policies only work for admin group

Tim Gildersleeve t.gildersleeve at bilk.ac.uk
Thu Mar 8 08:19:22 GMT 2001


Sorry, but in a way I'm glad to see that you are having this problem! I
have just given up on Samba as a PDC for a small domain because of the
policies not working. I *need* to have working policies to lock down some
student machines and no matter what I do I can't get it working. So as a
last resort, I have had to go back to a WinNT Server PDC for authentication
and leave all the shares on the Samba server. I really hoped to get rid of
NT as server but - oh well, give it time and it will all be good in Samba
PDC policy support.

Tim Gildersleeve

> -----Original Message-----
> From:	Ben Liesfeld [SMTP:ben.liesfeld at gmx.de]
> Sent:	Wednesday, March 07, 2001 12:58 PM
> To:	samba-ntdom at us5.samba.org
> Subject:	policies only work for admin group
> 
> Hello,
> 
>   I recently moved from TNG 2.6 alpha back again to 2.2.alpha. I still
>   got the problem with policies an NTws. Everything works fine but
>   policies are only applied to members of the domain admin group
>   defined in smb.conf. In the logs I see that normal users access the
>   .pol, too, but they don't get the changes.
> 
>   I'll attach my smb.conf. Has anybody got policies to work with
>   2.2.alpha?
> 
> ----------smb.conf-------------
> ;
> ; /etc/smb.conf
> ;
> ;
> [global]
>         status = yes
>         message command = winpopup
> ;       interfaces = 192.168.0.50
>         
>         security = user
>         domain master = Yes
>         domain admin group = @adm
>         domain groups = adm, users, referenten, mdstura
>         homedir map = /home
>         domain logons = Yes
>         printing = bsd
>         logon path = \\%L\profiles\%U
>         server string = File-Server des Studentenrates
>         workgroup = Stura
>         passwd chat = *password* %n\n *password* %n\n *Password*changed*
>         logon script = scripts\%G.bat
>         netbios name = zeus
>         keep alive = 30
>         kernel oplocks = false
>         log file = /var/log/samba/log.%m
>         log level = 2
> 
>         printcap name = /etc/printcap
>         dns proxy = no
> ;       logon home = \\%L\%U
>         map to guest = Bad User
>         passwd program = /usr/bin/passwd %u
>         encrypt passwords = yes
>         password level = 2
>         unix password sync = yes
>         guest account = nobody
>         socket options = TCP_NODELAY
>         load printers = yes
>         username level = 2
>         min passwd length = 3
>         security = user
>         os level = 65
>         wins support = yes
> 
>         default case = yes
>         time server = yes
>         logon drive = m:
> 
> [homes]
>    comment = Heimatverzeichnis
>    browseable = no
>    read only = no
>    force create mode = 0700
>    force directory mode = 0700
> 
> ;... lots of shares
> [printers]
>    comment = All Printers
>    browseable = no
>    printable = yes
>    public = no
>    read only = yes
>    create mode = 0700
>    directory = /tmp
> 
> [profiles]
>   path = /public/profile  
>   comment = Profile
>   guest ok = yes
>   browseable = no
>   read only = yes
>   write list = @adm, @root, @users
> 
> [netlogon]
>   path = /public/netlogon/
>   browseable = yes
>   read only = yes
>   write list = @adm, root
>   force group = adm
>   case sensitive = no
>   preserve case = yes
>   default case = yes    
>   locking = no
>   guest ok = no
>   force directory mode = 0775
>   force create mode = 0775
> ;  writeable = no
> 
> 
> [print$]
>   path = /public/printers
>   guest ok = no
>   browseable = yes
>   read only = yes
>   write list = @adm, root
> 
> 
>   
> 
> -- 
> Ben Liesfeld
> http://www.uni-jena.de/~p9libe/
> http://johnny.rhein.com
> 
> 



