Miguel Medalha
2016-Jun-24  15:32 UTC
[Samba] GPOs: only Default Domain Policy is being applied, others are ignored
I recently discovered that only the Default Domain Policy is being applied.
All other GPOs seem to be ignored. All Sysvol filesystem objects have the
right permissions. Both DCs are running Samba 4.4.3 over CentOS 7. There are
no related errors in logs or Windows Event Viewer. Other policies did work
before. I noticed that the corresponding filesystem objects were last
placed on users' desktops four days ago.
 
[global]
                workgroup = MYDOMAIN
                realm = MYREALM
                netbios name = MYSERVER
                server role = active directory domain controller
                dns forwarder = 10.0.0.254
                wins support = yes
                domain master = yes
                preferred master = yes
                local master = yes
 
                ntlm auth = no
                client ipc signing = mandatory
 
                server min protocol = SMB2_10
                server max protocol = SMB3_11
                client min protocol = SMB2_10
                client max protocol = SMB3_11
                client ipc min protocol = SMB2_10
                client ipc max protocol = SMB3_11
 
                strict sync = yes
                store dos attributes = yes
                map acl inherit = yes
 
                admin users = @"CIMBAL\Domain Admins"
 
 
[netlogon]
                path = /usr/local/samba/var/sysvol/mydomain/scripts
                read only = no
                browsable = no
                vfs objects = acl_xattr dfs_samba4
 
[sysvol]
                path = /usr/local/samba/var/sysvol
                read only = no
                browsable = no
                vfs objects = acl_xattr dfs_samba4
Miguel Medalha
2016-Jul-26  17:39 UTC
[Samba] GPOs: only Default Domain Policy is being applied, others are ignored -- SOLVED
>> I recently discovered that only the Default Domain Policy is being applied.
>> All other GPOs seem to be ignored. All Sysvol filesystem objects have the right permissions. Both DCs are running
>> Samba 4.4.3 over CentOS 7. There are no related errors in logs or Windows Event Viewer. Other policies did work
>> before. I noticed that the corresponding filesystem objects were last placed on users' desktops four days ago.

This problem was not Samba related; it was caused by a Microsoft security update for Group Policy applied to the Windows clients. The culprit was mainly the following:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.
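
An audit for the condition described above, as an added example that is not part of the original post: it lists GPOs on which neither Authenticated Users nor Domain Computers holds at least Read, then previews the corrective grant. It assumes a domain-joined Windows host with the GroupPolicy module (RSAT/GPMC) and an English group name for `-TargetName`; the function name `Test-GpoReadableByComputers` is hypothetical.

```powershell
# Added example: find GPOs that computer accounts cannot read (MS16-072 symptom).
Import-Module GroupPolicy

# Permission levels that include read access to the GPO.
$readLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

function Test-GpoReadableByComputers {
    param([Parameter(Mandatory)] $Gpo)

    # -All returns every trustee, so a missing trustee is simply absent
    # from the result instead of raising an error.
    $readers = Get-GPPermission -Guid $Gpo.Id -All | Where-Object {
        -not $_.Denied -and
        "$($_.Permission)" -in $readLevels -and (
            # Match on SID so localized group names do not matter.
            $_.Trustee.Sid.Value -eq 'S-1-5-11' -or          # Authenticated Users
            $_.Trustee.Sid.Value -like 'S-1-5-21-*-515'      # Domain Computers
        )
    }
    return [bool]$readers
}

# GPOs that clients patched with MS16-072 will skip for user settings.
$unreadable = Get-GPO -All | Where-Object { -not (Test-GpoReadableByComputers $_) }
$unreadable | Sort-Object DisplayName | Format-Table DisplayName, Id -AutoSize

# Preview the fix. GpoRead grants Read without Apply, so existing security
# filtering still decides who receives the policy. Remove -WhatIf to commit.
foreach ($gpo in $unreadable) {
    Set-GPPermission -Guid $gpo.Id `
        -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -WhatIf
}
```

Where Authenticated Users must not be able to read a GPO, change the target to Domain Computers, as the summary above suggests for security-filtered policies.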
L.P.H. van Belle
2016-Jul-27  08:01 UTC
[Samba] GPOs: only Default Domain Policy is being applied, others are ignored -- SOLVED
Hai Miguel,

THANKS !!! This is one I didn't know about and will help a lot and explains the sudden GPO errors.

Greetz,

Louis