Hi folks,

I have got a problem where GPOs set for a single user or a user group are not applied. The GPOs should be applied to Windows 10 Pro computers when the specific user(s) log in. The GPOs are defined for users, not computers. Domain GPOs for domain computers are applied appropriately, roaming profiles work, authentication works, the sysvol and netlogon shares on the DC are accessible and readable by all users, DNS works. I have tried with existing users and newly created test users. The GPOs are not applied. The GPOs (minimum Windows Server 2003 or XP) are:

- Set time limit for disconnected sessions
- Set time limit for active but idle Remote Services sessions
- End session when time limits are reached

The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or NFS. The .local TLD is used in the network (for almost 20 years), and all mDNS and zero configurations are prohibited and disabled. All workstations in the network are Windows 10 Pro with the latest updates, and ESET Business antivirus. The main file server, containing the user profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got nothing to do with the problem.

Would installing and setting up a new Debian Buster AD DC solve the problem?

Best regards,

Peter


smb.conf
=======
# Global parameters
[global]
        netbios name = KONADC
        realm = KONSTRUKCE.LOCAL
        server role = active directory domain controller
        workgroup = KONSTRUKCE
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
        dns forwarder = 192.168.0.221

[netlogon]
        path = /var/lib/samba/sysvol/konstrukce.local/scripts
        read only = No

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No


krb5.conf
=======
[libdefaults]
        default_realm = KONSTRUKCE.LOCAL
        dns_lookup_realm = false
        dns_lookup_kdc = true

resolv.conf
========
search konstrukce.local
nameserver 127.0.0.1

nsswitch.conf
==========
passwd:     files winbind
shadow:     files
group:      files winbind

hosts:      files dns myhostname

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
On 05/04/2021 08:04, Peter Milesson via samba wrote:
> Hi folks,
>
> I have got a problem where GPOs set for a single user or a user group are not applied. The GPOs should be applied to Windows 10 Pro computers when the specific user(s) log in. The GPOs are defined for users, not computers. Domain GPOs for domain computers are applied appropriately, roaming profiles work, authentication works, the sysvol and netlogon shares on the DC are accessible and readable by all users, DNS works. I have tried with existing users and newly created test users. The GPOs are not applied. The GPOs (minimum Windows Server 2003 or XP) are:
>
>
>
> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or NFS. The .local TLD is used in the network (for almost 20 years), and all mDNS and zero configurations are prohibited and disabled.

'.local' is not recommended because it can interfere with Avahi, but you have turned this off, so this is not the problem.

I take it you compiled Samba using Heimdal, but 4.9.1 is old and no longer supported, so I would suggest you upgrade; indeed, this may fix your problem.

> Would installing and setting up a new Debian Buster AD DC solve the problem?

Possibly, and you could use the Samba packages from here:
https://apt.van-belle.nl/

> Best regards,
>
> Peter
>
>
> smb.conf
> =======
> # Global parameters
> [global]
>         netbios name = KONADC
>         realm = KONSTRUKCE.LOCAL
>         server role = active directory domain controller
>         workgroup = KONSTRUKCE
>         idmap_ldb:use rfc2307 = yes
>         username map = /etc/samba/user.map

You should remove the 'username map' line; it is only used on a Unix domain member, idmapping is done in idmap.ldb on a DC.

> resolv.conf
> ========
> search konstrukce.local
> nameserver 127.0.0.1

You should use the DC's IP address, not '127.0.0.1'.

Rowland
The first step to do if a GPO for a user is not working is "samba-tool gpo list <username>" to see if the GPO is relevant for the user. If your GPO is not listed, check that the user is in the OU you linked the GPO to.

On 05.04.21 at 09:04, Peter Milesson via samba wrote:
> Hi folks,
>
> I have got a problem where GPOs set for a single user or a user group are not applied. The GPOs should be applied to Windows 10 Pro computers when the specific user(s) log in. The GPOs are defined for users, not computers. Domain GPOs for domain computers are applied appropriately, roaming profiles work, authentication works, the sysvol and netlogon shares on the DC are accessible and readable by all users, DNS works. I have tried with existing users and newly created test users. The GPOs are not applied. The GPOs (minimum Windows Server 2003 or XP) are:
>
> - Set time limit for disconnected sessions
> - Set time limit for active but idle Remote Services sessions
> - End session when time limits are reached
>
> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither is NIS or NFS. The .local TLD is used in the network (for almost 20 years), and all mDNS and zero configurations are prohibited and disabled. All workstations in the network are Windows 10 Pro with the latest updates, and ESET Business antivirus. The main file server, containing the user profiles, runs CentOS 7.8 with Samba 4.10.4, which I assume has got nothing to do with the problem.
>
> Would installing and setting up a new Debian Buster AD DC solve the problem?
>
> Best regards,
>
> Peter
>
>
> smb.conf
> =======
> # Global parameters
> [global]
>         netbios name = KONADC
>         realm = KONSTRUKCE.LOCAL
>         server role = active directory domain controller
>         workgroup = KONSTRUKCE
>         idmap_ldb:use rfc2307 = yes
>         username map = /etc/samba/user.map
>         dns forwarder = 192.168.0.221
>
> [netlogon]
>         path = /var/lib/samba/sysvol/konstrukce.local/scripts
>         read only = No
>
> [sysvol]
>         path = /var/lib/samba/sysvol
>         read only = No
>
>
> krb5.conf
> =======
> [libdefaults]
>         default_realm = KONSTRUKCE.LOCAL
>         dns_lookup_realm = false
>         dns_lookup_kdc = true
>
> resolv.conf
> ========
> search konstrukce.local
> nameserver 127.0.0.1
>
> nsswitch.conf
> ==========
> passwd:     files winbind
> shadow:     files
> group:      files winbind
>
> hosts:      files dns myhostname
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   nisplus
> publickey:  nisplus
> automount:  files nisplus
> aliases:    files nisplus
>

-- 
Stefan Kania
Landweg 13
25693 St. Michaelisdonn

Signing every e-mail helps reduce spam and protects your privacy. You can get a free certificate at https://www.dgn.de/dgncert/index.html
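As an added example (not code from the thread or from the Samba project), a small POSIX sh audit that checks a DC's smb.conf and resolv.conf for the two findings Rowland raised, then runs the samba-tool gpo list step Stefan describes; the default file paths and the check_*/audit_dc names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight audit for a Samba AD DC when a
# user GPO is not applied. Usage on the DC: audit_dc <username>
# Assumed defaults: /etc/samba/smb.conf and /etc/resolv.conf (override with the
# SMB_CONF and RESOLV_CONF environment variables); samba-tool must be on PATH.

# On an AD DC id mapping lives in idmap.ldb, so 'username map' does not belong
# in smb.conf. Only the spelled-out DC role value is recognised here.
check_smb_conf() {
    conf="$1"
    grep -Eiq '^[[:space:]]*server[[:space:]]+role[[:space:]]*=[[:space:]]*active[[:space:]]+directory[[:space:]]+domain[[:space:]]+controller' "$conf" || return 0
    if grep -Eiq '^[[:space:]]*username[[:space:]]+map[[:space:]]*=' "$conf"; then
        echo "WARN: $conf sets 'username map' but this host is an AD DC; remove the line" >&2
        return 1
    fi
    return 0
}

# The DC should resolve through its own LAN address, not 127.0.0.1, so that it
# and the Windows clients see the same DNS view of the domain.
check_resolv_conf() {
    conf="$1"
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.' "$conf"; then
        echo "WARN: $conf points at a loopback nameserver; use the DC's own IP address" >&2
        return 1
    fi
    return 0
}

# Stefan's first step: list the GPOs actually in scope for the user. If the
# expected GPO is missing, compare the user's OU with where the GPO is linked
# before suspecting the client, the shares or the DC build.
gpo_scope() {
    samba-tool gpo list "$1"
}

# Run the config checks, then the scope listing; non-zero if a finding was reported.
audit_dc() {
    user="$1"
    rc=0
    check_smb_conf "${SMB_CONF:-/etc/samba/smb.conf}" || rc=1
    check_resolv_conf "${RESOLV_CONF:-/etc/resolv.conf}" || rc=1
    [ -n "$user" ] && gpo_scope "$user"
    return $rc
}
```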