kaffeesurrogat
2020-Feb-17 13:32 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
Dear List,

again a problem I'm not able to solve. I've been trying to add a test user. Since it is a test user I'm going to delete quite soon, I wanted to use a simple password without any complexity. Not knowing it better, I wanted to change the default group policy object of my domain using RSAT. First thing I noticed: it was completely empty. Not a single rule or entry. The same holds for my Default Domain Controller Policy. Using the "Gruppenrichtlinieneditor" I've added a few rules, like turning complexity off.... Creating a user with a simple password is still not working.

-----------------------------------------------
I've provisioned my Samba AD DC with

samba-tool domain provision --use-rfc2307 --domain=XXX --targetdir=/smbaddc --interactive

-------------------------------------------
ls /smbaddc/state/sysvol/XXX.YY/Policies

returns three entries with long {...} names. Judging by the date of creation, those entries were created by me adding the Complexity Turn Off policy to the default policies.

------------------------------------------
gpupdate /force on my Windows machine runs without complaints

------------------------------------------
samba-tool ntacl sysvolcheck does not complain

------------------------------------------
samba-tool gpo aclcheck -UAdministrator does not complain

------------------------------------------
I did a samba-tool ntacl sysvolreset with success.
------------------------------------------
my smb.conf from /smbaddc/etc/smb.conf

# Global parameters
[global]
    binddns dir = /smbaddc/bind-dns
    cache directory = /smbaddc/cache
    dns forwarder = 8.8.8.8
    lock directory = /smbaddc
    netbios name = PLFA1
    private dir = /smbaddc/private
    realm = LFA.LS
    server role = active directory domain controller
    state directory = /smbaddc/state
    workgroup = LFA
    idmap_ldb:use rfc2307 = yes
    bind interfaces only = yes
    interfaces = lo br0
    log file = /var/log/samba/log.%m
    log level = 3

[sysvol]
    path = /smbaddc/state/sysvol
    read only = No

[netlogon]
    path = /smbaddc/state/sysvol/lfa.ls/scripts
    read only = No

which is strange. Why is there a binddns dir? I've used INTERNAL SAMBA DNS.

------------------------------------------------
Long story cut short. Shouldn't there be same default domain policies after provisioning ?

Have fun,
blubberbaer
Rowland penny
2020-Feb-17 13:48 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 13:32, kaffeesurrogat via samba wrote:
> Dear List,
>
> long story cut short. Shouldn't there be same default domain policies
> after provisioning ?

Short answer, no

Long answer, no and do not use the default GPO's, create new ones.

Rowland
Rowland penny
2020-Feb-17 14:35 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 13:51, Nico Mock wrote:
>
> On 17/02/2020 14:48, Rowland penny via samba wrote:
>> On 17/02/2020 13:32, kaffeesurrogat via samba wrote:
>>> Dear List,
>>>
>>> long story cut short. Shouldn't there be same default domain policies
>>> after provisioning ?
>> Short answer, no
>>
>> Long answer, no and do not use the default GPO's, create new ones.
>>
>> Rowland
>>
>>
>>
> Dear Rowland,
>
> a typo of mine. some default policies not same default domain policies ....
>
> Shouldn't there be some default domain policies
> after provisioning ?
>
> There is not a single default domain policy.
>
> Thanks again,
>
> blubberbaer

After a provision, yes. After a join, no.

After joining a DC to a Samba domain, you will need to sync sysvol to the new DC, see here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Rowland
Rowland penny
2020-Feb-17 17:30 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 16:46, kaffeesurrogat wrote:
>
>>> Dear Rowland,
>>>
>>> a typo of mine. some default policies not same default domain policies
>>> ....
>>>
>>> Shouldn't there be some default domain policies
>>> after provisioning ?
>>>
>>> There is not a single default domain policy.
>>>
>>> Thanks again,
>>>
>>> blubberbaer
>> After a provision, yes. After a join, no.
>>
>> After joining a DC to a Samba domain, you will need to sync sysvol to
>> the new DC, see here:
>>
>> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>>
>> Rowland
>>
>
> Mmm dear Rowland,
>
> I don't have a second DC. There is only one. I have a filesharer running
> on a virtual machine. This is the config of the filesharer on the virtual
> machine:
>
>
> [global]
> workgroup = XX
>
> realm = XXX.YY
>
> security = ADS
>
> # DOMAIN-NAME must be put in front of the login name
> winbind use default domain = yes
>
> winbind refresh tickets = yes
>
> # with rfc-2307 every user can have their own shell
> template shell = /bin/bash
>
> idmap config * : range = 10000 - 19999
> idmap config LFA : backend = rid
> idmap config LFA : range = 1000000-1999999
> inherit acls = yes
> store dos attributes = yes
> vfs objects = acl_xattr
>
> bind interfaces only = yes
> interfaces = lo eth0
>
>
> man smb.conf states about the server role if not defined:
>
>
> SECURITY = ADS
>
> Note that this mode does NOT make Samba operate as an Active Directory
> Domain Controller.
>
> On my virtual machine there is no sysvol dir, thus no rsync of sysvol,
> right?
>
>
> blubberbaer

You started out by talking about a DC and GPO's and then said yours are empty.
If you have a Samba AD DC that you provisioned, under 'sysvol/dns.domain.tld/Policies/' you should have:

{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}

These are the default policies and whilst there are numerous directories under each GUID, they are basically empty.

You are quite correct, a Samba fileserver does not store GPO's, neither does it use them.

If your DC does not have the default GPO's in sysvol on a provisioned Samba AD DC (something I have never seen), then you have problems. If they are there, do not change them in any way, create new GPO's instead.

Rowland
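A small check in the spirit of Rowland's answer, added here and not part of the thread or of Samba itself: it verifies that the two default GPO GUIDs he lists are present under a DC's Policies directory (each with the GPT.INI file every GPO directory carries) and reports any other GUID directories as admin-created, so the defaults can be recognised and left untouched as advised. The Policies path is an assumption; for the poster it would be /smbaddc/state/sysvol/XXX.YY/Policies.

```shell
#!/bin/sh
# Added check, not from the thread: confirm a provisioned Samba AD DC's
# sysvol still holds both default GPOs and list any others separately.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04FB984F9}'

# check_default_gpos <policies_dir>
# Prints one status line per GPO directory and returns 0 only when both
# default GPOs exist and each has its GPT.INI marker file.
check_default_gpos() {
    dir="$1"
    rc=0
    for guid in "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"; do
        if [ -d "$dir/$guid" ]; then
            if [ -f "$dir/$guid/GPT.INI" ]; then
                echo "ok      $guid"
            else
                echo "no-ini  $guid"    # directory present but not a usable GPO
                rc=1
            fi
        else
            echo "missing $guid"        # default GPO gone: the "you have problems" case
            rc=1
        fi
    done
    # Any other {GUID} directory was created after provisioning (RSAT, samba-tool gpo ...)
    for p in "$dir"/\{*\}; do
        [ -d "$p" ] || continue
        name="${p##*/}"
        case "$name" in
            "$DEFAULT_DOMAIN_POLICY"|"$DEFAULT_DC_POLICY") ;;
            *) echo "custom  $name" ;;
        esac
    done
    return $rc
}

# usage (assumed path): check_default_gpos /smbaddc/state/sysvol/XXX.YY/Policies
```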