[Samba] Samba 3.0.0 PDC + Win2000 Client + Group Policies
Service Informatique
iut-ulp.sos-informatique at iutlpa.u-strasbg.fr
Tue Aug 26 10:18:03 GMT 2003
We want to build a Debian unstable samba 3.0.0beta2-1 as a PDC with plenty of
Windows 2K clients.
Joining the domain, Domain Logons, Roaming Profiles and Domain Groups are OK.
As we thought that Samba 3 cannot handle Win2K's GPOs (is that right?), we tried
NT4 style Group Policies to restrict users' possibilities a bit (as we have
students as users). Our opinion is that Mandatory Profiles are too restrictive.
So as explained in "Windows 2000 Group Policy White Paper" from Microsoft, in the
"IntelliMirror features w/out Active Directory" chapter, we took a unicode
enabled poledit.exe, we removed the #if and #endif lines from the GPO ADM template
files and used it to create the required NTconfig.pol in the netlogon share.
We tried DefaultUser, a DomainGroup (net groupmap...), a user, and the policy
didn't have any effect at all (we tried to login/logout, secedit /refresh,
and even some different letter cases for ntconfig.pol just in case).
The surprising fact is that from another Win2k, with the same poledit and ADM
files, I can remotely connect (without any password) to the Win2K's logged
domain user's registry, and check some restriction boxes, and IT WORKS, meaning
that the changes of the policy were applied directly into the registry (after
a reconnection or a restart of explorer.exe)!
It looks like the Win2K doesn't read any \\PDC\netlogon\NTconfig.pol at all,
as it would have done without any NT4 style policies.
We'd like to have your feelings/opinions about it, as we're quite stuck...
Our smb.conf:
<=================== smb.conf : start ===================>
# We stripped out the comments
[global]
netbios name = VARDA
workgroup = ARDA
server string = %h server (Samba %v)
wins support = yes
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
security = user
encrypt passwords = true
passdb backend = tdbsam guest
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\.......
load printers = yes
printing = cups
printcap name = cups
printer admin = @admin
# Name mangling options
preserve case = yes
short preserve case = yes
case sensitive = no
socket options = TCP_NODELAY
domain master = yes
local master = yes
domain logons = yes
preferred master = yes
os level = 255
; logon script = logon.bat
logon path = \\%L\profiles\%u
logon drive = U:
logon home = \\%L\%u\.winprofile
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
[homes]
comment = Home Directories
browseable = no
writable = yes
create mask = 0640
directory mask = 0750
# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /iut/profiles/netlogon
guest ok = yes
writable = no
#browseable = no
write list = @admin
share modes = no
[profiles]
comment = Network Profiles
path = /iut/profiles/users
writable = yes
browsable = no
create mask = 0600
directory mask = 0700
[printers]
comment = Les Imprimantes
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
write list = root, @admin
<=================== smb.conf : end ===================>
Regards,
--
Julien DUPRE & Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
Allee d'Athenes 67300 Schiltigheim
Courriel : iut-ulp.sos-informatique AT iutlpa.u-strasbg.fr
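
An added example, not part of the original post or of Samba: a Python check, run on the PDC, of whether the NTConfig.pol described above exists exactly once in the [netlogon] path, is world-readable, and which on-disk format it has. The `root` parameter, the constructed sample config, and the reading of the `regf` signature as the registry-hive format written by an NT-family poledit.exe (versus `PReg` for a Win2K Registry.pol) are assumptions of this example.

```python
import configparser, os, stat

# Constructed sample: the policy-relevant lines of the smb.conf posted above.
SAMPLE_CONF = """
[global]
domain logons = yes
case sensitive = no
[netlogon]
path = /iut/profiles/netlogon
guest ok = yes
writable = no
"""

def parse_smb_conf(text):
    # smb.conf is INI-like: '#' and ';' start comments, keys contain spaces.
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def check_policy_file(conf_text, root="/"):
    """Return findings on whether a client could fetch NTConfig.pol from [netlogon]."""
    cp, out = parse_smb_conf(conf_text), []
    if not cp.getboolean("global", "domain logons", fallback=False):
        out.append("domain logons is not enabled")
    if not cp.has_option("netlogon", "path"):
        return out + ["no [netlogon] share with a path"]
    # 'root' (hypothetical parameter) lets the check run against a test tree.
    share = os.path.join(root, cp.get("netlogon", "path").lstrip("/"))
    if not os.path.isdir(share):
        return out + [f"netlogon path missing: {share}"]
    # Match the name case-insensitively; stray copies in other cases are reported.
    hits = [n for n in os.listdir(share) if n.lower() == "ntconfig.pol"]
    if len(hits) != 1:
        return out + [f"expected one NTConfig.pol, found {hits}"]
    pol = os.path.join(share, hits[0])
    # Without world-read, only the file's owner/group can fetch it through Samba.
    if not os.stat(pol).st_mode & stat.S_IROTH:
        out.append(f"{hits[0]} is not world-readable")
    with open(pol, "rb") as fh:
        magic = fh.read(4)
    kind = {b"regf": "registry hive", b"PReg": "Registry.pol (GPO format)"}
    out.append(f"{hits[0]}: {kind.get(magic, 'unknown format ' + repr(magic))}")
    return out

if __name__ == "__main__":
    print("\n".join(check_policy_file(SAMPLE_CONF)))
```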