[Samba] User GPOs not applied

Stefan Kania stefan at kania-online.de
Mon Apr 5 12:06:46 UTC 2021


The first step if a GPO for a user is not working is to run "samba-tool
gpo list <username>" to see if the GPO is relevant for the user. If your
GPO is not listed, check that the user is in the OU you linked the GPO to.


On 05.04.21 at 09:04, Peter Milesson via samba wrote:
> Hi folks,
> 
> I have got a problem where GPOs set for a single user or a user group
> are not applied. The GPOs should be applied to Windows 10 Pro computers
> when the specific user(s) log in. The GPOs are defined for users, not
> computers. Domain GPOs for domain computers are applied appropriately,
> roaming profiles work, authentication works, the sysvol and netlogon
> shares on the DC are accessible and readable by all users, DNS works. I
> have tried with existing users and newly created test users. The GPOs
> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
> 
> - Set time limit for disconnected sessions
> - Set time limit for active but idle Remote Services sessions
> - End session when time limits are reached
> 
> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the latest
> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
> NFS. The .local TLD is used in the network (for almost 20 years), and
> all mDNS and zero configurations are prohibited and disabled. All
> workstations in the network are Windows 10 Pro with the latest updates,
> and ESET Business antivirus. The main file server, containing the user
> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
> nothing to do with the problem.
> 
> Would installing and setting up a new Debian Buster AD DC solve the
> problem?
> 
> Best regards,
> 
> Peter
> 
> 
> smb.conf
> ========
> # Global parameters
> [global]
>         netbios name = KONADC
>         realm = KONSTRUKCE.LOCAL
>         server role = active directory domain controller
>         workgroup = KONSTRUKCE
>         idmap_ldb:use rfc2307 = yes
>         username map = /etc/samba/user.map
>         dns forwarder = 192.168.0.221
> 
> [netlogon]
>         path = /var/lib/samba/sysvol/konstrukce.local/scripts
>         read only = No
> 
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
> 
> 
> krb5.conf
> ========
> [libdefaults]
>         default_realm = KONSTRUKCE.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
> 
> resolv.conf
> =========
> search konstrukce.local
> nameserver 127.0.0.1
> 
> nsswitch.conf
> ===========
> passwd:      files winbind
> shadow:     files
> group:       files winbind
> 
> hosts:      files dns myhostname
> 
> bootparams: nisplus [NOTFOUND=return] files
> 
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   nisplus
> publickey:  nisplus
> automount:  files nisplus
> aliases:    files nisplus
> 
> 

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn


Signing every e-mail helps reduce spam and protects your
privacy. You can obtain a free certificate at
https://www.dgn.de/dgncert/index.html





