Group Policy: Difference between revisions
(→About Group Policy: Include Windows domain member gpupdate force command) |
m (→Introduction) |
||
Line 1: | Line 1: | ||
= Introduction = |
= Introduction = |
||
This document describes how to manage |
This document describes how to manage domain members using Group Policy. |
||
= About Group Policy = |
= About Group Policy = |
Revision as of 14:56, 5 October 2021
Introduction
This document describes how to manage domain members using Group Policy.
About Group Policy
Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under groupPolicyContainer objects. These objects provide the gPCFileSysPath attribute, which points to policy information stored on the domains SYSVOL share. Policies are enforced at a random interval between 90 and 120 seconds.
Policies can be manually enforced on a Linux domain member using the samba-gpupdate --force
command.
On a Windows domain member, policies are enforced using the gpupdate /force
command.
Configuring Group Policy
Enabling Group Policy in Winbind
To enable Group Policy application in winbind, set the global option apply group policies to yes.
apply group policies = yes
Installing Samba ADMX Templates for the Group Policy Management Console
In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.
samba-tool gpo admxload -UAdministrator
The samba-tool gpo admxload command copies the Samba ADMX templates to the <domain>/Policies/PolicyDefinitions directory on the SYSVOL share.
If you run the command without specifying which DC to use with '-H', the ADMX templates may be installed on another DC.]]. |
Setting Samba Group Policy in the Group Policy Management Console
To set Samba Group Policy settings, open the Group Policy Management Console and either create a new Group Policy Object, or edit an existing one.
Creating a Group Policy Object
Group Policy Management Editor
To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".
Enter the name of the new Group Policy in the dialog that appears, then click ok.
samba-tool
Alternatively, to create a Group Policy Object from the command line, issue the samba-tool gpo create
command. To then link it to a container, issue the samba-tool gpo setlink
command.
Editing a Group Policy Object
Group Policy Management Editor
Highlight a policy, and select Edit from the Action menu to open the policy for editing.
Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.
samba-tool
Alternatively, some Group Policies can be managed using the samba-tool gpo manage
command.
Linux Domain Member Policies
smb.conf Policies
smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy is unable to apply idmap policies.
Password and Kerberos Policies
Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.
The following password policies are applicable:
- Minimum password age
- Maximum password age
- Minimum password length
- Password must meet complexity requirements
And Kerberos policies:
- Maximum ticket age (Maximum lifetime for user ticket)
- Maximum service age (Maximum lifetime for service ticket)
- Maximum renew age (Maximum lifetime for user ticket renewal)
Script Policies
Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.
To add a script policy, open the policy, enable it, and click Show. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.
Script policies are applied as cron jobs on the winbind client.
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i #!/bin/sh whoami > /daily.log
Startup Script Policies
Startup script policies allow you to upload the script that will be executed to the SYSVOL, as well as scheduling the command to run at startup. These scripts can be set using the samba-tool gpo manage scripts startup
command.
For example:
samba-tool gpo manage scripts startup add {31B2F340-016D-11D2-945F-00C04FB984F9} test_script.sh '-n'
This command would upload the local script test_script.sh
to the SYSVOL, then schedule it to run on clients at startup and will pass the parameter '-n' to the script when it runs.
Files Policy
The Files policy deploys files to client machines. These files are uploaded to the SYSVOL via the samba-tool gpo manage files
command.
For example:
samba-tool gpo manage files add {31B2F340-016D-11D2-945F-00C04FB984F9} ./source.txt /usr/share/doc/target.txt root root 600
This command will upload the local file source.txt to the SYSVOL, which will then be deployed to client machines as /usr/share/doc/target.txt, with the ownership root:root, and the permissions 600.
This policy is useful to use in conjunction with the Scripts policy.
Symlink Policies
The symlink policy creates symbolic links on client machines. This policy is set via the samba-tool gpo manage symlink
command.
For example:
samba-tool gpo manage symlink add {31B2F340-016D-11D2-945F-00C04FB984F9} /tmp/source /tmp/target
This policy will cause clients to symlink the source to the target.
Sudoers Policies
Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.
To add a sudo policy, open the policy, enable it, and click Show. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.
linux-h7xz:~ # /usr/sbin/samba-gpupdate --force linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg ### autogenerated by samba # # This file is generated by the gp_sudoers_ext Group Policy # Client Side Extension. To modify the contents of this file, # modify the appropriate Group Policy objects which apply # to this machine. DO NOT MODIFY THIS FILE DIRECTLY. # tux ALL=(ALL) NOPASSWD: ALL
VGP Sudoers Policies
Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the samba-tool gpo manage sudo
command.
For example, to add an entry for the user 'fakeu':
> samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg
This will create the following entry within /etc/sudoers.d:
> cat /etc/sudoers.d/gp_XXXXX ### autogenerated by samba # # This file is generated by the gp_sudoers_ext Group Policy # Client Side Extension. To modify the contents of this file, # modify the appropriate Group Policy objects which apply # to this machine. DO NOT MODIFY THIS FILE DIRECTLY. # fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL
Note: Samba Sudoers and VGP Sudoers policies can be safely used in conjunction with one another, since these policies are non-overlapping.
Message Policies
Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.
To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.
linux-h7xz:~ # samba-gpupdate linux-h7xz:~ # cat /etc/motd This message is distributed by Samba!
To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.
linux-h7xz:~ # samba-gpupdate linux-h7xz:~ # cat /etc/issue Samba Group Policy \s \r \l
VGP Message Policies
Other VGP Message extensions are available for compatibility with Vintela's MOTD and Issue Group Policies. The policies for these extensions can be modified using the samba-tool gpo manage motd
and samba-tool gpo manage issue
commands.
Warning: Beware that applying both the Samba and VGP message policies will cause unpredictable behavior, since both policies will apply and will overwrite one another.
PAM Access Policies
PAM Access policies set access rules within /etc/security/access.d. These policies are set using the `samba-tool gpo manage access` command. This policy is compatible with Vintela's Access Group Policy.
For example, to add an allow policy for the user (or group) goodguy in the domain example.com:
> samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com
This will set the policy on the SYSVOL to the GPO specified by the hash {31B2F340-016D-11D2-945F-00C04FB984F9}. You can use the samba-tool gpo list
command to find the hash name for the GPO.
linux-h7xz:~ # samba-gpupdate linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf ### autogenerated by samba # # This file is generated by the vgp_access_ext Group Policy # Client Side Extension. To modify the contents of this file, # modify the appropriate Group Policy objects which apply # to this machine. DO NOT MODIFY THIS FILE DIRECTLY. # -:example.com\goodguy:ALL
Certificate Auto Enrollment
Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.
Configuring Certificate Auto Enrollment on the Server
Prerequisite: An Active Directory domain and a Samba domain member already joined.
The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, and Certificate Enrollment Web Service all must be installed and configured. The instructions here set up AD and CS on the same machine, this is not recommended! Check the Microsoft documentation how to set it up with multiple machines correctly.
Setting up the Certificate Authority
# Install Certificate Service Windows Features Add-WindowsFeature -Name @('ADCS-Cert-Authority','ADCS-Enroll-Web-Pol','ADCS-Enroll-Web-Svc') -IncludeManagementTools $addc = Get-ADDomainController $realm = $addc.domain.ToUpper() $dnsdomain = $addc.domain $domain = $realm.split('\.')[0] $hostname = $addc.hostname # Setup Certificate Authority $admin_creds = Get-Credential Administrator # Details can be found at [1] $params = @{ CAType = "EnterpriseRootCA" CACommonName = "$domain-ROOT-CA" CryptoProviderName = "RSA#Microsoft Software Key Storage Provider" KeyLength = 4096 HashAlgorithmName = "SHA512" OverwriteExistingCAinDS = $true OverwriteExistingKey = $true Credential = $admin_creds Force = $true } Install-AdcsCertificationAuthority @params
Request a Server Certificate for HTTPS from CA
Manual steps: Now follow the instructions you can find here.
Restart the Webserver using:
# Restart IIS iisreset /restart
Setup Certificate Web Services
# Get the SSL Certificate Thumbprint of the Web Server Import-Module WebAdministration $certs = Get-ChildItem IIS:SSLBindings | Foreach-Object { [PSCustomObject]@{ Site=$_.sites.value HostName=$_.Host Port=$_.Port Thumb=$_.thumbprint } } # Setup AdcsEnrollmentPolicyWebService $params = @{ AuthenticationType = "Kerberos" SSLCertThumbprint = $certs.thumb Credential = $admin_creds } Install-AdcsEnrollmentPolicyWebService @params -Force # AdcsEnrollmentWebService: Details can be found at [2] $params = @{ AuthenticationType = "Kerberos" SSLCertThumbprint = $certs.thumb Credential = $admin_creds } Install-AdcsEnrollmentWebService @params -Force
Setup GPO for Auto Enrollment
# Set GPO for Auto Enrollment Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "AEPolicy" -Value 7 -Type "Dword" Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationPercent" -Value 10 -Type "Dword" Set-GPRegistryValue -Name "Default Domain Policy" -Key "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\AutoEnrollment" -ValueName "OfflineExpirationStoreNames" -Value "MY" -Type "String" gpupdate /force # AutoEnrollment successfully set up. Get-CertificateAutoEnrollmentPolicy -Scope Applied -context Machine
Create Test Computer Certificate Template
You can follow the steps you can find here.
Additional Resources
- Certificate Authority Guidance
- Certificate Enrollment Web Service Guidance
- Configure server certificate auto-enrollment
- Configure HTTPS with an Enterprice CA
Enable Certificate Auto Enrollment on the Client
To setup Certificate Auto Enrollment:
- Install certmonger, and cepces. Samba uses certmonger paired with cepces to monitor the host certificate templates. Most distributions have a samba-gpupdate package which pulls in all the required packages for you.
- Join to an Active Directory domain (one where the CA has been previously configured as explained above).
- Run `samba-gpupdate` to install the certificates.
- Issue the `getcert list` to display the installed certificates:
Number of certificates and requests being tracked: 1. Request ID 'Machine': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key' certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt' CA: <My CA> issuer: CN=<My CA> subject: CN=<my hostname> expires: 2017-08-15 17:37:02 UTC dns: <my hostname> key usage: digitalSignature,keyEncipherment eku: id-kp-clientAuth,id-kp-serverAuth certificate template/profile: Machine pre-save command: post-save command: track: yes auto-renew: yes
- To verify Certificate Auto Enrollment is correctly configured, issue the command `samba-gpupdate --rsop`:
Resultant Set of Policy Computer Policy GPO: Default Domain Policy ================================================================================================================= CSE: gp_cert_auto_enroll_ext ----------------------------------------------------------- Policy Type: Auto Enrollment Policy ----------------------------------------------------------- [ <REDACTED CA NAME> ] = [ CA Certificate ] = ----BEGIN CERTIFICATE---- <REDACTED> ----END CERTIFICATE---- [ Auto Enrollment Server ] = <REDACTED DNS NAME> [ Templates ] = [ Machine ] ----------------------------------------------------------- =================================================================================================================
- Change the server variable in `/etc/cepces/cepces.conf` to point to the CA server.
- Set `keberos method = secrets and keytab` in the smb.conf
- Create a keytab for cepces-submit Kerberos authentication with `net ads keytab create`
- Enable group policy apply:
- For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
- For a SSSD joined machine by installing the oddjob-gpupdate package.
Samba's gpupdate will work with SSSD, but will require the oddjob-gpupdate package in order to apply policies automatically. |
Certificates
Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.
Firefox Policy
Firefox policies can be administered using the mozilla templates available here. To install the templates, issue the command:
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows
Once installed, the policies can be administered from the Group Policy Management Editor.
Applying policy will generate two policy files on the local host:
/usr/lib64/firefox/distribution/policies.json /etc/firefox/policies/policies.json
Both are valid Firefox policies, but the expected location for the policy template recently changed.
Chromium/Chrome Policy
Chromium and Google Chrome policies can be administered using the templates available here. To install the templates, issue the command:
samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx
Once installed, the policies can be administered from the Group Policy Management Editor.
Applying policy will generate four policy files on the local host:
/etc/chromium/policies/managed/policies.json /etc/chromium/policies/recommended/policies.json /etc/opt/chrome/policies/managed/policies.json /etc/opt/chrome/policies/recommended/policies.json
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.
GNOME Settings
GNOME Settings policies are found in the Group Policy Management Editor > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:
samba-tool gpo admxload -UAdministrator
These policies manage some GNOME settings, such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and reparitioning. There is also a general method for disabling any specific GNOME lockdown value.
OpenSSH Policy
OpenSSH policy applies settings to /etc/ssh/sshd_config.d. These policies can be set using the samba-tool gpo manage openssh
command.
For example, to require kerberos authentication in OpenSSH:
> samba-tool gpo manage openssh set {31B2F340-016D-11D2-945F-00C04FB984F9} KerberosAuthentication Yes
Resultant Set of Policy
The Resultant Set of Policy is a report indicating what policies have been, or what will be, applied to the local system. To display the Resultant Set of Policy, use the `samba-gpupdate --rsop` command:
linux-h7xz:~ # samba-gpupdate --rsop Resultant Set of Policy Computer Policy GPO: Default Domain Policy ================================================================================================ CSE: gp_sec_ext ----------------------------------------------------------- ----------------------------------------------------------- CSE: gp_sec_ext ----------------------------------------------------------- ----------------------------------------------------------- CSE: gp_scripts_ext ----------------------------------------------------------- ----------------------------------------------------------- CSE: gp_sudoers_ext ----------------------------------------------------------- Policy Type: Sudo Rights ----------------------------------------------------------- [ tux ALL=(ALL) NOPASSWD: ALL ] ----------------------------------------------------------- ----------------------------------------------------------- CSE: gp_smb_conf_ext ----------------------------------------------------------- Policy Type: smb.conf ----------------------------------------------------------- [ apply group policies ] = 1 [ client max protocol ] = SMB2_02 ----------------------------------------------------------- ----------------------------------------------------------- CSE: gp_msgs_ext ----------------------------------------------------------- Policy Type: /etc/motd ----------------------------------------------------------- This message is distributed by Samba! ----------------------------------------------------------- Policy Type: /etc/issue ----------------------------------------------------------- Samba Group Policy \s \r \l ----------------------------------------------------------- ----------------------------------------------------------- ================================================================================================