samba - Jun 2016 - GPOs: only Default Domain Policy is being applied, ohers are ignored

I recently discovered that only the Default Domain Policy is being applied.
All other GPOs seem to be ignored. All Sysvol filesystem objects have the
right permissions. Both DCs are running Samba 4.4.3 over CentOS 7. There are
no related errors in logs or Windows Event Viewer. Other policies did work
before. I noticed that the corresponding filesystem objects were lastly
placed on users’ desktops four days go.

 

[global]

                workgroup = MYDOMAIN

                realm = MYREALM

                netbios name = MYSERVER

                server role = active directory domain controller

                dns forwarder = 10.0.0.254

                wins support = yes

                domain master =yes

                preferred master = yes

                local master = yes

 

                ntlm auth = no

                client ipc signing = mandatory

 

                server min protocol = SMB2_10

                server max protocol = SMB3_11

                client min protocol = SMB2_10

                client max protocol = SMB3_11

                client ipc min protocol = SMB2_10

                client ipc max protocol = SMB3_11

 

                strict sync = yes

                store dos attributes = yes

                map acl inherit = yes

 

                admin users = @"CIMBAL\Domain Admins"

 

 

[netlogon]

                path = /usr/local/samba/var/sysvol/mydomain/scripts

                read only = no

                browsable = no

                vfs objects = acl_xattr dfs_samba4

 

[sysvol]

                path = /usr/local/samba/var/sysvol

                read only = no

                browsable = no

                vfs objects = acl_xattr dfs_samba4

>> I recently discovered that only the Default Domain Policy is being
applied.
>> All other GPOs seem to be ignored. All Sysvol filesystem objects have
the right permissions. Both DCs are running
>> Samba 4.4.3 over CentOS 7. There are no related errors in logs or
Windows Event Viewer. Other policies did work
>> before. I noticed that the corresponding filesystem objects were lastly
placed on users’desktops four days go.

This problem was not Samba related, it was caused by a Microsoft security update
for Group Policy applied to the Windows clients. The culprit was mainly the
following:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398


The following page explains the issues and the corrective measures. 
https://support.microsoft.com/en-gb/kb/3163622

In sum:

    Add the Authenticated Users group with Read Permissions on the Group Policy
Object (GPO).
    If you are using security filtering, add the Domain Computers group with
read permission.

Hai Miguel, 

THANKS !!!  

This is one i didnt know about and wil help a lot and explains the sudden GPO
errors.


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Miguel Medalha
> Verzonden: dinsdag 26 juli 2016 19:40
> Aan: 'samba'
> Onderwerp: Re: [Samba] GPOs: only Default Domain Policy is being applied,
> ohers are ignored -- SOLVED
> 
> 
> >> I recently discovered that only the Default Domain Policy is being
> applied.
> >> All other GPOs seem to be ignored. All Sysvol filesystem objects
have
> the right permissions. Both DCs are running
> >> Samba 4.4.3 over CentOS 7. There are no related errors in logs or
> Windows Event Viewer. Other policies did work
> >> before. I noticed that the corresponding filesystem objects were
lastly
> placed on users’desktops four days go.
> 
> 
> This problem was not Samba related, it was caused by a Microsoft security
> update for Group Policy applied to the Windows clients. The culprit was
> mainly the following:
> 
> MS16-072: Security update for Group Policy: June 14, 2016
> https://support.microsoft.com/en-gb/kb/3159398
> 
> 
> The following page explains the issues and the corrective measures.
> https://support.microsoft.com/en-gb/kb/3163622
> 
> In sum:
> 
>     Add the Authenticated Users group with Read Permissions on the Group
> Policy Object (GPO).
>     If you are using security filtering, add the Domain Computers group
> with read permission.
> 
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba