[Samba] Samba and Winbind Group Policy
Patrick Goetz
pgoetz at math.utexas.edu
Tue Oct 5 17:24:27 UTC 2021
Hi David -
Thanks for answering all these questions. One final question on this:
Since the Linux GPOs in some cases make changes to the client's
filesystem (say by adding a cron job or files in /etc/security/access.d),
what happens if the GPO is removed from the machine object -- does
winbind clean up after itself and remove these files?
On 10/5/21 09:47, David Mulder via samba wrote:
> On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
>> First of all, it seems like all these policies apply only to linux
>> domain members (e.g. cron, motd, and pam_access).
>>
>> What about GPOs that apply to Windows machines? Is the set of things
>> that can be managed using the Group Policy Management Console
>> constrained by what's in the Samba ADMX Templates?
>>
>
> Yes, this is specifically referring to Linux clients. This does not
> affect how policies are applied to Windows domain members. The only
> exception is that you'll need to install Microsoft's ADMX templates to
> your SYSVOL also. This is explained in Microsoft's documentation, and is
> something you're expected to do anyway. I'll make a note of this on the
> wiki.
>
>> So, pam_access controls can be managed using a GPO, but it's still not
>> clear to me how I would restrict access to Windows clients through the
>> Samba AD.
>>
>
> This is an entirely different topic. Take a look at Microsoft's
> documentation on access control (maybe you would use "Deny logon
> locally", for example).
>
>> Wiki editing note: For people less familiar with AD, it would probably
>> be a good idea to explain that the GPMC is part of RSAT and only
>> available from Windows.
>>
>> The thing I care about most is mapping folders, which is covered here:
>>
>> https://wiki.samba.org/index.php/Windows_User_Home_Folders
>>
>> The Wiki page title is misleading here because presumably you can map
>> *any* folder using the instructions provided here. This page should
>> probably be referenced on
>> https://wiki.samba.org/index.php/Group_Policy, along with any other
>> Wiki pages dealing with Group Policy (e.g. the Configuring Windows
>> Profile Folder Redirections page).
>>
>
> Yes, you make a good point. My work has been on Linux domain member
> group policy. This wiki page additionally needs details on Windows
> domain member policy.
>
>>
>> Final Wiki editing note: Under the Startup Script Policies section,
>> this example is given:
>>
>> samba-tool gpo manage scripts startup add
>> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
>>
>> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is.
>> This is later explained in the Pam Access Policies section; that this
>> is the SID (? it's called a hash there, doesn't look like a hash to
>> me) for the GPO. That should probably be mentioned the first time
>> this is used, along with the brief explanation of how to determine
>> what this is using `samba-tool gpo list`, also covered in the PAM
>> Access Policies section. An example of using `samba-tool gpo list`
>> would be helpful too.
>>
>
> Technically this is a GUID (globally unique identifier). I'll clarify
> this on the wiki. I'll also ensure the instructions on finding the GPO
> GUID are clearer.
>
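The GUID confusion discussed above (finding the `{...}` identifier with `samba-tool gpo list` before passing it to `samba-tool gpo manage scripts startup add`) can be handled in a small helper. This is an added example, not code from the thread or from Samba: the listing text is constructed, its "key : value" layout is assumed to match what `samba-tool gpo listall` prints, and the second GPO's GUID is a placeholder.

```bash
#!/bin/sh
# Constructed sample of `samba-tool gpo listall` output (format assumed).
# The first GUID is the well-known Default Domain Policy GUID from the thread;
# the second is a placeholder, not a real policy.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\samdom.example.com\sysvol\samdom.example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dsname       : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
version      : 3
flags        : NONE

GPO          : {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
display name : Linux Startup Scripts
path         : \\samdom.example.com\sysvol\samdom.example.com\Policies\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
dsname       : CN={AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
version      : 1
flags        : NONE
'

# gpo_guid_for_name LISTING DISPLAY_NAME
# Walks the records and prints the GUID whose "display name" matches exactly.
# Prints nothing if no record matches, so callers can detect a typo in the name.
gpo_guid_for_name() {
  printf '%s\n' "$1" | awk -v want="$2" -F' : ' '
    $1 ~ /^GPO/          { guid = $2 }
    $1 ~ /^display name/ { if ($2 == want) { print guid; exit } }
  '
}

# is_gpo_guid VALUE
# Succeeds only for a braced GUID of the form {8-4-4-4-12} hex digits, which
# is what the startup-script command expects as its first argument.
is_gpo_guid() {
  printf '%s' "$1" | grep -Eq '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
}

# startup_script_cmd GUID SCRIPT ARGS
# Composes (but does not run) the wiki's command with a resolved GUID.
startup_script_cmd() {
  printf "samba-tool gpo manage scripts startup add %s %s '%s'\n" "$1" "$2" "$3"
}

# Stand-alone run: resolve a policy by name, validate, then show the command.
guid=$(gpo_guid_for_name "$SAMPLE_LISTALL" "Linux Startup Scripts")
if is_gpo_guid "$guid"; then
  startup_script_cmd "$guid" test_script.sh -n
else
  echo "no GPO with that display name" >&2
fi
```

Against a real domain, replace `SAMPLE_LISTALL` with `$(samba-tool gpo listall)` and pass the GPO's display name as it appears in the GPMC.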