The Samba-Bugzilla – Bug 9922
Computer GPO not applied to worktations.
Last modified: 2015-01-05 08:36:34 UTC
I'm recentrly facing a problem when applying a simple Computer GPO to some Windows 7 workstations.
All User GPOs are correctly applied to the workstations, while Computer GPOs don't.
To restrict focus i've just tried to modify the Password Policy but even that policy cannot get applied to the workstations.
The strange thing is that from the workstation point, all seem ok.
In fact, forcing an policy update command like:
returns with both User and Computer policies correctly applied.
BUT checking the effective password policy in the workstation returns the standard Domain policy instead the modified one (i've only modified the password lenght to 9).
c:\>net accounts /domain
Min. tra tempo limite e disconnessione imposta: Mai
Durata minima della password (giorni): 1
Durata massima della password (giorni): 42
Lunghezza minima della password: **** 7 (instead of 9)
Lunghezza cronologia della password: 24
Soglia di blocchi: Mai
Durata dei blocchi (minuti): 30
Finestra di osservazione dei blocchi (minuti): 30
Ruolo del computer: PRIMARIO
Esecuzione comando riuscita.
I've tried to run samba-tool gpo aclcheck but got this output:
ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
ds_sd_ndr = m['nTSecurityDescriptor']
Does the problem still exist with a more recent version of Samba? The early 4.0 versions had some incorrect ACLs.
If you update, please follow
to fix the ACLs.
Please give a short feedback if the problem still exists in a recent version and which one you've tried. Thanks.
(In reply to comment #1)
> Does the problem still exist with a more recent version of Samba? The early 4.0
> versions had some incorrect ACLs.
> If you update, please follow
> to fix the ACLs.
> Please give a short feedback if the problem still exists in a recent version
> and which one you've tried. Thanks.
I have tested with 4.1.11.
Whilst I do not get the samba-tool python issue, I can confirm that the password policy GPO when configured is not applied. Other policy objects are applied, just not the password ones.
Tested the GPO's against Windows XP, Windows 7 and Windows 8 - password complexity requirements, password length, history etc all remained at the defaults.
This is after double checking all the policies applied.
Whilst not the original submitter of this issue I am able to replicate 100% of the time. Happy to take any feedback as to providing any data for further diagnosis and resolution.
(In reply to comment #2)
> Whilst I do not get the samba-tool python issue, I can confirm that the
> password policy GPO when configured is not applied. Other policy objects are
> applied, just not the password ones.
Password policies can't be provided via GPO. Because they have to be validated on the DCs and Samba doesn't provides GPO support (yet). Currently there's no timeline, when this will be implemented.
You can only define password policies domain-wide via
# samba-tool domain passwordsettings...
Loading GPOs on a DC itself is tracked in bug #6613...