[Samba] Samba and Winbind Group Policy

Patrick Goetz pgoetz at math.utexas.edu
Tue Oct 5 14:29:55 UTC 2021


Hi -

After reading through the updated 
https://wiki.samba.org/index.php/Group_Policy, I have a few 
questions/comments.

First of all, it seems like all these policies apply only to Linux 
domain members (e.g. cron, motd, and pam_access).

What about GPOs that apply to Windows machines? Is the set of things 
that can be managed using the Group Policy Management Console 
constrained by what's in the Samba ADMX Templates?

So, pam_access controls can be managed using a GPO, but it's still not 
clear to me how I would restrict access to Windows clients through the 
Samba AD.

Wiki editing note: For people less familiar with AD, it would probably 
be a good idea to explain that the GPMC is part of RSAT and only 
available from Windows.

The thing I care about most is mapping folders, which is covered here:

   https://wiki.samba.org/index.php/Windows_User_Home_Folders

The Wiki page title is misleading here because presumably you can map 
*any* folder using the instructions provided here. This page should 
probably be referenced on https://wiki.samba.org/index.php/Group_Policy, 
along with any other Wiki pages dealing with Group Policy (e.g. the 
Configuring Windows Profile Folder Redirections page).


Final Wiki editing note: Under the Startup Script Policies section, this 
example is given:

  samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'

with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is. 
This is later explained in the PAM Access Policies section: that this is 
the SID (? it's called a hash there, doesn't look like a hash to me) for 
the GPO. That should probably be mentioned the first time this is used, 
along with the brief explanation of how to determine what this is using 
`samba-tool gpo list`, also covered in the PAM Access Policies section. 
An example of using `samba-tool gpo list` would be helpful too.


On 10/4/21 16:01, David Mulder via samba wrote:
> After some discussion about this on the mailing list, I decided to 
> update the outdated wiki page and mention it here. There is a great deal 
> that has changed since the last time I updated the 
> https://wiki.samba.org/index.php/Group_Policy page.
> There are currently 13 distinct policies, including smb.conf, addc 
> password/kerberos, scripts, files, symlinks, sudoers, messages 
> (motd/issue), pam access, certificate auto enrollment, firefox, 
> chrome/chromium, GNOME, and OpenSSH. And I'm not finished. I will try to 
> keep this page up-to-date in the future to avoid confusion.
> 
> FYI, the samba-gpupdate command *does* work when joined via either 
> winbind or sssd, so you can choose.
> 


