[Samba] gpo client linux sssd does not apply

David Mulder dmulder at samba.org
Tue Apr 18 14:01:57 UTC 2023

On 4/18/23 4:44 AM, Rowland Penny via samba wrote:
> I think what you are saying is this, using oddjob-gpupdate replaces 
> the 'apply group policies = yes' line in smb.conf
> Anderson compiled oddjob-gpupdate and it didn't work using sssd, but 
> the same basic setup on the OS using winbind did.
> As far as I can see, oddjob-gpupdate or 'apply group policies = yes' 
> just run samba-gpupdate, as the python script works okay using 
> winbind, it is unlikely there is anything wrong with the script.
> This leaves sssd, which doesn't seem to take any part in the process, 
> or the oddjob-gpupdate script, which seems to run the samba-gpudate 
> script or the basic setup of the OS, my money is on the latter.
> If the process works correctly when using winbind, what is 
> oddjob-gpupdate for ? Does Suse require it ?

samba-gpupdate can be installed without winbind. If winbind isn't 
installed, oddjob-gpupdate can be used to periodically call 
samba-gpupdate instead. That's all it does. You could even accomplish 
this with a cron job (albeit without the correct random interval offsets).

In the past, I have tested joining an AD domain using SSSD, then 
installing samba-gpupdate (without any other samba components), and 
samba-gpupdate works. samba-gpupdate just needs access to the SYSVOL, 
and valid host creds. SSSD can provide these.

It doesn't look like there is a problem in oddjob-gpupdate. Anderson 
could verify this by using oddjob-gpupdate+winbind, but setting smb.conf 
`apply group policies = No`.

David Mulder
Labs Software Engineer, Samba
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com

More information about the samba mailing list