-
Notifications
You must be signed in to change notification settings - Fork 0
/
21-policy-application.Rmd
123 lines (83 loc) · 5.37 KB
/
21-policy-application.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
# Automatic Policy Refresh {#policy-refresh}
The `samba-gpupdate` command is typically executed on a regular interval between 90 and 120 minutes in order to ensure that all policy settings are up to date. This interval is known as the Group Policy refresh interval.
\index{Group Policy refresh interval}
There are two main ways that the `samba-gpupdate` command can be executed automatically on a regular basis: via winbind or by oddjob-gpupdate. Regardless of which method is used, the `samba-gpupdate` command is automatically executed on a regular basis to ensure that all policy settings are up to date. This helps to ensure that all users and computers in the network are following the same set of policies and helps to prevent issues with policy inconsistencies.
## The samba-gpupdate command {#samba-gpupdate}
The `samba-gpupdate` command is used to refresh Group Policy settings on an Active Directory domain member. Group Policy allows an administrator to specify settings for users and computers in an Active Directory domain. When these settings are changed, the `samba-gpupdate` command can be used to apply the changes on the domain member.
\index{samba-gpupdate}
To use the `samba-gpupdate` command, open a terminal window and simply type the following:
```shell
samba-gpupdate
```
This will refresh all Group Policy settings on the local machine. You can also specify specific options to refresh only certain settings. For example, to refresh only the computer settings, you can use the `--force` option:
```shell
samba-gpupdate --force
```
To refresh only the user settings, use the `--force` option combined with the `--target` and `-U` options to specify the user:
```shell
samba-gpupdate --force --target=User -U tux
```
To unapply Group Policy settings, you can use the `--unapply` option:
```shell
samba-gpupdate --unapply
```
To print the Resultant Set of Policy (RSOP) for a particular target, you can use the `--rsop` option:
```shell
samba-gpupdate --rsop --target=Computer
```
It is important to note that the `samba-gpupdate` command can only be used on a machine that is a member of an Active Directory domain. It will not work on a standalone machine or on a machine that is part of a different type of domain.
## Automatic Policy Refresh via winbind {#winbind-refresh}
To configure winbind Automatic Policy Refresh, you will set the `apply group policies` smb.conf parameter.
\index{winbind}
To set this parameter manually, you will need to add the following line to the `global` section of the smb.conf file:
```ini
apply group policies = Yes
```
This will enable winbind to automatically apply Group Policy settings on the *Group Policy refresh interval*.
\index{Group Policy refresh interval}
Alternatively, you can deploy this setting automatically using smb.conf Group Policies. See chapter \@ref(smbconf) section \@ref(smbconf-sse) for instructions how to deploy this setting via Group Policy. The `samba-gpupdate` command will need to be executed manually to deploy this setting the first time.
## Automatic Policy Refresh via SSSD {#sssd-refresh}
Using oddjob-gpupdate to provide Automatic Policy Refresh allows you to run Samba's Group Policy with the System Security Services Daemon (SSSD). SSSD is a system service that provides access to remote identity and authentication providers, such as Active Directory.
\index{SSSD}
::: {#warn style="color: red;"}
The pairing of Samba's Group Policy with SSSD is not supported by either the Samba team or the SSSD team. This configuration has been known to work with some versions of Samba and SSSD, but is not widely tested and has been known to break. If in doubt, use Winbind instead.
:::
### Setting up SSSD
Join the domain using SSSD via any standard method, for example with realmd:
```shell
sudo realm join example.com
```
Next set the option `ad_update_samba_machine_account_password` in the domain section of /etc/sssd/sssd.conf to `true` and restart sssd.
Finally, create a simple smb.conf and call `net ads join` to create the secrets.tdb for samba (which will be updated by SSSD).
```ini
[global]
idmap config * : backend = tdb
idmap config * : range = 10000-20000
idmap config dmm : backend = rid
idmap config dmm : range = 20001-99999
kerberos method = secrets and keytab
security = ADS
usershare allow guests = No
workgroup = EXAMPLE
realm = example.com
```
```shell
sudo kinit Administrator
sudo net ads join -k
```
### Configuring policy refresh
To install oddjob-gpupdate, you'll need to find the appropriate packages for your distribution. In openSUSE, for example, you can install oddjob-gpupdate via:
```shell
sudo zypper in oddjob oddjob-gpupdate
```
Some distributions may not have oddjob-gpupdate packaged, in which case you can build the sources from https://github.com/openSUSE/oddjob-gpupdate.
::: {#warn style="color: red;"}
Beware that the package named *oddjob-gpupdate* in the ALT Linux distribution *is not the correct package*. This package is meant for Group Policy application using ALT Linux's custom Group Policy implementation.
:::
After installing oddjob-gpupdate, you can start and enable the oddjob service to begin refreshing policy.
```shell
sudo systemctl enable oddjobd
sudo systemctl start oddjobd
```
Once the oddjobd service is running, it will automatically execute the oddjob-gpupdate command on the *Group Policy refresh interval* to update user and computer Group Policies.
\index{Group Policy refresh interval}