I have followed these instructions.
https://github.com/thctlo/samba4/blob/master/full-howto-Ubuntu18.04-samba-AD_DC.txt

My normal domain is company.com. For the Samba domain it is msi.company.com.

DNS is working. I ran these commands.

host -t SRV _ldap._tcp.msi.company.com.
_ldap._tcp.msi.company.com has SRV record 0 100 389 dc0.msi.company.com.

host -t SRV _kerberos._udp.msi.company.com.
_kerberos._udp.msi.company.com has SRV record 0 100 88 dc0.msi.company.com.

host -t A dc0.msi.company.com.
dc0.msi.company.com has address 172.23.93.25

host -t A msi.company.com
msi.company.com has address 172.23.93.25

host -t A dc0.msi.company.com
dc0.msi.company.com has address 172.23.93.25

host -t SRV _kerberos._udp.msi.company.com
_kerberos._udp.msi.company.com has SRV record 0 100 88 dc0.msi.company.com.

host -t SRV _ldap._tcp.msi.company.com
_ldap._tcp.msi.company.com has SRV record 0 100 389 dc0.msi.company.com.

I can even resolve machines on company.com.

I can join the msi domain, add and modify users, but Group Policies are not applied. I can even log on with a created user.

These are the Group Policies I added.
Add a Group Policy for adding Domain Users to the local Admin group.
https://wiki.samba.org/index.php/Managing_local_groups_on_domain_members_via_GPO_restricted_groups

And this one to display a logon message. Scroll down to 'Step 3: Domain Group Policy Management'
https://www.tecmint.com/manage-samba4-dns-group-policy-from-windows/

Here is my smb.conf file to start with. I don't know what else to send at this time.
Ub18.04> less /etc/samba/smb.conf
# Global parameters
[global]
        netbios name = DC0
        realm = MSI.COMPANY.COM
        server role = active directory domain controller
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
        workgroup = MSI
        idmap_ldb:use rfc2307 = yes

[netlogon]
        path = /var/lib/samba/sysvol/msi.company.com/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

Thank you,

Durwin

This email message and any attachments are for the sole use of the intended recipient(s) and may contain proprietary and/or confidential information which may be privileged or otherwise protected from disclosure. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s), please contact the sender by reply email and destroy the original message and any copies of the message as well as any attachments to the original message.
Hai,

Why would you ever add Domain Users to Local Admins?
That's really a very big NO NO, don't do that, really.. Don't..
If you want to be a victim of online crime, then that's the way to allow it to happen.

Now your GPO.
It's a new setup, correct? If so.

Log in on the AD and kinit Administrator
Run : samba-tool ntacl sysvolreset -k

Now, go to the Default Domain policy, is "authenticated users" set as security filter? If not, do so.
In that policy, change your logon welcome settings.

Clear the windows event logs and now, reboot the computer 2x !
Now login and check again

What's the result.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Durwin via samba
> Sent: Monday 29 April 2019 21:39
> To: samba at lists.samba.org
> Subject: [Samba] Group policies are not applied
>
> [...]
Hai,

That -k should use the Kerberos auth. We should think about a bit better description here.
When you're root/Administrator then it works ok also.

Well, you found the problem and you were able to fix it, so I'm happy.
And good to see that you did not have any errors running: samba-tool ntacl sysvolreset

Thanks for the notice back.

Greetz,

Louis

From: durwin at mgtsciences.com [mailto:durwin at mgtsciences.com]
Sent: Wednesday 1 May 2019 20:35
To: L.P.H. van Belle
Subject: Re: [Samba] Group policies are not applied

> It's a new setup, correct? If so.

Yes

> Log in on the AD and kinit Administrator
> Run : samba-tool ntacl sysvolreset -k

The -k option requires an option. From the man page, -k KERBEROS, but when I use it I get this. What is the -K option supposed to do?

Ub18.04> samba-tool ntacl sysvolreset -k KERBEROS
Usage: samba-tool ntacl sysvolreset <file> [options]

samba-tool ntacl sysvolreset: error: invalid -k option value: KERBEROS

I also ran just this.
samba-tool ntacl sysvolreset
Then running 'samba-tool ntacl sysvolcheck' returns without error.

> Now, go to the Default Domain policy, is "authenticated users" set as
> security filter? If not, do so.

Yes, "authenticated users" is set in security filter.

> In that policy, change your logon welcome settings.
>
> Clear the windows event logs and now, reboot the computer 2x !
> Now login and check again
>
> What's the result.

After doing sysvolreset (without -K) I did 2 other things. One was to change passwords on the accounts (this was from a search on the error I saw in Windows events). In the end, all is working correctly. So I cannot confirm the fix.
Thank you,

Durwin
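The two checks that run through this thread, Durwin's DNS record queries in the first message and the sysvolreset/sysvolcheck step Louis recommends, combined into one POSIX shell script. This is an added example, not code from the thread or from the Samba project. It assumes bind9-host's `host` and `samba-tool` are installed on the DC and that it runs there as root; the realm, DC name and address are the ones from the thread, and the two sample `host` answer lines are copied from Durwin's output so the parsing helpers can be checked offline. The `_kerberos._tcp` record is an addition beyond what the thread queried. The remark on `-k` reflects samba-tool's option parser: `-k`/`--kerberos` expects `yes`, `no` or `auto`, which is why `-k KERBEROS` was rejected.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Pre-GPO sanity checks for a Samba AD DC:
#   1. the SRV records clients use to locate the DC resolve to the DC's address
#   2. the sysvol ACLs are reset and then verified (the step Louis recommends)
# Assumes bind9-host's `host` and `samba-tool` are installed and that the script
# runs on the DC as root. The values below are taken from the thread.

REALM="msi.company.com"
DC_FQDN="dc0.msi.company.com"
DC_IP="172.23.93.25"

# Sample `host` answer lines copied from the thread, used for the offline self-check.
SAMPLE_SRV='_ldap._tcp.msi.company.com has SRV record 0 100 389 dc0.msi.company.com.'
SAMPLE_A='dc0.msi.company.com has address 172.23.93.25'

# Print the target host named by a `host -t SRV` answer line, without the trailing dot.
# Prints nothing when the text is not an SRV answer (NXDOMAIN, "has no SRV record", ...).
srv_target() {
    printf '%s\n' "$1" | awk '/ has SRV record / { sub(/\.$/, "", $NF); print $NF; exit }'
}

# Print the IPv4 address from a `host -t A` answer line; nothing when there is none.
a_address() {
    printf '%s\n' "$1" | awk '/ has address / { print $NF; exit }'
}

# Return 0 when an SRV answer names the expected DC and an A answer gives the expected IP.
record_pair_ok() {  # $1 = SRV answer line, $2 = A answer line
    [ "$(srv_target "$1")" = "$DC_FQDN" ] && [ "$(a_address "$2")" = "$DC_IP" ]
}

# Live check of the records Durwin queried, plus _kerberos._tcp which members also use.
dns_check() {
    rc=0
    for rec in _ldap._tcp _kerberos._udp _kerberos._tcp; do
        srv_out=$(host -t SRV "$rec.$REALM" 2>&1)
        target=$(srv_target "$srv_out")
        if [ -z "$target" ]; then
            echo "MISSING  $rec.$REALM: $srv_out"
            rc=1
            continue
        fi
        a_out=$(host -t A "$target" 2>&1)
        if record_pair_ok "$srv_out" "$a_out"; then
            echo "OK       $rec.$REALM -> $target -> $(a_address "$a_out")"
        else
            echo "MISMATCH $rec.$REALM -> $target -> $a_out"
            rc=1
        fi
    done
    return $rc
}

# Louis's step: get a ticket, reset the sysvol ACLs, then verify them.
# The thread confirms that plain `samba-tool ntacl sysvolreset` (no -k) works when run
# as root on the DC. samba-tool's -k expects yes|no|auto, so "-k KERBEROS" is rejected;
# with a ticket from kinit, `-k yes` is the form that forces Kerberos.
sysvol_reset_and_check() {
    kinit Administrator || { echo "kinit failed"; return 1; }
    samba-tool ntacl sysvolreset || { echo "sysvolreset failed"; return 1; }
    samba-tool ntacl sysvolcheck || { echo "sysvolcheck still reports ACL problems"; return 1; }
    echo "sysvol ACLs reset and verified"
}

# Only touch the live system when asked (RUN_LIVE=1), so the parsing helpers can be
# sourced and exercised offline against the sample lines above.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    dns_check && sysvol_reset_and_check
fi
```

Run it on the DC as `RUN_LIVE=1 sh check-dc.sh`; a MISSING or MISMATCH line means clients will not find the DC for LDAP or Kerberos, which should be fixed before looking at GPO processing. After a clean run, the "authenticated users" security filter and two reboots from Louis's reply remain manual steps.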