[Samba] User GPOs not applied
L.P.H. van Belle
belle at bazuin.nl
Tue Apr 6 09:55:41 UTC 2021
Hai Peter,
To save you some time.. a fresh version of samba is not going to help,
Just, thats what i think.
Unless your using very old samba versions, but i dont think that.
Now, look at this one.
http://jaredheinrichs.com/how-to-fix-8007071a-the-remote-procedure-call-was-cancelled.html
so, is WMI enabled in the windows firewalls?
Or, better said, is Windows Defender set to "DomainNetworks"
and is the Active domainnetwork, showing your primaryDNS domainname ?
run on AD_DC/Members : hostname -d
windows ipconfig/all will show it.
if these are correct.. try this.
disable IPV6 on windows 10.
In the pc firewall add the lan range CIDR to be trusted.
Reboot the PC 2 times ,after reboot 1, login as Administrator.
just a login, and reboot again, then login as user.
Now check it all again.
I hope this gave you some ideas.
Greetz,
Louis
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Peter Milesson
> via samba
> Verzonden: dinsdag 6 april 2021 10:55
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] User GPOs not applied
>
> Hi Louis,
>
> As an example, I have got two PCs in the OU (named Shaky Computers). One
> of the PCs is the one where the RSAT tools are installed and which I use
> for administration of the domain. The other PC is the one where I most
> want the applied GPO. Using the Group Policy Management tool, I mark the
> OU, and issue a force an update on the OU. On the administration PC the
> update succeeds, but on the other PC it doesn't (and it doesn't succeed
> on any other PCs if I use another OU with most of the domain PCs). The
> error code is 8007071a (The remote procedure call was cancelled).
>
> I have tried to set GPOs on individual users, as well as user groups
> like Authenticated Users (all users in the domain). The User GPOs are
> not applied.
> Only default domain policy is set on the PCs, no other GPOs set here.
>
> If I run gpupdate /force from a cmd window, it reports "Computer Policy
> update has completed successfully" and "User Policy update has completed
> successfully".
well, in that case, check if user "SYSTEM" has access..
>
> Maybe it's better to wait until I have configured a fresh version of
> Samba under Debian. I do not risk it during the working week, i put it
> off until the weekend.
>
> Thanks for your input.
>
> Best regards,
>
> Peter
>
> On 2021-04-06 09:55, L.P.H. van Belle via samba wrote:
> > On the PC, run CMD:
> >
> > GPRESULT /H c:\GPReport.html
> > check that report.
> >
> > In which OU is the user created?
> >
> > ON which OU is the USER GPO set?
> > ON which OU is the COMPUTER GPO set?
> >
> > Run a : gupdate /force
> > Are there now any windows eventid's?
> >
> > These things are needed to know.
> >
> > greetz,
> >
> > Louis
> >
> >
> >> -----Oorspronkelijk bericht-----
> >> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Peter Milesson
> >> via samba
> >> Verzonden: maandag 5 april 2021 17:28
> >> Aan: samba at lists.samba.org
> >> Onderwerp: Re: [Samba] User GPOs not applied
> >>
> >> Hi Stefan,
> >>
> >> The GPOs do not apply for any user. If I create other OUs and link the
> >> GPOs there, it's got absolutely no effect. Everything seems to be in
> >> order using samba-tool, except that the GPOs do not show up for users.
> >> The GPOs do not show up even if I apply them to Authenticated users.
> >> Computer GPOs work, but not User GPOs.
> >>
> >> Thanks for your input.
> >>
> >> Best regards,
> >>
> >> Peter
> >>
> >> On 2021-04-05 14:06, Stefan Kania via samba wrote:
> >>> The first step to do if a GPO for a user is not working is "samba-tool
> >>> gpo list <username>" to see if the GPO is relevant for the user. If
> your
> >>> GPO is not listed check that the user is in the ou you linked the GPO
> >> to.
> >>>
> >>> Am 05.04.21 um 09:04 schrieb Peter Milesson via samba:
> >>>> Hi folks,
> >>>>
> >>>> I have got a problem where GPOs set for a single user or a user group
> >>>> are not applied. The GPOs should be applied to Windows 10 Pro
> computers
> >>>> when the specific user(s) log in. The GPOs are defined for users, not
> >>>> computers. Domain GPOs for domain computers are applied
> appropriately,
> >>>> roaming profiles work, authentication works, the sysvol and netlogon
> >>>> shares on the DC are accessible and readable by all users, DNS works.
> I
> >>>> have tried with existing users and newly created test users. The GPOs
> >>>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
> >>>>
> >>>> - Set time limit for disconnected sessions
> >>>> - Set time limit for active but idle Remote Services sessions
> >>>> - End session when time limits are reached
> >>>>
> >>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the
> >> latest
> >>>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS
> or
> >>>> NFS. The .local TLD is used in the network (for almost 20 years), and
> >>>> all mDNS och zero configurations are prohibited and disabled. All
> >>>> workstations in the network are Windows 10 Pro with the latest
> updates,
> >>>> and ESET Business antivirus. The main file server, containing the
> user
> >>>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
> >>>> nothing to do with the problem.
> >>>>
> >>>> Would installing and setting up a new Debian Buster AD DC solve the
> >>>> problem?
> >>>>
> >>>> Best regards,
> >>>>
> >>>> Peter
> >>>>
> >>>>
> >>>> smb.conf
> >>>> ========
> >>>> # Global parameters
> >>>> [global]
> >>>> netbios name = KONADC
> >>>> realm = KONSTRUKCE.LOCAL
> >>>> server role = active directory domain controller
> >>>> workgroup = KONSTRUKCE
> >>>> idmap_ldb:use rfc2307 = yes
> >>>> username map = /etc/samba/user.map
> >>>> dns forwarder = 192.168.0.221
> >>>>
> >>>> [netlogon]
> >>>> path = /var/lib/samba/sysvol/konstrukce.local/scripts
> >>>> read only = No
> >>>>
> >>>> [sysvol]
> >>>> path = /var/lib/samba/sysvol
> >>>> read only = No
> >>>>
> >>>>
> >>>> krb5.conf
> >>>> ========
> >>>> [libdefaults]
> >>>> default_realm = KONSTRUKCE.LOCAL
> >>>> dns_lookup_realm = false
> >>>> dns_lookup_kdc = true
> >>>>
> >>>> resolv.conf
> >>>> =========
> >>>> search konstrukce.local
> >>>> nameserver 127.0.0.1
> >>>>
> >>>> nsswitch.conf
> >>>> ===========
> >>>> passwd: files winbind
> >>>> shadow: files
> >>>> group: files winbind
> >>>>
> >>>> hosts: files dns myhostname
> >>>>
> >>>> bootparams: nisplus [NOTFOUND=return] files
> >>>>
> >>>> ethers: files
> >>>> netmasks: files
> >>>> networks: files
> >>>> protocols: files
> >>>> rpc: files
> >>>> services: files
> >>>> netgroup: nisplus
> >>>> publickey: nisplus
> >>>> automount: files nisplus
> >>>> aliases: files nisplus
> >>>>
> >>>>
> >> --
> >> To unsubscribe from this list go to the following URL and read the
> >> instructions: https://lists.samba.org/mailman/options/samba
> >
> >
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba
mailing list