[Samba] Open Source W2k Policy Implementation (was Re: Windows2000 policies in a Samba PDC)

Sharp, Clint clint.sharp at attws.com
Mon Dec 29 15:29:24 GMT 2003

> -----Original Message-----
> On Mon, 29 Dec 2003, Áncor González Sosa wrote:
> With Samba you can do only what you can do with NT4 using the 
> NTConfig.POL file.
> You can copy the files Win2K creates in 
> c:\WINNT\SYSVOL\sysvol\domainname\profiles to a share called 
> "SYSVOL" under the path: 
> /var/lib/sysvol/sysvol/domainname/profiles/...
> Where the root of the SYSVOL share is /var/lib/sysvol.
> From my experimentation this only partly works at best. Only NT4
> NTConfig.POL policies work consistently.
> The other choice you have is to edit the NTUSER.DAT from the 
> users' profile, add the policy settings in it, then save it back.
> To do this you must load the NTUSER.DAT file as an add-on 
> hive in regedt32. Edit, then unload the hive. Be careful with 
> this! It can ruin your day!
> No to create that you must use the NT4 Group Policy Editor. 
> No alternative exists.
> Sorry. Not possible today.
> - John T.
> -- 
> John H Terpstra
> Email: jht at samba.org

Sorry for badly hacking up your reply since most of this could be taken out of context w/o his message, but I wanted to leave a couple of the lines in there.

The reason I joined the list was to ask this question.  I'm aware of the current situation with W2k policies, and I was wondering if anyone has undertaken work to implement all or part of the W2k GPO outside of Active Directory.  Since essentially GPOs are simply an ACL which implements registry changes dependent on the policy defined in the GPO, I would think this is definitely possible.  Maybe I'm over simplifying what GPOs do or possibly I only used GPO features which were NT4 compatible (which would mean that I could get by with .POL files).

I'm currently trying to solve three problems in my Samba implementation.  Two of these are irrelevant to this discussion, but I want to include them as I'm considering solving them with the same software:

* Microsoft implemented roaming profiles suck and are incredibly inefficient over slow links.  I'm considering re-implementing them using a client-side process and librsync.
* Patching systems is a pain, as well as installing software for users.  This is generally part of SUS or could be part of GPO (maybe SUS creates GPOs to install the updates, I dunno).  The problem I've always found is getting around my users not having admin privileges on their machines.  I've found several free su-like implementations for Windows, but all still require a password on the command line or are just too insecure for me if they don't.  I'm considering implementing a service which would patch software on the Windows machine based on output from a server process running on my Samba servers (possibly only the PDC).
* As mentioned before, I'd like an open-source implementation of W2k GPOs.  This wouldn't run using Microsoft's GPO process, instead it would be implemented by a client-side process which would make the necessary changes.

Has anyone currently started work fixing any of these?  I'm ready to trash all the custom work I've done to solve these problems and start fresh with something that'll work cleanly and smoothly.  I've got some ideas for architecture including development language, communications protocols, etc, but nothing's firm, and I'd be glad to contribute to someone who's already started a project which solves one or more of the above problems.  If not, if anyone else is interested in the above problems and wants to start work on a new project which would solve those, I'd be happy to discuss with you offline.
