[Samba] samba linux gpo

Peter Carlson peter at howudodat.com
Mon Oct 24 16:04:08 UTC 2022


OK, I have set up a complete lab with ADDC, FileServer, Linux CLI client, 
Linux GUI client, and Windows client, all running on different guests in 
Proxmox.  I compiled 4.17 from source and configured it.  I then copied the 
GNOME admx into /usr/share/samba/admx/GNOME Settings.admx and ran 
samba-tool gpo admxload -U Administrator. Voilà, GNOME policies appear in 
the GPO editor.

Then, to bring in Windows policies, I ran:

samba-tool gpo admxload -U Administrator --admx-dir=./Program\ Files/Microsoft\ Group\ Policy/Windows\ 11\ September\ 2022\ Update\ \(22H2\)/PolicyDefinitions/

and the GNOME policies disappear. They are still in sysvol, but no longer 
appear in the GPO editor.

root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GN*
-rwxrwx---+ 1 3000000 users 7748 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GNOME Settings.admx'
root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GN*
-rwxrwx---+ 1 3000000 users 9614 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GNOME Settings.adml'

Peter


On 10/21/22 09:10, David Mulder via samba wrote:
>
> On 10/21/22 10:03 AM, Peter Carlson via samba wrote:
>> Here is some preliminary testing with samba linux gpo.
>>
>> *Password and Security:*
>> Computer Configuration > Policies > OS Settings > Security Settings > 
>> Account Policy
>> OS Settings doesn't exist
>>
>> *GNOME:*
>> I can't find any GNOME settings in RSAT
>
> You have to install the templates using the command `samba-tool gpo 
> admxload --admx-dir=/location/of/templates` and specify the location 
> of the GNOME Settings admx templates. See the samba source in 
> libgpo/admx. You can also install the chrome and firefox templates to 
> administer these:
>
> https://github.com/mozilla/policy-templates/releases
> https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
>
>>
>> *sudo:*
>> GPO: Linux Sudo
>> All Tests performed with samba-gpupdate --force --rsop
>> step 1: add Domain Users as sudo, that generated gp_syvdg6p6 with 
>> Domain Users in it
>>
>> step 2: change policy to Linux Users.  That generated a new gp file 
>> gp_rjdmvvow with Linux Users  (now there are 2 files)
>> ============================================================================================================================== 
>>
>>   CSE: gp_sudoers_ext
>> -------------------------------------------------------------------------------------------- 
>>
>>     Policy Type: Sudo Rights
>> -------------------------------------------------------------------------------------------- 
>>
>>     [ %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL ]
>> -------------------------------------------------------------------------------------------- 
>>
>>
>> step 3: change policy to Linux Test.  That did nothing. gp_rjdmvvow 
>> still contains Linux Users
>> GPO: Linux Sudo
>> ============================================================================================================================== 
>>
>>   CSE: gp_sudoers_ext
>> -------------------------------------------------------------------------------------------- 
>>
>>     Policy Type: Sudo Rights
>> -------------------------------------------------------------------------------------------- 
>>
>>     [ %SDCP\\Linux\x20Test ALL=(ALL) NOPASSWD: ALL ]
>> -------------------------------------------------------------------------------------------- 
>>
>> -------------------------------------------------------------------------------------------- 
>>
>>
>> After unlinking the policy, it no longer shows up in --rsop but there 
>> are now 2 files
>>
>> root@xrdp:/etc/sudoers.d# ls -l gp*
>> -rw------- 1 root root 312 Oct 21 15:42 gp_rjdmvvow
>> -rw------- 1 root root 313 Oct 21 15:36 gp_syvdg6p6
>> root@xrdp:/etc/sudoers.d# cat gp*
>>
>> ### autogenerated by samba
>> #
>> # This file is generated by the gp_sudoers_ext Group Policy
>> # Client Side Extension. To modify the contents of this file,
>> # modify the appropriate Group Policy objects which apply
>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>> #
>>
>> %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL
>>
>> ### autogenerated by samba
>> #
>> # This file is generated by the gp_sudoers_ext Group Policy
>> # Client Side Extension. To modify the contents of this file,
>> # modify the appropriate Group Policy objects which apply
>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>> #
>>
>> %SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL
>
> Did you run `samba-gpupdate --force` after unlinking the policy? Don't 
> run `samba-gpupdate --force` with --rsop. RSoP is for displaying 
> policy, not applying it.
>
> Also, worst case you can run `samba-gpupdate --unapply` to forcefully 
> remove stuck policies.
>
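
An added example, not part of the original messages and not Samba code: a read-only check for leftover gp_* files in a sudoers.d directory, like the two listed in the quoted message after the policy was unlinked. The function names, the temporary directory and the sample files are constructed for illustration; the set of expected rules is assumed to be supplied by the administrator (for instance, what `samba-gpupdate --rsop` currently reports).

```python
import os
import tempfile

MARKER = "### autogenerated by samba"  # header line shown in the files quoted above

def gp_rules(text):
    """Return the sudo rules in one file, or None if it lacks the samba marker."""
    lines = [l.strip() for l in text.splitlines()]
    if MARKER not in lines:
        return None
    return [l for l in lines if l and not l.startswith("#")]

def audit(sudoers_dir, expected_rules):
    """Return (filename, rule, nopasswd_all) for samba-generated rules
    that are on disk but not in expected_rules."""
    findings = []
    for name in sorted(os.listdir(sudoers_dir)):
        if not name.startswith("gp_"):
            continue
        with open(os.path.join(sudoers_dir, name), encoding="utf-8") as fh:
            rules = gp_rules(fh.read())
        for rule in rules or []:
            if rule not in expected_rules:
                findings.append((name, rule, "NOPASSWD: ALL" in rule))
    return findings

def demo(expected_rules=frozenset()):
    # Constructed sample: the two files from the quoted listing, written to a temp dir.
    header = MARKER + "\n#\n# This file is generated by the gp_sudoers_ext Group Policy\n#\n\n"
    files = {
        "gp_rjdmvvow": r"%SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL",
        "gp_syvdg6p6": r"%SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, rule in files.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(header + rule + "\n")
        # Default: policy unlinked, so no sudo rule is expected on disk.
        return audit(d, expected_rules)

if __name__ == "__main__":
    for name, rule, broad in demo():
        print(f"stale: {name}: {rule}" + ("  [NOPASSWD: ALL]" if broad else ""))
```

On a real client the directory would be /etc/sudoers.d and the script needs read access to it; it only reports and changes nothing.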


