt/lizardo.suse.de/Policies/
      {31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/VGP/VTLA/
      Unix/Files/manifest.xml | xmllint --format -
<?xml version="1.0" encoding="UTF-8"?>
<vgppolicy>
  <policysetting>
    <version>1</version>
    <name>Files</name>
    <description>
      Represents file data to set/copy on clients
    </description>
    <data>
      <file_properties>
        <source>test_script.sh</source>
        <target>/usr/bin/test_script.sh</target>
        <user>root</user>
        <group>root</group>
        <permissions type="user">
          <read/>
          <execute/>
        </permissions>
        <permissions type="group">
          <read/>
          <execute/>
        </permissions>
        <permissions type="other">
          <read/>
          <execute/>
        </permissions>
      </file_properties>
    </data>
  </policysetting>
</vgppolicy>

Our source now refers to the file uploaded to the same directory as the manifest.

If you wanted to remove this policy later, we would issue the samba-tool gpo manage files remove command.

> samba-tool gpo manage files remove \
 {31B2F340-016D-11D2-945F-00C04FB984F9} /usr/bin/test_script.sh \
 -UAdministrator

Afterward the files list should be empty.

9.2 Client Side Extension

The Files Client Side Extension (CSE) copies the file from the SYSVOL to the location specified in the target variable earlier. The Files Policy only applies to Machine policy.

Let’s now list the Resultant Set of Policy on the Linux client to see the test file we created previously.

> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================
  CSE: vgp_files_ext
  -----------------------------------------------------------
    Policy Type: VGP/Unix Settings/Files
    -----------------------------------------------------------
    [ -r-xr-xr-x root root /usr/bin/test_script.sh -> 
                           test_script.sh ]
    -----------------------------------------------------------
  -----------------------------------------------------------
=================================================================

Note that while the output appears to suggest we will be creating a symlink, it is actually a hard copy of the file that is created. The syntax of the output is simply for illustrative purposes.

If we now force the policy to apply, we’ll see our file is physically copied to the requested location, along with the requested permissions.

> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
 | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
 | xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/Files']" - \
 | xmllint --format -
<gp_ext name="VGP/Unix Settings/Files">
  <attribute name="/usr/bin/test_script.sh">
    268d...9b39:root:root:365
  </attribute>
</gp_ext>
> l /usr/bin/test_script.sh
-r-xr-xr-x 1 root root 45 Nov 15 12:07 /usr/bin/test_script.sh*
> cat /usr/bin/test_script.sh
#!/bin/sh

echo Something is happening daily

The script is present where we requested. You can now refer to chapter 7 section 7.1.1 for details on how to schedule a job to execute this script via the Scripts Policy.