[Samba] User GPOs not applied
Peter Milesson
miles at atmos.eu
Mon Apr 5 15:27:36 UTC 2021
Hi Stefan,
The GPOs do not apply for any user. If I create other OUs and link the
GPOs there, it's got absolutely no effect. Everything seems to be in
order using samba-tool, except that the GPOs do not show up for users.
The GPOs do not show up even if I apply them to Authenticated users.
Computer GPOs work, but not User GPOs.
Thanks for your input.
Best regards,
Peter
On 2021-04-05 14:06, Stefan Kania via samba wrote:
> The first step to do if a GPO for a user is not working is "samba-tool
> gpo list <username>" to see if the GPO is relevant for the user. If your
> GPO is not listed, check that the user is in the OU you linked the GPO to.
>
>
> On 05.04.21 at 09:04, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> I have got a problem where GPOs set for a single user or a user group
>> are not applied. The GPOs should be applied to Windows 10 Pro computers
>> when the specific user(s) log in. The GPOs are defined for users, not
>> computers. Domain GPOs for domain computers are applied appropriately,
>> roaming profiles work, authentication works, the sysvol and netlogon
>> shares on the DC are accessible and readable by all users, DNS works. I
>> have tried with existing users and newly created test users. The GPOs
>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
>>
>> - Set time limit for disconnected sessions
>> - Set time limit for active but idle Remote Services sessions
>> - End session when time limits are reached
>>
>> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest
>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
>> NFS. The .local TLD is used in the network (for almost 20 years), and
>> all mDNS and zero configurations are prohibited and disabled. All
>> workstations in the network are Windows 10 Pro with the latest updates,
>> and ESET Business antivirus. The main file server, containing the user
>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
>> nothing to do with the problem.
>>
>> Would installing and setting up a new Debian Buster AD DC solve the
>> problem?
>>
>> Best regards,
>>
>> Peter
>>
>>
>> smb.conf
>> ========
>> # Global parameters
>> [global]
>> netbios name = KONADC
>> realm = KONSTRUKCE.LOCAL
>> server role = active directory domain controller
>> workgroup = KONSTRUKCE
>> idmap_ldb:use rfc2307 = yes
>> username map = /etc/samba/user.map
>> dns forwarder = 192.168.0.221
>>
>> [netlogon]
>> path = /var/lib/samba/sysvol/konstrukce.local/scripts
>> read only = No
>>
>> [sysvol]
>> path = /var/lib/samba/sysvol
>> read only = No
>>
>>
>> krb5.conf
>> ========
>> [libdefaults]
>> default_realm = KONSTRUKCE.LOCAL
>> dns_lookup_realm = false
>> dns_lookup_kdc = true
>>
>> resolv.conf
>> =========
>> search konstrukce.local
>> nameserver 127.0.0.1
>>
>> nsswitch.conf
>> ===========
>> passwd: files winbind
>> shadow: files
>> group: files winbind
>>
>> hosts: files dns myhostname
>>
>> bootparams: nisplus [NOTFOUND=return] files
>>
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files
>> rpc: files
>> services: files
>> netgroup: nisplus
>> publickey: nisplus
>> automount: files nisplus
>> aliases: files nisplus
>>
>>
>