[Samba] User GPOs not applied
Peter Milesson
miles at atmos.eu
Mon Apr 5 09:27:10 UTC 2021
On 2021-04-05 10:08, Peter Milesson via samba wrote:
>
>
> On 2021-04-05 09:56, Rowland penny via samba wrote:
>> On 05/04/2021 08:04, Peter Milesson via samba wrote:
>>> Hi folks,
>>>
>>> I have got a problem where GPOs set for a single user or a user
>>> group are not applied. The GPOs should be applied to Windows 10 Pro
>>> computers when the specific user(s) log in. The GPOs are defined for
>>> users, not computers. Domain GPOs for domain computers are applied
>>> appropriately, roaming profiles work, authentication works, the
>>> sysvol and netlogon shares on the DC are accessible and readable by
>>> all users, DNS works. I have tried with existing users and newly
>>> created test users. The GPOs are not applied. The GPOs (minimum
>>> Windows server 2003 or XP) are:
>>>
>>>
>>> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the
>>> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither
>>> is NIS or NFS. The .local TLD is used in the network (for almost 20
>>> years), and all mDNS and zero configurations are prohibited and
>>> disabled.
>>
>>
>> '.local' is not recommended because it can interfere with Avahi, but
>> you have turned this off, so this is not the problem.
>>
>> I take it you compiled Samba using Heimdal, but 4.9.1 is old and no
>> longer supported, so I would suggest you upgrade, indeed this may fix
>> your problem.
>>
>>>
>>> Would installing and setting up a new Debian Buster AD DC solve the
>>> problem?
>>
>>
>> Possibly and you could use the Samba packages from here:
>> https://apt.van-belle.nl/
>>
>>>
>>> Best regards,
>>>
>>> Peter
>>>
>>>
>>> smb.conf
>>> ========
>>> # Global parameters
>>> [global]
>>> netbios name = KONADC
>>> realm = KONSTRUKCE.LOCAL
>>> server role = active directory domain controller
>>> workgroup = KONSTRUKCE
>>> idmap_ldb:use rfc2307 = yes
>>> username map = /etc/samba/user.map
>>
>>
>> You should remove the 'username map' line, it is only used on a Unix
>> domain member, idmapping is done in idmap.ldb on a DC.
>>
>>>
>>> resolv.conf
>>> =========
>>> search konstrukce.local
>>> nameserver 127.0.0.1
>>
>>
>> You should use the DC's IP address, not '127.0.0.1'
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> Thanks for your advice. I will try the simplest things first. I will
> report back about the progress.
>
> I wish everybody a nice day,
>
> Peter
>
>
>
Hi folks,

I changed the nameserver address from 127.0.0.1 to the real IP address
in resolv.conf, and removed the username map entry in smb.conf. I did
not expect it would help, which turned out true.

As things can go terribly wrong when introducing a new DC (which has
been reported on numerous occasions), I will leave it to the coming
weekend, giving me a bit more wiggle room.

Best regards,

Peter