[Samba] samba linux gpo
David Mulder
dmulder at samba.org
Fri Oct 21 16:10:57 UTC 2022
On 10/21/22 10:03 AM, Peter Carlson via samba wrote:
> Here is some preliminary testing with samba linux gpo.
>
> *Password and Security:*
> Computer Configuration > Policies > OS Settings > Security Settings >
> Account Policy
> OS Settings doesn't exist
>
> *GNOME:*
> I cant find any gnome settings in RSAT
You have to install the templates using the command `samba-tool gpo
admxload --admx-dir=/location/of/templates` and specify the location of
the GNOME Settings admx templates. See the samba source in libgpo/admx.
You can also install the chrome and firefox templates to administer these:
https://github.com/mozilla/policy-templates/releases
https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
>
> *sudo:*
> GPO: Linux Sudo
> All Tests performed with samba-gpupdate --force --rsop
> step 1: add Domain Users as sudo, that generated gp_syvdg6p6 with
> Domain Users in it
>
> step 2: change policy to Linux Users. That generated a new gp file
> gp_rjdmvvow with Linux Users (now there are 2 files)
> ==============================================================================================================================
>
> CSE: gp_sudoers_ext
> --------------------------------------------------------------------------------------------
>
> Policy Type: Sudo Rights
> --------------------------------------------------------------------------------------------
>
> [ %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL ]
> --------------------------------------------------------------------------------------------
>
>
> step 3: change policy to Linux Test. That did nothing. gp_rjdmvvow
> still contains Linux Users
> GPO: Linux Sudo
> ==============================================================================================================================
>
> CSE: gp_sudoers_ext
> --------------------------------------------------------------------------------------------
>
> Policy Type: Sudo Rights
> --------------------------------------------------------------------------------------------
>
> [ %SDCP\\Linux\x20Test ALL=(ALL) NOPASSWD: ALL ]
> --------------------------------------------------------------------------------------------
>
> --------------------------------------------------------------------------------------------
>
>
> After unlinking the policy, it no longer shows up in --rsop but there
> are now 2 files
>
> root at xrdp:/etc/sudoers.d# ls -l gp*
> -rw------- 1 root root 312 Oct 21 15:42 gp_rjdmvvow
> -rw------- 1 root root 313 Oct 21 15:36 gp_syvdg6p6
> root at xrdp:/etc/sudoers.d# cat gp*
>
> ### autogenerated by samba
> #
> # This file is generated by the gp_sudoers_ext Group Policy
> # Client Side Extension. To modify the contents of this file,
> # modify the appropriate Group Policy objects which apply
> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
> #
>
> %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL
>
> ### autogenerated by samba
> #
> # This file is generated by the gp_sudoers_ext Group Policy
> # Client Side Extension. To modify the contents of this file,
> # modify the appropriate Group Policy objects which apply
> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
> #
>
> %SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL
Did you run `samba-gpupdate --force` after unlinking the policy? Don't
run `samba-gpupdate --force` with --rsop. RSoP is for displaying policy,
not applying it.
Also, worst case you can run `samba-gpupdate --unapply` to forcefully
remove stuck policies.
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list