SambaWiki - User contributions [en] (MediaWiki 1.39.5, feed generated 2024-03-28T09:43:29Z)
https://wiki.samba.org/index.php?title=Testing_the_DNS_Name_Resolution&diff=18117 Testing the DNS Name Resolution 2022-03-06T12:11:13Z<p>Pgoetz: /* Forward Lookup */</p>
<hr />
<div><noinclude>
= Introduction =
</noinclude>

To verify that your DNS settings are correct and that your client or server can resolve host names and IP addresses, use the <code>nslookup</code> or <code>host</code> command. <code>nslookup</code> is available on Linux and Windows; <code>host</code> is part of the BIND utilities on Linux.

Run the tests on the machine that has the problem, against the DNS server it is configured to use. <code>nslookup</code> prints the server it queried in its <code>Server:</code> and <code>Address:</code> lines; check that this is one of your AD DNS servers and not, for example, a resolver handed out by DHCP that does not know the AD zones. If the answer comes from the wrong server, fix the resolver configuration first (see [[Linux_and_Unix_DNS_Configuration|Linux and Unix DNS Configuration]]).

== Forward Lookup ==

To resolve a host name to its IP address:

 # nslookup DC1.samdom.example.com
 Server: 10.99.0.1
 Address: 10.99.0.1#53
 
 Name: DC1.samdom.example.com
 Address: 10.99.0.1

Alternatively, use the <code>host</code> command:

 # host DC1.samdom.example.com
 DC1.samdom.example.com has address 10.99.0.1

== Reverse Lookup ==

To resolve an IP address to its host name:

 # nslookup 10.99.0.1
 Server: 10.99.0.1
 Address: 10.99.0.1#53
 
 1.0.99.10.in-addr.arpa name = DC1.samdom.example.com.

or:

 # host 10.99.0.1
 1.0.99.10.in-addr.arpa domain name pointer DC1.samdom.example.com.

Note that in a Samba AD, the reverse zone is not created automatically. A missing reverse zone only makes reverse lookups fail; domain members locate the DCs through the forward and SRV records, not through PTR records. To set up a reverse zone, see [[DNS_Administration|DNS Administration]].

== Resolving SRV Records ==

Active Directory (AD) uses SRV records to locate services, such as Kerberos and LDAP. A domain member that cannot resolve these records cannot find a DC, even when the DC's host name resolves. To verify that SRV records are resolved correctly, use the <code>nslookup</code> interactive shell:

 $ nslookup
 > set type=SRV
 > _ldap._tcp.samdom.example.com
 Server: 192.168.0.4
 Address: 192.168.0.4#53
 
 _ldap._tcp.samdom.example.com service = 0 100 389 dc2.samdom.example.com.
 _ldap._tcp.samdom.example.com service = 0 100 389 dc1.samdom.example.com.
 > exit

or:

 $ host -t SRV _ldap._tcp.samdom.example.com
 _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
 _ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.

The four values are priority, weight, port and target host. Every DC of the domain should appear as a target, and every target must itself resolve with a forward lookup. The Kerberos records, <code>_kerberos._tcp.samdom.example.com</code> and <code>_kerberos._udp.samdom.example.com</code>, are checked the same way; for Kerberos the port shown is 88.

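The following script is an added example and not part of the Samba wiki. It turns the SRV and forward checks above into one test: it reads the <code>host</code> output formats shown on this page, lists every SRV target, and reports any target that has no address record, which is the case that leaves a domain member unable to reach the DC its SRV record names. The function names are mine, the sample output embedded at the bottom is constructed (dc2 is advertised but has no A record), and the live wrapper <code>ad_srv_check</code> needs the <code>host</code> utility and a working resolver.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. Checks that every target named in
# the domain's LDAP and Kerberos SRV records has a forward (A/AAAA) record,
# using the output format of `host` shown on this page. The sample text at
# the bottom is constructed for offline use; ad_srv_check does live queries.

# srv_targets: read `host -t SRV` output on stdin, print one
# "priority weight port target" line per record, trailing dot removed.
srv_targets() {
    awk '/has SRV record/ {
        t = $NF; sub(/\.$/, "", t)
        print $(NF-3), $(NF-2), $(NF-1), t
    }'
}

# resolved_names: read `host NAME` output on stdin, print each name that
# got an address answer (lower-cased, one per line, de-duplicated).
resolved_names() {
    awk '/ has (IPv6 )?address / { print tolower($1) }' | sort -u
}

# missing_targets SRV_TEXT FWD_TEXT: print every SRV target that has no
# address in FWD_TEXT; exit 1 if there is at least one, 0 otherwise.
missing_targets() {
    targets=$(printf '%s\n' "$1" | srv_targets | awk '{ print tolower($4) }' | sort -u)
    names=$(printf '%s\n' "$2" | resolved_names)
    rc=0
    for t in $targets; do
        if ! printf '%s\n' "$names" | grep -qxF -- "$t"; then
            echo "$t"
            rc=1
        fi
    done
    return $rc
}

# ad_srv_check DOMAIN: live check against the resolver in /etc/resolv.conf.
# Queries the LDAP and Kerberos SRV records, resolves every target, and
# prints the targets that do not resolve (exit 1) or a success line (exit 0).
ad_srv_check() {
    domain="$1"
    srv=$(host -t SRV "_ldap._tcp.$domain"; host -t SRV "_kerberos._tcp.$domain")
    fwd=''
    for t in $(printf '%s\n' "$srv" | srv_targets | awk '{ print $4 }' | sort -u); do
        fwd="$fwd
$(host "$t")"
    done
    if missing=$(missing_targets "$srv" "$fwd"); then
        echo "all SRV targets of $domain resolve"
    else
        printf 'SRV targets without an address record (check these DCs):\n%s\n' "$missing"
        return 1
    fi
}

# Constructed sample output: dc2 is advertised in DNS but has no A record.
SAMPLE_SRV='_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc1.samdom.example.com.
_ldap._tcp.samdom.example.com has SRV record 0 100 389 dc2.samdom.example.com.
_kerberos._tcp.samdom.example.com has SRV record 0 100 88 dc1.samdom.example.com.'
SAMPLE_FWD='dc1.samdom.example.com has address 10.99.0.1
Host dc2.samdom.example.com not found: 3(NXDOMAIN)'

# Run the live check when AD_DOMAIN is set (AD_DOMAIN=samdom.example.com sh
# this_script.sh); otherwise demonstrate on the sample, which names dc2.
if [ -n "${AD_DOMAIN:-}" ]; then
    ad_srv_check "$AD_DOMAIN"
else
    missing_targets "$SAMPLE_SRV" "$SAMPLE_FWD" \
        || echo "(the target above has no address record)"
fi
```

The script deliberately queries the LDAP and Kerberos records separately rather than trusting a single one: a domain where LDAP works but the Kerberos SRV record points at a decommissioned DC shows up as logon failures that plain forward lookups never reveal.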
== Error Messages ==

* The DNS server answered, but has no record for the host name. Either the record is missing, or you queried a server that is not authoritative for the AD zone (check the <code>Server:</code> line):

 ** server can't find DC1.samdom.example.com: NXDOMAIN

: <code>host</code> reports the same condition as:

 Host DC1.samdom.example.com not found: 3(NXDOMAIN)

* The DNS server is not able to resolve the IP address, typically because the reverse zone does not exist (see [[DNS_Administration|DNS Administration]]):

 ** server can't find 1.0.99.10.in-addr.arpa: NXDOMAIN

* The DNS server used is not available. The <code>nameserver</code> address is wrong, the DNS service is not running, or port 53 (UDP and TCP) is blocked between client and server:

 ;; connection timed out; no servers could be reached</div>
Pgoetz https://wiki.samba.org/index.php?title=Linux_and_Unix_DNS_Configuration&diff=18114 Linux and Unix DNS Configuration 2022-03-06T11:53:29Z<p>Pgoetz: Add brief explanation for NetworkManager</p>
<hr />
<div><noinclude>
__TOC__

= Introduction =
</noinclude>
Active Directory (AD) uses DNS in the background to locate other DCs and services, such as Kerberos. AD domain members and servers must therefore use a DNS server that can resolve the AD DNS zones; a host whose resolver does not know these zones cannot locate a DC.

The following describes how to manually configure Linux clients to use DNS servers. If you are running a DHCP server that provides DNS settings to your client computers, configure the DHCP server to send the IP addresses of your AD DNS servers instead.

== Configuring the /etc/resolv.conf ==

Set the DNS server IP and the AD DNS domain in your <code>/etc/resolv.conf</code>. For example:

 nameserver 10.99.0.1
 search samdom.example.com

Some utilities, such as NetworkManager, overwrite manual changes to that file on the next network event or reboot. See your distribution's documentation for information about how to configure name resolution permanently.

For NetworkManager, set the DNS server using either the graphical interface or <code>nmcli</code> and restart the NetworkManager service. On distributions where NetworkManager hands name resolution to systemd-resolved, the visible <code>/etc/resolv.conf</code> file:

 nameserver 127.0.0.53
 search samdom.example.com

does not list the AD DNS server explicitly: <code>127.0.0.53</code> is the local stub resolver of systemd-resolved, which forwards to the servers NetworkManager configured. This setup works correctly; to see the servers actually in use, run <code>resolvectl status</code>.
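The following script is an added example, not from the Samba wiki. It applies the NetworkManager configuration described above with <code>nmcli</code> and then classifies the resulting <code>/etc/resolv.conf</code>, so that the <code>127.0.0.53</code> stub case is recognised instead of being mistaken for a missing DNS server. The connection name, the server address <code>10.99.0.1</code> and the domain <code>samdom.example.com</code> are assumptions taken from this page's examples; the function names are mine and the resolv.conf samples at the end are constructed.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. Persistently points a
# NetworkManager connection at the AD DNS server and interprets the
# resulting /etc/resolv.conf. Connection name, server and domain are
# assumptions; replace them for your network.

# nm_set_ad_dns CONNECTION DNS_IP DOMAIN
# Sets the DNS server and search domain on a NetworkManager connection,
# ignores any DNS servers offered by DHCP (otherwise they would be used
# alongside the AD server), and re-activates the connection.
nm_set_ad_dns() {
    nmcli connection modify "$1" \
        ipv4.dns "$2" \
        ipv4.dns-search "$3" \
        ipv4.ignore-auto-dns yes
    nmcli connection up "$1"
}

# resolv_mode DNS_IP < resolv.conf
# Prints one word describing what the file says:
#   stub   - nameserver 127.0.0.53, systemd-resolved's local stub;
#            the real upstream servers are shown by `resolvectl status`
#   direct - DNS_IP is listed as a nameserver
#   other  - neither; the host is using some unrelated resolver
resolv_mode() {
    awk -v want="$1" '
        $1 == "nameserver" { ns[$2] = 1 }
        END {
            if ("127.0.0.53" in ns) print "stub"
            else if (want in ns)    print "direct"
            else                    print "other"
        }'
}

# has_search_domain DOMAIN < resolv.conf
# Succeeds if DOMAIN appears in the search (or domain) list, case-insensitive.
has_search_domain() {
    awk -v d="$1" '
        $1 == "search" || $1 == "domain" {
            for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) found = 1
        }
        END { exit !found }'
}

# check_resolver DNS_IP DOMAIN < resolv.conf
# Reports whether this configuration can be expected to resolve the AD zone.
# Returns 1 when the search domain is missing or an unrelated resolver is used.
check_resolver() {
    conf=$(cat)
    if ! printf '%s\n' "$conf" | has_search_domain "$2"; then
        echo "search domain $2 is missing"
        return 1
    fi
    case "$(printf '%s\n' "$conf" | resolv_mode "$1")" in
        stub)   echo "stub resolver in use; check upstream servers with: resolvectl status" ;;
        direct) echo "AD DNS server $1 configured directly" ;;
        other)  echo "neither $1 nor the systemd-resolved stub is listed"; return 1 ;;
    esac
}

# Constructed samples: the two working layouts shown on this page and a
# broken one (DHCP-provided resolver that knows nothing about the AD zone).
SAMPLE_DIRECT='nameserver 10.99.0.1
search samdom.example.com'
SAMPLE_STUB='nameserver 127.0.0.53
search samdom.example.com'
SAMPLE_BROKEN='nameserver 192.0.2.53
search example.net'

# Demonstrate on a sample; on a real host run
#   check_resolver 10.99.0.1 samdom.example.com < /etc/resolv.conf
printf '%s\n' "$SAMPLE_STUB" | check_resolver 10.99.0.1 samdom.example.com
```

<code>ipv4.ignore-auto-dns yes</code> is the part most often forgotten: without it, NetworkManager keeps the DHCP-provided resolver in the list next to the AD server, and lookups for the AD zone then succeed or fail depending on which server answers first.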

== Testing DNS resolution ==

{{:Testing_the_DNS_Name_Resolution}}

----
[[Category:Active Directory]]
[[Category:Domain Members]]</div>
Pgoetz https://wiki.samba.org/index.php?title=The_Samba_AD_DNS_Back_Ends&diff=17943 The Samba AD DNS Back Ends 2021-11-05T18:10:48Z<p>Pgoetz: Added some information about editing/querying the Samba DNS using samba-tool</p>
<hr />
<div>__TOC__

= Introduction =

In an Active Directory (AD), DNS is a very important service. It is used for:
* name resolution
* locating services, such as Kerberos and LDAP
* locating local domain controllers (DC) when using AD sites. For details, see [[Active_Directory_Sites|Active Directory Sites]].

{{Imbox
| type = note
| text = All clients and servers in an AD must use a DNS server that is able to resolve the AD DNS zones.
}}

= Supported DNS Back Ends =

Samba supports the following DNS back ends:

* [[Samba_Internal_DNS_Back_End|Samba Internal DNS Back End]]
:* Default when provisioning a new domain, joining an existing domain or migrating an NT4 domain to AD.
:* No additional software or DNS knowledge is required.
:* Use this back end for simple DNS setups. For a list of limitations, see [[Samba_Internal_DNS_Back_End#Limitations|Limitations]].

* [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]]
:* Requires BIND 9.8 or later installed and configured locally on the Samba Active Directory (AD) domain controller (DC). For additional information, see [[Setting_up_a_BIND_DNS_Server|Setting up a BIND DNS Server]].
:* Requires knowledge about the BIND DNS server and how to configure the service.
:* Use this back end for complex DNS scenarios that you cannot configure in the internal DNS.

If you are unsure which DNS back end to select during the DC installation, start with the Samba internal DNS. You can change the back end at any time. For details, see [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].

{{Imbox
| type = important
| text = Do not use the <code>BIND9_FLATFILE</code> DNS back end. It is not supported; it was formally deprecated with the 4.11.0 release and scheduled for removal in 4.12.0.
}}

= Using the Samba Internal DNS Back End =

The Samba internal DNS server is edited and queried with [https://www.samba.org/samba/docs/current/man-html/samba-tool.8.html samba-tool]. The <code>samba-tool dns</code> commands connect to the DC over RPC, so they take the DC's name or address as first argument and need the credentials of an account that may administer DNS, such as the domain Administrator (<code>-U administrator</code>). For example:

To get a list of zones: <code>samba-tool dns zonelist ''server'' -U administrator</code>

To update a record: <code>samba-tool dns update ''server'' ''zone_name'' ''name'' A|AAAA|PTR|CNAME|NS|MX|SRV|TXT ''old_value'' ''new_value'' -U administrator</code>

Run <code>samba-tool dns -h</code> to see the complete list of available commands.

= Selecting the AD Forest Root Domain =

Before you provision your Active Directory (AD), you must select a DNS zone for your AD forest root domain. For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

{{Imbox
| type = warning
| text = Samba does not support renaming the AD forest root domain.
}}

Best practices:

* Use a domain name you own, so that nobody else can register it and publish conflicting records for it on the Internet.
* Use a subdomain of your domain, such as <code>ad.example.com</code>.
* Do not use <code>.local</code> domains. They can cause problems with Mac OS X and Zeroconf.

For details, see [[Active_Directory_Naming_FAQ|Active Directory Naming FAQ]].

----
[[Category:Active Directory]]
[[Category:DNS]]</div>
Pgoetz https://wiki.samba.org/index.php?title=Windows_User_Home_Folders&diff=17942 Windows User Home Folders 2021-11-05T14:27:48Z<p>Pgoetz: updated the erroneous assertion that the use of POSIX ACLs does not allow for autocreation of home directories</p>
<hr />
<div>= Introduction =

Home folders contain the files of an individual account. Using Samba, you can share the directory that holds them so that network users can store their own files in their home folder on the file server.

This documentation does not use the Samba built-in <code>[homes]</code> section that dynamically shares the user's home directory under the <code>\\server\''user_name''\</code> path. While this can be helpful in certain scenarios, it has some disadvantages:
* Windows does not support this feature, so certain settings, such as folder redirection in an Active Directory (AD), require a workaround instead of the official solution.
* You must create each new user's home directory manually.
* While the <code>[homes]</code> feature is supported on a Samba Active Directory (AD) domain controller (DC), it will not work for Windows users' home directories. It works for Unix home directories, but that setup is not shown here.

In the following, the directory containing the home folders is shared using the <code>users</code> share name. Each user's home directory is created as a subdirectory of the <code>\\server\users\</code> share, such as <code>\\server\users\''user_name''</code>. This is the same layout used in a Microsoft Windows environment and requires no additional work to set up.

= Setting up the Share on the Samba File Server =

== Using Windows ACLs ==

Setting extended access control lists (ACL) on the share that hosts the home directories enables you to create new users in the <code>Active Directory Users and Computers</code> application without manually creating the user's home folder and setting permissions.

To create a share, for example, <code>users</code>, for hosting the user home folders on a Samba file server:

* Create a new share. For details, see [[Setting up a Share Using Windows ACLs]]. Set the following permissions:

:* Share permissions:
::{| class="wikitable"
!Principal
!Access
|-
|Domain Users
|Change
|-
|Domain Admins
|Full Control
|}

:* File system permissions on the root of the <code>users</code> share:

::{| class="wikitable"
!Principal
!Access
!Applies to
|-
|Domain Users*
|Read & execute
|This folder only
|-
|CREATOR OWNER
|Full control
|Subfolders and files only
|-
|Domain Admins
|Full control
|This folder, subfolders and files
|}

::<nowiki>*</nowiki> You can alternatively set other groups, to enable the group members to store their user profile on the share. When using different groups, apply the permissions as displayed for <code>Domain Users</code> in the previous example.

:: Do not grant <code>Domain Users</code> more than <code>Read & execute</code> on the share root, and keep that entry at <code>This folder only</code>: anything wider lets every domain user create folders in the share root or read into other users' home folders.

:: Verify that permission inheritance is disabled on the root of the share. If any permission entry in the <code>Advanced Security Settings</code> window displays a path in the <code>Inherited from</code> column, click the <code>Disable inheritance</code> button. On Windows 7, clear the <code>Include inheritable permissions from this object's parent</code> check box to achieve the same.

::[[Image:Home_Folder_File_System_ACLs.png]]

:: On a Samba share, you can omit the <code>SYSTEM</code> account in the file system ACLs. For details, see [[The SYSTEM Account]].

These settings enable members of the <code>Domain Admins</code> group to set the user home folder in the <code>Active Directory Users and Computers</code> application, which automatically creates the home folder and sets the correct permissions.

== Using POSIX ACLs ==

Instead of using Windows access control lists (ACL), you can set up a share using POSIX ACLs on your Samba server. This is useful if you also support Linux users, for example when the same directories are exported via NFS. Samba then does its best to set POSIX ACLs that give both Linux and Windows users the security restrictions they expect. If you use the RSAT tools to set a remote home directory for the user ''my_user'' on a Samba file server, the resulting POSIX permissions on the (automatically created) home directory look something like this:

 root@my_samba_fileserver:/home# getfacl my_user
 # file: my_user
 # owner: root
 # group: root
 user::rwx
 user:root:rwx
 user:my_user:rwx
 group::---
 group:root:---
 group:BUILTIN\\administrators:rwx
 group:my_user:rwx
 mask::rwx
 other::---
 default:user::rwx
 default:user:root:rwx
 default:user:my_user:rwx
 default:group::---
 default:group:root:---
 default:group:BUILTIN\\administrators:rwx
 default:group:my_user:rwx
 default:mask::rwx
 default:other::---

The ''my_user'' user has full control over /home/my_user despite root being the owner of the directory, and members of <code>BUILTIN\administrators</code> keep access as well; the <code>group::---</code> and <code>other::---</code> entries keep everyone else out. The <code>default:</code> entries are inherited by files and directories created inside, which is what makes a new user's folder usable without further manual work.

{{Imbox
| type = note
| text = When setting up the share on a Samba Active Directory (AD) domain controller (DC), you cannot use POSIX ACLs. On a Samba DC, only shares using extended ACLs are supported. For further details, see [[Setting_up_a_Share_Using_Windows_ACLs#Enable_Extended_ACL_Support_in_the_smb.conf_File|Enable Extended ACL Support in the smb.conf File]]. To set up the share on a Samba AD DC, see [[#Using_Windows_ACLs|Setting up the Home Folder Share on the Samba File Server - Using Windows ACLs]].
}}

For example, to create the <code>users</code> share:

* Add the following share configuration section to your <code>smb.conf</code> file:

 [users]
 path = /srv/samba/users/
 read only = no
 force create mode = 0600
 force directory mode = 0700

: For details about the parameters used, see the descriptions in the smb.conf(5) man page. <code>force create mode</code> and <code>force directory mode</code> guarantee that the owner always gets read and write access (and, for directories, execute) on everything created through the share, whatever permissions the client requested.

: Do not use <code>homes</code> as the name of the share. For further details, see [[#Introduction|Introduction]].

* Create the directory and set the correct permissions:

 # mkdir -p /srv/samba/users/
 # chgrp -R "''Domain Users''" /srv/samba/users/
 # chmod 2750 /srv/samba/users/

: In a domain, <code>Domain Users</code> is a group that all domain user accounts are members of. Alternatively, or if you are running a non-domain environment, you can set it to any group that exists locally. However, user accounts must be members of this group to access the share. Mode <code>2750</code> gives the owner (<code>root</code>) full access, lets group members enter the directory without being able to create entries in it, denies everyone else, and sets the setgid bit so that subdirectories inherit the group.

* Reload Samba:

 # smbcontrol all reload-config

= Creating the Home Folder for a New User =

== Using Windows ACLs ==

If you are using the <code>Active Directory Users and Computers</code> application, the user's home directory is created automatically and the correct permissions are applied when you set the path to the user folder in the application.

If you are not using <code>Active Directory Users and Computers</code>, you must create the folder manually and set the correct permissions. For example:

* Log in to a Windows machine using an account that has permissions to create new folders on the <code>\\server\users\</code> share, such as a member of <code>Domain Admins</code>.

* Navigate to the <code>\\server\users\</code> share.

* Create a new home folder for the user.

* Add the user to the access control list (ACL) of the folder and grant <code>Full control</code> to the user. For details, see [[Setting_up_a_Share_Using_Windows_ACLs#Setting_ACLs_on_a_Folder|Setting ACLs on a Folder]]. If <code>Domain Users</code> appears as an inherited entry on the new folder, the entry on the share root is not limited to <code>This folder only</code>; fix it there, or every domain user can read this home folder.

== Using POSIX ACLs ==

When you set up the <code>users</code> share using POSIX access control lists (ACL) and do not let <code>Active Directory Users and Computers</code> create the folder (see [[#Using_POSIX_ACLs|Using POSIX ACLs]] above), create the home folder for each new user manually. To create the home folder for the <code>demo</code> user:

* Create the directory:

 # mkdir /srv/samba/users/demo/

* Set the owner and permissions so that only the <code>demo</code> user can access the directory:

 # chown demo /srv/samba/users/demo/
 # chmod 700 /srv/samba/users/demo/

: The directory inherits the group of the share root because of its setgid bit, but mode <code>700</code> leaves that group, and everyone else, without access. Use the account name as the file server knows it, which, depending on the <code>winbind use default domain</code> setting, is <code>demo</code> or <code>''DOMAIN''\demo</code>.
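The following script is an added example and not from the Samba wiki. It performs the manual steps above (<code>mkdir</code>, <code>chown</code>, <code>chmod 700</code>) for one user with the checks a file-server administrator wants first: the account must be resolvable on the server, the name must be a plain account name and not a path or an option, and an existing folder is left alone rather than handed to the new account. The share root is the one used on this page; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the Samba wiki. Creates one user's home folder in
# the POSIX-ACL share from this page the way the manual steps do
# (mkdir, chown, chmod 700), after checking the input. Function names are
# mine; the share path /srv/samba/users is the one used on the page.

# create_home_dir SHARE_ROOT USER
# Creates SHARE_ROOT/USER, owned by USER, mode 0700. Prints a reason and
# returns non-zero without touching anything if a check fails.
create_home_dir() {
    root="$1"
    user="$2"

    # Only a plain account name is acceptable: the name becomes a path
    # component and a chown argument, so "../etc", "a/b" or "-R" must
    # never get that far.
    case "$user" in
        ''|.|..|*/*|-*)
            echo "refusing bad user name: '$user'" >&2
            return 2 ;;
    esac

    # The account must be known to the OS (through winbind or sssd for AD
    # accounts); otherwise chown would fail after the directory was made.
    if ! id -u "$user" >/dev/null 2>&1; then
        echo "unknown user: $user" >&2
        return 3
    fi

    if [ ! -d "$root" ]; then
        echo "share root missing: $root" >&2
        return 4
    fi

    dir="$root/$user"
    # Never re-own an existing directory: it may already hold somebody's
    # data, and chown would hand it to the new account.
    if [ -e "$dir" ]; then
        echo "already exists, left untouched: $dir" >&2
        return 5
    fi

    # Create under a restrictive umask so the directory is never readable
    # by the share group between creation and the explicit chmod.
    (umask 077 && mkdir "$dir") || return 6
    chown -- "$user" "$dir" && chmod 700 "$dir"
}

# home_dir_mode DIR: the ten-character permission field of `ls -ld`,
# "drwx------" for a correctly locked-down home folder.
home_dir_mode() {
    ls -ld -- "$1" | cut -c1-10
}

# Usage on the file server, as root:
#   create_home_dir /srv/samba/users demo && home_dir_mode /srv/samba/users/demo
```

Run it as root on the file server after the share root exists; the check on the returned mode is the same one you would do by hand with <code>ls -ld</code> before telling the user the folder is ready.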
<br />
<br />
<br />
<br />
<br />
= Assigning a Home Folder to a User =<br />
<br />
== In an Active Directory ==<br />
<br />
=== Using <code>Active Directory Users and Computers</code> ===<br />
<br />
In an Active Directory, you can use the <code>Active Directory Users and Computers</code> Windows application to set the path to the user home folder and the assigned drive letter. If you do not have the Remote Server Administration Tools (RSAT) installed, see [[Installing RSAT|Installing RSAT]].<br />
<br />
To assign the <code>\\server\users\demo\</code> path as home folder to the <code>demo</code> account:<br />
<br />
* Log in to a computer using an account that is able to edit user accounts.<br />
<br />
* Open the <code>Active Directory Users and Computers</code> application.<br />
<br />
* Navigate to the directory container that contains the <code>demo</code> account.<br />
<br />
* Right-click to the <code>demo</code> user account and select <code>Properties</code>.<br />
<br />
* Select the <code>Profile</code> tab.<br />
<br />
* Select <code>Connect</code>, the drive letter Windows assigns the mapped home folder to, and enter the path to the home folder into the <code>To</code> field.<br />
<br />
:[[Image:ADUC_Set_Home_Folder.png]].<br />
<br />
* Click <code>OK</code>.<br />
<br />
If a warning is displayed when saving the settings that the home folder was not created:<br />
* the permissions on the <code>users</code> share were incorrectly set when you set up the share using Windows access control lists (ACL). To fix the problem, set the permissions described in [[#Using_Windows_ACLs|Using Windows ACLs]].<br />
* you set up the share using POSIX ACL. To fix the problem, create the directory manually. See [[#Using_POSIX_ACLs_2|Creating the Home Folder for a New User - Using POSIX ACLs]].<br />
<br />
<br />
<br />
=== Using a Group Policy Preference ===<br />
<br />
{{:Using_a_Group_Policy_Preference}}<br />
<br />
=== Using <code>ldbedit</code> on a Domain Controller ===<br />
<br />
On a domain controller (DC), for example, to assign the <code>\\server\users\demo</code> path as home folder to the <code>demo</code> account and set the assigned drive letter to <code>H:</code><br />
<br />
* Edit the <code>demo</code> user account:<br />
<br />
# ldbedit -H /usr/local/samba/private/sam.ldb 'sAMAccountName=demo'<br />
<br />
* The account's attributes are displayed in an editor. Append the following attributes and values to the end of the list:<br />
<br />
homeDrive: H:<br />
homeDirectory: \\server\users\demo\<br />
<br />
* Save the changes.<br />
<br />
The setting is applied the next time the user logs in.<br />
<br />
<br />
<br />
== In an NT4 Domain ==<br />
<br />
In a Samba NT4 domain, to set <code>\\server\users\%U</code> as the path to the home folder and map it to the <code>H:</code> drive letter:<br />
<br />
* Add the following parameters to the <code>[global]</code> section in your <code>smb.conf</code> file:<br />
<br />
logon drive = H:<br />
logon home = \\server\users\%U<br />
<br />
: When a user logs in to the domain member, Samba automatically replaces the <code>%U</code> variable with the session user name. For further details, see the <code>Variable Substitutions</code> section in the <code>smb.conf(5)</code> man page.<br />
<br />
* Reload Samba:<br />
<br />
# smbcontrol all reload-config<br />
<br />
<br />
<br />
== In a Non-domain Environment ==<br />
<br />
=== Using a Windows Professional or Higher Edition ===<br />
<br />
If your Samba server and clients are not part of a domain, set the user home folder mapping in the local user account's properties:<br />
<br />
* Log on to the Windows machine using an account that is member of the local <code>Administrators</code> group.<br />
<br />
* Open the <code>lusrmgr.msc</code> (Local User and Groups) application.<br />
: The <code>lusrmgr.msc</code> application is not available in Windows Home editions.<br />
<br />
* Click <code>Users</code> in the navigation on the left side.<br />
<br />
* Right-click the account you want to assign a home folder to, and select <code>Properties</code>.<br />
<br />
* Navigate to the <code>Profile</code> tab.<br />
<br />
* Select <code>Connect</code>, choose the drive letter that Windows assigns to the mapped home folder, and enter the path to the home folder in the <code>To</code> field.<br />
<br />
* Click <code>OK</code>.<br />
<br />
You must set the mapping for each user on every Windows client manually.<br />
<br />
<br />
<br />
=== Using Windows Home Edition ===<br />
<br />
Windows Home editions do not provide the application needed to set the user home folder mapping in the local account properties. Instead, each user must map the drive manually:<br />
<br />
* Log on to the Windows machine as the user that should get the home folder mapped.<br />
<br />
* Open a command prompt.<br />
<br />
* For example, to map the <code>\\server\users\demo\</code> folder to the <code>H:</code> drive letter, enter:<br />
<br />
> net use H: \\server\users\demo\ /persistent:yes<br />
<br />
The user home folder is automatically connected when the user logs in. To stop the automatic mapping, disconnect the drive. For example:<br />
<br />
> net use H: /delete<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:Domain Members]]<br />
[[Category:File Serving]]<br />
[[Category:NT4 Domains]]<br />
[[Category:Standalone Server]]</div>Pgoetzhttps://wiki.samba.org/index.php?title=Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy&diff=17931Configuring Windows Profile Folder Redirections with Group Policy2021-11-02T07:35:37Z<p>Pgoetz: /* Using a Group Policy Preference */</p>
<hr />
<div>Using group policies, you can assign settings to organizational units (OU) or to a domain. This enables you, for example, to automatically set folder redirections for all users in the OU or domain. If you move the account to a different OU or domain, the settings are removed or updated. This way, you do not have to set the redirection manually for each user account.<br />
<br />
<br />
<br />
=== Using Group Policy Folder Redirection ===<br />
<br />
Using a group policy object (GPO) is the preferred way to set folder redirections.<br />
<br />
{{Imbox<br />
| type = note<br />
| text = Windows does not support dynamically-generated user home folders provided by the Samba <code>[homes]</code> section. If you use the <code>[homes]</code> section to provide home folders, set up a group policy preference instead. See [[#Using_a_Group_Policy_Preference|Using a Group Policy Preference]].<br />
}}<br />
<br />
To create a group policy object (GPO) for the domain that automatically redirects profile folders to the user's home folder:<br />
<br />
* Log in to a computer using an account that is allowed to edit group policies, such as the AD domain <code>Administrator</code> account.<br />
<br />
* Open the <code>Group Policy Management Console</code>. If you do not have the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].<br />
<br />
* Right-click your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.<br />
<br />
:[[Image:GPMC_Create_GPO.png]]<br />
<br />
* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.<br />
<br />
* Right-click the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.<br />
<br />
* Navigate to the <code>User Configuration</code> &rarr; <code>Policies</code> &rarr; <code>Windows Settings</code> &rarr; <code>Folder Redirection</code> entry.<br />
<br />
* Right-click the folder to redirect, such as <code>Documents</code>, and select <code>Properties</code>.<br />
<br />
* Set the following:<br />
:* On the <code>Target</code> tab:<br />
::* Setting: <code>Basic - Redirect everyone's folder to the same location</code><br />
::* Target folder location: <code>Redirect to the user's home directory</code><br />
:* On the <code>Settings</code> tab:<br />
::* Unselect <code>Grant the user exclusive rights.</code><br />
::* Unselect <code>Move the contents of Documents to the new location.</code><br />
::* Select <code>Also apply redirection to Windows 2000, Windows 2000 Server, Windows XP, and Windows Server 2003 operating systems.</code><br />
::* Select <code>Leave the folder in the new location when policy is removed.</code><br />
: If you set these options differently and users run into problems such as Event ID 502 in the Application event log at logon, see [https://support.microsoft.com/en-us/help/2493506/redirecting-the-user-s-documents-folder-to-their-home-directory-fails this Microsoft support article], which boils down to selecting either both ''Grant the user exclusive rights'' and ''Also apply redirection to Windows 2000 ...'' or neither of them.<br />
<br />
::[[Image:GPME_Folder_Redirection_Documents.png]]<br />
<br />
:* Click <code>OK</code>.<br />
<br />
* Optionally, redirect other folders in the same way.<br />
<br />
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).<br />
<br />
* Close the <code>Group Policy Management Console</code>.<br />
<br />
The policy is applied to users in the domain at their next logon.<br />
<br />
=== Using a Group Policy Preference ===<br />
<br />
When you use the Samba <code>[homes]</code> section to dynamically generate user home folders, you must set registry keys using a group policy preference to redirect folders. If you provide home folders using a different share name, see [[#Using Group Policy Folder Redirection|Using Group Policy Folder Redirection]].<br />
<br />
To create a group policy preference for the domain that automatically redirects profile folders to the user's home folder:<br />
<br />
* Log in to a computer using an account that is allowed to edit group policies, such as the AD domain <code>Administrator</code> account.<br />
<br />
* Open the <code>Group Policy Management Console</code>. If you do not already have the Remote Server Administration Tools (RSAT) installed on this computer, see [[Installing RSAT|Installing RSAT]].<br />
<br />
* Right-click your AD domain and select <code>Create a GPO in this domain, and Link it here</code>.<br />
<br />
:[[Image:GPMC_Create_GPO.png]]<br />
<br />
* Enter a name for the GPO, such as <code>Folder Redirections</code>. The new GPO is shown below the domain entry.<br />
<br />
* Right-click the newly-created GPO and select <code>Edit</code> to open the <code>Group Policy Management Editor</code>.<br />
<br />
* Navigate to the <code>User Configuration</code> &rarr; <code>Preferences</code> &rarr; <code>Windows Settings</code> entry.<br />
<br />
* Right-click the <code>Registry</code> entry in the navigation and select <code>New</code> &rarr; <code>Registry Item</code>.<br />
<br />
* Set the following:<br />
:* Action: <code>Replace</code><br />
:* Hive: <code>HKEY_CURRENT_USER</code><br />
:* Key Path: <code>Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code><br />
:* Value name: For example, to redirect the <code>Documents</code> folder, enter: <code>Personal</code><br />
:: For the value names of other folders you can redirect, see the values stored under the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> key in your local Windows registry.<br />
:* Value type: <code>REG_EXPAND_SZ</code><br />
:* Value data: For example: <code>\\server\%USERNAME%\Documents</code><br />
:: Windows automatically replaces the <code>%USERNAME%</code> variable with the name of the current user when the policy is applied.<br />
<br />
:[[Image:GPME_Folder_Redirection_GP_Preference_Documents.png]]<br />
<br />
* Optionally, redirect other folders in the same way.<br />
<br />
* Close the <code>Group Policy Management Editor</code>. The GPOs are automatically saved on the <code>Sysvol</code> share on the domain controller (DC).<br />
<br />
* Close the <code>Group Policy Management Console</code>.<br />
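A registry preference item created this way is stored on SYSVOL as <code>User\Preferences\Registry\Registry.xml</code> below the GPO's <code>{GUID}</code> directory, where every domain user can read it. The following script is an added example and not Samba or Microsoft code: it lists the <code>User Shell Folders</code> values such a file sets and checks each target against the shape this procedure expects (a UNC path on the intended server, containing <code>%USERNAME%</code>, of type <code>REG_EXPAND_SZ</code>). It reads the <code>action</code>, <code>hive</code>, <code>key</code>, <code>name</code>, <code>type</code> and <code>value</code> attributes of the <code>Properties</code> element; the constructed sample omits the <code>clsid</code>, <code>uid</code> and <code>changed</code> attributes a real file also carries.<br />
<br />
```python
"""List and sanity-check User Shell Folders redirections in a GPP Registry.xml.

Added example, not Samba project code. A Registry preference item stores its
settings as attributes of a <Properties> element (action, hive, key, name,
type, value); a real file also carries clsid, uid and changed attributes,
which the constructed sample below omits.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

USER_SHELL_FOLDERS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
# GPP registry item actions: C=Create, R=Replace, U=Update, D=Delete
ACTIONS = {"C": "Create", "R": "Replace", "U": "Update", "D": "Delete"}


@dataclass(frozen=True)
class Redirection:
    folder: str      # value name, e.g. "Personal" is the Documents folder
    action: str
    value_type: str
    target: str


def parse_registry_xml(xml_text: str) -> list[Redirection]:
    """Return every HKCU User Shell Folders value the preference sets."""
    root = ET.fromstring(xml_text)
    found = []
    for props in root.iter("Properties"):
        if props.get("hive") != "HKEY_CURRENT_USER":
            continue
        if (props.get("key") or "").lower() != USER_SHELL_FOLDERS.lower():
            continue
        found.append(Redirection(folder=props.get("name", ""),
                                 action=ACTIONS.get(props.get("action", ""), "unknown"),
                                 value_type=props.get("type", ""),
                                 target=props.get("value", "")))
    return found


def check_redirection(r: Redirection, expected_server: str) -> list[str]:
    """Findings for one redirection; an empty list means it looks as intended."""
    findings = []
    if r.action == "Delete":
        return findings  # nothing is written for a Delete item
    if not r.target.startswith("\\\\"):
        findings.append(f"{r.folder}: target {r.target!r} is not a UNC path")
    else:
        server = r.target[2:].split("\\", 1)[0]
        if server.lower() != expected_server.lower():
            findings.append(f"{r.folder}: target server {server!r} is not {expected_server!r}")
    if "%USERNAME%" not in r.target.upper():
        findings.append(f"{r.folder}: target has no %USERNAME%, all users would share one folder")
    if r.value_type != "REG_EXPAND_SZ":
        findings.append(f"{r.folder}: type {r.value_type} differs from the REG_EXPAND_SZ this procedure uses")
    return findings


def audit(xml_text: str, expected_server: str) -> list[str]:
    out = []
    for r in parse_registry_xml(xml_text):
        out.extend(check_redirection(r, expected_server))
    return out


# Constructed sample: one item exactly as described on this page, and one that
# points every user at a single folder on a different server.
SAMPLE_REGISTRY_XML = r"""<RegistrySettings>
  <Registry name="Personal" status="Personal">
    <Properties action="R" hive="HKEY_CURRENT_USER"
      key="Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
      name="Personal" type="REG_EXPAND_SZ" value="\\server\%USERNAME%\Documents"/>
  </Registry>
  <Registry name="My Pictures" status="My Pictures">
    <Properties action="R" hive="HKEY_CURRENT_USER"
      key="Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
      name="My Pictures" type="REG_SZ" value="\\otherhost\pictures"/>
  </Registry>
</RegistrySettings>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REGISTRY_XML, "server"):
        print(finding)
```
<br />
Run against the real <code>Registry.xml</code> files under <code>Policies\{GUID}\User\Preferences\Registry\</code> on SYSVOL, the script gives a quick list of where each redirected folder actually points, which is worth checking after any change to the GPO since every domain user can read these files and a redirection to the wrong server silently moves user data there.<br />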
<br />
The policy is applied to users in the domain at their next logon.</div>Pgoetzhttps://wiki.samba.org/index.php?title=Configuring_Windows_Profile_Folder_Redirections&diff=17930Configuring Windows Profile Folder Redirections2021-11-02T07:24:19Z<p>Pgoetz: </p><br />
<hr />
<div>= Introduction =<br />
<br />
Using the default settings, roaming Windows user profiles include folders that can contain a large amount of data, such as <code>Documents</code>, <code>Downloads</code>, and <code>Pictures</code>. When the user logs in, this data is transferred from the server to the domain member, and back to the server when the user logs out. Folder redirection enables you to point these folders to a location outside of the Windows user profile, which reduces the size of the profile.<br />
<br />
Because the user profile can contain sensitive information, you should redirect the folder to a secured area that only the profile owner can access, such as the [[User Home Folders|user's home folder]].<br />
<br />
<br />
= Setting Folder Redirections =<br />
<br />
== In an Active Directory ==<br />
<br />
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}}<br />
<br />
== In an NT4 Domain ==<br />
<br />
NT4 policies are only supported by the following Windows versions:<br />
* Windows NT 4.0 - Windows XP<br />
* Windows NT Server 4.0 - Windows Server 2003 R2<br />
<br />
To create a folder redirection for the <code>Default User Policy</code> entry:<br />
<br />
* Log in to a computer using an account that is allowed to edit NT4 policies, such as the NT4 domain <code>Administrator</code> account.<br />
<br />
* Open the <code>System Policy Editor</code> (poledit.exe). This application is stored on the Windows Server CD-ROM and part of the MS Office 2000 Resource Kit. For further details, see [http://support.microsoft.com/kb/910203 KB910203].<br />
<br />
* Select <code>Options</code> &rarr; <code>Policy Template</code> and open an <code>*.adm</code> file that contains policies for folder redirection.<br />
:[[Image:Poledit_Opening_an_ADM_File.png]]<br />
<br />
* Create a new policy or open an existing one.<br />
<br />
* Double-click <code>Default User</code>.<br />
<br />
* Navigate to the folder redirection settings. The location depends on the structure of the ADM file you use.<br />
<br />
* Select the folder to redirect and enter the path to the destination. For example, to redirect the <code>Documents</code> folder to <code>H:\My Documents</code>:<br />
:[[Image:Poledit_Folder_Redirection_Documents.png]]<br />
<br />
* Optionally, redirect other folders in the same way.<br />
<br />
* Click <code>OK</code>.<br />
<br />
* Save the policy in the <code>\\''PDC_name''\netlogon\ntconfig.pol</code> file. Note that all domain users must have permission to read the file, and only administrators should be able to modify it: a user who can write this file can push settings to every client that applies the policy.<br />
<br />
The policy is applied to users in the domain at their next logon.<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]<br />
[[Category:NT4 Domains]]</div>Pgoetzhttps://wiki.samba.org/index.php?title=Group_Policy&diff=17929Group Policy2021-10-30T14:08:59Z<p>Pgoetz: /* Installing Samba ADMX Templates */</p>
<hr />
<div>= Introduction =<br />
<br />
This document describes how to manage domain members using Group Policy.<br />
<br />
= About Group Policy =<br />
<br />
Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under <code>groupPolicyContainer</code> objects. These objects provide the <code>gPCFileSysPath</code> attribute, which points to the policy data stored on the domain's SYSVOL share. Policies are refreshed at a random interval between 90 and 120 minutes.<br />
<br />
Policies can be manually enforced on a Linux domain member using the <code>samba-gpupdate --force</code> command.<br />
<br />
On a Windows domain member, policies are enforced using the <code>gpupdate /force</code> command.<br />
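Which GPOs a client processes is determined by the <code>gPLink</code> attribute of the site, domain and organizational unit objects, which names the <code>groupPolicyContainer</code> objects in order and carries per-link options (a detail the text above leaves implicit). The following script is an added example, not Samba project code: it decodes a <code>gPLink</code> value into its links, the link options (<code>1</code> = link disabled, <code>2</code> = enforced) and the SYSVOL directory each linked GPO maps to. The sample attribute value is constructed; its first GUID is the well-known Default Domain Policy GUID that also appears in the <code>samba-tool gpo listall</code> output on this page, the other two are made up.<br />
<br />
```python
"""Decode an Active Directory gPLink attribute into ordered GPO links.

Added example, not Samba project code. gPLink link options and the
gPCFileSysPath layout follow the Group Policy protocol; SAMPLE_GPLINK below
is constructed for this demonstration.
"""
import re
from dataclasses import dataclass

GPLINK_OPT_DISABLED = 0x1  # link is present but not applied
GPLINK_OPT_ENFORCED = 0x2  # link cannot be blocked by a child container

# One link: [LDAP://<groupPolicyContainer DN>;<options>]
_LINK_RE = re.compile(r"\[LDAP://([^;\]]+);(\d+)\]", re.IGNORECASE)
_GUID_RE = re.compile(r"CN=(\{[0-9A-F-]{36}\})", re.IGNORECASE)


@dataclass(frozen=True)
class GpoLink:
    dn: str        # DN of the groupPolicyContainer object
    guid: str      # {GUID} that names the GPO directory on SYSVOL
    disabled: bool
    enforced: bool

    def sysvol_path(self, domain: str) -> str:
        # gPCFileSysPath layout: \\<domain>\sysvol\<domain>\Policies\{GUID}
        return f"\\\\{domain}\\sysvol\\{domain}\\Policies\\{self.guid}"


def parse_gplink(gplink: str) -> list[GpoLink]:
    """Return the links in the order they appear in the attribute value.

    Raises ValueError on anything that is not a sequence of well-formed links,
    so a hand-edited or tampered attribute is reported instead of being
    partially applied.
    """
    text = (gplink or "").strip()
    links: list[GpoLink] = []
    pos = 0
    while pos < len(text):
        m = _LINK_RE.match(text, pos)
        if m is None:
            raise ValueError(f"malformed gPLink at offset {pos}: {text[pos:]!r}")
        dn, opts = m.group(1), int(m.group(2))
        g = _GUID_RE.search(dn)
        if g is None:
            raise ValueError(f"no GPO GUID in link DN: {dn}")
        links.append(GpoLink(dn=dn,
                             guid=g.group(1).upper(),
                             disabled=bool(opts & GPLINK_OPT_DISABLED),
                             enforced=bool(opts & GPLINK_OPT_ENFORCED)))
        pos = m.end()
    return links


def is_valid_gplink(gplink: str) -> bool:
    try:
        parse_gplink(gplink)
    except ValueError:
        return False
    return True


def applied_links(gplink: str) -> list[GpoLink]:
    """Links a client would process: disabled links are skipped."""
    return [link for link in parse_gplink(gplink) if not link.disabled]


# Constructed sample: the first GUID is the well-known Default Domain Policy,
# the second (enforced) and third (disabled) are made up for this example.
SAMPLE_GPLINK = (
    "[LDAP://CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,"
    "DC=samdom,DC=example,DC=com;0]"
    "[LDAP://CN={A1B2C3D4-0000-4000-8000-000000000001},CN=Policies,CN=System,"
    "DC=samdom,DC=example,DC=com;2]"
    "[LDAP://CN={A1B2C3D4-0000-4000-8000-000000000002},CN=Policies,CN=System,"
    "DC=samdom,DC=example,DC=com;1]"
)

if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        state = "disabled" if link.disabled else ("enforced" if link.enforced else "enabled")
        print(f"{link.guid} {state:8} {link.sysvol_path('samdom.example.com')}")
```
<br />
Feeding the script the <code>gPLink</code> value of an OU (for example from an <code>ldbsearch</code> or <code>ldapsearch</code> result) shows exactly which GPO directories on SYSVOL a client in that OU will read, which is the starting point for checking who can write to those directories.<br />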
<br />
= Configuring Group Policy =<br />
<br />
== Enabling Group Policy on a Domain Member ==<br />
<br />
=== Winbind ===<br />
<br />
To enable Group Policy application in winbind, set the global option ''apply group policies'' to yes.<br />
<br />
<code>apply group policies = yes</code><br />
<br />
=== SSSD ===<br />
<br />
Group Policy application can be enforced using [https://github.com/openSUSE/oddjob-gpupdate oddjob-gpupdate]. The samba-gpupdate command from Samba must be installed.<br />
<br />
=== Windows ===<br />
<br />
Group Policy is automatically enabled in Windows domain members.<br />
<br />
== Installing Samba ADMX Templates ==<br />
<br />
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.<br />
<br />
<code>samba-tool gpo admxload -U Administrator</code><br />
<br />
The ''samba-tool gpo admxload'' command copies the Samba ADMX templates to the ''<domain>''/Policies/PolicyDefinitions directory on the SYSVOL share.<br />
<br />
If you have more than one domain controller, run the command with <code>-H</code> to ensure the ADMX templates are installed on the intended DC, for example:<br />
<br />
<code>samba-tool gpo admxload -H dc1.samdom.example.com -U Administrator</code><br />
<br />
{{Imbox<br />
| type = warning<br />
| text = After installing the Samba ADMX templates, you MUST install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates] also, otherwise you will be unable to administer Windows domain members.<br />
}}<br />
<br />
To install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates]:<br />
msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2020\ Update.msi<br />
samba-tool gpo admxload -U Administrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2020\ Update\ \(20H2\)/PolicyDefinitions/<br />
<br />
{{Imbox<br />
| type = note<br />
| text = The <code>msiextract</code> command can be found in the ''msitools'' package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch Linux (in the AUR).<br />
}}<br />
<br />
== Creating a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
<br />
Open the Group Policy Management Console (which is part of the Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".<br />
<br />
Enter the name of the new Group Policy in the dialog that appears, then click OK.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, to create a Group Policy Object from the command line, issue the <code>samba-tool gpo create</code> command. To then link it to a container, issue the <code>samba-tool gpo setlink</code> command.<br />
<br />
<br />
== Editing a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing.<br />
<br />
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, some Group Policies can be managed using the <code>samba-tool gpo manage</code> command.<br />
<br />
<br />
== Listing Existing Group Policies ==<br />
<br />
List existing Group Policies using the <code>samba-tool gpo listall</code> command.<br />
<br />
# samba-tool gpo listall -UAdministrator<br />
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}<br />
display name : Default Domain Policy<br />
path : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}<br />
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com<br />
version : 2097290<br />
flags : NONE<br />
<br />
The first attribute of each GPO listed is the GUID (Globally Unique Identifier) of the GPO (in the form {31B2F340-016D-11D2-945F-00C04FB984F9}). You'll need this GUID in order to identify the GPO in other <code>samba-tool gpo</code> commands.<br />
<br />
== Removing Policy from a Domain Member ==<br />
<br />
=== Linux Domain Member ===<br />
<br />
To remove policies applied to a domain member, issue the command:<br />
<br />
samba-gpupdate --unapply --target=Computer<br />
<br />
Or, to remove applied user policy:<br />
<br />
samba-gpupdate --unapply --target=User -U<username><br />
<br />
Only a user with root privileges can remove applied policy.<br />
<br />
=== Windows Domain Member ===<br />
<br />
Windows does not provide a feature for removing policy. The only work-around is to unjoin the domain, then force an apply with:<br />
<br />
gpupdate /force /boot<br />
<br />
= Linux Domain Member Policies =<br />
<br />
Linux domain member policies are applied using the <code>samba-gpupdate</code> command. These policies are non-tattooing, meaning that when a Group Policy Object is unlinked from a computer or user, the settings it applied are also removed from the associated domain member.<br />
<br />
== smb.conf Policies ==<br />
<br />
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute <code>smb.conf</code> global options to the client. This policy cannot set <code>idmap</code> options.<br />
<br />
<br />
<br />
== Password and Kerberos Policies ==<br />
<br />
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.<br />
<br />
The following password policies are applicable:<br />
* Minimum password age<br />
* Maximum password age<br />
* Minimum password length<br />
* Password must meet complexity requirements<br />
<br />
And Kerberos policies:<br />
* Maximum ticket age (Maximum lifetime for user ticket)<br />
* Maximum service age (Maximum lifetime for service ticket)<br />
* Maximum renew age (Maximum lifetime for user ticket renewal)<br />
<br />
<br />
<br />
== Script Policies ==<br />
<br />
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.<br />
<br />
To add a script policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.<br />
<br />
[[File:Scripts_gpo1.png]]<br />
<br />
Script policies are applied as cron jobs on the winbind client.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i <br />
#!/bin/sh<br />
whoami > /daily.log<br />
<br />
<br />
=== Startup Script Policies ===<br />
<br />
Startup script policies allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the <code>samba-tool gpo manage scripts startup</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'<br />
<br />
This command would upload the local script <code>test_script.sh</code> to the SYSVOL, then schedule it to run on clients at startup and will pass the parameter '-n' to the script when it runs. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Files Policy ==<br />
<br />
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the <code>samba-tool gpo manage files</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600<br />
<br />
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This policy is useful to use in conjunction with the Scripts policy.<br />
<br />
== Symlink Policies ==<br />
<br />
The symlink policy creates symbolic links on client machines. This policy is set via the <code>samba-tool gpo manage symlink</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target<br />
<br />
This policy will cause clients to symlink the source to the target. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Sudoers Policies ==<br />
<br />
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.<br />
<br />
To add a sudo policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg<br />
<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
tux ALL=(ALL) NOPASSWD: ALL<br />
<br />
<br />
=== VGP Sudoers Policies ===<br />
<br />
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the <code>samba-tool gpo manage sudoers</code> command.<br />
<br />
For example, to add an entry for the user 'fakeu':<br />
<br />
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This will create the following entry within /etc/sudoers.d:<br />
> cat /etc/sudoers.d/gp_XXXXX<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL<br />
<br />
{{Imbox<br />
| type = note<br />
| text = Samba Sudoers and VGP Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping.<br />
}}<br />
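Both the Samba Sudoers policy and the VGP Sudoers policy end up as rules of the form shown above in <code>/etc/sudoers.d/gp_*</code>, and a rule like <code>tux ALL=(ALL) NOPASSWD: ALL</code> is full, password-less root on every client the GPO reaches. The following script is an added example, not Samba code: it parses such a drop-in (this rule shape plus explicit command lists) and reports every principal that is granted any command as any user, with or without a password, so that generated files can be reviewed after a policy change. The sample drop-in content is constructed.<br />
<br />
```python
"""Audit Samba-generated sudoers drop-ins for overly broad rules.

Added example, not Samba code. Both the Samba Sudoers CSE and the VGP Sudoers
CSE write "user_list ALL=(ALL) NOPASSWD: ALL" style rules into /etc/sudoers.d;
this parser covers that rule shape plus explicit command lists and flags rules
that grant every command, as any user, with or without a password. The sample
drop-in content is constructed.
"""
import re
from dataclasses import dataclass

# user_list hosts=(runas) [TAG: ...] commands
_RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass(frozen=True)
class SudoRule:
    users: tuple[str, ...]   # "%name" is a group, "name" a user
    hosts: str
    runas: str
    tags: tuple[str, ...]
    commands: str


def parse_sudoers(text: str) -> list[SudoRule]:
    """Parse the user-specification lines of a sudoers drop-in."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _RULE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised sudoers line: {line!r}")
        rules.append(SudoRule(
            users=tuple(u for u in m["users"].split(",") if u),
            hosts=m["hosts"],
            runas=m["runas"].strip(),
            tags=tuple(t.rstrip(":") for t in m["tags"].split()),
            commands=m["cmds"].strip(),
        ))
    return rules


def grants_everything(rule: SudoRule) -> bool:
    """True when the rule allows any command as any target user."""
    return rule.commands == "ALL" and rule.runas.split(":")[0] == "ALL"


def findings(rules: list[SudoRule]) -> list[str]:
    out = []
    for rule in rules:
        if not grants_everything(rule):
            continue
        how = "without a password" if "NOPASSWD" in rule.tags else "with a password"
        for principal in rule.users:
            kind = "group" if principal.startswith("%") else "user"
            out.append(f"{kind} {principal}: any command as any user {how}")
    return out


def audit_sudoers(text: str) -> list[str]:
    return findings(parse_sudoers(text))


# Constructed sample in the shape of a generated /etc/sudoers.d/gp_* file.
SAMPLE_SUDOERS = """\
### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. DO NOT MODIFY THIS FILE DIRECTLY.
#

tux ALL=(ALL) NOPASSWD: ALL
%admins ALL=(ALL) ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```
<br />
Run over <code>/etc/sudoers.d/gp_*</code> after <code>samba-gpupdate --force</code>, the output lists exactly which accounts and groups the policy has made root-equivalent on that client; the rsync rule in the sample is not reported because it is limited to one command and one target user.<br />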
<br />
== Message Policies ==<br />
<br />
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.<br />
<br />
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/motd<br />
This message is distributed by Samba!<br />
<br />
To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/issue<br />
Samba Group Policy \s \r \l<br />
<br />
<br />
=== VGP Message Policies ===<br />
<br />
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the <code>samba-tool gpo manage motd</code> and <code>samba-tool gpo manage issue</code> commands. <br />
<br />
{{Imbox<br />
| type = warning<br />
| text = Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.<br />
}}<br />
<br />
== PAM Access Policies ==<br />
<br />
PAM Access policies set access rules within <code>/etc/security/access.d</code>. These policies are set using the <code>samba-tool gpo manage access</code> command. This policy is compatible with Vintela's Access Group Policy.<br />
<br />
For example, to add an allow policy for the user (or group) goodguy in the domain example.com:<br />
<br />
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com<br />
<br />
This will set the policy on the SYSVOL to the GPO specified by the GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the vgp_access_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
 -:example.com\goodguy:ALL<br />
<br />
In <code>access.conf</code> syntax a line beginning with <code>+</code> grants access and a line beginning with <code>-</code> denies it, and the first matching line wins; a line beginning with <code>-</code>, like the one shown, therefore denies the listed user rather than allowing it. After applying the policy, compare the generated file with the action you added (<code>allow</code> or <code>deny</code>) and confirm that a matching user is actually accepted or rejected at login as intended.<br />
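Because a single character decides whether a generated rule grants or denies access, it helps to evaluate the file the way <code>pam_access</code> does before relying on it. The following script is an added example, not Samba code: it implements the first-match semantics of <code>access.conf</code> lines of the form <code>permission:users:origins</code> for the subset of the syntax these generated files use (<code>+</code> or <code>-</code>, <code>ALL</code>, <code>DOMAIN\user</code> names, host names); the <code>EXCEPT</code> keyword and <code>@netgroup</code> entries are rejected rather than guessed at, and names are compared case-insensitively, which is an assumption of this example. The sample rule text is constructed.<br />
<br />
```python
"""Evaluate pam_access rules of the kind the PAM Access policy writes.

Added example, not Samba code. It implements the first-match semantics of
access.conf lines "permission:users:origins" for the subset of the syntax
the generated files use (+ or -, ALL, DOMAIN\\user names, host names). The
EXCEPT keyword and @netgroup entries are rejected rather than guessed at.
Sample rule text is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRule:
    allow: bool
    users: tuple[str, ...]
    origins: tuple[str, ...]


def parse_access_conf(text: str) -> list[AccessRule]:
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split(":", 2)
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError(f"bad access.conf line: {raw!r}")
        perm, users, origins = fields
        user_list, origin_list = users.split(), origins.split()
        if ("EXCEPT" in user_list or "EXCEPT" in origin_list
                or any(u.startswith("@") for u in user_list)):
            raise ValueError(f"unsupported syntax in line: {raw!r}")
        rules.append(AccessRule(
            allow=(perm == "+"),
            users=tuple(u.lower() for u in user_list),
            origins=tuple(o.lower() for o in origin_list),
        ))
    return rules


def _matches(tokens: tuple[str, ...], value: str) -> bool:
    # "ALL" matches anything; otherwise exact comparison. Both sides are
    # lower-cased, so matching is case-insensitive (an assumption here).
    return any(t == "all" or t == value for t in tokens)


def is_allowed(rules: list[AccessRule], user: str, origin: str) -> bool:
    """First matching rule decides; pam_access grants access if no rule matches."""
    user, origin = user.lower(), origin.lower()
    for rule in rules:
        if _matches(rule.users, user) and _matches(rule.origins, origin):
            return rule.allow
    return True


# Constructed sample: allow one domain account from anywhere, deny everyone else.
SAMPLE_ACCESS_CONF = r"""### autogenerated by samba
+:example.com\goodguy:ALL
-:ALL:ALL
"""

if __name__ == "__main__":
    rules = parse_access_conf(SAMPLE_ACCESS_CONF)
    for user in (r"example.com\goodguy", r"example.com\badguy", "root"):
        print(user, "allowed" if is_allowed(rules, user, "192.0.2.10") else "denied")
```
<br />
Pointing the script at the generated <code>0000000001_gp.conf</code> shows, for a given user and origin, the decision <code>pam_access</code> will take, and the same check makes a rule that was written with <code>-</code> instead of <code>+</code> visible immediately.<br />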
== Certificate Auto Enrollment ==<br />
<br />
{{:Certificate_Auto_Enrollment}}<br />
<br />
<br />
== Firefox Policy ==<br />
<br />
Firefox policies can be administered using the mozilla templates [https://github.com/mozilla/policy-templates/releases available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate two policy files on the local host:<br />
<br />
/usr/lib64/firefox/distribution/policies.json<br />
/etc/firefox/policies/policies.json<br />
<br />
Both are valid locations for a Firefox policy file, but the location Firefox expects changed recently, so both are written.<br />
<br />
== Chromium/Chrome Policy ==<br />
<br />
Chromium and Google Chrome policies can be administered using the templates [https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate four policy files on the local host:<br />
<br />
/etc/chromium/policies/managed/policies.json<br />
/etc/chromium/policies/recommended/policies.json<br />
/etc/opt/chrome/policies/managed/policies.json<br />
/etc/opt/chrome/policies/recommended/policies.json<br />
<br />
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.<br />
<br />
== GNOME Settings ==<br />
<br />
GNOME Settings policies are found in the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools) > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:<br />
<br />
samba-tool gpo admxload -UAdministrator<br />
<br />
These policies manage some GNOME user settings, [https://help.gnome.org/admin/system-admin-guide/stable/user-settings.html.en as described in the GNOME system admin guide], such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and repartitioning. There is also a general method for setting any specific GNOME lockdown value.<br />
<br />
== OpenSSH Policy ==<br />
<br />
OpenSSH policy writes settings to a file in <code>/etc/ssh/sshd_config.d</code>. These policies can be set using the <code>samba-tool gpo manage openssh</code> command. For the settings to take effect, <code>/etc/ssh/sshd_config</code> must include that directory, and because <code>sshd</code> uses the first value it reads for each keyword, the <code>Include</code> line must appear before any conflicting setting in <code>sshd_config</code>.<br />
<br />
For example, to enable Kerberos authentication in OpenSSH:<br />
<br />
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
= Windows Domain Member Policies =<br />
<br />
== User Home Folders ==<br />
<br />
{{:Using_a_Group_Policy_Preference}}<br />
<br />
== Folder Redirection ==<br />
<br />
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}}<br />
<br />
== Restricted Groups ==<br />
<br />
{{:Managing_local_groups_on_domain_members_via_GPO_restricted_groups}}<br />
<br />
= Resultant Set of Policy =<br />
<br />
The Resultant Set of Policy assists in troubleshooting policy implementation. It is a report indicating what policies have been, or what will be, applied to a domain member.<br />
<br />
== Linux Domain Member ==<br />
<br />
To display the Resultant Set of Policy, use the <code>samba-gpupdate --rsop</code> command:<br />
<br />
linux-h7xz:~ # samba-gpupdate --rsop<br />
Resultant Set of Policy<br />
Computer Policy<br />
<br />
GPO: Default Domain Policy<br />
================================================================================================<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_scripts_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sudoers_ext<br />
-----------------------------------------------------------<br />
Policy Type: Sudo Rights<br />
-----------------------------------------------------------<br />
[ tux ALL=(ALL) NOPASSWD: ALL ]<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_smb_conf_ext<br />
-----------------------------------------------------------<br />
Policy Type: smb.conf<br />
-----------------------------------------------------------<br />
[ apply group policies ] = 1<br />
[ client max protocol ] = SMB2_02<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_msgs_ext<br />
-----------------------------------------------------------<br />
Policy Type: /etc/motd<br />
-----------------------------------------------------------<br />
This message is distributed by Samba!<br />
-----------------------------------------------------------<br />
Policy Type: /etc/issue<br />
-----------------------------------------------------------<br />
Samba Group Policy \s \r \l<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
================================================================================================<br />
<br />
== Windows Domain Member ==<br />
<br />
To view the Resultant Set of Policy on a Windows domain member:<br />
<br />
# Open the Microsoft Management Console<br />
# Click File > Add/Remove Snap-in<br />
# Select the Resultant Set of Policy, and then click Add.<br />
# Click OK<br />
<br />
----<br />
[[Category:Active Directory]]</div>Pgoetzhttps://wiki.samba.org/index.php?title=Managing_local_groups_on_domain_members_via_GPO_restricted_groups&diff=17917Managing local groups on domain members via GPO restricted groups2021-10-24T09:53:38Z<p>Pgoetz: /* Modify local group membership and keep existing members */</p>
<hr />
<div>=== Introduction ===<br />
<br />
AD administrators often need to manage the local group memberships of Windows workstations and servers centrally. The Restricted Groups feature of Group Policy is a simple way to accomplish this and works in a Samba AD as well as in a Microsoft-controlled AD domain.<br />
<br />
Restricted Groups are a non-tattooing setting. This means that if you undo the change in the GPO, the affected computers revert to their previous state after the next GPO refresh.<br />
<br />
A best practice is to add only AD groups, instead of individual user accounts, to local groups. This allows changes to be made in a central place (AD), by adding or removing members of the group, instead of modifying the GPO.<br />
<br />
For simplicity, all examples in this documentation are configured at domain level through the Default Domain Policy. Of course, the same is possible in self-created GPOs and at OU level.<br />
<br />
<br />
<br />
<br />
<br />
=== Preconditions ===<br />
<br />
* Installed Group Policy Management Console. It is part of the [[Installing RSAT|Remote Server Administration Tools (RSAT)]].<br />
<br />
* The examples below add the AD domain group „SAMDOM\Wks Admins“. Groups can be added to the AD using 'samba-tool' or Active Directory Users and Computers (ADUC).<br />
<br />
<br />
<br />
<br />
<br />
=== Modify local group membership and keep existing members ===<br />
<br />
This is the most common use case: an AD group should be added as a member of a local group, while all existing members remain untouched.<br />
<br />
''<u>Example</u>: The AD domain group „SAMDOM\Wks Admins“ should be added to the local „Administrators“ group on all computers in the domain (workstations and servers). The members of this domain group can be managed centrally in AD, which allows member accounts to have local administrator permissions on all Windows computers without knowing the Domain Administrator password or being a member of the „Domain Admins“ group. All existing members of the local „Administrators“ group should stay. Only the domain group „SAMDOM\Wks Admins“ should be added.''<br />
<br />
* Create a domain group „Wks Admins“, using 'samba-tool' or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).<br />
<br />
* Open the Group Policy Management Console<br />
<br />
* Select the "Default Domain Policy". Verify that the "Authenticated Users" principal is listed in the "Security Filters" list (this is the default). If the principal is not part of the list, add it. In case you removed this principal intentionally, you must alternatively add the computer account(s) to the list and grant "read" permissions. For details, see [https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14,-2016 MS16-072].<br />
<br />
* Right-click „Default Domain Policy“ and choose „Edit...“<br />
<br />
:[[Image:GPMC_Edit_Default_Domain_Policy.png]]<br />
<br />
* The Group Policy Management Editor opens<br />
<br />
* Navigate to „Computer Configuration“ / „Policies“ / „Windows Settings“ / „Security Settings“ / „Restricted Groups“, right-click it and choose „Add group...“.<br />
<br />
:[[Image:GPME_Right-click_Restricted_Group.png]]<br />
<br />
* Enter the name of the AD group „SAMDOM\Wks Admins“ by browsing your directory and click „OK“.<br />
<br />
:[[Image:GPME_Add_restricted_group_Domain.png]]<br />
<br />
* The properties window opens. Click the „Add“ button next to the „This group is a member of“ box.<br />
<br />
:[[Image:GPME_Group_is_a_member_of_Add_button.png]]<br />
<br />
* Enter the local „Administrators“ group name. If you use the „Browse“ button, select the local computer via the „Locations...“ button in the window that opens, so that you browse local security objects instead of AD objects!<br />
<br />
:[[Image:GPME_Add_local_Administrators_group.png]]<br />
<br />
* You see the local „Administrators“ group entry in the „This group is a member of“ list.<br />
<br />
:[[Image:GPME_Group_is_a_member_of.png]]<br />
<br />
* Click „OK“.<br />
<br />
After the clients have re-read the changed group policy, the domain group „SAMDOM\Wks Admins“ will appear in the local „Administrators“ group on each client affected by the GPO. All existing members of this group stay untouched.<br />
<br />
:[[Image:Local_Administrators_Group_GroupIsMemberOf.png]]<br />
<br />
=== Explicit control of local group membership ===<br />
<br />
This procedure describes how to set the membership of a local group explicitly, replacing the existing members with the ones defined in the GPO. Use this with care, to ensure that you do not break existing permissions of accounts used by users and applications!<br />
<br />
''<u>Example</u>: On all computers in the domain (workstations and servers), the local Administrator and the domain group „SAMDOM\Wks Admins“ should be the only members of the local „Administrators“ group. All existing members of this group should be removed and just these two objects should be part of it.''<br />
<br />
* Create a domain group „Wks Admins“, using 'samba-tool' or Active Directory Users and Computers from the Remote Server Administration Tools (RSAT).<br />
<br />
* Open the Group Policy Management Console<br />
<br />
* Select the "Default Domain Policy". Verify that the "Authenticated Users" principal is listed in the "Security Filters" list (this is the default). If the principal is not part of the list, add it. In case you removed this principal intentionally, you must alternatively add the computer account(s) to the list and grant "read" permissions. For details, see [https://support.microsoft.com/en-gb/help/3159398/ms16-072-description-of-the-security-update-for-group-policy-june-14,-2016 MS16-072].<br />
<br />
* Right-click „Default Domain Policy“ and choose „Edit...“<br />
<br />
:[[Image:GPMC_Edit_Default_Domain_Policy.png]]<br />
<br />
* The Group Policy Management Editor opens<br />
<br />
* Navigate to „Computer Configuration“ / „Policies“ / „Windows Settings“ / „Security Settings“ / „Restricted Groups“, right-click it and choose „Add group...“.<br />
<br />
:[[Image:GPME_Right-click_Restricted_Group.png]]<br />
<br />
* Enter the local „Administrators“ group name. If you use the „Browse“ button, select the local computer via the „Locations...“ button in the window that opens, so that you browse local security objects instead of AD objects!<br />
<br />
:[[Image:GPME_Add_restricted_group_Local.png]]<br />
<br />
* Click the „Add“ button next to the „Members of this group“ box.<br />
<br />
:[[Image:GPME_Members_of_this_group_Add_button.png]]<br />
<br />
* Enter the domain group „SAMDOM\Wks Admins“ and the local „Administrator“ account. If you use the „Browse“ button, select the domain or the local computer via the „Locations...“ button, to browse the domain or the local security objects respectively!<br />
<br />
:[[Image:GPME_Add_group_members.png]]<br />
<br />
* You see the local „Administrator“ account and the AD group „SAMDOM\Wks Admins“ in the „Members of this group“ list.<br />
<br />
:[[Image:GPME_Members_of_this_group.png]]<br />
<br />
* Click „OK“.<br />
<br />
After the clients have re-read the changed group policy, only the local „Administrator“ account and the domain group „SAMDOM\Wks Admins“ will appear in the local „Administrators“ group on each client affected by the GPO. All previous members have been replaced by these new members.<br />
<br />
:[[Image:Local_Administrators_Group_MemberOfGroup.png]]<br />
<br />
<br />
<br />
<br />
<br />
=== Force manual group policy refresh ===<br />
<br />
By default, Windows computers refresh and apply changed group policies every 90 minutes, with a random offset of 0 to 30 minutes. See [http://technet.microsoft.com/en-us/library/cc940895.aspx http://technet.microsoft.com/en-us/library/cc940895.aspx].<br />
<br />
To see if changes took effect, you can force an immediate refresh of all GPOs on a host by running:<br />
<br />
> gpupdate /force /target:computer<br />
<br />
The „/target:computer“ option reads only the „Computer Configuration“ part of GPOs.<br />
<br />
<br />
<br />
<br />
<br />
----<br />
[[Category:Active Directory]]</div>Pgoetzhttps://wiki.samba.org/index.php?title=Group_Policy&diff=17915Group Policy2021-10-23T21:49:36Z<p>Pgoetz: /* Installing Samba ADMX Templates */</p>
<hr />
<div>= Introduction =<br />
<br />
This document describes how to manage domain members using Group Policy.<br />
<br />
= About Group Policy =<br />
<br />
Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under groupPolicyContainer objects. These objects provide the gPCFileSysPath attribute, which points to policy information stored on the domain's SYSVOL share. Policies are enforced at a random interval between 90 and 120 seconds.<br />
<br />
Policies can be manually enforced on a Linux domain member using the <code>samba-gpupdate --force</code> command.<br />
<br />
On a Windows domain member, policies are enforced using the <code>gpupdate /force</code> command.<br />
<br />
= Configuring Group Policy =<br />
<br />
== Enabling Group Policy on a Domain Member ==<br />
<br />
=== Winbind ===<br />
<br />
To enable Group Policy application in winbind, set the global option ''apply group policies'' to yes.<br />
<br />
<code>apply group policies = yes</code><br />
<br />
=== SSSD ===<br />
<br />
Group Policy application can be enforced using [https://github.com/openSUSE/oddjob-gpupdate oddjob-gpupdate]. The samba-gpupdate command from Samba must be installed.<br />
<br />
=== Windows ===<br />
<br />
Group Policy is automatically enabled in Windows domain members.<br />
<br />
== Installing Samba ADMX Templates ==<br />
<br />
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.<br />
<br />
<code>samba-tool gpo admxload -U Administrator</code><br />
<br />
The ''samba-tool gpo admxload'' command copies the Samba ADMX templates to the ''<domain>''/Policies/PolicyDefinitions directory on the SYSVOL share.<br />
<br />
If you have more than one domain controller, you should run the command with the '-H' option to ensure the ADMX templates are installed on the correct DC, e.g.:<br />
<br />
<code>samba-tool gpo admxload -H dc1.samdom.example.com -U Administrator</code><br />
<br />
{{Imbox<br />
| type = warning<br />
| text = After installing the Samba ADMX templates, you MUST install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates] also, otherwise you will be unable to administer Windows domain members.<br />
}}<br />
<br />
To install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates]:<br />
msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2020\ Update.msi<br />
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2020\ Update\ \(20H2\)/PolicyDefinitions/<br />
<br />
{{Imbox<br />
| type = note<br />
| text = The msiextract command can be found in the ''msitools'' package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch Linux (in the AUR).<br />
}}<br />
<br />
== Creating a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
<br />
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing.<br />
<br />
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".<br />
<br />
Enter the name of the new Group Policy in the dialog that appears, then click OK.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, to create a Group Policy Object from the command line, issue the <code>samba-tool gpo create</code> command. To then link it to a container, issue the <code>samba-tool gpo setlink</code> command.<br />
<br />
<br />
== Editing a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing.<br />
<br />
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, some Group Policies can be managed using the <code>samba-tool gpo manage</code> command.<br />
<br />
<br />
== Listing Existing Group Policies ==<br />
<br />
List existing Group Policies using the <code>samba-tool gpo listall</code> command.<br />
<br />
# samba-tool gpo listall -UAdministrator<br />
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}<br />
display name : Default Domain Policy<br />
path : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}<br />
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com<br />
version : 2097290<br />
flags : NONE<br />
<br />
The first attribute of each GPO listed is the GUID (Globally Unique Identifier) of the GPO (in the form {31B2F340-016D-11D2-945F-00C04FB984F9}). You'll need this GUID in order to identify the GPO in other <code>samba-tool gpo</code> commands.<br />
<br />
== Removing Policy from a Domain Member ==<br />
<br />
=== Linux Domain Member ===<br />
<br />
To remove policies applied to a domain member, issue the command:<br />
<br />
samba-gpupdate --unapply --target=Computer<br />
<br />
Or, to remove applied user policy:<br />
<br />
samba-gpupdate --unapply --target=User -U<username><br />
<br />
Only a user with root privileges can remove applied policy.<br />
<br />
=== Windows Domain Member ===<br />
<br />
Windows does not provide a feature for removing policy. The only workaround is to unjoin the domain, then force an apply with:<br />
<br />
gpupdate /force /boot<br />
<br />
= Linux Domain Member Policies =<br />
<br />
Linux domain member policies are applied using the samba-gpupdate command. These policies are non-tattooing, meaning that when a Group Policy Object is removed from a computer or user, the policies are also removed from the associated domain member.<br />
<br />
== smb.conf Policies ==<br />
<br />
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy is unable to apply idmap policies.<br />
<br />
<br />
<br />
== Password and Kerberos Policies ==<br />
<br />
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.<br />
<br />
The following password policies are applicable:<br />
* Minimum password age<br />
* Maximum password age<br />
* Minimum password length<br />
* Password must meet complexity requirements<br />
<br />
And Kerberos policies:<br />
* Maximum ticket age (Maximum lifetime for user ticket)<br />
* Maximum service age (Maximum lifetime for service ticket)<br />
* Maximum renew age (Maximum lifetime for user ticket renewal)<br />
<br />
<br />
<br />
== Script Policies ==<br />
<br />
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.<br />
<br />
To add a script policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.<br />
<br />
[[File:Scripts_gpo1.png]]<br />
<br />
Script policies are applied as cron jobs on the winbind client.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i <br />
#!/bin/sh<br />
whoami > /daily.log<br />
<br />
<br />
=== Startup Script Policies ===<br />
<br />
Startup script policies allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the <code>samba-tool gpo manage scripts startup</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'<br />
<br />
This command uploads the local script <code>test_script.sh</code> to the SYSVOL, then schedules it to run on clients at startup, passing the parameter '-n' to the script when it runs. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Files Policy ==<br />
<br />
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the <code>samba-tool gpo manage files</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600<br />
<br />
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This policy is useful to use in conjunction with the Scripts policy.<br />
<br />
== Symlink Policies ==<br />
<br />
The symlink policy creates symbolic links on client machines. This policy is set via the <code>samba-tool gpo manage symlink</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target<br />
<br />
This policy will cause clients to symlink the source to the target. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Sudoers Policies ==<br />
<br />
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.<br />
<br />
To add a sudo policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg<br />
<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
tux ALL=(ALL) NOPASSWD: ALL<br />
<br />
<br />
=== VGP Sudoers Policies ===<br />
<br />
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the <code>samba-tool gpo manage sudoers</code> command.<br />
<br />
For example, to add an entry for the user 'fakeu' and the group 'fakeg':<br />
<br />
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This will create the following entry within /etc/sudoers.d:<br />
> cat /etc/sudoers.d/gp_XXXXX<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL<br />
<br />
{{Imbox<br />
| type = note<br />
| text = Samba Sudoers and VGP Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping.<br />
}}<br />
<br />
== Message Policies ==<br />
<br />
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.<br />
<br />
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/motd<br />
This message is distributed by Samba!<br />
<br />
To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/issue<br />
Samba Group Policy \s \r \l<br />
<br />
<br />
=== VGP Message Policies ===<br />
<br />
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the <code>samba-tool gpo manage motd</code> and <code>samba-tool gpo manage issue</code> commands. <br />
<br />
{{Imbox<br />
| type = warning<br />
| text = Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.<br />
}}<br />
<br />
== PAM Access Policies ==<br />
<br />
PAM Access policies set access rules within /etc/security/access.d. These policies are set using the <code>samba-tool gpo manage access</code> command. This policy is compatible with Vintela's Access Group Policy.<br />
<br />
For example, to add an allow policy for the user (or group) goodguy in the domain example.com:<br />
<br />
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com<br />
<br />
This will set the policy on the SYSVOL to the GPO specified by the GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the vgp_access_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
-:example.com\goodguy:ALL<br />
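<br />
The generated sudoers and access.d files above share a recognisable header, which makes it possible to tell GPO-managed rule files apart from ones added by hand. The audit script below is an added example, not Samba's own code: it parses /etc/sudoers.d and /etc/security/access.d drop-ins on that basis; the directory tree it builds under a temp directory is constructed sample data mirroring the outputs shown in the Sudoers and PAM Access sections, plus one hand-written sudoers file without the header.<br />
<br />
```python
"""Audit the rule files that Samba's Sudoers and PAM Access client-side
extensions write under /etc/sudoers.d and /etc/security/access.d.
Added example for this page, not Samba's own code. It separates GPO-managed
files (those carrying the '### autogenerated by samba' header shown above)
from files placed there by hand, and extracts the active rules from each."""
import os
import tempfile
from dataclasses import dataclass, field
from typing import List, Tuple

SAMBA_MARKER = "### autogenerated by samba"


@dataclass
class PolicyFile:
    name: str                                       # file name inside the directory
    managed: bool                                   # True when the Samba header is present
    rules: List[str] = field(default_factory=list)  # non-comment, non-blank lines


def parse_policy_file(path: str) -> PolicyFile:
    """The header comment marks a file as written by a Samba CSE; every other
    non-comment line is a rule that sudo or pam_access will enforce."""
    managed = False
    rules: List[str] = []
    with open(path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith(SAMBA_MARKER):
                managed = True
            elif line and not line.startswith("#"):
                rules.append(line)
    return PolicyFile(os.path.basename(path), managed, rules)


def audit_dir(directory: str) -> List[PolicyFile]:
    """Parse every regular file in the directory, in name order."""
    files = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            files.append(parse_policy_file(path))
    return files


def unmanaged_files(files: List[PolicyFile]) -> List[str]:
    """Files without the Samba header: local additions the GPO does not
    describe and that `samba-gpupdate --unapply` will not remove."""
    return [f.name for f in files if not f.managed]


def managed_rules(files: List[PolicyFile]) -> List[str]:
    """Rules that came from Group Policy, across all managed files."""
    return [r for f in files if f.managed for r in f.rules]


def access_rules(files: List[PolicyFile]) -> List[Tuple[str, str, str]]:
    """Split pam_access lines into (permission, users, origins); for example
    '-:example.com\\goodguy:ALL' becomes ('-', 'example.com\\goodguy', 'ALL')."""
    out = []
    for f in files:
        for rule in f.rules:
            parts = rule.split(":", 2)
            if len(parts) == 3 and parts[0] in ("+", "-"):
                out.append((parts[0], parts[1], parts[2]))
    return out


def build_sample_tree() -> Tuple[str, str]:
    """Constructed stand-in for /etc/sudoers.d and /etc/security/access.d so
    the audit runs offline: the two Samba-generated files shown on the page
    plus one hand-written sudoers drop-in (constructed) without the header."""
    root = tempfile.mkdtemp(prefix="gpo-audit-")
    sudoers_d = os.path.join(root, "sudoers.d")
    access_d = os.path.join(root, "access.d")
    os.makedirs(sudoers_d)
    os.makedirs(access_d)
    header = (SAMBA_MARKER + "\n#\n# This file is generated by a Samba Group Policy\n"
              "# Client Side Extension. DO NOT MODIFY THIS FILE DIRECTLY.\n#\n\n")
    with open(os.path.join(sudoers_d, "gp_eockoryg"), "w", encoding="utf-8") as fh:
        fh.write(header + "tux ALL=(ALL) NOPASSWD: ALL\n")
    with open(os.path.join(sudoers_d, "99-local"), "w", encoding="utf-8") as fh:
        fh.write("# added by hand, not by Group Policy (constructed)\nalice ALL=(ALL) ALL\n")
    with open(os.path.join(access_d, "0000000001_gp.conf"), "w", encoding="utf-8") as fh:
        fh.write(header + "-:example.com\\goodguy:ALL\n")
    return sudoers_d, access_d


if __name__ == "__main__":
    # Point audit_dir at the real /etc/sudoers.d and /etc/security/access.d on a domain member.
    for directory in build_sample_tree():
        files = audit_dir(directory)
        print(directory)
        print("  managed rules:  ", managed_rules(files))
        print("  unmanaged files:", unmanaged_files(files))
```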
<br />
== Certificate Auto Enrollment ==<br />
<br />
{{:Certificate_Auto_Enrollment}}<br />
<br />
<br />
== Firefox Policy ==<br />
<br />
Firefox policies can be administered using the mozilla templates [https://github.com/mozilla/policy-templates/releases available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate two policy files on the local host:<br />
<br />
/usr/lib64/firefox/distribution/policies.json<br />
/etc/firefox/policies/policies.json<br />
<br />
Both are valid Firefox policies, but the expected location for the policy template recently changed.<br />
<br />
== Chromium/Chrome Policy ==<br />
<br />
Chromium and Google Chrome policies can be administered using the templates [https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate four policy files on the local host:<br />
<br />
/etc/chromium/policies/managed/policies.json<br />
/etc/chromium/policies/recommended/policies.json<br />
/etc/opt/chrome/policies/managed/policies.json<br />
/etc/opt/chrome/policies/recommended/policies.json<br />
<br />
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.<br />
<br />
== GNOME Settings ==<br />
<br />
GNOME Settings policies are found in the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools) > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:<br />
<br />
samba-tool gpo admxload -UAdministrator<br />
<br />
These policies manage some GNOME user settings, [https://help.gnome.org/admin/system-admin-guide/stable/user-settings.html.en as described in the GNOME system admin guide], such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and repartitioning. There is also a general method for disabling any specific GNOME lockdown value.<br />
<br />
== OpenSSH Policy ==<br />
<br />
OpenSSH policy applies settings to /etc/ssh/sshd_config.d. These policies can be set using the <code>samba-tool gpo manage openssh</code> command.<br />
<br />
For example, to require Kerberos authentication in OpenSSH:<br />
<br />
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
= Windows Domain Member Policies =<br />
<br />
== User Home Folders ==<br />
<br />
{{:Using_a_Group_Policy_Preference}}<br />
<br />
== Folder Redirection ==<br />
<br />
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}}<br />
<br />
== Restricted Groups ==<br />
<br />
{{:Managing_local_groups_on_domain_members_via_GPO_restricted_groups}}<br />
<br />
= Resultant Set of Policy =<br />
<br />
The Resultant Set of Policy assists in troubleshooting policy implementation. It is a report indicating what policies have been, or what will be, applied to a domain member.<br />
<br />
== Linux Domain Member ==<br />
<br />
To display the Resultant Set of Policy, use the <code>samba-gpupdate --rsop</code> command:<br />
<br />
linux-h7xz:~ # samba-gpupdate --rsop<br />
Resultant Set of Policy<br />
Computer Policy<br />
<br />
GPO: Default Domain Policy<br />
================================================================================================<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_scripts_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sudoers_ext<br />
-----------------------------------------------------------<br />
Policy Type: Sudo Rights<br />
-----------------------------------------------------------<br />
[ tux ALL=(ALL) NOPASSWD: ALL ]<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_smb_conf_ext<br />
-----------------------------------------------------------<br />
Policy Type: smb.conf<br />
-----------------------------------------------------------<br />
[ apply group policies ] = 1<br />
[ client max protocol ] = SMB2_02<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_msgs_ext<br />
-----------------------------------------------------------<br />
Policy Type: /etc/motd<br />
-----------------------------------------------------------<br />
This message is distributed by Samba!<br />
-----------------------------------------------------------<br />
Policy Type: /etc/issue<br />
-----------------------------------------------------------<br />
Samba Group Policy \s \r \l<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
================================================================================================<br />
<br />
== Windows Domain Member ==<br />
<br />
To view the Resultant Set of Policy on a Windows domain member:<br />
<br />
# Open the Microsoft Management Console<br />
# Click File > Add/Remove Snap-in<br />
# Select the Resultant Set of Policy, and then click Add.<br />
# Click OK<br />
<br />
----<br />
[[Category:Active Directory]]</div>Pgoetzhttps://wiki.samba.org/index.php?title=Group_Policy&diff=17914Group Policy2021-10-23T21:47:38Z<p>Pgoetz: /* Installing Samba ADMX Templates */</p>
<hr />
<div>= Introduction =<br />
<br />
This document describes how to manage domain members using Group Policy.<br />
<br />
= About Group Policy =<br />
<br />
Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under groupPolicyContainer objects. These objects provide the gPCFileSysPath attribute, which points to policy information stored on the domain's SYSVOL share. Policies are enforced at a random interval between 90 and 120 seconds.<br />
<br />
Policies can be manually enforced on a Linux domain member using the <code>samba-gpupdate --force</code> command.<br />
<br />
On a Windows domain member, policies are enforced using the <code>gpupdate /force</code> command.<br />
<br />
= Configuring Group Policy =<br />
<br />
== Enabling Group Policy on a Domain Member ==<br />
<br />
=== Winbind ===<br />
<br />
To enable Group Policy application in winbind, set the global option ''apply group policies'' to yes.<br />
<br />
<code>apply group policies = yes</code><br />
<br />
=== SSSD ===<br />
<br />
Group Policy application can be enforced using [https://github.com/openSUSE/oddjob-gpupdate oddjob-gpupdate]. The samba-gpupdate command from Samba must be installed.<br />
<br />
=== Windows ===<br />
<br />
Group Policy is automatically enabled in Windows domain members.<br />
<br />
== Installing Samba ADMX Templates ==<br />
<br />
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.<br />
<br />
<code>samba-tool gpo admxload -U Administrator</code><br />
<br />
The ''samba-tool gpo admxload'' command copies the Samba ADMX templates to the ''<domain>''/Policies/PolicyDefinitions directory on the SYSVOL share.<br />
<br />
If you have more than one domain controller, you should run the command with '-H' to ensure the ADMX templates are installed on the correct DC, e.g.<br />
<br />
<code>samba-tool gpo admxload -H dc1.samdom.example.com -U Administrator</code><br />
<br />
{{Imbox<br />
| type = warning<br />
| text = After installing the Samba ADMX templates, you MUST install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates] also, otherwise you will be unable to administer Windows domain members.<br />
}}<br />
<br />
To install [https://www.microsoft.com/en-us/download/102157 Microsoft's ADMX templates]:<br />
msiextract /path/to/microsoft/download/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2020\ Update.msi<br />
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/extracted/msi/Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2020\ Update\ \(20H2\)/PolicyDefinitions/<br />
<br />
{{Imbox<br />
| type = note<br />
| text = The msiextract command can be found in the msitools package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch Linux (in the AUR).<br />
}}<br />
<br />
== Creating a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
<br />
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing.<br />
<br />
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".<br />
<br />
Enter the name of the new Group Policy in the dialog that appears, then click OK.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, to create a Group Policy Object from the command line, issue the <code>samba-tool gpo create</code> command. To then link it to a container, issue the <code>samba-tool gpo setlink</code> command.<br />
<br />
<br />
== Editing a Group Policy Object ==<br />
<br />
<br />
=== Group Policy Management Editor ===<br />
Open the Group Policy Management Console (which is part of Windows [[Installing_RSAT|RSAT]] tools). Highlight a policy, and select ''Edit'' from the Action menu to open the policy for editing.<br />
<br />
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.<br />
<br />
=== samba-tool ===<br />
<br />
Alternatively, some Group Policies can be managed using the <code>samba-tool gpo manage</code> command.<br />
<br />
<br />
== Listing Existing Group Policies ==<br />
<br />
List existing Group Policies using the <code>samba-tool gpo listall</code> command.<br />
<br />
# samba-tool gpo listall -UAdministrator<br />
GPO : {31B2F340-016D-11D2-945F-00C04FB984F9}<br />
display name : Default Domain Policy<br />
path : \\example.com\sysvol\example.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}<br />
dn : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=example,DC=com<br />
version : 2097290<br />
flags : NONE<br />
<br />
The first attribute of each GPO listed is the GUID (Globally Unique Identifier) of the GPO (in the form {31B2F340-016D-11D2-945F-00C04FB984F9}). You'll need this GUID in order to identify the GPO in other <code>samba-tool gpo</code> commands.<br />
<br />
== Removing Policy from a Domain Member ==<br />
<br />
=== Linux Domain Member ===<br />
<br />
To remove policies applied to a domain member, issue the command:<br />
<br />
samba-gpupdate --unapply --target=Computer<br />
<br />
Or, to remove applied user policy:<br />
<br />
samba-gpupdate --unapply --target=User -U<username><br />
<br />
Only a user with root privileges can remove applied policy.<br />
<br />
=== Windows Domain Member ===<br />
<br />
Windows does not provide a feature for removing policy. The only work-around is to unjoin the domain, then force an apply with:<br />
<br />
gpupdate /force /boot<br />
<br />
= Linux Domain Member Policies =<br />
<br />
Linux domain member policies are applied using the samba-gpupdate command. These policies are non-tattooing, meaning that when a Group Policy Object is removed from a computer or user, the settings it applied are also removed from the associated domain member.<br />
<br />
== smb.conf Policies ==<br />
<br />
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy cannot be used to apply idmap settings.<br />
<br />
<br />
<br />
== Password and Kerberos Policies ==<br />
<br />
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.<br />
<br />
The following password policies are applicable:<br />
* Minimum password age<br />
* Maximum password age<br />
* Minimum password length<br />
* Password must meet complexity requirements<br />
<br />
And Kerberos policies:<br />
* Maximum ticket age (Maximum lifetime for user ticket)<br />
* Maximum service age (Maximum lifetime for service ticket)<br />
* Maximum renew age (Maximum lifetime for user ticket renewal)<br />
<br />
<br />
<br />
== Script Policies ==<br />
<br />
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.<br />
<br />
To add a script policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.<br />
<br />
[[File:Scripts_gpo1.png]]<br />
<br />
Script policies are applied as cron jobs on the winbind client.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i <br />
#!/bin/sh<br />
whoami > /daily.log<br />
<br />
<br />
=== Startup Script Policies ===<br />
<br />
Startup script policies allow you to upload the script to be executed to the SYSVOL and schedule it to run at startup. These scripts can be set using the <code>samba-tool gpo manage scripts startup</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'<br />
<br />
This command would upload the local script <code>test_script.sh</code> to the SYSVOL, schedule it to run on clients at startup, and pass the parameter '-n' to the script when it runs. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Files Policy ==<br />
<br />
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the <code>samba-tool gpo manage files</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600<br />
<br />
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This policy is useful in conjunction with the Scripts policy.<br />
<br />
== Symlink Policies ==<br />
<br />
The symlink policy creates symbolic links on client machines. This policy is set via the <code>samba-tool gpo manage symlink</code> command.<br />
<br />
For example:<br />
<br />
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target<br />
<br />
This policy will cause clients to symlink the source to the target. The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
== Sudoers Policies ==<br />
<br />
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.<br />
<br />
To add a sudo policy, open the policy, enable it, and click ''Show''. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.<br />
<br />
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force<br />
linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg<br />
<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
tux ALL=(ALL) NOPASSWD: ALL<br />
<br />
<br />
=== VGP Sudoers Policies ===<br />
<br />
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the <code>samba-tool gpo manage sudoers</code> command.<br />
<br />
For example, to add an entry for the user 'fakeu':<br />
<br />
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
This will create the following entry within /etc/sudoers.d:<br />
> cat /etc/sudoers.d/gp_XXXXX<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the gp_sudoers_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL<br />
<br />
{{Imbox<br />
| type = note<br />
| text = Samba Sudoers and VGP Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping.<br />
}}<br />
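As an added example (not code from this wiki page or from samba-gpupdate), the following Python script recognises sudoers fragments by the "### autogenerated by samba" header shown above, parses each rule line, and reports rules such as <code>tux ALL=(ALL) NOPASSWD: ALL</code> that grant password-less execution of any command; the sample fragment, including its <code>%smbadmins</code> rule, is constructed for illustration.<br />

```python
"""Audit sudoers fragments deployed by Samba Group Policy.

Added example, not code from the Samba wiki or from samba-gpupdate: it
recognises the "### autogenerated by samba" header, parses each rule line
and reports rules that allow any command without a password prompt.
"""
from __future__ import annotations

import re
from pathlib import Path

SAMBA_HEADER = "### autogenerated by samba"

# user_spec  host_list = (runas_spec) [NOPASSWD: | PASSWD:] command_list
# Enough of the sudoers grammar for the one-line rules samba-gpupdate writes;
# aliases, Defaults lines and multi-command lists are not handled.
RULE_RE = re.compile(
    r"^(?P<users>\S+)\s+(?P<hosts>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?:(?P<tag>NOPASSWD|PASSWD):\s*)?"
    r"(?P<cmds>.+?)\s*$"
)

# Constructed sample, modelled on the gp_eockoryg file shown on this page.
SAMPLE_FRAGMENT = """\
### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#

tux ALL=(ALL) NOPASSWD: ALL
%smbadmins ALL=(root) /usr/bin/systemctl restart smbd
"""


def is_samba_managed(text: str) -> bool:
    """True when the fragment starts with the header samba-gpupdate writes."""
    return text.lstrip().startswith(SAMBA_HEADER)


def parse_rules(text: str) -> list[dict]:
    """One dict per non-comment line; lines the grammar cannot read get parsed=False."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if m is None:
            rules.append({"raw": line, "parsed": False})
            continue
        rule = m.groupdict()
        rule.update(raw=line, parsed=True,
                    runas=rule["runas"] or "root",   # sudo's default runas user
                    nopasswd=rule["tag"] == "NOPASSWD")
        rules.append(rule)
    return rules


def risky_rules(text: str) -> list[str]:
    """Rule lines that allow every command without a password prompt."""
    return [r["raw"] for r in parse_rules(text)
            if r["parsed"] and r["nopasswd"] and r["cmds"] == "ALL"]


def audit_sudoers_dir(sudoers_d: Path) -> dict[str, list[str]]:
    """Map each Samba-managed gp_* fragment in the directory to its risky rules."""
    findings: dict[str, list[str]] = {}
    for path in sorted(sudoers_d.glob("gp_*")):
        text = path.read_text()
        if is_samba_managed(text):
            findings[path.name] = risky_rules(text)
    return findings


if __name__ == "__main__":
    for rule in risky_rules(SAMPLE_FRAGMENT):
        print("unrestricted NOPASSWD rule:", rule)
    # On a real domain member: audit_sudoers_dir(Path("/etc/sudoers.d"))
```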
<br />
== Message Policies ==<br />
<br />
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.<br />
<br />
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/motd<br />
This message is distributed by Samba!<br />
<br />
To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/issue<br />
Samba Group Policy \s \r \l<br />
<br />
<br />
=== VGP Message Policies ===<br />
<br />
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the <code>samba-tool gpo manage motd</code> and <code>samba-tool gpo manage issue</code> commands. <br />
<br />
{{Imbox<br />
| type = warning<br />
| text = Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.<br />
}}<br />
<br />
== PAM Access Policies ==<br />
<br />
PAM Access policies set access rules within /etc/security/access.d. These policies are set using the <code>samba-tool gpo manage access</code> command. This policy is compatible with Vintela's Access Group Policy.<br />
<br />
For example, to add an allow policy for the user (or group) goodguy in the domain example.com:<br />
<br />
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com<br />
<br />
This will set the policy on the SYSVOL to the GPO specified by the GUID {31B2F340-016D-11D2-945F-00C04FB984F9}. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
linux-h7xz:~ # samba-gpupdate<br />
linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf<br />
### autogenerated by samba<br />
#<br />
# This file is generated by the vgp_access_ext Group Policy<br />
# Client Side Extension. To modify the contents of this file,<br />
# modify the appropriate Group Policy objects which apply<br />
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.<br />
#<br />
<br />
-:example.com\goodguy:ALL<br />
<br />
== Certificate Auto Enrollment ==<br />
<br />
{{:Certificate_Auto_Enrollment}}<br />
<br />
<br />
== Firefox Policy ==<br />
<br />
Firefox policies can be administered using the Mozilla templates [https://github.com/mozilla/policy-templates/releases available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate two policy files on the local host:<br />
<br />
/usr/lib64/firefox/distribution/policies.json<br />
/etc/firefox/policies/policies.json<br />
<br />
Both are valid Firefox policy files; two copies are written because the location Firefox expects for the policy file changed recently.<br />
<br />
== Chromium/Chrome Policy ==<br />
<br />
Chromium and Google Chrome policies can be administered using the templates [https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip available here]. To install the templates, issue the command:<br />
<br />
<code>samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx</code><br />
<br />
Once installed, the policies can be administered from the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools).<br />
<br />
Applying policy will generate four policy files on the local host:<br />
<br />
/etc/chromium/policies/managed/policies.json<br />
/etc/chromium/policies/recommended/policies.json<br />
/etc/opt/chrome/policies/managed/policies.json<br />
/etc/opt/chrome/policies/recommended/policies.json<br />
<br />
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.<br />
<br />
== GNOME Settings ==<br />
<br />
GNOME Settings policies are found in the Group Policy Management Editor (which is part of Windows [[Installing_RSAT|RSAT]] tools) > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default Samba ADMX templates are installed. These templates can be installed by executing the command:<br />
<br />
samba-tool gpo admxload -UAdministrator<br />
<br />
These policies manage some GNOME user settings, [https://help.gnome.org/admin/system-admin-guide/stable/user-settings.html.en as described in the GNOME system admin guide], such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and repartitioning. There is also a general method for disabling any specific GNOME lockdown value.<br />
<br />
== OpenSSH Policy ==<br />
<br />
OpenSSH policy applies settings to /etc/ssh/sshd_config.d. These policies can be set using the <code>samba-tool gpo manage openssh</code> command.<br />
<br />
For example, to require Kerberos authentication in OpenSSH:<br />
<br />
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes<br />
<br />
The GUID {31B2F340-016D-11D2-945F-00C04FB984F9} specifies to which GPO the policy will be set. [[#Listing_Existing_Group_Policies|You can use the <code>samba-tool gpo listall</code> command to find the GUID for the GPO]].<br />
<br />
= Windows Domain Member Policies =<br />
<br />
== User Home Folders ==<br />
<br />
{{:Using_a_Group_Policy_Preference}}<br />
<br />
== Folder Redirection ==<br />
<br />
{{:Configuring_Windows_Profile_Folder_Redirections_with_Group_Policy}}<br />
<br />
== Restricted Groups ==<br />
<br />
{{:Managing_local_groups_on_domain_members_via_GPO_restricted_groups}}<br />
<br />
= Resultant Set of Policy =<br />
<br />
The Resultant Set of Policy assists in troubleshooting policy implementation. It is a report indicating what policies have been, or what will be, applied to a domain member.<br />
<br />
== Linux Domain Member ==<br />
<br />
To display the Resultant Set of Policy, use the <code>samba-gpupdate --rsop</code> command:<br />
<br />
linux-h7xz:~ # samba-gpupdate --rsop<br />
Resultant Set of Policy<br />
Computer Policy<br />
<br />
GPO: Default Domain Policy<br />
================================================================================================<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sec_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_scripts_ext<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_sudoers_ext<br />
-----------------------------------------------------------<br />
Policy Type: Sudo Rights<br />
-----------------------------------------------------------<br />
[ tux ALL=(ALL) NOPASSWD: ALL ]<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_smb_conf_ext<br />
-----------------------------------------------------------<br />
Policy Type: smb.conf<br />
-----------------------------------------------------------<br />
[ apply group policies ] = 1<br />
[ client max protocol ] = SMB2_02<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
CSE: gp_msgs_ext<br />
-----------------------------------------------------------<br />
Policy Type: /etc/motd<br />
-----------------------------------------------------------<br />
This message is distributed by Samba!<br />
-----------------------------------------------------------<br />
Policy Type: /etc/issue<br />
-----------------------------------------------------------<br />
Samba Group Policy \s \r \l<br />
-----------------------------------------------------------<br />
-----------------------------------------------------------<br />
================================================================================================<br />
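The following Python parser is an added example (not part of Samba or of this wiki page) that turns the report format shown above into a nested mapping, so a script can check which client-side extensions and settings a Linux domain member will receive before they are applied; the sample report is constructed from the output above, and the layout of other Samba versions may differ.<br />

```python
"""Parse the text report of `samba-gpupdate --rsop` (added example, not Samba code).

The layout follows the report shown above; other Samba versions may differ.
"""
import re

# "[ key ] = value" for smb.conf-style settings, "[ value ]" for bare entries
ENTRY_RE = re.compile(r"^\[\s*(?P<key>.*?)\s*\](?:\s*=\s*(?P<value>.*?))?\s*$")

# Constructed sample, abridged from the report shown on this page.
SAMPLE_RSOP = """\
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
==========================
CSE: gp_sec_ext
-----------
-----------
CSE: gp_sudoers_ext
-----------
Policy Type: Sudo Rights
-----------
[ tux ALL=(ALL) NOPASSWD: ALL ]
-----------
-----------
CSE: gp_smb_conf_ext
-----------
Policy Type: smb.conf
-----------
[ apply group policies ] = 1
[ client max protocol ] = SMB2_02
-----------
-----------
==========================
"""


def parse_rsop(text: str) -> dict:
    """Return {scope: {gpo: {cse: {policy_type: [entries]}}}}."""
    report, scope, gpo, cse, ptype = {}, None, None, None, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line == "Resultant Set of Policy" or set(line) <= {"=", "-"}:
            continue  # blank lines, the title and the ===/--- rule lines
        if line in ("Computer Policy", "User Policy"):
            scope, gpo, cse, ptype = line, None, None, None
            report.setdefault(scope, {})
        elif line.startswith("GPO: "):
            gpo, cse, ptype = line[5:], None, None
            report[scope][gpo] = {}
        elif line.startswith("CSE: "):
            cse, ptype = line[5:], None
            report[scope][gpo].setdefault(cse, {})
        elif line.startswith("Policy Type: "):
            ptype = line[13:]
            report[scope][gpo][cse].setdefault(ptype, [])
        else:
            m = ENTRY_RE.match(line)
            if m is None:               # free text, e.g. the /etc/motd body
                entry = line
            elif m["value"] is None:    # "[ value ]"
                entry = m["key"]
            else:                       # "[ key ] = value"
                entry = (m["key"], m["value"])
            report[scope][gpo][cse][ptype].append(entry)
    return report


def settings(report: dict, cse: str, ptype: str, scope: str = "Computer Policy") -> list:
    """Entries a CSE/policy type will apply, across every GPO in the scope."""
    return [e for gpo_data in report.get(scope, {}).values()
            for e in gpo_data.get(cse, {}).get(ptype, [])]


def active_extensions(report: dict, scope: str = "Computer Policy") -> set:
    """CSEs that carry at least one setting (an empty gp_sec_ext block is inactive)."""
    return {cse for gpo_data in report.get(scope, {}).values()
            for cse, types in gpo_data.items() if any(types.values())}
```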
<br />
== Windows Domain Member ==<br />
<br />
To view the Resultant Set of Policy on a Windows domain member:<br />
<br />
# Open the Microsoft Management Console<br />
# Click File > Add/Remove Snap-in<br />
# Select the Resultant Set of Policy, and then click Add.<br />
# Click OK<br />
<br />
----<br />
[[Category:Active Directory]]</div>Pgoetz