On 11.12.2023 11:30, Pluess, Tobias via samba wrote:
> Good Day,
>
> I want to use a GPO to enable roaming profiles for certain users. For this,
> I followed this guide:
>
> https://learn.microsoft.com/en-us/windows-server/storage/folder-redirection/deploy-roaming-user-profiles#step-2-create-a-roaming-user-profiles-security-group
>
> I created in my directory the group "Roaming Profile Users" and added 2
> users to it. Afterwards, I went to the GPO editor and created the GPO for
> the roaming profiles. I removed the "Authenticated users" from the
> "Security Filtering" and added the "Authenticated users" back on the
> "Delegation" tab.
> Further, I added my freshly created "Roaming Profile Users" group under
> "Security Filtering", because I understood it such that the GPO is only
> applied to the users and groups under "Security Filtering".
>
> So, according to my understanding, the configuration was correct. To make
> sure the GPO is in effect, I executed "gpupdate /force" and rebooted the
> computer. Now, when I want to login as one of the users in the "Roaming
> Profile Users" group, no roaming profile is created on my file share, and a
> normal local profile is created instead.
> On the other hand, when I add the "Authenticated users" to the "Security
> Filtering", everything works as expected, i.e. a roaming profile is created
> during login, but this happens for all domain users, not just for the ones
> I want.
> So obviously it seems like it does not work to apply a GPO only for one
> group, is this as intended or is this a bug?
>
> I use Samba 4.17.12 on Debian and Windows 10 N LTSC as the client.
>
> Thanks for any hints!

Hi Tobias,

I have tried out the GPO handling quite extensively, and last time with
Samba 4.18.6. If you are using RSAT, you can define the GPOs, but
gpupdate probably will not work. You need to open your Samba DCs and run

samba-gpupdate --force

You may also need to make a sysvolcheck and sysvolreset.

I'm now on Samba 4.19.3, but I haven't had time to check if the GPO
problems persist. It's not that often I need to set GPOs.

HTH.

Best regards,
Peter