[Samba] Default Group Policies and Default Domain Controller Policy are empty
rpenny at samba.org
Mon Feb 17 17:30:29 UTC 2020
On 17/02/2020 16:46, kaffeesurrogat wrote:
>>> Dear Rowland,
>>> a typo of mine. some default policies not same default domain policies
>>> Shouldn't there be some default domain policies
>>> after provisioning ?
>>> There is not a single default domain policy.
>>> Thanks again,
>> After a provision, yes. After a join, no.
>> After joining a DC to a Samba domain, you will need to sync sysvol to
>> the new DC, see here:
> Mmm dear Rowland,
> I don't have a second DC. There is only one. I have a filesharer running
> on virtual machine. This is the config of the filesharer on the virtual
> workgroup = XX
> realm = XXX.YY
> security = ADS
> # DOMAIN-NAME must be placed in front of the login name
> winbind use default domain = yes
> winbind refresh tickets = yes
> # for rfc-2307 each user can have their own shell
> template shell = /bin/bash
> idmap config * : range = 10000 - 19999
> idmap config LFA : backend = rid
> idmap config LFA : range = 1000000-1999999
> inherit acls = yes
> store dos attributes = yes
> vfs objects = acl_xattr
> bind interfaces only = yes
> interfaces = lo eth0
> man smb.conf states about the server role if not defined:
> SECURITY = ADS
> Note that this mode does NOT make Samba operate as a Active Directory
> Domain Controller.
> On my virtual machine there is no sysvol dir, thus no rsync of sysvol,
You started out by talking about a DC and GPO's and then said yours are
If you have a Samba AD DC that you provisioned, under
'sysvol/dns.domain.tld/Policies/' you should have:
These are the default policies and whilst there are numerous directories
under each GUID, they are basically empty.
You are quite correct, a Samba fileserver does not store GPO's, neither
does it use them.
If your DC does not have the default GPO's in sysvol on a provisioned
Samba AD DC (something I have never seen), then you have problems.
If they are there, do not change them in any way, create new GPO's instead.
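
The check described in the message above, as an added example that is not part of the original post or of Samba itself: a shell function that verifies the two default GPO directories exist under `Policies/` on a provisioned DC. Assumptions: the sysvol path and DNS domain are passed as arguments (the path varies by build and distribution), the two GUIDs are the well-known Active Directory defaults and are not taken from the post, and `check_default_gpos` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the original post): check a provisioned Samba AD DC's
# sysvol for the two default GPOs. Read-only; it never modifies the policies.

# Well-known AD default GPO GUIDs (assumption: supplied here, not from the post).
DEFAULT_DOMAIN_GPO='{31B2F340-016D-11D2-945F-00C04FB984F9}'   # Default Domain Policy
DEFAULT_DC_GPO='{6AC1786C-016F-11D2-945F-00C04FB984F9}'       # Default Domain Controllers Policy

# check_default_gpos SYSVOL_DIR DNS_DOMAIN
# Prints one status line per default GPO.
# Returns 0 if both are intact, 1 if one is missing or partial,
# 2 if there is no Policies directory at all (e.g. run on a fileserver).
check_default_gpos() {
    policies="$1/$2/Policies"
    result=0
    if [ ! -d "$policies" ]; then
        echo "NO-SYSVOL $policies"
        return 2
    fi
    for guid in "$DEFAULT_DOMAIN_GPO" "$DEFAULT_DC_GPO"; do
        gpo="$policies/$guid"
        if [ ! -d "$gpo" ]; then
            echo "MISSING   $guid"
            result=1
        elif [ ! -f "$gpo/GPT.INI" ] || [ ! -d "$gpo/MACHINE" ] || [ ! -d "$gpo/USER" ]; then
            # Directory exists but lacks the skeleton that provisioning creates.
            echo "PARTIAL   $guid"
            result=1
        else
            echo "OK        $guid"
        fi
    done
    return "$result"
}

# Stand-alone use: sh check_gpos.sh <sysvol-dir> <dns.domain.tld>
if [ "$#" -ge 2 ]; then
    check_default_gpos "$1" "$2"
fi
```

A return code of 2 on a domain member is expected, since only DCs carry sysvol.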