[Samba] samba linux gpo

Peter Carlson peter at howudodat.com
Fri Oct 21 18:10:10 UTC 2022 

On 10/21/22 09:10, David Mulder via samba wrote:
>
> On 10/21/22 10:03 AM, Peter Carlson via samba wrote:
>> Here is some preliminary testing with samba linux gpo.
>>
>> *Password and Security:*
>> Computer Configuration > Policies > OS Settings > Security Settings > 
>> Account Policy
>> OS Settings doesn't exist
>>
>> *GNOME:*
>> I cant find any gnome settings in RSAT
>
> You have to install the templates using the command `samba-tool gpo 
> admxload --admx-dir=/location/of/templates` and specify the location 
> of the GNOME Settings admx templates. See the samba source in 
> libgpo/admx. You can also install the chrome and firefox templates to 
> administer these:
>
> https://github.com/mozilla/policy-templates/releases
> https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip

ok I did samba-tool gpo admxload to load the default samba template, 
Gnome wasn't there, so I copied the files down from github (gnome and 
samba).  and did: samba-tool gpo admxload -U Administrator 
--admx-dir=./admx, this loaded the new samba.admx (firewalld appeared) 
but doesn't appear to have loaded GNOME Settings.admx

root at nc1:~# tree admx
admx
├── EN-US
│   ├── GNOME Settings.adml
│   └── samba.adml
├── GNOME Settings.admx
└── samba.admx

1 directory, 4 files

looking in sysvol shows it got copied:
root at nc1:~# ls -l 
/var/lib/samba/sysvol/sa***nt.local/Policies/PolicyDefinitions/GNOME\ 
Settings.admx
-rwxrwx---+ 1 3000000 users 7748 Oct 21 18:00 
'/var/lib/samba/sysvol/sa***nt.local/Policies/PolicyDefinitions/GNOME 
Settings.admx'

Still no GNOME or OS Settings in RSAT

root at nc1:/var/lib/samba/sysvol/sa***nt.local/Policies/PolicyDefinitions# 
grep "Account Policy" *.admx
returns no files

Also, is removing definitions as simple as deleting the admx file and 
associated adml files from sysvol?

>
> Did you run `samba-gpupdate --force` after unlinking the policy? Don't 
> run `samba-gpupdate --force` with --rsop. RSoP is for displaying 
> policy, not applying it.
>
> Also, worst case you can run `samba-gpupdate --unapply` to forcefully 
> remove stuck policies.
>
ok, I ran just samba-gpudate --force and then ran  samba-gpudate --rsop 
and it is working correctly.  That might warrant a conflicting 
parameters error, or perhaps handle --force (update) first and then 
process --rsop

More information about the samba mailing list