Bug 9922 - Computer GPO not applied to workstations.
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.0.0
Hardware: All Linux
Importance: P3 major
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
Reported: 2013-06-03 09:32 UTC by Emilicus
Modified: 2020-01-08 08:40 UTC
Description Emilicus 2013-06-03 09:32:38 UTC
I've recently been facing a problem when applying a simple Computer GPO to some Windows 7 workstations.
All User GPOs are correctly applied to the workstations, while Computer GPOs are not.
To narrow the focus, I've just tried to modify the Password Policy, but even that policy cannot get applied to the workstations.

The strange thing is that from the workstation's point of view, all seems OK.
In fact, forcing a policy update with a command like:

c:\>gpupdate /force

returns with both User and Computer policies correctly applied.
BUT checking the effective password policy on the workstation returns the standard Domain policy instead of the modified one (I've only modified the password length to 9).

c:\>net accounts /domain

Min. tra tempo limite e disconnessione imposta:              Mai
Durata minima della password (giorni):                       1
Durata massima della password (giorni):                      42
Lunghezza minima della password:                      ****   7   (instead of 9)
Lunghezza cronologia della password:                         24
Soglia di blocchi:                                           Mai
Durata dei blocchi (minuti):                                 30
Finestra di osservazione dei blocchi (minuti):               30
Ruolo del computer:                                          PRIMARIO
Esecuzione comando riuscita.

I've tried to run samba-tool gpo aclcheck but got this output:

ERROR(<type 'exceptions.KeyError'>): uncaught exception - 'No such element'
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/gpo.py", line 1150, in run
    ds_sd_ndr = m['nTSecurityDescriptor'][0]
Comment 1 Marc Muehlfeld 2014-05-26 22:52:17 UTC
Does the problem still exist with a more recent version of Samba? The early 4.0 versions had some incorrect ACLs.

If you update, please follow
https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs
to fix the ACLs.


Please give short feedback if the problem still exists in a recent version and which one you've tried. Thanks.
Comment 2 alex.braunegg 2014-08-25 21:12:07 UTC
(In reply to comment #1)
> Does the problem still exist with a more recent version of Samba? The early 4.0
> versions had some incorrect ACLs.
> 
> If you update, please follow
> https://wiki.samba.org/index.php/Updating_Samba#Updates_of_early_Samba_4_version_on_Samba_Active_Directory_DCs
> to fix the ACLs.
> 
> 
> Please give short feedback if the problem still exists in a recent version
> and which one you've tried. Thanks.

I have tested with 4.1.11.

Whilst I do not get the samba-tool python issue, I can confirm that the password policy GPO when configured is not applied. Other policy objects are applied, just not the password ones.

Tested the GPOs against Windows XP, Windows 7 and Windows 8 - password complexity requirements, password length, history etc. all remained at the defaults.

This is after double checking all the policies applied.

Whilst not the original submitter of this issue I am able to replicate 100% of the time. Happy to take any feedback as to providing any data for further diagnosis and resolution.
Comment 3 Marc Muehlfeld 2014-08-26 00:13:36 UTC
(In reply to comment #2)
> Whilst I do not get the samba-tool python issue, I can confirm that the
> password policy GPO when configured is not applied. Other policy objects are
> applied, just not the password ones.

Password policies can't be provided via GPO, because they have to be validated on the DCs and Samba doesn't provide GPO support (yet). Currently there's no timeline for when this will be implemented.

See: https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F


You can only define password policies domain-wide via 
# samba-tool domain passwordsettings...
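
Comment 3 means the DC enforces only its own domain-wide settings, so a password GPO that "applies" on the client changes nothing. As an added example (not from this bug report or the Samba project), the shell check below compares `samba-tool domain passwordsettings show` output with a baseline minimum length. The sample output is constructed, and the function names, output labels and the baseline of 9 (the reporter's intended value) are assumptions.

```shell
#!/bin/sh
# Added example: detect drift between the DC's enforced password settings
# and the baseline the administrator believes a GPO has set.

# Constructed sample of `samba-tool domain passwordsettings show` output.
# The labels are assumed; confirm them against your Samba version.
sample_show_output() {
cat <<'EOF'
Password informations for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
EOF
}

# get_setting LABEL: read "Label: value" lines on stdin and print the value.
# Exit status is non-zero when the label is absent.
get_setting() {
    awk -F': ' -v key="$1" '$1 == key { print $2; found = 1; exit }
                            END { exit !found }'
}

# check_min_length WANT: returns 0 if the enforced minimum is at least WANT,
# 1 on drift, 2 when the value cannot be read (never treat that as a pass).
check_min_length() {
    want=$1
    have=$(get_setting 'Minimum password length') || {
        echo "UNKNOWN: 'Minimum password length' not found in input" >&2
        return 2
    }
    case $have in
        ''|*[!0-9]*) echo "UNKNOWN: non-numeric value '$have'" >&2; return 2 ;;
    esac
    if [ "$have" -lt "$want" ]; then
        echo "DRIFT: DC enforces minimum length $have, baseline is $want"
        return 1
    fi
    echo "OK: DC enforces minimum length $have (baseline $want)"
}

# Live use on a DC:  samba-tool domain passwordsettings show | check_min_length 9
# Remediation:       samba-tool domain passwordsettings set --min-pwd-length=9
sample_show_output | check_min_length 9 || true
```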
Comment 4 Stefan Metzmacher 2015-01-05 08:36:34 UTC
Loading GPOs on a DC itself is tracked in bug #6613...
Comment 5 Björn Jacke 2020-01-08 08:40:51 UTC
Not a bug. We even support PSO now.