[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Mon Apr 5 07:04:27 UTC 2021 

Hi folks,

I have got a problem where GPOs set for a single user or a user group 
are not applied. The GPOs should be applied to Windows 10 Pro computers 
when the specific user(s) log in. The GPOs are defined for users, not 
computers. Domain GPOs for domain computers are applied appropriately, 
roaming profiles work, authentication works, the sysvol and netlogon 
shares on the DC are accessible and readable by all users, DNS works. I 
have tried with existing users and newly created test users. The GPOs 
are not applied. The GPOs (minimum Windows server 2003 or XP) are:

- Set time limit for disconnected sessions
- Set time limit for active but idle Remote Services sessions
- End session when time limits are reached

The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the latest 
EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or 
NFS. The .local TLD is used in the network (for almost 20 years), and 
all mDNS och zero configurations are prohibited and disabled. All 
workstations in the network are Windows 10 Pro with the latest updates, 
and ESET Business antivirus. The main file server, containing the user 
profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got 
nothing to do with the problem.

Would installing and setting up a new Debian Buster AD DC solve the problem?

Best regards,

Peter


smb.conf
========
# Global parameters
[global]
         netbios name = KONADC
         realm = KONSTRUKCE.LOCAL
         server role = active directory domain controller
         workgroup = KONSTRUKCE
         idmap_ldb:use rfc2307 = yes
         username map = /etc/samba/user.map
         dns forwarder = 192.168.0.221

[netlogon]
         path = /var/lib/samba/sysvol/konstrukce.local/scripts
         read only = No

[sysvol]
         path = /var/lib/samba/sysvol
         read only = No


krb5.conf
========
[libdefaults]
         default_realm = KONSTRUKCE.LOCAL
         dns_lookup_realm = false
         dns_lookup_kdc = true

resolv.conf
=========
search konstrukce.local
nameserver 127.0.0.1

nsswitch.conf
===========
passwd:      files winbind
shadow:     files
group:       files winbind

hosts:      files dns myhostname

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus

More information about the samba mailing list