10 Symlink Policies

The purpose of this policy is to create a symbolic link on a Linux client. Only Machine policy is supported. This policy could be useful in conjunction with the Files Policy found in chapter 9.

This policy is physically stored on the SYSVOL in the MACHINE/VGP /VTLA/Unix/Symlink/manifest.xml file in the subdirectory of the Group Policy Object. It is stored in an xml format, and is easily modified manually using a text editor.

10.1 Server Side Extension

The Symlink Policy has no GPME Server Side Extension (SSE), so this policy may only be administered using samba-tool gpo manage symlink. This is because this SSE is stored on the SYSVOL as an xml file, not in the Registry.pol from an ADMX template.

10.1.1 Managing the Symlink Policy via samba-tool

The Symlink samba-tool command has 3 subcommands; add, list, and remove.

> samba-tool gpo manage symlink --help
Usage: samba-tool gpo manage symlink <subcommand>

Manage symlink Group Policy Objects


Options:
  -h, --help  show this help message and exit


Available subcommands:
  add     - Adds a VGP Symbolic Link Group Policy to the sysvol
  list    - List VGP Symbolic Link Group Policy from the sysvol
  remove  - Removes a VGP Symbolic Link Group Policy from the
            sysvol

To add a new Symlink policy to the SYSVOL, call the samba-tool gpo manage symlink add command.

samba-tool gpo manage symlink add <gpo> <source> <target>

This command will add a policy instructing the client to create a symbolic link pointing to source named target.

Let’s add a simple policy, which uploads a configuration file using the Files Policy (see chapter 9), then symlinks that configuration file to somewhere useful on the system.

> cat servlist.conf
N=Libera.Chat
L=1
E=UTF-8 (Unicode)
F=23
D=0
S=irc.libera.chat/6697
J=#samba-technical
> samba-tool gpo manage files add \
 {31B2F340-016D-11D2-945F-00C04FB984F9} servlist.conf \
 /usr/share/servlist.conf 'LIZARDO\tux' \
 'LIZARDO\domain users' 600 -UAdministrator
> samba-tool gpo manage files list \
 {31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
-rw------- LIZARDO\tux LIZARDO\domain users
 /usr/share/servlist.conf -> servlist.conf
> samba-tool gpo manage symlink add \
 {31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/servlist.conf \
 /home/LIZARDO/tux/.config/hexchat/servlist.conf -UAdministrator
> samba-tool gpo manage symlink list \
 {31B2F340-016D-11D2-945F-00C04FB984F9} -UAdministrator
ln -s /usr/share/servlist.conf
 /home/LIZARDO/tux/.config/hexchat/servlist.conf

Here we are uploading a configuration file for hexchat, then symlinking it to a user’s profile. The samba-tool gpo manage symlink list command displays the link operations that will be performed on the client.

Later when we choose to remove this policy, we will do so with the samba-tool gpo manage symlink remove command.

> samba-tool gpo manage symlink remove \
 {31B2F340-016D-11D2-945F-00C04FB984F9} /usr/share/servlist.conf \
 /home/LIZARDO/tux/.config/hexchat/servlist.conf -UAdministrator

10.2 Client Side Extension

The Symlink Client Side Extension (CSE) creates a symlink between the source and target. Startup Scripts only apply for Machine policy.

Let’s list the Resultant Set of Policy to view the symbolic link policy we created in the previous section.

> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================
  CSE: vgp_symlink_ext
  -----------------------------------------------------------
    Policy Type: VGP/Unix Settings/Symbolic Links
    -----------------------------------------------------------
    [ ln -s /usr/share/servlist.conf
      /home/LIZARDO/tux/.config/hexchat/servlist.conf ]
    -----------------------------------------------------------
  -----------------------------------------------------------
  CSE: vgp_files_ext
  -----------------------------------------------------------
    Policy Type: VGP/Unix Settings/Files
    -----------------------------------------------------------
    [ -rw------- LIZARDO\tux LIZARDO\domain users
      /usr/share/servlist.conf -> servlist.conf ]
    -----------------------------------------------------------
  -----------------------------------------------------------
=================================================================

In addition to our Symlink policy, we also see the Files policy which we added in conjunction with this.

Let’s now force our policy to apply and see how the CSE behaves.

> sudo /usr/sbin/samba-gpupdate --force
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
> | sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
 | xmllint --xpath "//gp_ext[@name='VGP/Unix Settings/Files' or
                             @name='VGP/Unix Settings/Symbolic
                                    Links']" - \
 | xmllint --format -
<gp_ext name="VGP/Unix Settings/Files">
  <attribute name="/usr/share/servlist.conf">
    d5b5...820c:LIZARDO\5Ctux:LIZARDO\5Cdomain users:384
  </attribute>
</gp_ext>
<gp_ext name="VGP/Unix Settings/Symbolic Links">
  <attribute name="/usr/share/servlist.conf:
             /home/LIZARDO/tux/.config/hexchat/servlist.conf">
    /home/LIZARDO/tux/.config/hexchat/servlist.conf
  </attribute>
</gp_ext>
> l /usr/share/servlist.conf
-rw------- 1 LIZARDO\tux LIZARDO\domain users 87 Nov 15 13:51
 /usr/share/servlist.conf
> sudo l /home/LIZARDO/tux/.config/hexchat/servlist.conf
lrwxrwxrwx 1 root root 24 Nov 15 13:51 /home/LIZARDO/tux/.config/
 hexchat/servlist.conf -> /usr/share/servlist.conf

Our Group Policy Cache at /var/lib/samba/gpo.tdb shows the two policies have been applied. Listing the target, we also see that the symlink now exists. If we output the contents of our symlink, we can see that it is indeed pointing to our configuration file that we uploaded to the SYSVOL earlier.

> sudo cat /home/LIZARDO/tux/.config/hexchat/servlist.conf
N=Libera.Chat
L=1
E=UTF-8 (Unicode)
F=23
D=0
S=irc.libera.chat/6697
J=#samba-technical