samba - Mar 2003 - Does "active directory" support include policy support

Well, a rather odd subject, but I couldn't really express it differently.
I would simply like to know if the active directory "emulation" of 
samba+openLDAP+kerberos or samba 3.0 includes support for policies.

I have a bunch of XP clients that I need to set some restrictions on. 
But it seems the days of config.pol files are over, so i need active 
directory support on my PDC. Having read several articles on active 
directory, I still don't understand it fully, but articles about setting 
up active directory on a samba pdc mentioned only partial support for 
active directory(only some features supported).

So before I start crashing our server with software and configuration, I 
would like to know if (group)policies are supported by active directory 
on samba. If this is the case, I'd also like to hear if anybody has a 
working setup of it, and maybe some links (I couldn't finde any) to 
howtos....

Lasse Riis

On Thu, 2003-03-27 at 19:53, Lasse Riis wrote:
> Well, a rather odd subject, but I couldn't really express it
differently.
> I would simply like to know if the active directory "emulation"
of
> samba+openLDAP+kerberos or samba 3.0 includes support for policies.
> 
> I have a bunch of XP clients that I need to set some restrictions on. 
> But it seems the days of config.pol files are over, so i need active 
> directory support on my PDC. Having read several articles on active 
> directory, I still don't understand it fully, but articles about
setting
> up active directory on a samba pdc mentioned only partial support for 
> active directory(only some features supported).
> 
> So before I start crashing our server with software and configuration, I 
> would like to know if (group)policies are supported by active directory 
> on samba. If this is the case, I'd also like to hear if anybody has a 
> working setup of it, and maybe some links (I couldn't finde any) to 
> howtos....
We don't yet have an Active Directory PDC (it is much more than
samba+openLDAP+kerberos - we need them all working with each other :-).

That said, we are often confused for an active directory PDC by the
clients - they often 'fall back' in parts of the protocol.  It may well
be possible to create such policies - In the end, they are just a file
in a particular file share.  

It would be an interesting challenge for somebody to work on. :-)

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet@samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :
http://lists.samba.org/archive/samba/attachments/20030328/bfe6aa7b/attachment.bin

>The workaround that I am using to solve this problem is done on each
 >client but it works.  I built the group policy settings I wanted on one
 >of the machines which is stored on the client machines under
 ><windows>\System32\GroupPolicy.  I made a copy of that directory and
 >then copy it onto the client machines that need the group policy
 >settings at build time.  A bit of a kludge, but it works like a charm.
 >
 >Nathan

Well making policies with gpedit.msc on the clients seem to enforce them 
for all users. I would like a setup where the strict policy is only 
applied for certain (one) users, so that admins still have complete 
control. Do I need a DC(Samba, Kerberos, LDAP, the works) for that....

Lasse