[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Mon Apr 5 09:27:10 UTC 2021



On 2021-04-05 10:08, Peter Milesson via samba wrote:
>
>
> On 2021-04-05 09:56, Rowland penny via samba wrote:
>> On 05/04/2021 08:04, Peter Milesson via samba wrote:
>>> Hi folks,
>>>
>>> I have got a problem where GPOs set for a single user or a user 
>>> group are not applied. The GPOs should be applied to Windows 10 Pro 
>>> computers when the specific user(s) log in. The GPOs are defined for 
>>> users, not computers. Domain GPOs for domain computers are applied 
>>> appropriately, roaming profiles work, authentication works, the 
>>> sysvol and netlogon shares on the DC are accessible and readable by 
>>> all users, DNS works. I have tried with existing users and newly 
>>> created test users. The GPOs are not applied. The GPOs (minimum 
>>> Windows server 2003 or XP) are:
>>>
>>>
>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the 
>>> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither 
>>> is NIS or NFS. The .local TLD is used in the network (for almost 20 
>>> years), and all mDNS and zero configurations are prohibited and 
>>> disabled.
>>
>>
>> '.local' is not recommended because it can interfere with Avahi, but 
>> you have turned this off, so this is not the problem.
>>
>> I take it you compiled Samba using Heimdal, but 4.9.1 is old and no 
>> longer supported, so I would suggest you upgrade, indeed this may fix 
>> your problem.
>>
>>>
>>> Would installing and setting up a new Debian Buster AD DC solve the 
>>> problem?
>>
>>
>> Possibly and you could use the Samba packages from here: 
>> https://apt.van-belle.nl/
>>
>>>
>>> Best regards,
>>>
>>> Peter
>>>
>>>
>>> smb.conf
>>> ========
>>> # Global parameters
>>> [global]
>>>         netbios name = KONADC
>>>         realm = KONSTRUKCE.LOCAL
>>>         server role = active directory domain controller
>>>         workgroup = KONSTRUKCE
>>>         idmap_ldb:use rfc2307 = yes
>>>         username map = /etc/samba/user.map
>>
>>
>> You should remove the 'username map' line, it is only used on a Unix 
>> domain member, idmapping is done in idmap.ldb on a DC.
>>
>>>
>>> resolv.conf
>>> =========
>>> search konstrukce.local
>>> nameserver 127.0.0.1
>>
>>
>> You should use the DC's ipaddress, not '127.0.0.1'
>>
>> Rowland
>>
>>
>>
> Hi Rowland,
>
> Thanks for your advice. I will try the simplest things first. I will 
> report back about the progress.
>
> I wish everybody a nice day,
>
> Peter
>
>
>
Hi folks,

I changed the nameserver address from 127.0.0.1 to the real IP-address 
in resolv.conf, and removed the username map entry in smb.conf. I did 
not expect it would help, which turned out true.

As things can go terribly wrong when introducing a new DC (which has 
been reported on numerous occasions), I will leave it to the coming 
weekend, giving me a bit more wiggle room.

Best regards,

Peter
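
The two changes suggested in the reply quoted above, written as a check over both files. This is an added example, not part of the original messages; the function names are hypothetical and the sample input is the configuration quoted in the thread.

```python
import ipaddress

# Constructed sample input: the smb.conf and resolv.conf quoted in the thread.
SMB_CONF = """\
[global]
        netbios name = KONADC
        realm = KONSTRUKCE.LOCAL
        server role = active directory domain controller
        workgroup = KONSTRUKCE
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
"""
RESOLV_CONF = "search konstrukce.local\nnameserver 127.0.0.1\n"

def smb_global(text):
    """Return the [global] parameters of smb.conf, keys lower-cased."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def resolv_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf."""
    fields = (line.split() for line in text.splitlines())
    return [f[1] for f in fields if len(f) >= 2 and f[0] == "nameserver"]

def check(smb_text, resolv_text):
    """Flag the two settings the reply asked to change on an AD DC."""
    findings = []
    params = smb_global(smb_text)
    is_dc = params.get("server role", "").lower() == "active directory domain controller"
    if is_dc and "username map" in params:
        findings.append("smb.conf: 'username map' is set on an AD DC")
    for ns in resolv_nameservers(resolv_text):
        try:
            loopback = ipaddress.ip_address(ns).is_loopback
        except ValueError:
            continue  # not a plain IP address, nothing to judge
        if is_dc and loopback:
            findings.append(f"resolv.conf: nameserver {ns} is a loopback address")
    return findings
```

`check(SMB_CONF, RESOLV_CONF)` returns both findings for the configuration as first posted, and an empty list once the two changes are made.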



