[Samba] User GPOs not applied
miles at atmos.eu
Mon Apr 5 09:27:10 UTC 2021
On 2021-04-05 10:08, Peter Milesson via samba wrote:
> On 2021-04-05 09:56, Rowland penny via samba wrote:
>> On 05/04/2021 08:04, Peter Milesson via samba wrote:
>>> Hi folks,
>>> I have got a problem where GPOs set for a single user or a user
>>> group are not applied. The GPOs should be applied to Windows 10 Pro
>>> computers when the specific user(s) log in. The GPOs are defined for
>>> users, not computers. Domain GPOs for domain computers are applied
>>> appropriately, roaming profiles work, authentication works, the
>>> sysvol and netlogon shares on the DC are accessible and readable by
>>> all users, DNS works. I have tried with existing users and newly
>>> created test users. The GPOs are not applied. The GPOs (minimum
>>> Windows server 2003 or XP) are:
>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the
>>> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither
>>> is NIS or NFS. The .local TLD is used in the network (for almost 20
>>> years), and all mDNS and zero configurations are prohibited and
>> '.local' is not recommended because it can interfere with Avahi, but
>> you have turned this off, so this is not the problem.
>> I take it you compiled Samba using Heimdal, but 4.9.1 is old and no
>> longer supported, so I would suggest you upgrade, indeed this may fix
>> your problem.
>>> Would installing and setting up a new Debian Buster AD DC solve the
>> Possibly and you could use the Samba packages from here:
>>> Best regards,
>>> # Global parameters
>>> netbios name = KONADC
>>> realm = KONSTRUKCE.LOCAL
>>> server role = active directory domain controller
>>> workgroup = KONSTRUKCE
>>> idmap_ldb:use rfc2307 = yes
>>> username map = /etc/samba/user.map
>> You should remove the 'username map' line, it is only used on a Unix
>> domain member, idmapping is done in idmap.ldb on a DC.
>>> search konstrukce.local
>>> nameserver 127.0.0.1
>> You should use the DC's IP address, not '127.0.0.1'
> Hi Rowland,
> Thanks for your advice. I will try the simplest things first. I will
> report back about the progress.
> I wish everybody a nice day,
I changed the nameserver address from 127.0.0.1 to the real IP address
in resolv.conf, and removed the username map entry in smb.conf. I did
not expect it would help, which turned out to be true.
As things can go terribly wrong when introducing a new DC (which has
been reported on numerous occasions), I will leave it to the coming
weekend, giving me a bit more wiggle room.