[PATCHES] GPO support for client machine policy
Stefan Metzmacher
metze at samba.org
Thu Dec 7 06:57:41 UTC 2017
Hi David,
is it also possible to have something useful as a domain member?
It would be nice if we could remove the lockout_policy() and
password_policy() hooks from winbindd_methods and make sure
the gpo code applies the correct settings to the local
account_policy.tdb
metze
Am 06.12.2017 um 19:10 schrieb David Mulder via samba-technical:
> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.
>
> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied.
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20171207/50765cb3/signature.sig>
More information about the samba-technical
mailing list