[Samba] Samba 3.0.0 PDC + Win2000 Client + Group Policies

Service Informatique iut-ulp.sos-informatique at iutlpa.u-strasbg.fr
Tue Aug 26 10:18:03 GMT 2003

  We want to set up Debian unstable's samba 3.0.0beta2-1 as a PDC with plenty of
Windows 2K clients.

  Joining the domain, Domain Logons, Roaming Profiles and Domain Groups are OK.

  As we thought that Samba 3 cannot handle Win2K's GPOs (or can it?), we tried
NT4-style Group Policies to restrict users' possibilities a bit (as we have
students as users). Our opinion is that Mandatory Profiles are too restrictive.

  So, as explained in the "Windows 2000 Group Policy White Paper" from Microsoft, in
the "IntelliMirror features w/out Active Directory" chapter, we took a unicode-
enabled poledit.exe, removed the #if and #endif lines from the GPO's ADM template
files and created with it the required NTconfig.pol in the netlogon share.

  We tried DefaultUser, a DomainGroup (net groupmap...), a user, and the policy
didn't have any effect at all (we tried to log in/out, secedit /refresh,
and even some different cases for ntconfig.pol just in case).

  The surprising fact is that from another Win2K, with the same poledit and ADM
files, I can remotely connect (without any password) to the logged-in domain
user's registry on the Win2K, check some restriction boxes, and IT WORKS, meaning
that the changes of the policy were applied directly into the registry (after
a reconnection or a restart of explorer.exe)!

  It looks like the Win2K doesn't read \\PDC\netlogon\NTconfig.pol at all,
as if it had done without any NT4-style policies.

  We'd like to have your feelings/opinions about it, as we're quite stuck...

Our smb.conf:
<=================== smb.conf : start ===================>
# We stripped out the comments
[global]
   netbios name = VARDA
   workgroup = ARDA
   server string = %h server (Samba %v)
   wins support = yes
   dns proxy = no

   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0

   security = user
   encrypt passwords = true
   passdb backend = tdbsam guest

   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\.......

   load printers = yes
   printing = cups
   printcap name = cups
   printer admin = @admin

# Name mangling options
   preserve case = yes
   short preserve case = yes
   case sensitive = no

   socket options = TCP_NODELAY

    domain master = yes
    local master = yes
    domain logons = yes
    preferred master = yes
    os level = 255

    ; logon script = logon.bat
    logon path = \\%L\profiles\%u
    logon drive = U:
    logon home = \\%L\%u\.winprofile

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0640
   directory mask = 0750

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
   comment = Network Logon Service
   path = /iut/profiles/netlogon
   guest ok = yes
   writable = no
   #browseable = no
   write list = @admin
   share modes = no

[profiles]
   comment = Network Profiles
   path = /iut/profiles/users
   writable = yes
   browsable = no
   create mask = 0600
   directory mask = 0700

[printers]
   comment = Les Imprimantes
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
   write list = root, @admin

<=================== smb.conf : end ===================>

Service Informatique
IUT Louis Pasteur Schiltigheim
Allee d'Athenes 67300 Schiltigheim
Courriel : iut-ulp.sos-informatique AT iutlpa.u-strasbg.fr
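The post above is a troubleshooting question about a Windows client that never picks up NTconfig.pol from the Samba [netlogon] share. The following is an added example, not Samba's code and not part of the original mail: a small checker that parses an smb.conf and a listing of the netlogon directory and reports the settings that would prevent a client from applying an NT4-style policy (domain logons enabled, a readable non-writable [netlogon] share with a path, and a policy file whose name the server will match as NTconfig.pol). The embedded smb.conf is constructed from the poster's configuration with the [section] headers assumed, and the directory listing is a constructed sample.

```python
"""Check that a Samba PDC is configured so a client can fetch NTconfig.pol.

Added example for the thread above; not Samba's own code. SAMPLE_SMB_CONF is
constructed from the poster's smb.conf (section headers assumed); the netlogon
directory listings passed to check_netlogon_policy() are constructed samples.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = ARDA
   security = user
   domain logons = yes
   domain master = yes
   case sensitive = no
   logon path = \\\\%L\\profiles\\%u

[netlogon]
   comment = Network Logon Service
   path = /iut/profiles/netlogon
   guest ok = yes
   writable = no
   share modes = no
"""


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {parameter: value}}.

    Parameter names are lower-cased and whitespace-normalised, since smbd
    treats 'domain logons' and 'Domain  Logons' as the same parameter.
    Lines beginning with '#' or ';' are comments and are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def is_true(value):
    """Samba boolean: yes/true/1 are true, everything else false."""
    return value.strip().lower() in ("yes", "true", "1")


def check_netlogon_policy(conf_text, netlogon_listing):
    """Return the list of problems found; an empty list means all checks passed.

    netlogon_listing is the list of file names in the [netlogon] share's path,
    passed in so the check runs without touching the filesystem.
    """
    conf = parse_smb_conf(conf_text)
    g = conf.get("global", {})
    problems = []

    if not is_true(g.get("domain logons", "no")):
        problems.append("global: 'domain logons = yes' is required for domain logons")

    nl = conf.get("netlogon")
    if nl is None:
        problems.append("no [netlogon] share: clients read NTconfig.pol from \\\\PDC\\netlogon")
        return problems
    if "path" not in nl:
        problems.append("[netlogon]: 'path' is missing")

    # Every logging-on user must be able to read the share, but nobody should be
    # able to modify the policy file; admin changes belong in 'write list'.
    writable = (is_true(nl.get("writable", "no")) or is_true(nl.get("writeable", "no"))
                or ("read only" in nl and not is_true(nl["read only"])))
    if writable:
        problems.append("[netlogon]: share is writable; keep it read-only and use 'write list'")

    # The client asks for NTconfig.pol; whether another case matches depends on
    # the share's (or global) 'case sensitive' setting.
    exact = "NTconfig.pol" in netlogon_listing
    any_case = any(n.lower() == "ntconfig.pol" for n in netlogon_listing)
    if not any_case:
        problems.append("[netlogon]: no NTconfig.pol found in the share path")
    elif not exact:
        cs = nl.get("case sensitive", g.get("case sensitive"))
        if cs is None or is_true(cs):
            problems.append("[netlogon]: policy file name differs in case from NTconfig.pol "
                            "and 'case sensitive' is not 'no'")
    return problems


if __name__ == "__main__":
    for listing in (["NTconfig.pol"], ["ntconfig.pol"], []):
        print(listing, "->", check_netlogon_policy(SAMPLE_SMB_CONF, listing) or "OK")
```

Run against the poster's settings with an NTconfig.pol present, the checker reports nothing, which matches the post: the server side looks right, so the next place to look is the client's own policy processing rather than smb.conf.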
