Discussion:
[Samba] GPOs: only Default Domain Policy is being applied, others are ignored
Miguel Medalha
2016-06-24 15:32:03 UTC
I recently discovered that only the Default Domain Policy is being applied.
All other GPOs seem to be ignored. All Sysvol filesystem objects have the
right permissions. Both DCs are running Samba 4.4.3 over CentOS 7. There are
no related errors in logs or Windows Event Viewer. Other policies did work
before. I noticed that the corresponding filesystem objects were last
placed on users’ desktops four days ago.

[global]
workgroup = MYDOMAIN
realm = MYREALM
netbios name = MYSERVER
server role = active directory domain controller
dns forwarder = 10.0.0.254
wins support = yes
domain master = yes
preferred master = yes
local master = yes

ntlm auth = no
client ipc signing = mandatory

server min protocol = SMB2_10
server max protocol = SMB3_11
client min protocol = SMB2_10
client max protocol = SMB3_11
client ipc min protocol = SMB2_10
client ipc max protocol = SMB3_11

strict sync = yes
store dos attributes = yes
map acl inherit = yes

admin users = @"CIMBAL\Domain Admins"

[netlogon]
path = /usr/local/samba/var/sysvol/mydomain/scripts
read only = no
browsable = no
vfs objects = acl_xattr dfs_samba4

[sysvol]
path = /usr/local/samba/var/sysvol
read only = no
browsable = no
vfs objects = acl_xattr dfs_samba4
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Miguel Medalha
2016-07-26 17:39:44 UTC
Post by Miguel Medalha
I recently discovered that only the Default Domain Policy is being applied.
All other GPOs seem to be ignored. All Sysvol filesystem objects have the right permissions. Both DCs are running
Samba 4.4.3 over CentOS 7. There are no related errors in logs or Windows Event Viewer. Other policies did work
before. I noticed that the corresponding filesystem objects were last placed on users’ desktops four days ago.

This problem was not Samba related; it was caused by a Microsoft security update for Group Policy applied to the Windows clients. The culprit was mainly the following:

MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398


The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

In sum:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.
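
An audit for the condition described in the message above, as an added example that is not part of the original thread: after MS16-072 the client retrieves user GPOs in the computer's security context, so a GPO is skipped unless Authenticated Users or Domain Computers can read it. The script assumes a domain-joined Windows host with the RSAT GroupPolicy module and an English-language "Domain Computers" group name; the variable names are illustrative.

```powershell
# Added example: list GPOs that computer accounts cannot read after MS16-072.
# Assumption: RSAT GroupPolicy module is installed. Older RSAT releases name
# the cmdlets Get-GPPermissions / Set-GPPermissions.
Import-Module GroupPolicy

$AuthenticatedUsersSid = 'S-1-5-11'   # well-known SID, independent of UI language
$DomainComputersRid    = '-515'       # well-known RID of the Domain Computers group
# Every one of these permission levels includes Read on the GPO.
$ReadLevels = 'GpoRead', 'GpoApply', 'GpoEdit', 'GpoEditDeleteModifySecurity'

$report = foreach ($gpo in Get-GPO -All) {
    # Keep only allow entries whose level grants at least Read.
    $readers = Get-GPPermission -Guid $gpo.Id -All | Where-Object {
        -not $_.Denied -and $ReadLevels -contains $_.Permission.ToString()
    }
    $hasAU = [bool]($readers | Where-Object {
        $_.Trustee.Sid.Value -eq $AuthenticatedUsersSid })
    $hasDC = [bool]($readers | Where-Object {
        $_.Trustee.Sid.Value.EndsWith($DomainComputersRid) })

    [pscustomobject]@{
        GPO                    = $gpo.DisplayName
        Id                     = $gpo.Id
        AuthenticatedUsersRead = $hasAU
        DomainComputersRead    = $hasDC
        ComputerCanRead        = ($hasAU -or $hasDC)
    }
}

# GPOs that patched clients will silently skip.
$broken = $report | Where-Object { -not $_.ComputerCanRead }
$broken | Format-Table GPO, Id, AuthenticatedUsersRead, DomainComputersRead -AutoSize

# Corrective measure from the thread for security-filtered GPOs: grant
# Domain Computers Read only (GpoRead does not include Apply).
# Review $broken first, then uncomment to apply.
# foreach ($item in $broken) {
#     Set-GPPermission -Guid $item.Id -TargetName 'Domain Computers' `
#         -TargetType Group -PermissionLevel GpoRead
# }
```

Entries with a custom permission level are not counted as readable here, so a GPO listed only because of such an entry should be checked by hand in GPMC.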
L.P.H. van Belle
2016-07-27 08:01:39 UTC
Hi Miguel,

THANKS !!!

This is one I didn't know about, and it will help a lot and explains the sudden GPO errors.


Greetz,

Louis
-----Original message-----
Sent: Tuesday 26 July 2016 19:40
To: 'samba'
Subject: Re: [Samba] GPOs: only Default Domain Policy is being applied,
others are ignored -- SOLVED
Post by Miguel Medalha
I recently discovered that only the Default Domain Policy is being
applied. All other GPOs seem to be ignored. All Sysvol filesystem objects have
the right permissions. Both DCs are running Samba 4.4.3 over CentOS 7. There
are no related errors in logs or Windows Event Viewer. Other policies did work
before. I noticed that the corresponding filesystem objects were last
placed on users’ desktops four days ago.

This problem was not Samba related; it was caused by a Microsoft security
update for Group Policy applied to the Windows clients. The culprit was
MS16-072: Security update for Group Policy: June 14, 2016
https://support.microsoft.com/en-gb/kb/3159398

The following page explains the issues and the corrective measures.
https://support.microsoft.com/en-gb/kb/3163622

Add the Authenticated Users group with Read Permissions on the Group
Policy Object (GPO).
If you are using security filtering, add the Domain Computers group
with read permission.