[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Mon Apr 5 08:08:05 UTC 2021



On 2021-04-05 09:56, Rowland penny via samba wrote:
> On 05/04/2021 08:04, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> I have got a problem where GPOs set for a single user or a user group 
>> are not applied. The GPOs should be applied to Windows 10 Pro 
>> computers when the specific user(s) log in. The GPOs are defined for 
>> users, not computers. Domain GPOs for domain computers are applied 
>> appropriately, roaming profiles work, authentication works, the 
>> sysvol and netlogon shares on the DC are accessible and readable by 
>> all users, DNS works. I have tried with existing users and newly 
>> created test users. The GPOs are not applied. The GPOs (minimum 
>> Windows server 2003 or XP) are:
>>
>>
>> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the 
>> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither 
>> is NIS or NFS. The .local TLD is used in the network (for almost 20 
>> years), and all mDNS and zero configurations are prohibited and 
>> disabled.
>
>
> '.local' is not recommended because it can interfere with Avahi, but 
> you have turned this off, so this is not the problem.
>
> I take it you compiled Samba using Heimdal, but 4.9.1 is old and no 
> longer supported, so I would suggest you upgrade, indeed this may fix 
> your problem.
>
>>
>> Would installing and setting up a new Debian Buster AD DC solve the 
>> problem?
>
>
> Possibly and you could use the Samba packages from here: 
> https://apt.van-belle.nl/
>
>>
>> Best regards,
>>
>> Peter
>>
>>
>> smb.conf
>> ========
>> # Global parameters
>> [global]
>>         netbios name = KONADC
>>         realm = KONSTRUKCE.LOCAL
>>         server role = active directory domain controller
>>         workgroup = KONSTRUKCE
>>         idmap_ldb:use rfc2307 = yes
>>         username map = /etc/samba/user.map
>
>
> You should remove the 'username map' line, it is only used on a Unix 
> domain member, idmapping is done in idmap.ldb on a DC.
>
>>
>> resolv.conf
>> =========
>> search konstrukce.local
>> nameserver 127.0.0.1
>
>
> You should use the DC's IP address, not '127.0.0.1'
>
> Rowland
>
>
>
Hi Rowland,

Thanks for your advice. I will try the simplest things first. I will 
report back about the progress.

I wish everybody a nice day,

Peter
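The two configuration points Rowland raises above, turned into a small offline check. This is an added example, not code from the thread or from the Samba project; the smb.conf and resolv.conf bodies below are constructed from the snippets quoted in the post, and the check names are my own.

```python
import configparser
import ipaddress

# Constructed sample inputs, modelled on the configs quoted in the thread.
SMB_CONF = """# Global parameters
[global]
        netbios name = KONADC
        realm = KONSTRUKCE.LOCAL
        server role = active directory domain controller
        workgroup = KONSTRUKCE
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
"""

RESOLV_CONF = """search konstrukce.local
nameserver 127.0.0.1
"""


def parse_smb_conf(text):
    """Parse an smb.conf body into {section: {key: value}}; keys are lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = lambda key: " ".join(key.lower().split())  # normalise spacing
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}


def parse_resolv_conf(text):
    """Return the nameserver addresses listed in a resolv.conf body, in order."""
    return [parts[1] for parts in (line.split() for line in text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]


def check_dc_config(smb_text, resolv_text):
    """Return findings for the two issues raised in the thread (empty list = clean)."""
    findings = []
    glob = parse_smb_conf(smb_text).get("global", {})
    role = glob.get("server role", "").lower()
    if "active directory domain controller" in role and "username map" in glob:
        findings.append("smb.conf: 'username map' is for Unix domain members; a DC maps IDs in idmap.ldb")
    for ns in parse_resolv_conf(resolv_text):
        try:
            if ipaddress.ip_address(ns).is_loopback:
                findings.append(f"resolv.conf: nameserver {ns} is loopback; use the DC's own IP address")
        except ValueError:
            findings.append(f"resolv.conf: '{ns}' is not a valid IP address")
    return findings


if __name__ == "__main__":
    for finding in check_dc_config(SMB_CONF, RESOLV_CONF):
        print(finding)
```

Running it against the quoted configs reports both of Rowland's points; the same check run after the edits returns an empty list.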
