Web lists-archives.com

Re: [Samba] Group Policy Permissions




On 08/14/2018 03:11 PM, Michal Sládek via samba wrote:
Servers runs CentOS 7, workstations run Windows 10 Pro with latest updates.

I use Tranquil repo: http://samba.tranquil.it/centos7/stable/x86_64/

The whole domain is new, no migration, everything was set up according
Samba wiki (which is excellent by the way!)

Look like that repository publish Samba4 DC support since old releases for CentOS, so I think it use the default Heimdal Kerberos based implementation. Too bad there is no Source RPM to check the build.

I asked about Fedora, because Fedora build has the experimental MIT Kerberos support and GPOs for machines is broken on MIT Kerberos based builds https://bugzilla.samba.org/show_bug.cgi?id=13516


Michal



2018-08-14 21:04 GMT+02:00 Robert Marcano via samba <samba@xxxxxxxxxxxxxxx>:

On 08/14/2018 02:52 PM, Michal Sládek via samba wrote:

2018-08-14 20:38 GMT+02:00 Rowland Penny via samba <samba@xxxxxxxxxxxxxxx
:

On Tue, 14 Aug 2018 20:15:04 +0200
Michal Sládek via samba <samba@xxxxxxxxxxxxxxx> wrote:

Thank you for your suggestion, I read the whole discussion.

My situation is little bit different - my machine policy works, but it
stops working once I remove Apply permission from Authenticated Users
and replace it with Read and Apply permission for Domain Computers.

Group Policy Results in RSAT shows Reason Denied: Access Denied
(Security Filtering) for affected computer.

The same result I get with command gpresult /Z /SCOPE COMPUTER:

      The following GPOs were not applied because they were filtered out
      -----------------------------------------------------------
--------
          Import CA Certificates
              Filtering:  Denied (Security)

I don't understand why Domain Computers group is not enough...


That triggered a memory 'MS16-072', see here:

https://support.microsoft.com/en-gb/help/3159398/ms16-072-
description-of-the-security-update-for-group-policy-june-14-2

and here:

https://support.microsoft.com/en-gb/help/3163622/ms16-072-
security-update-for-group-policy-june-14-2016

Also here:

https://social.technet.microsoft.com/Forums/windows/
en-US/dd21b3cc-d000-48a6-8b35-60ffbbb9fda4/errors-after-
ms16072-updates?forum=winserverGP

Rowland


I know about those changes, but they affected only user policies (context
changed from user to computer account while retrieving the policy from
server).

I would appreciate a lot if somebody could test my scenario on Samba AD
domain - create any group policy that affects computer configuration and
set Security Filtering to Domain Computers only.


Fedora?


Michal



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba