[Samba] can't add user to security filter in a GPO

Rowland Penny rpenny at samba.org
Thu Jan 11 10:49:36 UTC 2024


On Thu, 11 Jan 2024 11:33:52 +0100
samba2024--- via samba <samba at lists.samba.org> wrote:

> Hello,
> 
> we have an Ubuntu 20.04 that was upgraded a while ago from a 16.04, 
> samba Version is 4.13.17. The Server is a fileserver and a samba
> domain controller. 

It is not recommended to use a Samba AD DC as a fileserver, I would
suggest you move the fileserver role to a separate Unix domain member.

> Everything looked fine and we barely use GPOs, it
> was required to add a a group to a GPO security filter and it does
> not work, it worked when it was Ubuntu 16.04 I don't know of the
> Version in the past. There is no error message, the user is not
> added, it was done via RSAT Tools. I can create a new GPO but there I
> could not add a user to security filter there as well.
> I see no error message in any log on the Samba side and I see no
> errors on Windows side, the group is just not added.
> I looked arround and I found a thread saying I should use
> samba-tool dbcheck --cross-ncs
> there where errors I used the --fix parameter and the result was
> Please use --fix to fix these errors
> Checked 3629 objects (3483 errors)
> 
> but it did not change anything about the previous problem
> 
> As there were no messages in the logs neither the Samba-side nor on
> the Windows-Side any idea to solve the problem or to dive into would
> be greatly appreciated.  Of course I can update to the newest version
> on Ubuntu 22.04 but I don't know if I would breake more and destroy
> the domain.
>

There has been a lot of changes in the way Samba uses GPO's since
4.13.x , but upgrading to 22.04 will not get you to the latest
version. I suggest you set up another DC on Debian bookworm with
Samba from backports (which will get you 4.19.3) and join this to your
domain.

Rowland
 




More information about the samba mailing list