[PATCHES] GPO support for the AD DC itself
garming at catalyst.net.nz
Mon Jul 3 04:46:45 UTC 2017
I don't think we'd need to go as far as making it a purely manual
change, otherwise it defeats the purpose of aiming to administrate from
a Windows machine. I do agree that it likely needs to be opt-in though,
at least until we figure out this across multiple DCs (SYSVOL
replication?) as well as how it should work with our existing client
tools. As it is, I think switching on the gpoupdate in the server
services is an admission that 'yes I am using this in this way' so that
if they mix the use of samba-tool and the GPO editor, then that's their
On 03/07/17 15:56, Andrew Bartlett via samba-technical wrote:
> On Mon, 2017-07-03 at 15:44 +1200, Andrew Bartlett via samba-technical
>> Thanks David.
>> I'm sorry for not noticing this earlier, but the GPO settings for the
>> KDC look wrong.
>> While you have set the settings into the krb5.conf, I think you
>> actually want to change the KDC in setup_kdc_setup_db_ctx():
>> /* get default kdc policy */
>> Currently this reads smb.conf parameters for these values. If the
>> values from the GPO should override, then these need to be stored
>> somewhere, or perhaps written to AD and read from there.
>> The other challenge is that we now do have a class of administrators
>> who have become very accustomed to the 'samba-tool pwsettings'
>> for setting the password policies, and other administrators who would
>> love to get back to the GUI tools on Windows.
>> If we turned this on, would we suddenly overwrite the settings on a
>> pile of domains?
>> I would be much more comfortable with this change if it were opt-in for
>> a release, off by default by skipping the entry in server services,
>> allowing us to understand how it works.
>> For example, I'm a little nervous about the idea of unapplying a
>> setting that might also have been modified directly by the
>> administrator, or applying a setting that was manually set directly.
>> Additionally there is the complexity of a multi-master replicated
>> domain, the apply/un-apply logs would be scattered on each DC, based
>> on who wins the 15 mins timer race.
>> I guess one way out would be to have 'samba-tool domain pwsettings'
>> write group policy files, but without a replicated sysvol I can't see
>> how that works either.
>> I'm sorry to drop such doubts on you at this late moment.
> A way out would be to re-position this tool as something
> the administrator runs manually after a change on their GPO master
> server. (Most Samba sites run one GPO master).
> Andrew Bartlett