[Samba] gpo client linux sssd does not apply
David Mulder
dmulder at samba.org
Tue Apr 18 14:01:57 UTC 2023
On 4/18/23 4:44 AM, Rowland Penny via samba wrote:
> I think what you are saying is this, using oddjob-gpupdate replaces
> the 'apply group policies = yes' line in smb.conf
>
> Anderson compiled oddjob-gpupdate and it didn't work using sssd, but
> the same basic setup on the OS using winbind did.
>
> As far as I can see, oddjob-gpupdate or 'apply group policies = yes'
> just run samba-gpupdate, as the python script works okay using
> winbind, it is unlikely there is anything wrong with the script.
> This leaves sssd, which doesn't seem to take any part in the process,
> or the oddjob-gpupdate script, which seems to run the samba-gpudate
> script or the basic setup of the OS, my money is on the latter.
>
> If the process works correctly when using winbind, what is
> oddjob-gpupdate for ? Does Suse require it ?
samba-gpupdate can be installed without winbind. If winbind isn't
installed, oddjob-gpupdate can be used to periodically call
samba-gpupdate instead. That's all it does. You could even accomplish
this with a cron job (albeit without the correct random interval offsets).
In the past, I have tested joining an AD domain using SSSD, then
installing samba-gpupdate (without any other samba components), and
samba-gpupdate works. samba-gpupdate just needs access to the SYSVOL,
and valid host creds. SSSD can provide these.
It doesn't look like there is a problem in oddjob-gpupdate. Anderson
could verify this by using oddjob-gpupdate+winbind, but setting smb.conf
`apply group policies = No`.
--
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
More information about the samba
mailing list