[Samba] Samba and Winbind Group Policy

Patrick Goetz pgoetz at math.utexas.edu
Tue Oct 5 17:24:27 UTC 2021

Hi David -

Thanks for answering all these questions. One final question on this: 
Since the linux GPOs in some cases make changes to the client's 
filesystem (say by adding a cron job or files in /etc/security/access.d),
what happens if the GPO is removed from the machine object -- does 
winbind clean up after itself and remove these files?

On 10/5/21 09:47, David Mulder via samba wrote:
> On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
>> First of all, it seems like all these policies apply only to linux
>> domain members (e.g. cron, motd, and pam_access).
>> What about GPO's that apply to Windows machines? Is the set of things 
>> that can be managed using the Group Policy Management Console 
>> constrained by what's in the Samba ADMX Templates?
> Yes, this is specifically referring to Linux clients. This does not 
> affect how policies are applied to Windows domain members. The only 
> exception is that you'll need to install Microsoft's ADMX templates to 
> your SYSVOL also. This is explained in Microsoft's documentation, and is 
> something you're expected to do anyway. I'll make a note of this on the 
> wiki.
>> So, pam_access controls can be managed using a GPO, but it's still not 
>> clear to me how I would restrict access to Windows clients through the 
>> Samba AD.
> This is an entirely different topic. Take a look at Microsoft's 
> documentation on access control (maybe you would use "Deny logon 
> locally", for example).
>> Wiki editing note: For people less familiar with AD, it would probably 
>> be a good idea to explain that the GPMC is part of RSAT and only 
>> available from Windows.
>> The thing I care about most is mapping folders, which is covered here:
>>    https://wiki.samba.org/index.php/Windows_User_Home_Folders
>> The Wiki page title is misleading here because presumably you can map 
>> *any* folder using the instructions provided here. This page should 
>> probably be referenced on 
>> https://wiki.samba.org/index.php/Group_Policy, along with any other 
>> Wiki pages dealing with Group Policy (e.g. the Configuring Windows 
>> Profile Folder Redirections page).
> Yes, you make a good point. My work has been on Linux domain member 
> group policy. This wiki page additionally needs details on Windows 
> domain member policy.
>> Final Wiki editing note: Under the Startup Script Policies section, 
>> this example is given:
>>   samba-tool gpo manage scripts startup add 
>> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
>> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is. 
>> This is later explained in the Pam Access Policies section; that this 
>> is the SID (? it's called a hash there, doesn't look like a hash to 
>> me) for the GPO.  That should probably be mentioned the first time 
>> this is used, along with the brief explanation of how to determine 
>> what this is using `samba-tool gpo list`, also covered in the PAM 
>> Access Policies section.   An example of using `samba-tool gpo list` 
>> would be helpful too.
> Technically this is a GUID (globally unique identifier). I'll clarify 
> this on the wiki. I'll also ensure the instructions on finding the GPO 
> GUID are clearer.
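The thread above turns on two practical points: the `{31B2F340-...}` argument to `samba-tool gpo manage scripts startup add` is a GPO GUID rather than a hash, and you find it by listing the GPOs. The following shell snippet is an added example (not code from the Samba project, the wiki, or either poster) that resolves a GPO's GUID from its display name, checks that the value actually has GUID shape before it is used, and assembles the wiki's startup-script command. The listing it parses is constructed sample text in the "key : value" block layout that `samba-tool gpo listall` prints; the exact field names are an assumption about that output, and `gpo_guid_by_name`, `is_gpo_guid` and `startup_script_add_cmd` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not part of the Samba project or the mailing-list post.
# Resolve a GPO GUID by display name from `samba-tool gpo listall` output
# and validate it before building a samba-tool command.

# CONSTRUCTED sample in the assumed layout of `samba-tool gpo listall`:
# one "key : value" block per GPO, blocks separated by a blank line.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 3
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\example.com\sysvol\example.com\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 1
flags        : NONE'

# is_gpo_guid STRING: succeed only when STRING is a braced GUID,
# i.e. {8-4-4-4-12} hex groups. A bare 32-char hash does not match.
is_gpo_guid() {
    printf '%s\n' "$1" | grep -Eqi '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$'
}

# gpo_guid_by_name NAME: read listall output on stdin and print the GUID
# of the GPO whose display name equals NAME. Fails when no block matches.
gpo_guid_by_name() {
    awk -v want="$1" '
        # The "GPO" line opens a block; its last field is the GUID.
        /^GPO[ \t]*:/ { guid = $NF }
        # The "display name" line tells us whether this is the block we want.
        /^display name[ \t]*:/ {
            sub(/^display name[ \t]*:[ \t]*/, "")
            if ($0 == want) { print guid; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    '
}

# startup_script_add_cmd NAME SCRIPT ARGS: read listall output on stdin,
# look up NAME, validate the GUID, and print the command from the wiki.
startup_script_add_cmd() {
    guid=$(gpo_guid_by_name "$1") || { echo "no GPO named '$1'" >&2; return 1; }
    is_gpo_guid "$guid" || { echo "not a GUID: $guid" >&2; return 1; }
    printf "samba-tool gpo manage scripts startup add %s %s '%s'\n" "$guid" "$2" "$3"
}

# Demo against the constructed sample. On a real DC you would instead run:
#   samba-tool gpo listall | startup_script_add_cmd 'Default Domain Policy' test_script.sh -n
printf '%s\n' "$SAMPLE_LISTALL" | startup_script_add_cmd 'Default Domain Policy' test_script.sh -n
```

The GUID check matters because a GPO folder under SYSVOL and the `gPCFileSysPath` attribute are both keyed on that braced GUID, so a mistyped or non-GUID value fails (or targets the wrong policy) silently at the tool level rather than at the filesystem.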
