[Samba] Group Policy Permissions

Robert Marcano robert at marcanoonline.com
Tue Aug 14 21:05:37 UTC 2018


On 08/14/2018 03:11 PM, Michal Sládek via samba wrote:
> Servers run CentOS 7, workstations run Windows 10 Pro with latest updates.
> 
> I use Tranquil repo: http://samba.tranquil.it/centos7/stable/x86_64/
> 
> The whole domain is new, no migration, everything was set up according
> to the Samba wiki (which is excellent by the way!)

Looks like that repository has published Samba4 DC support since old
releases for CentOS, so I think it uses the default Heimdal Kerberos based
implementation. Too bad there is no Source RPM to check the build.

I asked about Fedora, because the Fedora build has the experimental MIT
Kerberos support and GPOs for machines are broken on MIT Kerberos based
builds: https://bugzilla.samba.org/show_bug.cgi?id=13516

> 
> Michal
> 
> 
> 
> 2018-08-14 21:04 GMT+02:00 Robert Marcano via samba <samba at lists.samba.org>:
> 
>> On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:
>>
>>> 2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba at lists.samba.org>:
>>>
>>> On Tue, 14 Aug 2018 20:15:04 +0200
>>>> Michal Sládek via samba <samba at lists.samba.org> wrote:
>>>>
>>>> Thank you for your suggestion, I read the whole discussion.
>>>>>
>>>>> My situation is a little bit different - my machine policy works, but it
>>>>> stops working once I remove Apply permission from Authenticated Users
>>>>> and replace it with Read and Apply permission for Domain Computers.
>>>>>
>>>>> Group Policy Results in RSAT shows Reason Denied: Access Denied
>>>>> (Security Filtering) for affected computer.
>>>>>
>>>>> The same result I get with command gpresult /Z /SCOPE COMPUTER:
>>>>>
>>>>>       The following GPOs were not applied because they were filtered out
>>>>>       -------------------------------------------------------------------
>>>>>           Import CA Certificates
>>>>>               Filtering:  Denied (Security)
>>>>>
>>>>> I don't understand why Domain Computers group is not enough...
>>>>>
>>>>>
>>>> That triggered a memory 'MS16-072', see here:
>>>>
>>>> https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14-2
>>>>
>>>> and here:
>>>>
>>>> https://support.microsoft.com/en-gb/help/3163622/ms16-072-security-update-for-group-policy-june-14-2016
>>>>
>>>> Also here:
>>>>
>>>> https://social.technet.microsoft.com/Forums/windows/en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-ms16072-updates?forum=winserverGP
>>>>
>>>> Rowland
>>>>
>>>>
>>> I know about those changes, but they affected only user policies (context
>>> changed from user to computer account while retrieving the policy from
>>> server).
>>>
>>> I would appreciate it a lot if somebody could test my scenario on Samba AD
>>> domain - create any group policy that affects computer configuration and
>>> set Security Filtering to Domain Computers only.
>>>
>>
>> Fedora?
>>
>>
>>> Michal
>>>
>>>
>>



