[PATCHES] GPO support for client machine policy

Stefan Metzmacher metze at samba.org
Thu Dec 7 07:37:51 UTC 2017


On 06.12.2017 at 19:10, David Mulder via samba-technical wrote:
> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.

Yes, only one please.

Maybe we should have the different evaluation scripts in a generic way
similar to ctdb event scripts, so one .py file for each task, where an
admin could use something like
'touch /path/to/python/samba/gpoupdate/scripts/machine/50.kdc_policy.py.disabled'
in order to disable the evaluation of that policy.

I think it should also be on by default on an AD DC.

metze

> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied. 
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
> 
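
The script-directory idea suggested in the reply above, sketched as an added example (not code from Samba or from anyone in this thread). The function name, the `NN.<task>.py` pattern inferred from the example path, and the file-permission checks are assumptions made for illustration.

```python
import os
import re
import stat

# Hypothetical naming scheme taken from the example path in the mail:
# NN.<task>.py, with an optional empty NN.<task>.py.disabled marker beside it.
SCRIPT_RE = re.compile(r"^(\d+)\.([A-Za-z0-9_]+)\.py$")


def enabled_policy_scripts(script_dir):
    """Return the script names to evaluate, in numeric-prefix order."""
    names = set(os.listdir(script_dir))
    selected = []
    for name in names:
        match = SCRIPT_RE.match(name)
        if not match:
            continue  # markers, editor backups, anything off-scheme
        if name + ".disabled" in names:
            continue  # an admin switched this policy off with 'touch'
        st = os.lstat(os.path.join(script_dir, name))
        # Added assumption, not from the thread: only accept regular files
        # (lstat, so symlinks are rejected) that are not group- or
        # world-writable, since whatever lands here gets evaluated.
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        selected.append((int(match.group(1)), name))
    # Sort on the integer prefix so 9.x.py runs before 10.y.py.
    return [name for _, name in sorted(selected)]
```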

