Hi -

After reading through the updated https://wiki.samba.org/index.php/Group_Policy, I have a few questions/comments.

First of all, it seems like all these policies apply only to Linux domain members (e.g. cron, motd, and pam_access).

What about GPOs that apply to Windows machines? Is the set of things that can be managed using the Group Policy Management Console constrained by what's in the Samba ADMX Templates?

So, pam_access controls can be managed using a GPO, but it's still not clear to me how I would restrict access to Windows clients through the Samba AD.

Wiki editing note: For people less familiar with AD, it would probably be a good idea to explain that the GPMC is part of RSAT and only available from Windows.

The thing I care about most is mapping folders, which is covered here:

  https://wiki.samba.org/index.php/Windows_User_Home_Folders

The Wiki page title is misleading here because presumably you can map *any* folder using the instructions provided here. This page should probably be referenced on https://wiki.samba.org/index.php/Group_Policy, along with any other Wiki pages dealing with Group Policy (e.g. the Configuring Windows Profile Folder Redirections page).

Final Wiki editing note: Under the Startup Script Policies section, this example is given:

  samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'

with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is. This is later explained in the Pam Access Policies section; that this is the SID (? it's called a hash there, doesn't look like a hash to me) for the GPO. That should probably be mentioned the first time this is used, along with the brief explanation of how to determine what this is using `samba-tool gpo list`, also covered in the PAM Access Policies section. An example of using `samba-tool gpo list` would be helpful too.

On 10/4/21 16:01, David Mulder via samba wrote:
> After some discussion about this on the mailing list, I decided to
> update the outdated wiki page and mention it here. There is a great deal
> that has changed since the last time I updated the
> https://wiki.samba.org/index.php/Group_Policy page.
> There are currently 13 distinct policies, including smb.conf, addc
> password/kerberos, scripts, files, symlinks, sudoers, messages
> (motd/issue), pam access, certificate auto enrollment, firefox,
> chrome/chromium, GNOME, and OpenSSH. And I'm not finished. I will try to
> keep this page up-to-date in the future to avoid confusion.
>
> FYI, the samba-gpupdate command *does* work when joined via either
> winbind or sssd, so you can choose.
On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
> First of all, it seems like all these policies apply only to Linux
> domain members (e.g. cron, motd, and pam_access).
>
> What about GPOs that apply to Windows machines? Is the set of things
> that can be managed using the Group Policy Management Console
> constrained by what's in the Samba ADMX Templates?
>

Yes, this is specifically referring to Linux clients. This does not affect how policies are applied to Windows domain members. The only exception is that you'll need to install Microsoft's ADMX templates to your SYSVOL also. This is explained in Microsoft's documentation, and is something you're expected to do anyway. I'll make a note of this on the wiki.

> So, pam_access controls can be managed using a GPO, but it's still not
> clear to me how I would restrict access to Windows clients through the
> Samba AD.
>

This is an entirely different topic. Take a look at Microsoft's documentation on access control (maybe you would use "Deny logon locally", for example).

> Wiki editing note: For people less familiar with AD, it would probably
> be a good idea to explain that the GPMC is part of RSAT and only
> available from Windows.
>
> The thing I care about most is mapping folders, which is covered here:
>
>   https://wiki.samba.org/index.php/Windows_User_Home_Folders
>
> The Wiki page title is misleading here because presumably you can map
> *any* folder using the instructions provided here. This page should
> probably be referenced on https://wiki.samba.org/index.php/Group_Policy,
> along with any other Wiki pages dealing with Group Policy (e.g. the
> Configuring Windows Profile Folder Redirections page).
>

Yes, you make a good point. My work has been on Linux domain member group policy. This wiki page additionally needs details on Windows domain member policy.

> Final Wiki editing note: Under the Startup Script Policies section, this
> example is given:
>
>   samba-tool gpo manage scripts startup add
> {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
>
> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is.
> This is later explained in the Pam Access Policies section; that this is
> the SID (? it's called a hash there, doesn't look like a hash to me) for
> the GPO. That should probably be mentioned the first time this is used,
> along with the brief explanation of how to determine what this is using
> `samba-tool gpo list`, also covered in the PAM Access Policies section.
> An example of using `samba-tool gpo list` would be helpful too.
>

Technically this is a GUID (globally unique identifier). I'll clarify this on the wiki. I'll also ensure the instructions on finding the GPO GUID are clearer.

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
<http://www.suse.com/>
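On the GUID point raised above, here is an added example (not from the wiki or from either poster): a POSIX sh helper that resolves a GPO's GUID by display name from `samba-tool gpo listall` output and checks its shape before the value is pasted into a `samba-tool gpo manage ...` command. The sample output is constructed to mirror the listall record layout, with `example.com` as a placeholder domain.

```shell
# Constructed sample in the record format `samba-tool gpo listall` prints
# (one blank-line-separated record per GPO); not captured from a real DC.
# The two GUIDs are the well-known default policy GUIDs.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 0
flags        : NONE

GPO          : {6AC1786C-016F-11D2-945F-00C04fB984F9}
display name : Default Domain Controllers Policy
path         : \\example.com\sysvol\example.com\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=example,DC=com
version      : 0
flags        : NONE
'
# Print the GUID of the GPO whose display name equals $1, reading listall
# output from stdin; exit 1 if nothing matches. Values start at column 16.
gpo_guid_by_name() {
    awk -v want="$1" '
        index($0, "GPO          : ") == 1 { guid = substr($0, 16) }
        index($0, "display name : ") == 1 && substr($0, 16) == want {
            print guid; found = 1; exit
        }
        END { exit(found ? 0 : 1) }'
}

# Succeed only if $1 has the {8-4-4-4-12} hex shape of a GPO GUID, so a
# SID, a hash or a display name pasted by mistake is rejected before it
# reaches `samba-tool gpo manage ...`.
is_gpo_guid() {
    printf '%s\n' "$1" |
        grep -Eiq '^[{][0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}[}]$'
}

# Succeed only if, for the GPO named $1, the last component of its SYSVOL
# path equals its GUID (the two always agree for a healthy policy object).
gpo_sysvol_matches() {
    awk -v want="$1" '
        index($0, "GPO          : ") == 1 { guid = substr($0, 16) }
        index($0, "display name : ") == 1 { hit = (substr($0, 16) == want) }
        hit && index($0, "path         : ") == 1 {
            n = split($0, p, "\\\\"); ok = (p[n] == guid); exit
        }
        END { exit(ok ? 0 : 1) }'
}
guid=$(printf '%s' "$SAMPLE_LISTALL" | gpo_guid_by_name "Default Domain Policy")
is_gpo_guid "$guid" && echo "Default Domain Policy -> $guid"
```

Against a real DC, replace the sample with `samba-tool gpo listall | gpo_guid_by_name "Your Policy"` and use the result as the first argument to `samba-tool gpo manage scripts startup add`.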
On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
> The thing I care about most is mapping folders, which is covered here:
>
>   https://wiki.samba.org/index.php/Windows_User_Home_Folders
>
> The Wiki page title is misleading here because presumably you can map
> *any* folder using the instructions provided here. This page should
> probably be referenced on https://wiki.samba.org/index.php/Group_Policy,
> along with any other Wiki pages dealing with Group Policy (e.g. the
> Configuring Windows Profile Folder Redirections page).
>

I've included the Home Folders and Folder Redirection information within the Group Policy page (under 'Windows Domain Member Policies'). The content is shared between the articles, so modifying one will also modify the other. I'll look around for other relevant articles in the wiki that should also be linked here. If you come across any that you think should also be included, please let me know.

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
<http://www.suse.com/>