Hi -
After reading through the updated
https://wiki.samba.org/index.php/Group_Policy, I have a few
questions/comments.
First of all, it seems like all these policies apply only to Linux
domain members (e.g. cron, motd, and pam_access).
What about GPOs that apply to Windows machines? Is the set of things
that can be managed using the Group Policy Management Console
constrained by what's in the Samba ADMX Templates?
So, pam_access controls can be managed using a GPO, but it's still not
clear to me how I would restrict access to Windows clients through the
Samba AD.
Wiki editing note: For people less familiar with AD, it would probably
be a good idea to explain that the GPMC is part of RSAT and only
available from Windows.
The thing I care about most is mapping folders, which is covered here:
https://wiki.samba.org/index.php/Windows_User_Home_Folders
The Wiki page title is misleading here because presumably you can map
*any* folder using the instructions provided here. This page should
probably be referenced on https://wiki.samba.org/index.php/Group_Policy,
along with any other Wiki pages dealing with Group Policy (e.g. the
Configuring Windows Profile Folder Redirections page).
Final Wiki editing note: Under the Startup Script Policies section, this
example is given:
    samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is.
This is later explained in the PAM Access Policies section; that this is
the SID (? it's called a hash there, doesn't look like a hash to me) for
the GPO. That should probably be mentioned the first time this is used,
along with the brief explanation of how to determine what this is using
`samba-tool gpo list`, also covered in the PAM Access Policies section.
An example of using `samba-tool gpo list` would be helpful too.
On 10/4/21 16:01, David Mulder via samba wrote:
> After some discussion about this on the mailing list, I decided to
> update the outdated wiki page and mention it here. There is a great deal
> that has changed since the last time I updated the
> https://wiki.samba.org/index.php/Group_Policy page.
> There are currently 13 distinct policies, including smb.conf, addc
> password/kerberos, scripts, files, symlinks, sudoers, messages
> (motd/issue), pam access, certificate auto enrollment, firefox,
> chrome/chromium, GNOME, and OpenSSH. And I'm not finished. I will try to
> keep this page up-to-date in the future to avoid confusion.
>
> FYI, the samba-gpupdate command *does* work when joined via either
> winbind or sssd, so you can choose.
>