[Samba] Fwd: long scripts
Kees van Vloten
keesvanvloten at gmail.com
Sat Oct 15 11:03:21 UTC 2022
The advice in the Windows world is generally to link GPO to the base-dn
(DN=example,DN=com) and then filter them to groups.
This is easier to manage and much more flexible than linking them to a
specific OU.
Below is the description of how to get this done in Samba on the
command-line, the assumption is to run it on a DC.
-------- Forwarded Message --------
Policies (at least on Windows) are executed a.o. based on group
membership of the machine.
The group is contained in the DSACL of the policy in LDAP.
This is an example of a GPO DSACL:
Replace <OBJECT_SID> with the attribute "objectSid" of the group you
want the GPO to work on.
To attach multiple groups the DSACL looks like:
Construct a temp-file:
dn: CN=<GPO_UUID>,CN=Policies,CN=System,DC=example,DC=com
changetype: modify
replace: nTSecurityDescriptor
nTSecurityDescriptor: <DSACL>
And apply the DSACL with:
ldbmodify -H /var/lib/samba/private/sam.ldb <TEMP-FILE>
Now run the gpupdate variant for your machine to update the policies and
either apply or remove the policy depending on the group memberships of
the machine.
@Rowland, @David, is it an idea to update the wiki with this information?
Or @David is it an idea to extend "samba-tool gpo" to be able to manage
GPO groups memberships?
- Kees
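As an added example (not from the post, the wiki or Samba itself): a small Python script that builds the LDIF above for a GPO and a list of group objectSids, with the checks I would want before feeding it to ldbmodify. The SDDL it writes is an assumption: a base descriptor that keeps Domain Admins and SYSTEM in full control (a plain "replace:" drops everything that was there before), plus, per group, a read ACE and the Apply-Group-Policy control access right, which is what security filtering keys on.

```python
import re

# Control access right GUID for "Apply Group Policy" (Apply-Group-Policy in MS-ADTS).
APPLY_GROUP_POLICY_GUID = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
# Assumed base descriptor: owner and group Domain Admins, full control for
# Domain Admins and SYSTEM, so that "replace:" does not lock administrators out.
BASE_SDDL = ("O:DAG:DAD:PAI"
             "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
             "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)")
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
GPO_GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def group_aces(sid):
    """Two ACEs per group: read the policy object, and the Apply Group Policy right."""
    if not DOMAIN_SID_RE.match(sid):
        raise ValueError(f"not a domain objectSid: {sid}")
    return (f"(A;CI;RPLCLORC;;;{sid})"
            f"(OA;CI;CR;{APPLY_GROUP_POLICY_GUID};;{sid})")


def build_dsacl(group_sids):
    """Base descriptor followed by the ACE pair for every filtered group."""
    if not group_sids:
        raise ValueError("at least one group SID is required")
    return BASE_SDDL + "".join(group_aces(s) for s in group_sids)


def build_ldif(gpo_guid, base_dn, group_sids):
    """LDIF in the shape of the post, for: ldbmodify -H .../sam.ldb <file>."""
    if not GPO_GUID_RE.match(gpo_guid):
        raise ValueError(f"GPO name must be a braced GUID: {gpo_guid}")
    dn = f"CN={gpo_guid},CN=Policies,CN=System,{base_dn}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: nTSecurityDescriptor",
        f"nTSecurityDescriptor: {build_dsacl(group_sids)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample values, not taken from a real domain.
    print(build_ldif("{12345678-1234-1234-1234-123456789abc}", "DC=example,DC=com",
                     ["S-1-5-21-1111111111-2222222222-3333333333-1105"]))
```

Run it on a DC, redirect the output to the temp-file and apply it with the ldbmodify line from the post; a group SID that is not a domain SID (for example a BUILTIN group) is rejected before anything is written.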
On 14-10-2022 17:17, David Mulder via samba wrote:
> On 10/14/22 9:08 AM, Peter Carlson via samba wrote:
>> So I am assuming that these scripts are only run on Linux systems; if
>> so, that takes care of it not running on Windows.
>> So if I then put a login script login.ps1 or login.bat it will run on
>> Windows, but still try to run on Linux and fail?
>> Peter
>> PS: sorry for the mis-spelling in the subject, the brain -> finger
>> interface has one wire a bit loose
> Windows logon scripts are not executed by Samba client group policy,
> so that's not a problem.
> FYI, Samba's user group policy is somewhat limited. User policies
> aren't executed by samba by default, but need to be run some other way
> (I'm working on fixing this though).
> You can either enable them using oddjob-gpupdate:
> https://github.com/openSUSE/oddjob-gpupdate
> Or you can manually run the samba-gpupdate command via bashrc, or
> something:
> /usr/sbin/samba-gpupdate --target=User -U $USER
> Script Policies
> (https://wiki.samba.org/index.php/Group_Policy#Script_Policies) can be
> assigned as user policies, but the Startup Script Policies cannot
> (these are for the machine).
> So it depends on what your needs are. You could potentially run a
> machine Startup Script, which applies policies for all your users,
> etc. That would be the simplest setup.
> I'm happy to help if you run into any problems.