kaffeesurrogat
2020-Feb-17 13:32 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
Dear List,
again a problem I'm not able to solve. I've been trying to add a test
user. Since it is a test user I'm going to delete quite soon, I wanted
to use a simple password without any complexity.
Not knowing any better, I wanted to change the default group policy
object of my domain using RSAT. The first thing I noticed was that it was
completely empty. Not a single rule or entry. The same holds for my
Default Domain Controller Policy.
Using the "Gruppenrichtlinieneditor" (Group Policy Editor) I've added a few rules, like
turning complexity off....
Creating a user with a simple password is still not working.
-----------------------------------------------
I've provisioned my samba ADDC with
samba-tool domain provision --use-rfc2307 --domain=XXX
--targetdir=/smbaddc --interactive
-------------------------------------------
ls /smbaddc/state/sysvol/XXX.YY/Policies returns
three entries with long {...} names.
Judging by the date of creation, those entries were created by me adding the
Complexity Turn Off policy to the default policies.
------------------------------------------
gpupdate /force on my Windows machine runs without complaints
------------------------------------------
samba-tool ntacl sysvolcheck
does not complain
------------------------------------------
samba-tool gpo aclcheck -UAdministrator
does not complain
------------------------------------------
I did a
samba-tool ntacl sysvolreset
with success.
------------------------------------------
my smb.conf from /smbaddc/etc/smb.conf
# Global parameters
[global]
binddns dir = /smbaddc/bind-dns
cache directory = /smbaddc/cache
dns forwarder = 8.8.8.8
lock directory = /smbaddc
netbios name = PLFA1
private dir = /smbaddc/private
realm = LFA.LS
server role = active directory domain controller
state directory = /smbaddc/state
workgroup = LFA
idmap_ldb:use rfc2307 = yes
bind interfaces only = yes
interfaces = lo br0
log file = /var/log/samba/log.%m
log level = 3
[sysvol]
path = /smbaddc/state/sysvol
read only = No
[netlogon]
path = /smbaddc/state/sysvol/lfa.ls/scripts
read only = No
which is strange. Why is there a binddns dir? I've used INTERNAL SAMBA DNS.
------------------------------------------------
long story cut short. Shouldn't there be same default domain policies
after provisioning ?
Have fun,
blubberbaer
Rowland penny
2020-Feb-17 13:48 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 13:32, kaffeesurrogat via samba wrote:
> Dear List,
>
> long story cut short. Shouldn't there be same default domain policies
> after provisioning ?

Short answer, no

Long answer, no and do not use the default GPO's, create new ones.

Rowland
Rowland penny
2020-Feb-17 14:35 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 13:51, Nico Mock wrote:
>
> On 17/02/2020 14:48, Rowland penny via samba wrote:
>> On 17/02/2020 13:32, kaffeesurrogat via samba wrote:
>>> Dear List,
>>>
>>> long story cut short. Shouldn't there be same default domain policies
>>> after provisioning ?
>> Short answer, no
>>
>> Long answer, no and do not use the default GPO's, create new ones.
>>
>> Rowland
>>
>>
>>
> Dear Rowland,
>
> a typo of mine. some default policies not same default domain policies ....
>
> Shouldn't there be some default domain policies
> after provisioning ?
>
> There is not a single default domain policy.
>
> Thanks again,
>
> blubberbaer

After a provision, yes. After a join, no.

After joining a DC to a Samba domain, you will need to sync sysvol to the new DC, see here:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Rowland
Rowland penny
2020-Feb-17 17:30 UTC
[Samba] Default Group Policies and Default Domain Controller Policy are empty
On 17/02/2020 16:46, kaffeesurrogat wrote:
>
>>> Dear Rowland,
>>>
>>> a typo of mine. some default policies not same default domain policies
>>> ....
>>>
>>> Shouldn't there be some default domain policies
>>> after provisioning ?
>>>
>>> There is not a single default domain policy.
>>>
>>> Thanks again,
>>>
>>> blubberbaer
>> After a provision, yes. After a join, no.
>>
>> After joining a DC to a Samba domain, you will need to sync sysvol to
>> the new DC, see here:
>>
>> https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
>>
>> Rowland
>>
>
> Mmm dear Rowland,
>
> I don't have a second DC. There is only one. I have a file server running
> on a virtual machine. This is the config of the file server on the virtual
> machine:
>
>
> [global]
> workgroup = XX
>
> realm = XXX.YY
>
> security = ADS
>
> # DOMAIN-NAME must be put in front of the login names
> winbind use default domain = yes
>
> winbind refresh tickets = yes
>
> # for rfc-2307 every user can have their own shell
> template shell = /bin/bash
>
> idmap config * : range = 10000 - 19999
> idmap config LFA : backend = rid
> idmap config LFA : range = 1000000-1999999
> inherit acls = yes
> store dos attributes = yes
> vfs objects = acl_xattr
>
> bind interfaces only = yes
> interfaces = lo eth0
>
>
> man smb.conf states about the server role if not defined:
>
>
> SECURITY = ADS
>
> Note that this mode does NOT make Samba operate as a Active Directory
> Domain Controller.
>
> On my virtual machine there is no sysvol dir, thus no rsync of sysvol,
> right?
>
>
> blubberbaer

You started out by talking about a DC and GPO's and then said yours are empty.

If you have a Samba AD DC that you provisioned, under 'sysvol/dns.domain.tld/Policies/' you should have:

{31B2F340-016D-11D2-945F-00C04FB984F9}
{6AC1786C-016F-11D2-945F-00C04FB984F9}

These are the default policies and whilst there are numerous directories under each GUID, they are basically empty.

You are quite correct, a Samba fileserver does not store GPO's, neither does it use them.

If your DC does not have the default GPO's in sysvol on a provisioned Samba AD DC (something I have never seen), then you have problems.

If they are there, do not change them in any way, create new GPO's instead.

Rowland
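The check Rowland describes, as an added example that is not part of the thread: a small POSIX shell script that looks under a DC's sysvol Policies directory for the two well-known default GPO GUIDs and counts any additional (custom) GPO directories, such as ones created from RSAT. The sysvol path and DNS domain name are parameters; the function names and the sample directory layout used to exercise it are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a provisioned Samba AD DC's
# sysvol still holds the two default GPO directories, and count custom GPOs.
# Usage: check_default_gpos /smbaddc/state/sysvol lfa.ls

# Well-known GUIDs of the Default Domain Policy and the
# Default Domain Controllers Policy, as listed in the thread.
DEFAULT_DOMAIN_POLICY='{31B2F340-016D-11D2-945F-00C04FB984F9}'
DEFAULT_DC_POLICY='{6AC1786C-016F-11D2-945F-00C04FB984F9}'

# Returns 0 when both default GPO directories exist under
# <sysvol>/<dns domain>/Policies, 1 when one or both are missing.
# Prints one line per GUID so the result is readable on the console.
check_default_gpos() {
    sysvol="$1"
    dnsdomain="$2"
    policies="$sysvol/$dnsdomain/Policies"
    missing=0
    for guid in "$DEFAULT_DOMAIN_POLICY" "$DEFAULT_DC_POLICY"; do
        if [ -d "$policies/$guid" ]; then
            echo "present: $policies/$guid"
        else
            echo "MISSING: $policies/$guid"
            missing=1
        fi
    done
    return "$missing"
}

# Prints the number of non-default GPO directories: every {GUID} entry
# under Policies/ that is not one of the two well-known GUIDs.
count_custom_gpos() {
    policies="$1/$2/Policies"
    n=0
    for d in "$policies"/\{*\}; do
        [ -d "$d" ] || continue          # no match leaves the literal pattern
        case "$(basename "$d")" in
            "$DEFAULT_DOMAIN_POLICY"|"$DEFAULT_DC_POLICY") ;;
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}
```

Run it against the DC's own sysvol state directory, e.g. `/smbaddc/state/sysvol` with the realm in lower case as the domain; a non-zero exit means a default policy directory is absent.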