[Samba] gpo client linux sssd does not apply

Rowland Penny rpenny at samba.org
Tue Apr 18 14:40:12 UTC 2023



On 18/04/2023 15:01, David Mulder via samba wrote:
> 
> On 4/18/23 4:44 AM, Rowland Penny via samba wrote:
>> I think what you are saying is this, using oddjob-gpupdate replaces 
>> the 'apply group policies = yes' line in smb.conf
>>
>> Anderson compiled oddjob-gpupdate and it didn't work using sssd, but 
>> the same basic setup on the OS using winbind did.
>>
>> As far as I can see, oddjob-gpupdate or 'apply group policies = yes' 
>> just run samba-gpupdate, as the python script works okay using 
>> winbind, it is unlikely there is anything wrong with the script.
>> This leaves sssd, which doesn't seem to take any part in the process, 
>> or the oddjob-gpupdate script, which seems to run the samba-gpupdate 
>> script or the basic setup of the OS, my money is on the latter.
>>
>> If the process works correctly when using winbind, what is 
>> oddjob-gpupdate for? Does Suse require it?
> 
> samba-gpupdate can be installed without winbind. If winbind isn't 
> installed, oddjob-gpupdate can be used to periodically call 
> samba-gpupdate instead. That's all it does. You could even accomplish 
> this with a cron job (albeit without the correct random interval offsets).

That sounds very like, do not use 'oddjob-gpupdate' with winbind, as 
winbind isn't required if running on a sssd joined machine.

> 
> In the past, I have tested joining an AD domain using SSSD, then 
> installing samba-gpupdate (without any other samba components), and 
> samba-gpupdate works. samba-gpupdate just needs access to the SYSVOL, 
> and valid host creds. SSSD can provide these.

Fully understand that and from the point of view of sssd joined 
machines, that is all you need.

> 
> It doesn't look like there is a problem in oddjob-gpupdate. Anderson 
> could verify this by using oddjob-gpupdate+winbind, but setting smb.conf 
> `apply group policies = No`.
> 

There is absolutely no point in Anderson doing that, he knows that 
winbind and samba-gpupdate works, it is the bit, that frankly has nothing 
to do with Samba, that doesn't work.

My feelings are that Anderson would be better off examining what 
packages are installed on the working Ubuntu plus winbind against the 
packages installed on the non-working Ubuntu plus sssd. Discount the 
Samba packages (except for 'samba-common-bin', which sssd seems to 
require) and install any missing ones. Also check:

/etc/resolv.conf
/etc/hostname
/etc/hosts
/etc/krb5.conf

For differences.

Rowland
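
The comparison suggested in the message above, sketched as an added example that is not part of the original thread or of Samba: list packages present on the working host but missing on the non-working one, and name which of the four files differ. The function names, the package-name patterns treated as "Samba packages", and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Collect on each host first (run there, not here):
#   dpkg-query -W -f='${Package}\n' > pkgs.txt
#   cp /etc/resolv.conf /etc/hostname /etc/hosts /etc/krb5.conf <snapshot dir>/

# Assumed patterns for "Samba packages" to discount; samba-common-bin is kept.
is_samba_pkg() {
    case "$1" in
        samba-common-bin) return 1 ;;
        samba|samba-*|winbind|libnss-winbind|libpam-winbind) return 0 ;;
        libwbclient*|libsmbclient*|python3-samba|smbclient) return 0 ;;
        *) return 1 ;;
    esac
}

# Print packages in list $1 (working host) that are absent from list $2.
missing_pkgs() {
    sort -u "$1" | while IFS= read -r p; do
        [ -n "$p" ] || continue
        is_samba_pkg "$p" && continue
        grep -qxF -- "$p" "$2" || printf '%s\n' "$p"
    done
}

# Print which of the four files differ between snapshot dirs $1 and $2.
# /etc/hostname is expected to differ between two machines.
differing_configs() {
    for f in resolv.conf hostname hosts krb5.conf; do
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
}

# Constructed sample snapshots (not taken from the thread).
d=$(mktemp -d)
mkdir "$d/ok" "$d/bad"
printf '%s\n' krb5-user samba-common-bin winbind libnss-winbind oddjob dnsutils > "$d/ok/pkgs.txt"
printf '%s\n' krb5-user sssd oddjob > "$d/bad/pkgs.txt"
for h in ok bad; do
    printf 'nameserver 192.0.2.10\n' > "$d/$h/resolv.conf"
    printf '127.0.0.1 localhost\n' > "$d/$h/hosts"
    printf '%s\n' "$h" > "$d/$h/hostname"
done
printf '[libdefaults]\n default_realm = EXAMPLE.TEST\n' > "$d/ok/krb5.conf"
printf '[libdefaults]\n default_realm = example.test\n' > "$d/bad/krb5.conf"

missing_pkgs "$d/ok/pkgs.txt" "$d/bad/pkgs.txt"
differing_configs "$d/ok" "$d/bad"
```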


