Difference between revisions of "Group Policy"

From SambaWiki
(→‎Policies: Add Chrome/Chromium policy)
(→‎Policies: Add Gnome Settings policy)
Line 221: Line 221:
   
 
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.
 
The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.
  +
  +
== GNOME Settings ==
  +
  +
GNOME Settings policies are found in the Group Policy Management Editor > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:
  +
  +
samba-tool gpo admxload -UAdministrator
  +
  +
These policies manage some GNOME settings, such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and reparitioning. There is also a general method for disabling any specific GNOME lockdown value.
   
 
= Resultant Set of Policy =
 
= Resultant Set of Policy =

Revision as of 20:17, 4 October 2021

Introduction

This document describes how to manage winbind clients using Group Policy.



About Group Policy

Group Policy provides centralized management and configuration of operating system, application, and user settings. Policies are delivered to clients by listing them in LDAP, under groupPolicyContainer objects. These objects provide the gPCFileSysPath attribute, which points to policy information stored on the domains SYSVOL share.

Policies are enforced by winbind at a random interval between 90 and 120 seconds. Policies can be manually enforced using the samba-gpupdate --force command.




Configuring Group Policy

Enabling Group Policy in Winbind

To enable Group Policy application in winbind, set the global option apply group policies to yes.

apply group policies = yes


Installing Samba ADMX Templates for the Group Policy Management Console

In order to configure Samba Group Policies, you must first install the ADMX templates provided by Samba.

samba-tool gpo admxload -UAdministrator

The samba-tool gpo admxload command copies the Samba ADMX templates to the <domain>/Policies/PolicyDefinitions directory on the SYSVOL share.



Setting Samba Group Policy in the Group Policy Management Console

To set Samba Group Policy settings, open the Group Policy Management Console and either create a new Group Policy Object, or edit an existing one.

Creating a Group Policy Object

To create the Group Policy Object, highlight the domain or container where you want the object linked, then open the Action menu and select "Create a GPO in this domain, and Link it here".

Create gpo1 1.png

samba install ad -sssd -rhel

Enter the name of the new Group Policy in the dialog that appears, then click ok.

Create gpo2.png

Editing a Group Policy Object

Highlight a policy, and select Edit from the Action menu to open the policy for editing.

Samba policies can be found in the Group Policy Management Editor within User or Computer Configuration > Policies > Administrative Templates > Samba. For Samba Domain Controllers, the Password and Kerberos settings are also applied, which are found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy.



Policies

smb.conf Policies

smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. This policy is unable to apply idmap policies.



Password and Kerberos Policies

Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.

The following password policies are applicable:

  • Minimum password age
  • Maximum password age
  • Minimum password length
  • Password must meet complexity requirements

And Kerberos policies:

  • Maximum ticket age (Maximum lifetime for user ticket)
  • Maximum service age (Maximum lifetime for service ticket)
  • Maximum renew age (Maximum lifetime for user ticket renewal)


Script Policies

Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.

To add a script policy, open the policy, enable it, and click Show. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.

Scripts gpo1.png

Script policies are applied as cron jobs on the winbind client.

 linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
 linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i 
 #!/bin/sh
 whoami > /daily.log



Sudoers Policies

Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.

To add a sudo policy, open the policy, enable it, and click Show. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.

 linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
 linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg
 
 ### autogenerated by samba
 #
 # This file is generated by the gp_sudoers_ext Group Policy
 # Client Side Extension. To modify the contents of this file,
 # modify the appropriate Group Policy objects which apply
 # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
 #
 
 tux ALL=(ALL) NOPASSWD: ALL

VGP Sudoers Policies

Another Sudoers extension is available for compatibility with Vintela's Sudoers Group Policy. The policy for this extension can be modified using the `samba-tool gpo manage sudo` command.

For example, to add an entry for the user 'fakeu':

 > samba-tool gpo manage sudoers add {31B2F340-016D-11D2-945F-00C04FB984F9} ALL ALL fakeu fakeg

This will create the following entry within /etc/sudoers.d:

 > cat /etc/sudoers.d/gp_XXXXX
 ### autogenerated by samba
 #
 # This file is generated by the gp_sudoers_ext Group Policy
 # Client Side Extension. To modify the contents of this file,
 # modify the appropriate Group Policy objects which apply
 # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
 #
 
 fakeu,fakeg% ALL=(ALL) NOPASSWD: ALL

Message Policies

Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.

To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you'd like displayed after a successful login.

 linux-h7xz:~ # samba-gpupdate
 linux-h7xz:~ # cat /etc/motd
 This message is distributed by Samba!

To add a login prompt policy, open the 'Logon Prompt Message' policy and enable it. In the text box provided, enter the message you'd like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.

 linux-h7xz:~ # samba-gpupdate
 linux-h7xz:~ # cat /etc/issue
 Samba Group Policy \s \r \l

PAM Access Policies

PAM Access policies set access rules within /etc/security/access.d. These policies are set using the `samba-tool gpo manage access` command. This policy is compatible with Vintela's Access Group Policy.

For example, to add an allow policy for the user (or group) goodguy in the domain example.com:

 > samba-tool gpo manage access add {31B2F340-016D-11D2-945F-00C04FB984F9} allow goodguy example.com

This will set the policy on the SYSVOL to the GPO specified by the hash {31B2F340-016D-11D2-945F-00C04FB984F9}. You can use the `samba-tool gpo list` command to find the hash name for the GPO.

 linux-h7xz:~ # samba-gpupdate
 linux-h7xz:~ # cat /etc/security/access.d/0000000001_gp.conf
 ### autogenerated by samba
 #
 # This file is generated by the vgp_access_ext Group Policy
 # Client Side Extension. To modify the contents of this file,
 # modify the appropriate Group Policy objects which apply
 # to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
 #
 
 -:example.com\goodguy:ALL

Certificate Auto Enrollment

Certificate Auto Enrollment allows devices to enroll for certificates from Active Directory Certificate Services. It is enabled by Group Policy using Samba's samba-gpupdate command. Certificate Auto Enrollment is available in Samba 4.16 and above.

Configuring Certificate Auto Enrollment on the Server

The Windows server roles Certification Authority, Certificate Enrollment Policy Web Service, Certificate Enrollment Web Service, Certification Authority Web Enrollment, and Network Device Enrollment Service all must be installed and configured.

Configure Group Policy auto enrollment as described in the documentation here.

Enable Certificate Auto Enrollment on the Client

To setup Certificate Auto Enrollment:

  1. Install certmonger, cepces, and sscep. Samba uses sscep to download the CA root chain, then uses certmonger paired with cepces to monitor the host certificate templates.
  2. Join to an Active Directory domain (one where the CA has been previously configured as explained above).
  1. Enable group policy apply:
    • For a Winbind joined machine by setting the smb.conf global parameter 'apply group policies = yes'.
    • For a SSSD joined machine by installing the oddjob-gpupdate package.
  2. To verify Certificate Auto Enrollment is correctly configured, issue the command `/usr/sbin/samba-gpupdate --rsop`
Resultant Set of Policy
Computer Policy

 GPO: Default Domain Policy
======================================================================================================================
CSE: gp_cert_auto_enroll_ext
-----------------------------------------------------------
Policy Type: Auto Enrollment Policy
-----------------------------------------------------------
[ <REDACTED CA NAME> ] =
[ CA Certificate ] =
----BEGIN CERTIFICATE----
<REDACTED>
----END CERTIFICATE----
[ Auto Enrollment Server ] = <REDACTED DNS NAME>
[ Templates ] =
[ Machine ]
-----------------------------------------------------------
-----------------------------------------------------------
======================================================================================================================

Issuing the `getcert list` command will display the installed certificates:

Number of certificates and requests being tracked: 1.
Request ID 'Machine':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/samba/private/certs/Machine.key'
        certificate: type=FILE,location='/var/lib/samba/certs/Machine.crt'
        CA: <My CA>
        issuer: CN=<My CA>
        subject: CN=<my hostname>
        expires: 2017-08-15 17:37:02 UTC
        dns: <my hostname>
        key usage: digitalSignature,keyEncipherment
        eku: id-kp-clientAuth,id-kp-serverAuth
        certificate template/profile: Machine
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Certificates

Certificates are installed in /var/lib/samba/certs and private keys are installed in /var/lib/samba/private/certs.

Firefox Policy

Firefox policies can be administered using the mozilla templates available here. To install the templates, issue the command:

samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/mozilla/download/policy-templates/windows

Once installed, the policies can be administered from the Group Policy Management Editor.

Applying policy will generate two policy files on the local host:

 /usr/lib64/firefox/distribution/policies.json
 /etc/firefox/policies/policies.json

Both are valid Firefox policies, but the expected location for the policy template recently changed.

Chromium/Chrome Policy

Chromium and Google Chrome policies can be administered using the templates available here. To install the templates, issue the command:

samba-tool gpo admxload -UAdministrator --admx-dir=/path/to/google/download/policy_templates/windows/admx

Once installed, the policies can be administered from the Group Policy Management Editor.

Applying policy will generate four policy files on the local host:

 /etc/chromium/policies/managed/policies.json
 /etc/chromium/policies/recommended/policies.json
 /etc/opt/chrome/policies/managed/policies.json
 /etc/opt/chrome/policies/recommended/policies.json

The managed policy files specify required Chrome and Chromium settings, while the recommended policy files specify settings which will be applied but not enforced.

GNOME Settings

GNOME Settings policies are found in the Group Policy Management Editor > Computer Configuration > Policies > Administrative Templates > Samba > GNOME when the default samba ADMX templates are installed. These templates can be installed by executing the command:

 samba-tool gpo admxload -UAdministrator

These policies manage some GNOME settings, such as the compose key, screen dimming, online account management, extensions, and the ability to disable printing, file saving, command line access, fingerprint logon, logout, user switching, and reparitioning. There is also a general method for disabling any specific GNOME lockdown value.

Resultant Set of Policy

The Resultant Set of Policy is a report indicating what policies have been, or what will be, applied to the local system. To display the Resultant Set of Policy, use the `samba-gpupdate --rsop` command:

 linux-h7xz:~ # samba-gpupdate --rsop
 Resultant Set of Policy
 Computer Policy
 
 GPO: Default Domain Policy
 ================================================================================================
   CSE: gp_sec_ext
   -----------------------------------------------------------
   -----------------------------------------------------------
   CSE: gp_sec_ext
   -----------------------------------------------------------
   -----------------------------------------------------------
   CSE: gp_scripts_ext
   -----------------------------------------------------------
   -----------------------------------------------------------
   CSE: gp_sudoers_ext
   -----------------------------------------------------------
     Policy Type: Sudo Rights
     -----------------------------------------------------------
     [ tux ALL=(ALL) NOPASSWD: ALL ]
     -----------------------------------------------------------
   -----------------------------------------------------------
   CSE: gp_smb_conf_ext
   -----------------------------------------------------------
     Policy Type: smb.conf
     -----------------------------------------------------------
     [ apply group policies ] = 1
     [ client max protocol ] = SMB2_02
     -----------------------------------------------------------
   -----------------------------------------------------------
   CSE: gp_msgs_ext
   -----------------------------------------------------------
     Policy Type: /etc/motd
     -----------------------------------------------------------
 This message is distributed by Samba!
     -----------------------------------------------------------
     Policy Type: /etc/issue
     -----------------------------------------------------------
 Samba Group Policy \s \r \l
     -----------------------------------------------------------
   -----------------------------------------------------------
 ================================================================================================