Hello! My Configuration: lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 14.04.3 LTS Release: 14.04 Codename: trusty Version Samba: samba-tool -V 4.4.4 My problem is, create a GPO with group Filtering, in case I want the GPO to be applied only to a specific group. When I do this (Filter) it does not load the GPO, only when I leave the default (Authenticated User). Is there something wrong with Samba or something different? Regards
On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote:> Hello! > > My Configuration: > > lsb_release -a > > No LSB modules are available. > Distributor ID: Ubuntu > Description: Ubuntu 14.04.3 LTS > Release: 14.04 > Codename: trusty > > Version Samba: > > samba-tool -V > 4.4.4 > > My problem is, create a GPO with group Filtering, in case I want the GPO > to be applied only to a specific group. > When I do this (Filter) it does not load the GPO, only when I leave the > default (Authenticated User). > Is there something wrong with Samba or something different?I've hit this a few weeks back, and it turns out that it is the default behaviour in Active Directory on the Windows side as well - not just Samba. Essentially, if you want to do security filtering on GPO's, you have to add the desired group or user in the security tab, and then go in the Delegation tab, click on Advanced, and remove the "Apply" rights for Authenticated Users - but leave the "Read" right in place. You should not remove the "Authenticated Users" from the security tab (but it will disappear from there when you remove its "Apply" privilege). The bottom line is that the "Authenticated Users" have to stay in with the "Read" permission - otherwise the whole GPO doesn't work. I hope the above makes sense - as I don't have the UI in front of me, and I'm typing from memory.
Hello! Thanks. I'm trying but still unsuccessful ..... Regards Em 30-05-2017 16:05, Sebastian Arcus via samba escreveu:> > On 30/05/17 15:42, Carlos A. P. Cunha via samba wrote: >> Hello! >> >> My Configuration: >> >> lsb_release -a >> >> No LSB modules are available. >> Distributor ID: Ubuntu >> Description: Ubuntu 14.04.3 LTS >> Release: 14.04 >> Codename: trusty >> >> Version Samba: >> >> samba-tool -V >> 4.4.4 >> >> My problem is, create a GPO with group Filtering, in case I want the >> GPO to be applied only to a specific group. >> When I do this (Filter) it does not load the GPO, only when I leave >> the default (Authenticated User). >> Is there something wrong with Samba or something different? > > I've hit this a few weeks back, and it turns out that it is the > default behaviour in Active Directory on the Windows side as well - > not just Samba. Essentially, if you want to do security filtering on > GPO's, you have to add the desired group or user in the security tab, > and then go in the Delegation tab, click on Advanced, and remove the > "Apply" rights for Authenticated Users - but leave the "Read" right in > place. You should not remove the "Authenticated Users" from the > security tab (but it will disappear from there when you remove its > "Apply" privilege). > > The bottom line is that the "Authenticated Users" have to stay in with > the "Read" permission - otherwise the whole GPO doesn't work. > > I hope the above makes sense - as I don't have the UI in front of me, > and I'm typing from memory. >
Last Year Microsoft has changed some things in the GPO Permissions. If you want to ad a group to the filter instead of "Authenticated Users" You must change the delegation-permission for the new GPO-Object. You must add "domain computers" with "read"-Permission to the "Delegation"-Tab. Then everything will work. Am 30.05.17 um 16:42 schrieb Carlos A. P. Cunha via samba:> Hello! > > My Configuration: > > lsb_release -a > > No LSB modules are available. > Distributor ID: Ubuntu > Description: Ubuntu 14.04.3 LTS > Release: 14.04 > Codename: trusty > > Version Samba: > > samba-tool -V > 4.4.4 > > My problem is, create a GPO with group Filtering, in case I want the GPO > to be applied only to a specific group. > When I do this (Filter) it does not load the GPO, only when I leave the > default (Authenticated User). > Is there something wrong with Samba or something different? > > Regards >-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 203 bytes Desc: OpenPGP digital signature URL: <http://lists.samba.org/pipermail/samba/attachments/20170604/587e1616/signature.sig>
Hello After several tests this is finally working. :-D In the security filter, this is only the group I want, and in Delegation, I needed submits to add "Domain Computers" with Read / Apply permission, and now everything is 100%. Thank you all. Regards Em 04-06-2017 05:49, Stefan Kania via samba escreveu:> Last Year Microsoft has changed some things in the GPO Permissions. If > you want to ad a group to the filter instead of "Authenticated Users" > You must change the delegation-permission for the new GPO-Object. You > must add "domain computers" with "read"-Permission to the > "Delegation"-Tab. Then everything will work. > > Am 30.05.17 um 16:42 schrieb Carlos A. P. Cunha via samba: >> Hello! >> >> My Configuration: >> >> lsb_release -a >> >> No LSB modules are available. >> Distributor ID: Ubuntu >> Description: Ubuntu 14.04.3 LTS >> Release: 14.04 >> Codename: trusty >> >> Version Samba: >> >> samba-tool -V >> 4.4.4 >> >> My problem is, create a GPO with group Filtering, in case I want the GPO >> to be applied only to a specific group. >> When I do this (Filter) it does not load the GPO, only when I leave the >> default (Authenticated User). >> Is there something wrong with Samba or something different? >> >> Regards >> > > > > >