[Samba] samba linux gpo

Peter Carlson peter at howudodat.com
Mon Oct 24 16:13:18 UTC 2022


Same thing, policy disappears from GPO Editor

root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GN*
-rwxrwx---+ 1 3000000 users 7748 Oct 24 16:12 /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GNOMESettings.admx

Is it possibly a conflict in one of the GUIDs?

On 10/24/22 09:03, David Mulder wrote:
>
> Maybe try removing the space in the filename. I wonder if GPME has 
> issues reading the filename?
>
> On 10/24/22 9:52 AM, Peter Carlson wrote:
>>
>> OK, I have set up a complete lab with ADDC, FileServer, Linux CLI 
>> client, Linux GUI client, Windows client all running on different 
>> guests in Proxmox.  I compiled 4.17 from source and configured.  I 
>> then copied the GNOME admx into /usr/share/samba/admx/GNOME 
>> Settings.admx and ran samba-tool gpo admxload -U Administrator. Voila, 
>> GNOME policies appear in GPO editor.
>>
>> then to bring in windows policies I ran: samba-tool gpo admxload -U 
>> Administrator --admx-dir=./Program\ Files/Microsoft\ Group\ 
>> Policy/Windows\ 11\ September\ 2022\ Update\ \(22H2\)/PolicyDefinitions/
>>
>> and GNOME policies disappear, they are still in sysvol, but no longer 
>> appear in GPO editor
>>
>> root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GN*
>> -rwxrwx---+ 1 3000000 users 7748 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/GNOME Settings.admx'
>> root@nc1:~# ls -l /var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GN*
>> -rwxrwx---+ 1 3000000 users 9614 Oct 24 15:44 '/var/lib/samba/sysvol/carlson.lab/Policies/PolicyDefinitions/en-US/GNOME Settings.adml'
>>
>>
>>
>> On 10/21/22 09:10, David Mulder via samba wrote:
>>>
>>> On 10/21/22 10:03 AM, Peter Carlson via samba wrote:
>>>> Here is some preliminary testing with samba linux gpo.
>>>>
>>>> *Password and Security:*
>>>> Computer Configuration > Policies > OS Settings > Security Settings 
>>>> > Account Policy
>>>> OS Settings doesn't exist
>>>>
>>>> *GNOME:*
>>>> I can't find any GNOME settings in RSAT
>>>
>>> You have to install the templates using the command `samba-tool gpo 
>>> admxload --admx-dir=/location/of/templates` and specify the location 
>>> of the GNOME Settings admx templates. See the samba source in 
>>> libgpo/admx. You can also install the chrome and firefox templates 
>>> to administer these:
>>>
>>> https://github.com/mozilla/policy-templates/releases
>>> https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
>>>
>>>>
>>>> *sudo:*
>>>> GPO: Linux Sudo
>>>> All Tests performed with samba-gpupdate --force --rsop
>>>> step 1: add Domain Users as sudo, that generated gp_syvdg6p6 with 
>>>> Domain Users in it
>>>>
>>>> step 2: change policy to Linux Users.  That generated a new gp file 
>>>> gp_rjdmvvow with Linux Users  (now there are 2 files)
>>>> ============================================================================================================================== 
>>>>
>>>>   CSE: gp_sudoers_ext
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>     Policy Type: Sudo Rights
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>     [ %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL ]
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>> step 3: change policy to Linux Test.  That did nothing. gp_rjdmvvow 
>>>> still contains Linux Users
>>>> GPO: Linux Sudo
>>>> ============================================================================================================================== 
>>>>
>>>>   CSE: gp_sudoers_ext
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>     Policy Type: Sudo Rights
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>     [ %SDCP\\Linux\x20Test ALL=(ALL) NOPASSWD: ALL ]
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>> -------------------------------------------------------------------------------------------- 
>>>>
>>>>
>>>> After unlinking the policy, it no longer shows up in --rsop but 
>>>> there are now 2 files
>>>>
>>>> root@xrdp:/etc/sudoers.d# ls -l gp*
>>>> -rw------- 1 root root 312 Oct 21 15:42 gp_rjdmvvow
>>>> -rw------- 1 root root 313 Oct 21 15:36 gp_syvdg6p6
>>>> root@xrdp:/etc/sudoers.d# cat gp*
>>>>
>>>> ### autogenerated by samba
>>>> #
>>>> # This file is generated by the gp_sudoers_ext Group Policy
>>>> # Client Side Extension. To modify the contents of this file,
>>>> # modify the appropriate Group Policy objects which apply
>>>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>>>> #
>>>>
>>>> %SDCP\\Linux\x20Users ALL=(ALL) NOPASSWD: ALL
>>>>
>>>> ### autogenerated by samba
>>>> #
>>>> # This file is generated by the gp_sudoers_ext Group Policy
>>>> # Client Side Extension. To modify the contents of this file,
>>>> # modify the appropriate Group Policy objects which apply
>>>> # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
>>>> #
>>>>
>>>> %SDCP\\Domain\x20Users ALL=(ALL) NOPASSWD: ALL
>>>
>>> Did you run `samba-gpupdate --force` after unlinking the policy? 
>>> Don't run `samba-gpupdate --force` with --rsop. RSoP is for 
>>> displaying policy, not applying it.
>>>
>>> Also, worst case you can run `samba-gpupdate --unapply` to 
>>> forcefully remove stuck policies.
>>>
> -- 
> David Mulder
> Labs Software Engineer, Samba
> SUSE
> 1221 S Valley Grove Way, Suite 500
> Pleasant Grove, UT 84062
> (P)+1 385.208.2989
> dmulder at suse.com
> http://www.suse.com
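
Added example (not part of the original thread and not Samba's own code): a check for the leftover gp_* files described above, listing sudo grants still present in a sudoers.d directory that the RSoP output no longer shows. It assumes the file header and the "[ rule ]" RSoP layout quoted in this thread; the function names, the gp_constructed file and the sample data in demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

MARKER = "### autogenerated by samba"   # header of the gp_* files shown in the thread

def gp_sudo_rules(sudoers_d):
    """Map each samba-generated gp_* file to the sudo rules it contains."""
    found = {}
    for path in sorted(Path(sudoers_d).glob("gp_*")):
        text = path.read_text()
        if MARKER in text:               # skip files not written by gp_sudoers_ext
            found[path.name] = [l.strip() for l in text.splitlines()
                                if l.strip() and not l.lstrip().startswith("#")]
    return found

def rsop_sudo_rules(rsop_text):
    """Collect rules printed as '[ rule ]' under 'CSE: gp_sudoers_ext'."""
    rules, in_cse = set(), False
    for line in rsop_text.splitlines():
        s = line.strip()
        if s.startswith("CSE:"):
            in_cse = s == "CSE: gp_sudoers_ext"
        elif in_cse and (m := re.fullmatch(r"\[ (.+) \]", s)):
            rules.add(m.group(1))
    return rules

def stale_grants(sudoers_d, rsop_text):
    """Return (file, rule) pairs still on disk that RSoP no longer lists."""
    wanted = rsop_sudo_rules(rsop_text)
    return [(name, rule) for name, rules in gp_sudo_rules(sudoers_d).items()
            for rule in rules if rule not in wanted]

def demo():
    """Constructed data: the two leftover files from the thread plus one live rule."""
    rule = r"%SDCP\\{} ALL=(ALL) NOPASSWD: ALL"
    rsop = ("  CSE: gp_sudoers_ext\n    Policy Type: Sudo Rights\n"
            "    [ " + rule.format(r"Linux\x20Test") + " ]\n")
    with tempfile.TemporaryDirectory() as d:
        for name, group in (("gp_rjdmvvow", r"Linux\x20Users"),
                            ("gp_syvdg6p6", r"Domain\x20Users"),
                            ("gp_constructed", r"Linux\x20Test")):
            Path(d, name).write_text(
                f"\n{MARKER}\n#\n# DO NOT MODIFY THIS FILE DIRECTLY.\n#\n\n{rule.format(group)}\n")
        return stale_grants(d, rsop)

if __name__ == "__main__":
    for name, rule in demo():
        print(f"stale: {name}: {rule}")
```

On a real client, pass /etc/sudoers.d and the captured text of `samba-gpupdate --rsop` to stale_grants(); reading the 0600 files requires root.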


