[Samba] Samba and Winbind Group Policy

David Mulder dmulder at samba.org
Tue Oct 5 14:47:20 UTC 2021

On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
> First of all, it seems like all these policies apply only to Linux
> domain members (e.g. cron, motd, and pam_access).
> What about GPO's that apply to Windows machines? Is the set of things 
> that can be managed using the Group Policy Management Console 
> constrained by what's in the Samba ADMX Templates?

Yes, this is specifically referring to Linux clients. This does not 
affect how policies are applied to Windows domain members. The only 
exception is that you'll need to install Microsoft's ADMX templates to 
your SYSVOL also. This is explained in Microsoft's documentation, and is 
something you're expected to do anyway. I'll make a note of this on the 

> So, pam_access controls can be managed using a GPO, but it's still not 
> clear to me how I would restrict access to Windows clients through the 
> Samba AD.

This is an entirely different topic. Take a look at Microsoft's 
documentation on access control (maybe you would use "Deny logon 
locally", for example).

> Wiki editing note: For people less familiar with AD, it would probably 
> be a good idea to explain that the GPMC is part of RSAT and only 
> available from Windows.
> The thing I care about most is mapping folders, which is covered here:
>    https://wiki.samba.org/index.php/Windows_User_Home_Folders
> The Wiki page title is misleading here because presumably you can map 
> *any* folder using the instructions provided here. This page should 
> probably be referenced on https://wiki.samba.org/index.php/Group_Policy, 
> along with any other Wiki pages dealing with Group Policy (e.g. the 
> Configuring Windows Profile Folder Redirections page).

Yes, you make a good point. My work has been on Linux domain member 
group policy. This wiki page additionally needs details on Windows 
domain member policy.

> Final Wiki editing note: Under the Startup Script Policies section, this 
> example is given:
>   samba-tool gpo manage scripts startup add 
> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is. 
> This is later explained in the Pam Access Policies section; that this is 
> the SID (? it's called a hash there, doesn't look like a hash to me) for 
> the GPO.  That should probably be mentioned the first time this is used, 
> along with the brief explanation of how to determine what this is using 
> `samba-tool gpo list`, also covered in the PAM Access Policies section. 
>   An example of using `samba-tool gpo list` would be helpful too.

Technically this is a GUID (globally unique identifier). I'll clarify 
this on the wiki. I'll also ensure the instructions on finding the GPO 
GUID are clearer.

*David Mulder*
Labs Software Engineer, Samba
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
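The thread turns on what the `{31B2F340-016D-11D2-945F-00C04FB984F9}` argument to `samba-tool gpo manage` actually is: a GPO GUID, not a SID or a hash, and the same GUID names the policy's folder under SYSVOL. The following is an added example, not code from the thread or from Samba. It classifies an identifier as GUID or SID, derives the SYSVOL policy path from a GUID, and looks up a GPO's GUID by display name in a listing whose `key : value` layout is modelled on `samba-tool gpo listall`; the sample listing itself is constructed, and the second GUID in it is a made-up placeholder.

```python
import re

# Well-known GUID of the Default Domain Policy (the one quoted in the thread).
DEFAULT_DOMAIN_POLICY_GUID = "{31B2F340-016D-11D2-945F-00C04FB984F9}"

# GPO GUIDs: 8-4-4-4-12 hex groups, usually written in braces.
GUID_RE = re.compile(r"^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$")
# Security identifiers look completely different: S-1-<authority>-<sub-authorities>.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def classify_identifier(value: str) -> str:
    """Return 'guid', 'sid' or 'unknown' for an AD-style identifier string."""
    v = value.strip()
    if GUID_RE.match(v):
        return "guid"
    if SID_RE.match(v):
        return "sid"
    return "unknown"


def normalize_gpo_guid(value: str) -> str:
    """Canonical form used in SYSVOL and by samba-tool: braces, upper-case hex."""
    if classify_identifier(value) != "guid":
        raise ValueError(f"not a GPO GUID: {value!r}")
    return "{" + value.strip().strip("{}").upper() + "}"


def gpo_sysvol_path(domain: str, guid: str) -> str:
    """UNC path of the GPO's folder in the standard AD SYSVOL layout."""
    return "\\\\{0}\\SYSVOL\\{0}\\Policies\\{1}".format(domain, normalize_gpo_guid(guid))


def parse_gpo_listing(text: str) -> list[dict]:
    """Parse 'key : value' blocks; each block starts with a 'GPO' line."""
    gpos, current = [], {}
    for line in text.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        key, val = key.strip().lower(), val.strip()
        if key == "gpo":
            if current:
                gpos.append(current)
            current = {"gpo": normalize_gpo_guid(val)}
        elif current:
            current[key] = val
    if current:
        gpos.append(current)
    return gpos


def find_gpo_guid(listing: str, display_name: str):
    """Return the GUID of the GPO with the given display name, or None."""
    for gpo in parse_gpo_listing(listing):
        if gpo.get("display name", "").lower() == display_name.lower():
            return gpo["gpo"]
    return None


# Constructed sample listing (layout modelled on samba-tool gpo listall);
# the second GUID is a placeholder, not a real policy.
SAMPLE_LISTING = r"""
GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.example.com\sysvol\samdom.example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
version      : 0
flags        : NONE

GPO          : {ABCDEF01-2345-6789-ABCD-EF0123456789}
display name : Linux Startup Scripts
path         : \\samdom.example.com\sysvol\samdom.example.com\Policies\{ABCDEF01-2345-6789-ABCD-EF0123456789}
dn           : CN={ABCDEF01-2345-6789-ABCD-EF0123456789},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
version      : 3
flags        : NONE
"""

if __name__ == "__main__":
    print(classify_identifier(DEFAULT_DOMAIN_POLICY_GUID))
    print(classify_identifier("S-1-5-21-3623811015-3361044348-30300820-1013"))
    print(find_gpo_guid(SAMPLE_LISTING, "Linux Startup Scripts"))
    print(gpo_sysvol_path("samdom.example.com", "31b2f340-016d-11d2-945f-00c04fb984f9"))
```

Feeding the real output of `samba-tool gpo listall` (or the per-user `samba-tool gpo list` output, if its layout matches) into `find_gpo_guid` gives the value to paste into `samba-tool gpo manage scripts startup add`; `classify_identifier` is a cheap sanity check before doing so, since a SID or a display name in that position will not be accepted.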
