[Samba] User GPOs not applied

Rowland Penny rpenny at samba.org
Mon Apr 5 07:56:00 UTC 2021


On 05/04/2021 08:04, Peter Milesson via samba wrote:
> Hi folks,
>
> I have got a problem where GPOs set for a single user or a user group 
> are not applied. The GPOs should be applied to Windows 10 Pro 
> computers when the specific user(s) log in. The GPOs are defined for 
> users, not computers. Domain GPOs for domain computers are applied 
> appropriately, roaming profiles work, authentication works, the sysvol 
> and netlogon shares on the DC are accessible and readable by all 
> users, DNS works. I have tried with existing users and newly created 
> test users. The GPOs are not applied. The GPOs (minimum Windows server 
> 2003 or XP) are:
>
>
> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the 
> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is 
> NIS or NFS. The .local TLD is used in the network (for almost 20 
> years), and all mDNS and zero configurations are prohibited and disabled.


'.local' is not recommended because it can interfere with Avahi, but you 
have turned this off, so this is not the problem.

I take it you compiled Samba using Heimdal, but 4.9.1 is old and no 
longer supported, so I would suggest you upgrade; indeed, this may fix 
your problem.

>
> Would installing and setting up a new Debian Buster AD DC solve the 
> problem?


Possibly, and you could use the Samba packages from here: 
https://apt.van-belle.nl/

>
> Best regards,
>
> Peter
>
>
> smb.conf
> ========
> # Global parameters
> [global]
>         netbios name = KONADC
>         realm = KONSTRUKCE.LOCAL
>         server role = active directory domain controller
>         workgroup = KONSTRUKCE
>         idmap_ldb:use rfc2307 = yes
>         username map = /etc/samba/user.map


You should remove the 'username map' line; it is only used on a Unix 
domain member. Idmapping is done in idmap.ldb on a DC.

>
> resolv.conf
> =========
> search konstrukce.local
> nameserver 127.0.0.1


You should use the DC's IP address, not '127.0.0.1'.

Rowland
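
The two configuration points raised in the reply above, as an added example that is not part of the original message or of Samba: a Python check that flags a 'username map' line in a DC's smb.conf and a loopback nameserver in resolv.conf. The sample file contents are constructed from the snippets quoted in the thread, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input, based on the files quoted in the message above.
SMB_CONF = """\
# Global parameters
[global]
        netbios name = KONADC
        realm = KONSTRUKCE.LOCAL
        server role = active directory domain controller
        workgroup = KONSTRUKCE
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
"""
RESOLV_CONF = "search konstrukce.local\nnameserver 127.0.0.1\n"


def parse_smb_conf(text):
    """Return {section: {param: value}} with case/whitespace-normalised names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return sections


def check_dc_config(smb_conf, resolv_conf):
    """Return findings for the two points raised in the reply (hypothetical helper)."""
    findings = []
    glob = parse_smb_conf(smb_conf).get("global", {})
    # Only the role string shown in the thread is matched here.
    is_dc = glob.get("serverrole", "").lower() == "active directory domain controller"
    if is_dc and "usernamemap" in glob:
        findings.append("smb.conf: 'username map' is set on an AD DC")
    for line in resolv_conf.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            try:
                if ipaddress.ip_address(fields[1]).is_loopback:
                    findings.append(f"resolv.conf: nameserver {fields[1]} is loopback")
            except ValueError:
                findings.append(f"resolv.conf: unparsable nameserver {fields[1]}")
    return findings
```

Calling check_dc_config(SMB_CONF, RESOLV_CONF) on the constructed sample returns one finding for each of the two files.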
