On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
> First of all, it seems like all these policies apply only to Linux
> domain members (e.g. cron, motd, and pam_access).
>
> What about GPOs that apply to Windows machines? Is the set of things
> that can be managed using the Group Policy Management Console
> constrained by what's in the Samba ADMX Templates?
>
Yes, this is specifically referring to Linux clients. This does not affect how policies are applied to Windows domain members. The only exception is that you'll need to install Microsoft's ADMX templates to your SYSVOL also. This is explained in Microsoft's documentation, and is something you're expected to do anyway. I'll make a note of this on the wiki.

> So, pam_access controls can be managed using a GPO, but it's still not
> clear to me how I would restrict access to Windows clients through the
> Samba AD.
>
This is an entirely different topic. Take a look at Microsoft's documentation on access control (maybe you would use "Deny logon locally", for example).

> Wiki editing note: For people less familiar with AD, it would probably
> be a good idea to explain that the GPMC is part of RSAT and only
> available from Windows.
>
> The thing I care about most is mapping folders, which is covered here:
>
>   https://wiki.samba.org/index.php/Windows_User_Home_Folders
>
> The Wiki page title is misleading here because presumably you can map
> *any* folder using the instructions provided here. This page should
> probably be referenced on https://wiki.samba.org/index.php/Group_Policy,
> along with any other Wiki pages dealing with Group Policy (e.g. the
> Configuring Windows Profile Folder Redirections page).
>
Yes, you make a good point. My work has been on Linux domain member group policy. This wiki page additionally needs details on Windows domain member policy.

> Final Wiki editing note: Under the Startup Script Policies section, this
> example is given:
>
>   samba-tool gpo manage scripts startup add
>   {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
>
> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is.
> This is later explained in the Pam Access Policies section; that this is
> the SID (? it's called a hash there, doesn't look like a hash to me) for
> the GPO. That should probably be mentioned the first time this is used,
> along with the brief explanation of how to determine what this is using
> `samba-tool gpo list`, also covered in the PAM Access Policies section.
> An example of using `samba-tool gpo list` would be helpful too.
>
Technically this is a GUID (globally unique identifier). I'll clarify this on the wiki. I'll also ensure the instructions on finding the GPO GUID are clearer.

-- 
*David Mulder*
Labs Software Engineer, Samba
SUSE
1800 Novell Place
Provo, UT 84606
(P)+1 801.861.6571
dmulder at suse.com
<http://www.suse.com/>
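The GUID lookup discussed above (find a GPO's GUID with the `samba-tool gpo list` family of commands, then pass it to `samba-tool gpo manage scripts startup add`), as an added shell example that is not part of this thread, the Samba wiki, or Samba's own tooling. It parses constructed text laid out like `samba-tool gpo listall` output (the field layout is assumed from memory; only the Default Domain Policy GUID comes from the thread, the second GUID is made up), resolves a display name to its GUID, checks that the value has the brace-wrapped GUID shape samba-tool expects, and prints the resulting command instead of running it so the example works offline. The function names `gpo_guid_for`, `is_gpo_guid` and `startup_script_cmd` are this example's own.

```shell
#!/bin/sh
# Added example, not Samba code: resolve a GPO display name to its GUID from
# "samba-tool gpo listall"-style output and build the startup-script command.

# Constructed sample in the shape of `samba-tool gpo listall` output. The field
# layout is assumed; the second GUID and both display-name/path values are made up.
SAMPLE_LISTALL='GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
version      : 0
flags        : NONE

GPO          : {AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
display name : Constructed Linux Policy
path         : \\example.com\sysvol\example.com\Policies\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}
version      : 3
flags        : NONE'

# gpo_guid_for NAME: read listall text on stdin and print the GUID of the record
# whose "display name" equals NAME exactly. Exits 1 when no record matches, so a
# typo in the name cannot silently fall through to an empty GUID argument.
gpo_guid_for() {
    awk -v want="$1" '
        /^GPO[[:space:]]*:/ { guid = $NF }   # remember the GUID of the current record
        /^display name[[:space:]]*:/ {
            sub(/^display name[[:space:]]*:[[:space:]]*/, "")
            if ($0 == want) { print guid; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    '
}

# is_gpo_guid VALUE: succeed only for a brace-wrapped GUID such as
# {31B2F340-016D-11D2-945F-00C04FB984F9}; anything else is rejected.
is_gpo_guid() {
    printf '%s' "$1" | grep -Eq '^[{][0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}[}]$'
}

# startup_script_cmd NAME SCRIPT ARG: print (do not run) the samba-tool command
# from the wiki example, with the GUID resolved from the GPO display name.
startup_script_cmd() {
    guid=$(printf '%s\n' "$SAMPLE_LISTALL" | gpo_guid_for "$1") || return 1
    is_gpo_guid "$guid" || return 1
    printf "samba-tool gpo manage scripts startup add %s %s '%s'\n" "$guid" "$2" "$3"
}

# Stand-alone run: reproduces the command line quoted in the thread.
startup_script_cmd 'Default Domain Policy' test_script.sh -n
```

Against a real domain, replace the embedded sample with the output of `samba-tool gpo listall` (or `samba-tool gpo list <user>`) and drop the final `printf` in favour of running the command; matching on the exact display name rather than a substring avoids picking up a similarly named policy.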
Hi David -

Thanks for answering all these questions. One final question on this: Since the Linux GPOs in some cases make changes to the client's filesystem (say by adding a cron job or files in /etc/security/access.d), what happens if the GPO is removed from the machine object -- does winbind clean up after itself and remove these files?

On 10/5/21 09:47, David Mulder via samba wrote:
> On 10/5/21 8:29 AM, Patrick Goetz via samba wrote:
>> First of all, it seems like all these policies apply only to Linux
>> domain members (e.g. cron, motd, and pam_access).
>>
>> What about GPOs that apply to Windows machines? Is the set of things
>> that can be managed using the Group Policy Management Console
>> constrained by what's in the Samba ADMX Templates?
>>
>
> Yes, this is specifically referring to Linux clients. This does not
> affect how policies are applied to Windows domain members. The only
> exception is that you'll need to install Microsoft's ADMX templates to
> your SYSVOL also. This is explained in Microsoft's documentation, and is
> something you're expected to do anyway. I'll make a note of this on the
> wiki.
>
>> So, pam_access controls can be managed using a GPO, but it's still not
>> clear to me how I would restrict access to Windows clients through the
>> Samba AD.
>>
>
> This is an entirely different topic. Take a look at Microsoft's
> documentation on access control (maybe you would use "Deny logon
> locally", for example).
>
>> Wiki editing note: For people less familiar with AD, it would probably
>> be a good idea to explain that the GPMC is part of RSAT and only
>> available from Windows.
>>
>> The thing I care about most is mapping folders, which is covered here:
>>
>>   https://wiki.samba.org/index.php/Windows_User_Home_Folders
>>
>> The Wiki page title is misleading here because presumably you can map
>> *any* folder using the instructions provided here. This page should
>> probably be referenced on
>> https://wiki.samba.org/index.php/Group_Policy, along with any other
>> Wiki pages dealing with Group Policy (e.g. the Configuring Windows
>> Profile Folder Redirections page).
>>
>
> Yes, you make a good point. My work has been on Linux domain member
> group policy. This wiki page additionally needs details on Windows
> domain member policy.
>
>>
>> Final Wiki editing note: Under the Startup Script Policies section,
>> this example is given:
>>
>>   samba-tool gpo manage scripts startup add
>>   {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
>>
>> with no explanation of what {31B2F340-016D-11D2-945F-00C04FB984F9} is.
>> This is later explained in the Pam Access Policies section; that this
>> is the SID (? it's called a hash there, doesn't look like a hash to
>> me) for the GPO. That should probably be mentioned the first time
>> this is used, along with the brief explanation of how to determine
>> what this is using `samba-tool gpo list`, also covered in the PAM
>> Access Policies section. An example of using `samba-tool gpo list`
>> would be helpful too.
>>
>
> Technically this is a GUID (globally unique identifier). I'll clarify
> this on the wiki. I'll also ensure the instructions on finding the GPO
> GUID are clearer.
>