[Samba] User GPOs not applied

Peter Milesson miles at atmos.eu
Tue Apr 6 10:36:33 UTC 2021


Hi Louis,

Thanks a lot for the advice.

The Samba AD DC is 4.9.1. It is old, but I suppose not THAT old.

When checking my admin PC, WMI was disabled. That will probably be the 
case on the other domain PCs also.
hostname -d reports the domain correctly on Linux member servers. 
ipconfig /all also reports the domain on Windows PCs.

I will try it out after work hours.

Best regards,

Peter


On 2021-04-06 11:55, L.P.H. van Belle via samba wrote:
> Hi Peter,
>
> To save you some time: a fresh version of Samba is not going to help.
> Just, that's what I think.
> Unless you're using very old Samba versions, but I don't think that.
>
> Now, look at this one.
> http://jaredheinrichs.com/how-to-fix-8007071a-the-remote-procedure-call-was-cancelled.html
>
> So, is WMI enabled in the Windows firewalls?
> Or, better said, is Windows Defender set to "DomainNetworks"
> and is the active domain network showing your primary DNS domain name?
> Run on AD_DC/Members: hostname -d
> On Windows, ipconfig /all will show it.
>
> If these are correct, try this.
> Disable IPv6 on Windows 10.
> In the PC firewall add the LAN range CIDR to be trusted.
> Reboot the PC 2 times: after reboot 1, log in as Administrator,
> just a login, and reboot again, then log in as user.
>
> Now check it all again.
>
> I hope this gave you some ideas.
>
>
> Greetz,
>
> Louis
>
>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
>> via samba
>> Sent: Tuesday 6 April 2021 10:55
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] User GPOs not applied
>>
>> Hi Louis,
>>
>> As an example, I have got two PCs in the OU (named Shaky Computers). One
>> of the PCs is the one where the RSAT tools are installed and which I use
>> for administration of the domain. The other PC is the one where I most
>> want the applied GPO. Using the Group Policy Management tool, I mark the
>> OU, and force an update on the OU. On the administration PC the
>> update succeeds, but on the other PC it doesn't (and it doesn't succeed
>> on any other PCs if I use another OU with most of the domain PCs). The
>> error code is 8007071a (The remote procedure call was cancelled).
>>
>> I have tried to set GPOs on individual users, as well as user groups
>> like Authenticated Users (all users in the domain). The User GPOs are
>> not applied.
>> Only default domain policy is set on the PCs, no other GPOs set here.
>>
>> If I run gpupdate /force from a cmd window, it reports "Computer Policy
>> update has completed successfully" and "User Policy update has completed
>> successfully".
> well, in that case, check if user "SYSTEM" has access..
>
>> Maybe it's better to wait until I have configured a fresh version of
>> Samba under Debian. I do not risk it during the working week, I put it
>> off until the weekend.
>>
>> Thanks for your input.
>>
>> Best regards,
>>
>> Peter
>>
>> On 2021-04-06 09:55, L.P.H. van Belle via samba wrote:
>>> On the PC, run CMD:
>>>
>>> GPRESULT /H c:\GPReport.html
>>> check that report.
>>>
>>> In which OU is the user created?
>>>
>>> On which OU is the USER GPO set?
>>> On which OU is the COMPUTER GPO set?
>>>
>>> Run: gpupdate /force
>>> Are there now any Windows event IDs?
>>>
>>> These things are needed to know.
>>>
>>> greetz,
>>>
>>> Louis
>>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Peter Milesson
>>>> via samba
>>>> Sent: Monday 5 April 2021 17:28
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] User GPOs not applied
>>>>
>>>> Hi Stefan,
>>>>
>>>> The GPOs do not apply for any user. If I create other OUs and link the
>>>> GPOs there, it's got absolutely no effect. Everything seems to be in
>>>> order using samba-tool, except that the GPOs do not show up for users.
>>>> The GPOs do not show up even if I apply them to Authenticated users.
>>>> Computer GPOs work, but not User GPOs.
>>>>
>>>> Thanks for your input.
>>>>
>>>> Best regards,
>>>>
>>>> Peter
>>>>
>>>> On 2021-04-05 14:06, Stefan Kania via samba wrote:
>>>>> The first step to do if a GPO for a user is not working is "samba-tool
>>>>> gpo list <username>" to see if the GPO is relevant for the user. If your
>>>>> GPO is not listed check that the user is in the OU you linked the GPO to.
>>>>>
>>>>> On 05.04.21 at 09:04, Peter Milesson via samba wrote:
>>>>>> Hi folks,
>>>>>>
>>>>>> I have got a problem where GPOs set for a single user or a user group
>>>>>> are not applied. The GPOs should be applied to Windows 10 Pro computers
>>>>>> when the specific user(s) log in. The GPOs are defined for users, not
>>>>>> computers. Domain GPOs for domain computers are applied appropriately,
>>>>>> roaming profiles work, authentication works, the sysvol and netlogon
>>>>>> shares on the DC are accessible and readable by all users, DNS works. I
>>>>>> have tried with existing users and newly created test users. The GPOs
>>>>>> are not applied. The GPOs (minimum Windows server 2003 or XP) are:
>>>>>>
>>>>>> - Set time limit for disconnected sessions
>>>>>> - Set time limit for active but idle Remote Services sessions
>>>>>> - End session when time limits are reached
>>>>>>
>>>>>> The AD DC is a self compiled 4.9.1, CentOS 7.9, the kernel is the latest
>>>>>> EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or
>>>>>> NFS. The .local TLD is used in the network (for almost 20 years), and
>>>>>> all mDNS and zero configurations are prohibited and disabled. All
>>>>>> workstations in the network are Windows 10 Pro with the latest updates,
>>>>>> and ESET Business antivirus. The main file server, containing the user
>>>>>> profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got
>>>>>> nothing to do with the problem.
>>>>>>
>>>>>> Would installing and setting up a new Debian Buster AD DC solve the
>>>>>> problem?
>>>>>>
>>>>>> Best regards,
>>>>>>
>>>>>> Peter
>>>>>>
>>>>>>
>>>>>> smb.conf
>>>>>> ========
>>>>>> # Global parameters
>>>>>> [global]
>>>>>>            netbios name = KONADC
>>>>>>            realm = KONSTRUKCE.LOCAL
>>>>>>            server role = active directory domain controller
>>>>>>            workgroup = KONSTRUKCE
>>>>>>            idmap_ldb:use rfc2307 = yes
>>>>>>            username map = /etc/samba/user.map
>>>>>>            dns forwarder = 192.168.0.221
>>>>>>
>>>>>> [netlogon]
>>>>>>            path = /var/lib/samba/sysvol/konstrukce.local/scripts
>>>>>>            read only = No
>>>>>>
>>>>>> [sysvol]
>>>>>>            path = /var/lib/samba/sysvol
>>>>>>            read only = No
>>>>>>
>>>>>>
>>>>>> krb5.conf
>>>>>> ========
>>>>>> [libdefaults]
>>>>>>            default_realm = KONSTRUKCE.LOCAL
>>>>>>            dns_lookup_realm = false
>>>>>>            dns_lookup_kdc = true
>>>>>>
>>>>>> resolv.conf
>>>>>> =========
>>>>>> search konstrukce.local
>>>>>> nameserver 127.0.0.1
>>>>>>
>>>>>> nsswitch.conf
>>>>>> ===========
>>>>>> passwd:      files winbind
>>>>>> shadow:     files
>>>>>> group:       files winbind
>>>>>>
>>>>>> hosts:      files dns myhostname
>>>>>>
>>>>>> bootparams: nisplus [NOTFOUND=return] files
>>>>>>
>>>>>> ethers:     files
>>>>>> netmasks:   files
>>>>>> networks:   files
>>>>>> protocols:  files
>>>>>> rpc:        files
>>>>>> services:   files
>>>>>> netgroup:   nisplus
>>>>>> publickey:  nisplus
>>>>>> automount:  files nisplus
>>>>>> aliases:    files nisplus
>>>>>>
>>>>>>
>
>
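
The client-side checks discussed in this thread (domain membership, the active network/firewall profile, and the WMI firewall rules), gathered into one read-only PowerShell script. This is an added example, not part of the original messages; it assumes an English-language Windows 10 client, where the firewall rule group is displayed as "Windows Management Instrumentation (WMI)".

```powershell
# Added example: read-only checks on a Windows 10 domain member.
# Assumption: English display name of the WMI firewall rule group.
$wmiGroup = 'Windows Management Instrumentation (WMI)'

# 1. Domain membership. Compare Domain with the DNS suffix that
#    "ipconfig /all" reports on the same machine.
Get-CimInstance -ClassName Win32_ComputerSystem |
    Select-Object Name, PartOfDomain, Domain |
    Format-List

# 2. Each connected network should be classified DomainAuthenticated.
#    Public or Private means the Domain firewall profile is not the
#    one being applied to that interface.
Get-NetConnectionProfile |
    Select-Object InterfaceAlias, Name, NetworkCategory |
    Format-Table -AutoSize

# 3. State of the Domain firewall profile itself.
Get-NetFirewallProfile -Name Domain |
    Select-Object Name, Enabled, DefaultInboundAction |
    Format-Table -AutoSize

# 4. Inbound WMI rules and whether any is enabled for the Domain profile.
$rules = Get-NetFirewallRule -DisplayGroup $wmiGroup -ErrorAction SilentlyContinue |
    Where-Object { $_.Direction -eq 'Inbound' }

if (-not $rules) {
    Write-Warning "No rules found in group '$wmiGroup' (localized Windows?)."
} else {
    $rules |
        Select-Object DisplayName, Enabled, Profile, Action |
        Format-Table -AutoSize

    # A rule counts only if it is enabled AND scoped to Domain (or Any).
    $active = $rules | Where-Object {
        $_.Enabled -eq 'True' -and "$($_.Profile)" -match 'Domain|Any'
    }
    if (-not $active) {
        Write-Warning 'No inbound WMI rule is enabled for the Domain profile.'
    }
}
```

Run it in an elevated PowerShell session on the affected PC and on the administration PC, then compare the two outputs.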



