Service Informatique
2003-Aug-26 10:18 UTC
[Samba] Samba 3.0.0 PDC + Win2000 Client + Group Policies
We want to build a Debian unstable samba 3.0.0beta2-1 as PDC with plenty of Windows 2K clients. Joining the domain, Domain Logons, Roaming Profiles, Domain Groups, are OK. As we thought that Samba 3 cannot handle Win2K's GPOs (isn't it?), we tried NT4-style Group Policies to restrict a bit users' possibilities (as we have students as users). Our opinion is that Mandatory Profiles are too restrictive.

So as explained in the "Windows 2000 Group Policy White Paper" from Microsoft, in the "IntelliMirror features w/out Active Directory" chapter, we took a unicode-enabled poledit.exe, we removed the #if and #endif lines from the GPO's ADM template files and created with it the required NTconfig.pol in the netlogon share. We tried DefaultUser, a DomainGroup (net groupmap...), a user, and the policy didn't have any effect at all (we tried to login/logout, secedit /refresh, and even some different case for ntconfig.pol just in case).

The surprising fact is that from another Win2K, with the same poledit and ADM files, I can remotely connect (without any password) to the Win2K's logged domain user's registry, and check some restriction boxes, and IT WORKS, meaning that the changes of the policy were applied directly into the registry (after a reconnection or a restart of explorer.exe)! It looks like the Win2K doesn't read any \\PDC\netlogon\NTconfig.pol at all, as if it would have done without any NT4-style policies.

We'd like to have your feelings/opinions about it, as we're quite stuck...

Our smb.conf:

<=================== smb.conf : start ===================>
# We stripped out the comments
[global]
   netbios name = VARDA
   workgroup = ARDA
   server string = %h server (Samba %v)
   wins support = yes
   dns proxy = no
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   security = user
   encrypt passwords = true
   passdb backend = tdbsam guest
   unix password sync = yes
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\.......
   load printers = yes
   printing = cups
   printcap name = cups
   printer admin = @admin
# Name mangling options
   preserve case = yes
   short preserve case = yes
   case sensitive = no
   socket options = TCP_NODELAY
   domain master = yes
   local master = yes
   domain logons = yes
   preferred master = yes
   os level = 255
;  logon script = logon.bat
   logon path = \\%L\profiles\%u
   logon drive = U:
   logon home = \\%L\%u\.winprofile
# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;  idmap uid = 10000-20000
;  idmap gid = 10000-20000
;  template shell = /bin/bash

[homes]
   comment = Home Directories
   browseable = no
   writable = yes
   create mask = 0640
   directory mask = 0750

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
   comment = Network Logon Service
   path = /iut/profiles/netlogon
   guest ok = yes
   writable = no
   #browseable = no
   write list = @admin
   share modes = no

[profiles]
   comment = Network Profiles
   path = /iut/profiles/users
   writable = yes
   browsable = no
   create mask = 0600
   directory mask = 0700

[printers]
   comment = Les Imprimantes
   browseable = no
   path = /tmp
   printable = yes
   public = no
   writable = no
   create mode = 0700

[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
   write list = root, @admin
<=================== smb.conf : end ===================>

Regards,
--
Julien DUPRE & Eric DECORNOD
Service Informatique
IUT Louis Pasteur Schiltigheim
Allee d'Athenes
67300 Schiltigheim
E-mail: iut-ulp.sos-informatique AT iutlpa.u-strasbg.fr
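An added example, not part of the original post or of Samba itself: a small Python checker that parses an smb.conf in the format shown above and reports conditions that would keep a client from fetching \\PDC\netlogon\NTconfig.pol (domain logons off, no [netlogon] share, no path, the policy file absent from the share directory, or several copies differing only by case, which makes the lookup ambiguous when `case sensitive = no`), plus a writable netlogon share, which would let users alter the policy file. The directory listing is supplied by the caller, and the embedded config is a trimmed copy of the one in the post.

```python
"""Check an smb.conf for what an NT4-style system policy (NTconfig.pol) needs."""
import re

# Trimmed copy of the smb.conf from the post (constructed sample input).
SAMPLE_SMB_CONF = """\
[global]
   workgroup = ARDA
   domain logons = yes
;  logon script = logon.bat
[netlogon]
   comment = Network Logon Service
   path = /iut/profiles/netlogon
   guest ok = yes
   writable = no
   write list = @admin
"""

YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}; ';' and '#' start comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def check_policy_setup(sections, netlogon_listing):
    """Return findings; netlogon_listing is the file names present in the share dir."""
    findings = []
    if sections.get("global", {}).get("domain logons", "no").lower() not in YES:
        findings.append("global: 'domain logons' is not enabled")
    nl = sections.get("netlogon")
    if nl is None:
        findings.append("no [netlogon] share defined")
        return findings
    if not nl.get("path"):
        findings.append("netlogon: no 'path' set")
    pol = [f for f in netlogon_listing if f.lower() == "ntconfig.pol"]
    if not pol:
        findings.append("netlogon: NTconfig.pol not present in share directory")
    elif len(pol) > 1:  # case-insensitive lookup cannot tell these apart
        findings.append("netlogon: several files differ only by case: " + ", ".join(pol))
    if nl.get("writable", "no").lower() in YES:
        findings.append("netlogon: share is writable; users could alter the policy file")
    return findings
```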