Re: Samba: assign domain group policy through Samba tools?
On Mon, May 17, 2004 at 03:38:37AM -0700, Karsten M. Self wrote:
> I'm using Samba as a PDC on a domain with ten WinXP Pro clients, on
> Debian testing/unstable.
>
> Basic shares work great.
>
> Getting the domain stuff set up was a bit trickier, but the OS News
> article[1] and (once I realized the difference between 2.x and 3.x) docs
> under /usr/share/doc/samba-doc/htmldocs/ were invaluable. Tricky bit
> was creating and mapping groups/users via 'groupadd' and 'net groupmap'.
>
> Printing through CUPS + Samba was a nightmare, but I was under the
> delusion it worked when I left work Friday night. Erm. Saturday
> morning. Post-sunrise. Tricky bit was adding printer support via
> 'cupsaddsmb', and deciphering error output (stderr and logs).
>
>
> I'm stuck on creating a group profile at the domain level, though.
Okay. I haven't done this so just some info you might have missed, or
might help you.
From: http://us3.samba.org/samba/docs/man/guide/happy.html#ch6-massive
At this time, Samba-3 requires that on a PDC all UNIX (Posix) group
accounts that are mapped (linked) to Windows Domain Group accounts must
be in the LDAP database.
This does not actually say it, but I think I read somewhere that Samba
as a PDC requires LDAP to support the Active Directory functions.?
Also, this might be some help:
http://us3.samba.org/samba/docs/man/howto/PolicyMgmt.html#id2577673
Apparently, part of the GPO is stored directly on the Active Directory.
See also the section: Administration of Windows 200x/XP Policies" for
some steps on editting the GPO's using the MMC snap-in. (Who at MS
thinks of these names?)
Anyway, HTH. I was all set when we got a small number of XP boxen at my
work to play around with the PDC thing, only to realize how much MS
changed the structure with 2000/XP. I tired out trying to figure it out
for such a small number of users. I figured by the time I got it
working, MS would release Windows eXtra-eXtra-Pain and it wouldn't work
again.
>
> The goal is to have a single point at which I can make
> additions/deletions to Desktop, Start Menu, "Favorites" (bookmarks),
> Startup, etc. As well as making some registry edits (allowed/disallowed
> apps).
>
>
> I've copied the profile itself, through one of the XP clients, to a
> directory under my [profiles] share on the Samba server.
My quick read seems to indicate it needs to be in the [netlogon] share?
>
> What I don't see is a way to make the association between this profile
> and the group ("members") which I'd like to have use this.
Again, seems to be in the GPO that you define as in the reference above,
but then I haven't done this so maybe I'm just background noise in the
list.
<snip>
Good luck.
--
Chris Harris <charris@rtcmarketing.com>
-------------------------------------------
GNU/Linux --- The best things in life are free.
Reply to: