On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>> Hello,
>>>>
>>>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>>> Kerberos (clean, not upgraded). I just want to create/activate
>>>> simple GPOs.
>>>>
>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>
>>>> # Interactive login: Do not display last user name -> activate
>>>
>>> These look like machine level GPOs. See the output of
>>>
>>> gpresult /v
>>>
>>> Mine says that machine based GPOs are not applied because of "Denied
>>> (Security)" and the GPO is the default one (This is a test domain)
>>> where the filter is for "Authenticated Users" and that includes
>>> machine accounts.
>>>
>>> Running Samba Version 4.7.4.
>>>
>>> More details of the same problem (not solved) at this mailing list
>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>
>>>> When I'm activating these policies (no errors or something like
>>>> that) nothing happened.
>>>>
>>>> I rebooted two Domain Members (Windows 7). Still showing last
>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
>>>> help. Also rejoined the clients.
>>>>
>>>> I configured the SYSVOL replication with this guide:
>>>>
>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>
>>>> Tell me what information you need if this isn't enough.
>>>>
>>>> I hope you can help!
>>>>
>>>> Thanks
>>>>
>>>> Micha
>>>
>> I don't recommend modifying the default domain or default domain
>> controllers policy. Create separate ones and apply to either site or OU.
>>
> Thanks for the information, to use a default GPO was a simple way to
> try to encourage someone to reproduce the problem.
>
> I already created new GPOs (this is a test domain) Using the default
> filter for a new GPO, "Authenticated users", creating a new group for
> the test clients and using that as the filter, checking it has the
> right permissions (apply), checking every guide about applying GPO to
> computers. Using OUs and using domain level GPOs.
>
> What I find weird is that gpresult doesn't list the computer as a
> member of groups I create, only a few predefined ones:
>
> NULL SID
> NT AUTHORITY\NETWORK,
> This company,
> and something like "mandatory level of no trust" (Windows is not in
> English)
>

I think I understand a bit more. You are attempting to modify the
Security Filtering from Authenticated Users to a manually created group?
From my testing this for some reason does not work. At least for me.
GPO's will not apply. That doesn't mean I'm not able to apply machine
account GPO's though. Am I correct?

--
James

On 02/06/2018 03:20 PM, lingpanda101 via samba wrote:
> On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
>> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>>> Hello,
>>>>>
>>>>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>>>> Kerberos (clean, not upgraded). I just want to create/activate
>>>>> simple GPOs.
>>>>>
>>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>>
>>>>> # Interactive login: Do not display last user name -> activate
>>>>
>>>> These look like machine level GPOs. See the output of
>>>>
>>>> gpresult /v
>>>>
>>>> Mine says that machine based GPOs are not applied because of "Denied
>>>> (Security)" and the GPO is the default one (This is a test domain)
>>>> where the filter is for "Authenticated Users" and that includes
>>>> machine accounts.
>>>>
>>>> Running Samba Version 4.7.4.
>>>>
>>>> More details of the same problem (not solved) at this mailing list
>>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>>
>>>>> When I'm activating these policies (no errors or something like
>>>>> that) nothing happened.
>>>>>
>>>>> I rebooted two Domain Members (Windows 7). Still showing last
>>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
>>>>> help. Also rejoined the clients.
>>>>>
>>>>> I configured the SYSVOL replication with this guide:
>>>>>
>>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>>
>>>>> Tell me what information you need if this isn't enough.
>>>>>
>>>>> I hope you can help!
>>>>>
>>>>> Thanks
>>>>>
>>>>> Micha
>>>>
>>> I don't recommend modifying the default domain or default domain
>>> controllers policy. Create separate ones and apply to either site or OU.
>>>
>> Thanks for the information, to use a default GPO was a simple way to
>> try to encourage someone to reproduce the problem.
>>
>> I already created new GPOs (this is a test domain) Using the default
>> filter for a new GPO, "Authenticated users", creating a new group for
>> the test clients and using that as the filter, checking it has the
>> right permissions (apply), checking every guide about applying GPO to
>> computers. Using OUs and using domain level GPOs.
>>
>> What I find weird is that gpresult doesn't list the computer as a
>> member of groups I create, only a few predefined ones:
>>
>> NULL SID
>> NT AUTHORITY\NETWORK,
>> This company,
>> and something like "mandatory level of no trust" (Windows is not in
>> English)
>>
> I think I understand a bit more. You are attempting to modify the
> Security Filtering from Authenticated Users to a manually created group?
> From my testing this for some reason does not work. At least for me.
> GPO's will not apply. That doesn't mean I'm not able to apply machine
> account GPO's though. Am I correct?
>

On my initial test I was just trying to set a computer level GPO, it
didn't work (on default GPO or new GPOs), I did not modify the default
filter that a GPO has. I created new GPOs, and new groups as a test if
some other configuration worked.

Another response just received says I should not call sysvolreset after
creating GPOs. I don't remember at what time I used sysvolreset trying
to make these GPOs be applied, so I will need to test again.

I also tried "samba-tool ntacl sysvolreset". Did not help. Thy

On 6 February 2018 20:29:48 CET, Robert Marcano via samba <samba at lists.samba.org> wrote:
> On 02/06/2018 03:20 PM, lingpanda101 via samba wrote:
>> On 2/6/2018 2:03 PM, Robert Marcano via samba wrote:
>>> On 02/06/2018 02:52 PM, lingpanda101 via samba wrote:
>>>> On 2/6/2018 1:42 PM, Robert Marcano via samba wrote:
>>>>> On 02/06/2018 01:44 PM, Micha Ballmann via samba wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have a testing environment, 2 DCs Ubuntu 18.04, SAMBA 4.7.4 - MIT
>>>>>> Kerberos (clean, not upgraded). I just want to create/activate
>>>>>> simple GPOs.
>>>>>>
>>>>>> # Interactive logon: Do not require CTRL + ALT + DEL -> activate
>>>>>>
>>>>>> # Interactive login: Do not display last user name -> activate
>>>>>
>>>>> These look like machine level GPOs. See the output of
>>>>>
>>>>> gpresult /v
>>>>>
>>>>> Mine says that machine based GPOs are not applied because of "Denied
>>>>> (Security)" and the GPO is the default one (This is a test domain)
>>>>> where the filter is for "Authenticated Users" and that includes
>>>>> machine accounts.
>>>>>
>>>>> Running Samba Version 4.7.4.
>>>>>
>>>>> More details of the same problem (not solved) at this mailing list
>>>>> post https://lists.samba.org/archive/samba/2018-January/213333.html
>>>>>
>>>>>> When I'm activating these policies (no errors or something like
>>>>>> that) nothing happened.
>>>>>>
>>>>>> I rebooted two Domain Members (Windows 7). Still showing last
>>>>>> username and CTRL + ALT + DEL. Also typed "gpudate /force", didn't
>>>>>> help. Also rejoined the clients.
>>>>>>
>>>>>> I configured the SYSVOL replication with this guide:
>>>>>>
>>>>>> https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
>>>>>>
>>>>>> Tell me what information you need if this isn't enough.
>>>>>>
>>>>>> I hope you can help!
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Micha
>>>>>
>>>> I don't recommend modifying the default domain or default domain
>>>> controllers policy. Create separate ones and apply to either site
>>>> or OU.
>>>>
>>> Thanks for the information, to use a default GPO was a simple way to
>>> try to encourage someone to reproduce the problem.
>>>
>>> I already created new GPOs (this is a test domain) Using the default
>>> filter for a new GPO, "Authenticated users", creating a new group for
>>> the test clients and using that as the filter, checking it has the
>>> right permissions (apply), checking every guide about applying GPO to
>>> computers. Using OUs and using domain level GPOs.
>>>
>>> What I find weird is that gpresult doesn't list the computer as a
>>> member of groups I create, only a few predefined ones:
>>>
>>> NULL SID
>>> NT AUTHORITY\NETWORK,
>>> This company,
>>> and something like "mandatory level of no trust" (Windows is not in
>>> English)
>>>
>> I think I understand a bit more. You are attempting to modify the
>> Security Filtering from Authenticated Users to a manually created
>> group? From my testing this for some reason does not work. At least
>> for me. GPO's will not apply. That doesn't mean I'm not able to apply
>> machine account GPO's though. Am I correct?
>>
>
> On my initial test I was just trying to set a computer level GPO, it
> didn't work (on default GPO or new GPOs), I did not modify the default
> filter that a GPO has. I created new GPOs, and new groups as a test if
> some other configuration worked.
>
> Another response just received says I should not call sysvolreset after
> creating GPOs. I don't remember at what time I used sysvolreset trying
> to make these GPOs be applied, so I will need to test again.
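
As an added example (not part of any message in this thread): a small Python parser for the computer section of `gpresult /v` output that lists the GPOs filtered out with "Denied (Security)" and checks which filtering groups are absent from the machine's security groups. The sample report is constructed and assumes the English gpresult layout; the group name `EXAMPLE\GPO-Test-Clients` is hypothetical.

```python
import re

# Constructed sample, modelled on the English "gpresult /v" layout (assumption).
SAMPLE = """\
COMPUTER SETTINGS
------------------
    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Default Domain Policy
            Filtering:  Denied (Security)

        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        NULL SID
        NT AUTHORITY\\NETWORK
        This Organization

USER SETTINGS
--------------
"""

def block_after(text, heading):
    """Lines below a heading in COMPUTER SETTINGS, up to the next underlined heading."""
    m = re.search(r"COMPUTER SETTINGS(.*?)(?=^USER SETTINGS|\Z)", text, re.S | re.M)
    lines = m.group(1).splitlines() if m else []
    for i, line in enumerate(lines):
        if heading in line:
            out = []
            for j in range(i + 2, len(lines)):          # i + 1 is the dashed underline
                nxt = lines[j + 1].strip() if j + 1 < len(lines) else ""
                if nxt and set(nxt) == {"-"}:           # lines[j] is the next heading
                    break
                out.append(lines[j].strip())
            return [s for s in out if s]
    return []

def filtered_gpos(text):
    """Map each filtered-out computer GPO to the reason gpresult gives."""
    result, name = {}, None
    for s in block_after(text, "were not applied because they were filtered out"):
        if s.startswith("Filtering:") and name:
            result[name] = s.split(":", 1)[1].strip()
        else:
            name = s
    return result

def denied_by_security(text):
    return sorted(n for n, why in filtered_gpos(text).items() if why == "Denied (Security)")

def missing_groups(text, expected):
    """Groups used for security filtering that the computer's token does not list."""
    have = {g.lower() for g in block_after(text, "is a part of the following security groups")}
    return [g for g in expected if g.lower() not in have]
```

Run it over a saved report from the affected client; a GPO reported by `denied_by_security` together with a non-empty `missing_groups` result matches the symptom described in the thread.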