[Samba] Default Group Policies and Default Domain Controller Policy are empty

Rowland Penny rpenny at samba.org
Mon Feb 17 17:30:29 UTC 2020


On 17/02/2020 16:46, kaffeesurrogat wrote:
>
>>> Dear Rowland,
>>>
>>> a typo of mine. some default policies not same default domain policies
>>> ....
>>>
>>> Shouldn't there be some default domain policies
>>> after provisioning ?
>>>
>>> There is not a single default domain policy.
>>>
>>> Thanks again,
>>>
>>> blubberbaer
>> After a provision, yes. After a join, no.
>>
>> After joining a DC to a Samba domain, you will need to sync sysvol to
>> the new DC, see here:
>>
>> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>>
>> Rowland
>>
>
> Mmm dear Rowland,
>
> I don't have a second DC. There is only one. I have a filesharer running
> on a virtual machine. This is the config of the filesharer on the virtual
> machine:
>
>
> [global]
>     workgroup = XX
>
>     realm = XXX.YY
>
>     security = ADS
>
>     # DOMAIN-NAME must be placed before the login name
>     winbind use default domain = yes
>
>     winbind refresh tickets = yes
>
>     # for rfc-2307 each user can have their own shell
>     template shell = /bin/bash
>
>     idmap config * : range = 10000 - 19999
>     idmap config LFA : backend = rid
>     idmap config LFA : range = 1000000-1999999
>     inherit acls = yes
>     store dos attributes = yes
>     vfs objects = acl_xattr
>
>     bind interfaces only = yes
>     interfaces = lo eth0
>
>
> man smb.conf states about the server role if not defined:
>
>
> SECURITY = ADS
>
> Note that this mode does NOT make Samba operate as a Active Directory
> Domain Controller.
>
> On my virtual machine there is no sysvol dir, thus no rsync of sysvol,
> right?
>
>
> blubberbaer

You started out by talking about a DC and GPO's and then said yours are 
empty.

If you have a Samba AD DC that you provisioned, under 
'sysvol/dns.domain.tld/Policies/' you should have:

{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}

These are the default policies and whilst there are numerous directories 
under each GUID, they are basically empty.

You are quite correct, a Samba fileserver does not store GPO's, neither 
does it use them.

If your DC does not have the default GPO's in sysvol on a provisioned 
Samba AD DC (something I have never seen), then you have problems.

If they are there, do not change them in any way, create new GPO's instead.

Rowland
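
The check described in the reply above, as an added example that is not part of the original message or of Samba itself: it tells apart a host with no Policies directory (a member fileserver, or a wrong path) from a DC whose default GPO directories are missing. The function name `check_default_gpos` and its return codes are assumptions; the path to `sysvol/dns.domain.tld/Policies` is passed in because it varies by installation.

```shell
#!/bin/sh
# Added example: check_default_gpos is a hypothetical helper, not a Samba tool.
# Usage: check_default_gpos /path/to/sysvol/dns.domain.tld/Policies
# Return codes (chosen for this example):
#   0 = both default GPO directories are present
#   1 = Policies directory exists but at least one default GPO is missing
#   2 = no Policies directory at all (not a DC, or wrong path)

# The two GUIDs named in the thread.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04FB984F9}'

check_default_gpos() {
    policies_dir=$1

    # A member server (security = ADS) has no sysvol, so this is not an error
    # about GPOs; report it separately from a missing GPO on a DC.
    if [ ! -d "$policies_dir" ]; then
        echo "no Policies directory at $policies_dir" >&2
        return 2
    fi

    missing=0
    for guid in "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"; do
        # Existence only: the directories under each GUID being
        # basically empty is the expected state after a provision.
        if [ -d "$policies_dir/$guid" ]; then
            echo "present: $guid"
        else
            echo "MISSING: $guid"
            missing=1
        fi
    done
    return "$missing"
}
```
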




