[Samba] samba linux gpo
Peter Carlson
peter at howudodat.com
Mon Oct 24 16:04:08 UTC 2022
OK, I have set up a complete lab with ADDC, FileServer, Linux CLI client,
Linux GUI client, and Windows client, all running on different guests in
Proxmox. I compiled 4.17 from source and configured. I then copied the
GNOME admx into /usr/share/samba/admx/GNOME Settings.admx and ran

    samba-tool gpo admxload -U Administrator

Voila, GNOME policies appear in GPO editor.

Then to bring in Windows policies I ran:

    samba-tool gpo admxload -U Administrator --admx-dir=./Program\ Files/Microsoft\ Group\ Policy/Windows\ 11\ September\ 2022\ Update\ \(22H2\)/PolicyDefinitions/

and GNOME policies disappear. They are still in sysvol, but no longer
appear in GPO editor:

root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GN*
-rwxrwx---+ 1 3000000 users 7748 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GNOME Settings.admx'
root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GN*
-rwxrwx---+ 1 3000000 users 9614 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GNOME Settings.adml'

Peter
On 10/21/22 09:10, David Mulder via samba wrote:
>
> On 10/21/22 10:03 AM, Peter Carlson via samba wrote:
>> Here is some preliminary testing with samba linux gpo.
>>
>> *Password and Security:*
>> Computer Configuration > Policies > OS Settings > Security Settings >
>> Account Policy
>> OS Settings doesn't exist
>>
>> *GNOME:*
>> I can't find any GNOME settings in RSAT
>
> You have to install the templates using the command `samba-tool gpo
> admxload --admx-dir=/location/of/templates` and specify the location
> of the GNOME Settings admx templates. See the samba source in
> libgpo/admx. You can also install the chrome and firefox templates to
> administer these:
>
> https://github.com/mozilla/policy-templates/releases
> https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
>
>>
>> *sudo:*
>> GPO: Linux Sudo
>> All Tests performed with samba-gpupdate --force --rsop
>> step 1: add Domain Users as sudo, that generated gp_syvdg6p6 with
>> Domain Users in it
>>
>> step 2: change policy to Linux Users. That generated a new gp file
>> gp_rjdmvvow with Linux Users (now there are 2 files)
>> ==============================================================================================================================
>>
>> CSE: gp_sudoers_ext
>> --------------------------------------------------------------------------------------------
>>
>> Policy Type: Sudo Rights
>> --------------------------------------------------------------------------------------------
>>
>> [ %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL ]
>> --------------------------------------------------------------------------------------------
>>
>>
>> step 3: change policy to Linux Test. That did nothing. gp_rjdmvvow
>> still contains Linux Users
>> GPO: Linux Sudo
>> ==============================================================================================================================
>>
>> CSE: gp_sudoers_ext
>> --------------------------------------------------------------------------------------------
>>
>> Policy Type: Sudo Rights
>> --------------------------------------------------------------------------------------------
>>
>> [ %SDCP\\Linux\x20Test ALL=(ALL) NOPASSWD: ALL ]
>> --------------------------------------------------------------------------------------------
>>
>> --------------------------------------------------------------------------------------------
>>
>>
>> After unlinking the policy, it no longer shows up in --rsop but there
>> are now 2 files
>>
>> root@xrdp:/etc/sudoers.d# ls -l gp*
>> -rw------- 1 root root 312 Oct 21 15:42 gp_rjdmvvow
>> -rw------- 1 root root 313 Oct 21 15:36 gp_syvdg6p6
>> root@xrdp:/etc/sudoers.d# cat gp*
>>
>> ### autogenerated by samba
>> #
>> # This file is generated by the gp_sudoers_ext Group Policy
>> # Client Side Extension. To modify the contents of this file,
>> # modify the appropriate Group Policy objects which apply
>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>> #
>>
>> %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL
>>
>> ### autogenerated by samba
>> #
>> # This file is generated by the gp_sudoers_ext Group Policy
>> # Client Side Extension. To modify the contents of this file,
>> # modify the appropriate Group Policy objects which apply
>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>> #
>>
>> %SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL
>
> Did you run `samba-gpupdate --force` after unlinking the policy? Don't
> run `samba-gpupdate --force` with --rsop. RSoP is for displaying
> policy, not applying it.
>
> Also, worst case you can run `samba-gpupdate --unapply` to forcefully
> remove stuck policies.
>
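
Added example (not part of the original thread and not Samba's own code): a Python check for the leftover-file situation discussed above, comparing the rules in samba-generated files under /etc/sudoers.d with the sudo rules shown by `samba-gpupdate --rsop`. The sample inputs are constructed from the output quoted in the thread; the function names, and the reading of RSoP output as `[ rule ]` lines under "Policy Type: Sudo Rights", are assumptions of this example.

```python
import re

MARKER = "### autogenerated by samba"  # header seen in the gp_* files above

def rsop_sudo_rules(rsop_text):
    """Collect '[ rule ]' lines listed under 'Policy Type: Sudo Rights'."""
    rules, in_sudo = set(), False
    for line in map(str.strip, rsop_text.splitlines()):
        if line.startswith("Policy Type:"):
            in_sudo = line.split(":", 1)[1].strip() == "Sudo Rights"
        elif in_sudo:
            m = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
            if m:
                rules.add(m.group(1))
    return rules

def generated_rules(text):
    """Rule lines of a samba-generated sudoers file, or None for other files."""
    if MARKER not in text:
        return None
    lines = (l.strip() for l in text.splitlines())
    # Treat '#' lines as comments, keeping #include/#includedir directives.
    return [l for l in lines if l and (not l.startswith("#") or l.startswith("#include"))]

def stale_files(files, rsop_text):
    """Map file name -> rules that RSoP no longer lists as applied."""
    effective = rsop_sudo_rules(rsop_text)
    stale = {}
    for name, text in sorted(files.items()):
        rules = generated_rules(text)
        extra = [r for r in rules or [] if r not in effective]
        if extra:
            stale[name] = extra
    return stale

# Constructed samples, modelled on the output quoted in the thread (step 3).
HEADER = MARKER + "\n#\n# DO NOT MODIFY THIS FILE DIRECTLY.\n#\n\n"
SAMPLE_FILES = {
    "gp_rjdmvvow": HEADER + r"%SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL" + "\n",
    "gp_syvdg6p6": HEADER + r"%SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL" + "\n",
}
SAMPLE_RSOP = r"""GPO: Linux Sudo
  CSE: gp_sudoers_ext
    Policy Type: Sudo Rights
    [ %SDCP\\Linux\x20Test ALL=(ALL) NOPASSWD: ALL ]
"""

if __name__ == "__main__":
    for name, rules in stale_files(SAMPLE_FILES, SAMPLE_RSOP).items():
        for rule in rules:
            print(f"{name}: not in RSoP: {rule}")
```

On a real client the inputs would be the contents of /etc/sudoers.d/gp_* (read as root) and the text printed by `samba-gpupdate --rsop`; any file it reports still grants sudo rights that the current policy does not.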