On 2021-04-05 09:56, Rowland penny via samba wrote:
> On 05/04/2021 08:04, Peter Milesson via samba wrote:
>> Hi folks,
>>
>> I have got a problem where GPOs set for a single user or a user group
>> are not applied. The GPOs should be applied to Windows 10 Pro
>> computers when the specific user(s) log in. The GPOs are defined for
>> users, not computers. Domain GPOs for domain computers are applied
>> appropriately, roaming profiles work, authentication works, the
>> sysvol and netlogon shares on the DC are accessible and readable by
>> all users, DNS works. I have tried with existing users and newly
>> created test users. The GPOs are not applied. The GPOs (minimum
>> Windows server 2003 or XP) are:
>>
>>
>> The AD DC is a self-compiled 4.9.1, CentOS 7.9, the kernel is the
>> latest EL-repo ML-kernel (5.11.7-1). SSSD is NOT installed, neither
>> is NIS or NFS. The .local TLD is used in the network (for almost 20
>> years), and all mDNS and zero configuration services are prohibited and
>> disabled.
>
>
> '.local' is not recommended because it can interfere with Avahi, but
> you have turned this off, so this is not the problem.
>
> I take it you compiled Samba using Heimdal, but 4.9.1 is old and no
> longer supported, so I would suggest you upgrade; indeed this may fix
> your problem.
>
>>
>> Would installing and setting up a new Debian Buster AD DC solve the
>> problem?
>
>
> Possibly and you could use the Samba packages from here:
> https://apt.van-belle.nl/
>
>>
>> Best regards,
>>
>> Peter
>>
>>
>> smb.conf
>> =======
>> # Global parameters
>> [global]
>>         netbios name = KONADC
>>         realm = KONSTRUKCE.LOCAL
>>         server role = active directory domain controller
>>         workgroup = KONSTRUKCE
>>         idmap_ldb:use rfc2307 = yes
>>         username map = /etc/samba/user.map
>
>
> You should remove the 'username map' line, it is only used on a Unix
> domain member, idmapping is done in idmap.ldb on a DC.
>
>>
>> resolv.conf
>> ========
>> search konstrukce.local
>> nameserver 127.0.0.1
>
>
> You should use the DC's IP address, not '127.0.0.1'
>
> Rowland
>
>
>
Hi Rowland,
Thanks for your advice. I will try the simplest things first. I will
report back about the progress.
I wish everybody a nice day,
Peter
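A small script that checks a DC's configuration for the two points raised above, added here as an example and not part of the thread or of Samba itself. It assumes copies of smb.conf and resolv.conf are passed as arguments; the demo at the end runs it against constructed copies of the files quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread: flag the two smb.conf / resolv.conf
# settings objected to above when the host is a Samba AD DC.

# check_dc_conf SMB_CONF RESOLV_CONF
# Findings go to stderr, the number of findings to stdout; exit status is always 0.
check_dc_conf() {
    smb_conf="$1"
    resolv_conf="$2"
    findings=0

    # Only an AD DC is in scope: on a Unix domain member 'username map' is legitimate.
    if ! grep -Eiq '^[[:space:]]*server role[[:space:]]*=[[:space:]]*active directory domain controller' "$smb_conf"; then
        echo "$smb_conf: not an AD DC, nothing to check" >&2
        echo 0
        return 0
    fi

    # On a DC, id mapping is done in idmap.ldb, so 'username map' should not be set.
    if grep -Eiq '^[[:space:]]*username map[[:space:]]*=' "$smb_conf"; then
        echo "$smb_conf: 'username map' is set on an AD DC; remove it" >&2
        findings=$((findings + 1))
    fi

    # The DC should query its own IP address, not the loopback.
    if grep -Eq '^[[:space:]]*nameserver[[:space:]]+127\.' "$resolv_conf"; then
        echo "$resolv_conf: nameserver is loopback; use the DC's IP address" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# Demo on constructed copies of the two configs quoted in the thread.
demo_dir=$(mktemp -d)
cat > "$demo_dir/smb.conf" <<'EOF'
[global]
        netbios name = KONADC
        realm = KONSTRUKCE.LOCAL
        server role = active directory domain controller
        workgroup = KONSTRUKCE
        idmap_ldb:use rfc2307 = yes
        username map = /etc/samba/user.map
EOF
printf 'search konstrukce.local\nnameserver 127.0.0.1\n' > "$demo_dir/resolv.conf"
check_dc_conf "$demo_dir/smb.conf" "$demo_dir/resolv.conf"   # prints 2 after the two findings
rm -rf "$demo_dir"
```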