Policies (at least on Windows) are executed, among other things, based on group
membership of the machine.
The group is contained in the DSACL of the policy in LDAP.
This is an example of a GPO DSACL:
O:DAG:DAD:PAR
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CI;RPLCLORC;;;ED)
(A;CI;RPLCRC;;;<OBJECT_SID>)
(A;CI;RPLCRC;;;AU)
(A;CI;RPLCRC;;;<OBJECT_SID>)
(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;<OBJECT_SID>)
S:AI
(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Replace <OBJECT_SID> with the attribute "objectSid" of the group you
want the GPO to work on.
To attach multiple groups the DSACL looks like:
O:DAG:DAD:PAR
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)
(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)
(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)
(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)
(A;CI;RPLCLORC;;;ED)
(A;CI;RPLCRC;;;<FIRST_OBJECT_SID>)
(A;CI;RPLCRC;;;AU)
<FOR OBJECT_SID IN OBJECT_SIDS>
(A;CI;RPLCRC;;;<OBJECT_SID>)
<ENDFOR>
<FOR OBJECT_SID IN OBJECT_SIDS>
(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;<OBJECT_SID>)
<ENDFOR>
S:AI
(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Construct a temp-file:
dn: CN=<GPO_UUID>,CN=Policies,CN=System,DC=example,DC=com
changetype: modify
replace: nTSecurityDescriptor
nTSecurityDescriptor: <DSACL>
And apply the DSACL with:
ldbmodify -H /var/lib/samba/private/sam.ldb <TEMP-FILE>
Now run the gpupdate variant for your machine to update the policies and
either apply or remove the policy depending on the group memberships of
the machine.
@Rowland, @David, would it be an idea to update the wiki with this information?
Or @David, would it be an idea to extend "samba-tool gpo" to be able to
manage GPO group memberships?
- Kees
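A small Python helper, added here and not part of the mail or of Samba, that expands the multi-group template above into one SDDL string, writes the LDIF for ldbmodify, and, for auditing an existing GPO, parses an nTSecurityDescriptor to list which SIDs hold both read rights and the "Apply Group Policy" extended right. The group SIDs and the GPO DN in the usage part are constructed placeholders.

```python
import re

# GUID of the "Apply Group Policy" extended right, as in the DSACL above.
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"
# Fixed ACEs copied from the mail's DSACL; only the group ACEs are generated.
DACL_FIXED = ("(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
              "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
              "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;SY)(A;CI;RPLCLORC;;;ED)")
SACL = ("S:AI(OU;CIIOIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
        "(OU;CIIOIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def build_dsacl(group_sids):
    """Expand the <FOR OBJECT_SID IN OBJECT_SIDS> template literally: first SID
    before AU, then every SID with read (RPLCRC) and with Apply Group Policy."""
    if not group_sids:
        raise ValueError("at least one group SID is required")
    aces = [DACL_FIXED, f"(A;CI;RPLCRC;;;{group_sids[0]})", "(A;CI;RPLCRC;;;AU)"]
    aces += [f"(A;CI;RPLCRC;;;{sid})" for sid in group_sids]
    aces += [f"(OA;CI;CR;{APPLY_GROUP_POLICY};;{sid})" for sid in group_sids]
    return "O:DAG:DAD:PAR" + "".join(aces) + SACL

def apply_targets(sddl):
    """Audit: SIDs with both read (RP, LC, RC) and the Apply Group Policy right,
    i.e. the groups the GPO is filtered to. Newlines between ACEs are fine."""
    m = re.search(r"D:[A-Z]*", sddl)          # start of the DACL, after its flags
    dacl = sddl[m.end():].split("S:", 1)[0] if m else ""
    readers, appliers = set(), set()
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        parts = ace.split(";")
        if len(parts) != 6:                    # skip conditional or odd ACEs
            continue
        ace_type, _flags, rights, obj_guid, _inh, sid = parts
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        if ace_type == "OA" and "CR" in codes and obj_guid.lower() == APPLY_GROUP_POLICY:
            appliers.add(sid)
        elif ace_type == "A" and {"RP", "LC", "RC"} <= codes:
            readers.add(sid)
    return readers & appliers

def build_ldif(gpo_dn, sddl):
    """LDIF that replaces the GPO's nTSecurityDescriptor, for ldbmodify."""
    return (f"dn: {gpo_dn}\nchangetype: modify\n"
            f"replace: nTSecurityDescriptor\nnTSecurityDescriptor: {sddl}\n")

if __name__ == "__main__":
    # Constructed placeholder SIDs and DN; use your groups' objectSid and GPO DN.
    sids = ["S-1-5-21-1111-2222-3333-1001", "S-1-5-21-1111-2222-3333-1002"]
    print(build_ldif("CN=<GPO_UUID>,CN=Policies,CN=System,DC=example,DC=com",
                     build_dsacl(sids)))
```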
On 14-10-2022 17:17, David Mulder via samba wrote:
> On 10/14/22 9:08 AM, Peter Carlson via samba wrote:
>> So I am assuming that these scripts are only run on Linux systems; if
>> so, that takes care of it not running on Windows.
>>
>> So if I then put a login script login.ps1 or login.bat, it will run on
>> Windows, but still try to run on Linux and fail?
>>
>> Peter
>> PS: sorry for the misspelling in the subject, the brain -> finger
>> interface has one wire a bit loose
>>
> Windows logon scripts are not executed by Samba client group policy,
> so that's not a problem.
>
> FYI, Samba's user group policy is somewhat limited. User policies
> aren't executed by samba by default, but need to be run some other way
> (I'm working on fixing this though).
>
> You can either enable them using oddjob-gpupdate:
> https://github.com/openSUSE/oddjob-gpupdate
> Or you can manually run the samba-gpupdate command via bashrc, or
> something:
> /usr/sbin/samba-gpupdate --target=User -U $USER
>
> Script Policies
> (https://wiki.samba.org/index.php/Group_Policy#Script_Policies) can be
> assigned as user policies, but the Startup Script Policies cannot
> (these are for the machine).
>
> So it depends on what your needs are. You could potentially run a
> machine Startup Script, which applies policies for all your users,
> etc. That would be the simplest setup.
>
> I'm happy to help if you run into any problems.
>