Samba Winbind Group Policy

Samba version 4.14 will ship with Group Policy for Winbind. The Group Policy offerings are made to be similar to what is offered by proprietary tools, such as Vintela’s and Centrify’s Group Policy.

Group Policy Management Console

Winbind Group Policy provides the ability to distribute smb.conf settings, Sudo Privileges, Message of the Day and Login Prompt messages, and daily, hourly, monthly, or weekly cron jobs.

To enable Group Policy in Winbind, set the global smb.conf option apply group policies to Yes. You can even deploy this setting through the Group Policy smb.conf options, provided you run the apply command manually the first time with sudo samba-gpupdate --force.

In order to use the Samba Administrative Templates in the Group Policy Management Console, you’ll need to install them first, using the command sudo samba-tool gpo admxload -UAdministrator. This uploads the samba.admx template to the joined domain’s SYSVOL share.

Resultant Set of Policy

To see what policies will apply to a machine before applying them (or to view what policies are already applied), run the command sudo samba-gpupdate --rsop.

linux-h7xz:~ # samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
============================================================
  CSE: gp_sec_ext
  ------------------------------
  ------------------------------
  CSE: gp_sec_ext
  ------------------------------
  ------------------------------
  CSE: gp_scripts_ext
  ------------------------------
  ------------------------------
  CSE: gp_sudoers_ext
  ------------------------------
    Policy Type: Sudo Rights
    ------------------------------
    [ tux ALL=(ALL) NOPASSWD: ALL ]
    ------------------------------
  ------------------------------
  CSE: gp_smb_conf_ext
  ------------------------------
    Policy Type: smb.conf
    ------------------------------
    [ apply group policies ] = 1
    [ client max protocol ] = SMB2_02
    ------------------------------
  ------------------------------
  CSE: gp_msgs_ext
  ------------------------------
    Policy Type: /etc/motd
    ------------------------------
This message is distributed by Samba!
    ------------------------------
    Policy Type: /etc/issue
    ------------------------------
Samba Group Policy \s \r \l
    ------------------------------
  ------------------------------
============================================================
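Because --rsop shows what will be applied before samba-gpupdate --force writes anything, it is the natural place for a review step. The following is an added example, not code from Samba or from this article: a small Python parser for the --rsop report in the format shown above (the layout is assumed to be the one printed here), with a review function that pulls out the settings a defender most wants to see before applying, namely passwordless sudo rules and smb.conf changes. The embedded report is a constructed copy of the output above.

```python
import re
from collections import defaultdict

# Constructed sample: the samba-gpupdate --rsop report shown above, with one
# empty CSE block kept to show that the parser tolerates it.
SAMPLE_RSOP = """\
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
============================================================
  CSE: gp_sec_ext
  ------------------------------
  ------------------------------
  CSE: gp_sudoers_ext
  ------------------------------
    Policy Type: Sudo Rights
    ------------------------------
    [ tux ALL=(ALL) NOPASSWD: ALL ]
    ------------------------------
  ------------------------------
  CSE: gp_smb_conf_ext
  ------------------------------
    Policy Type: smb.conf
    ------------------------------
    [ apply group policies ] = 1
    [ client max protocol ] = SMB2_02
    ------------------------------
  ------------------------------
  CSE: gp_msgs_ext
  ------------------------------
    Policy Type: /etc/motd
    ------------------------------
This message is distributed by Samba!
    ------------------------------
  ------------------------------
============================================================
"""

# "[ key ] = value" for smb.conf settings, "[ entry ]" for list entries.
SETTING_RE = re.compile(r"^\[ (?P<key>.*?) \](?: = (?P<value>.*))?$")
# Block headers that open a GPO, a client-side extension, or a policy type.
HEADER_RE = re.compile(r"^(?P<section>GPO|CSE|Policy Type): (?P<name>.+)$")
REPORT_HEADERS = {"Resultant Set of Policy", "Computer Policy", "User Policy"}


def parse_rsop(text):
    """Return {gpo: {cse: {policy_type: [entries]}}} from --rsop output.

    Entries are (key, value) tuples for "[ key ] = value" lines, bare strings
    for "[ entry ]" lines, and raw strings for free text such as a motd body.
    """
    result = defaultdict(lambda: defaultdict(lambda: defaultdict(list)))
    gpo = cse = ptype = None
    for raw in text.splitlines():
        line = raw.strip()
        # Separator rules and the report headers carry no settings.
        if not line or set(line) <= {"=", "-"} or line in REPORT_HEADERS:
            continue
        header = HEADER_RE.match(line)
        if header:
            name = header.group("name").strip()
            if header.group("section") == "GPO":
                gpo, cse, ptype = name, None, None
            elif header.group("section") == "CSE":
                cse, ptype = name, None
            else:
                ptype = name
            continue
        if gpo is None or cse is None or ptype is None:
            continue  # text outside any policy block is ignored
        setting = SETTING_RE.match(line)
        if setting and setting.group("value") is not None:
            result[gpo][cse][ptype].append((setting.group("key"), setting.group("value")))
        elif setting:
            result[gpo][cse][ptype].append(setting.group("key"))
        else:
            result[gpo][cse][ptype].append(line)
    return result


def review(parsed):
    """List findings a reviewer should look at before samba-gpupdate --force:
    every passwordless sudo rule and every smb.conf option the GPO will set."""
    findings = []
    for gpo, cses in parsed.items():
        for rule in cses.get("gp_sudoers_ext", {}).get("Sudo Rights", []):
            if "NOPASSWD" in rule:
                findings.append((gpo, "sudo", "passwordless sudo rule: " + rule))
        for key, value in cses.get("gp_smb_conf_ext", {}).get("smb.conf", []):
            findings.append((gpo, "smb.conf", key + " = " + value))
    return findings


if __name__ == "__main__":
    for gpo, area, detail in review(parse_rsop(SAMPLE_RSOP)):
        print(gpo + " [" + area + "]: " + detail)
```

On a real client, feed `samba-gpupdate --rsop` output to `parse_rsop` (for instance via `subprocess.run(["samba-gpupdate", "--rsop"], capture_output=True, text=True).stdout`) and fail the deployment step if `review` returns anything unexpected.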

smb.conf Policies

smb.conf policies are found in Computer Configuration > Policies > Administrative Templates > Samba > smb.conf. These policies distribute smb.conf global options to the client. They cannot be used to apply idmap settings.

Password and Kerberos Policies

Password and Kerberos policies, found in Computer Configuration > Policies > OS Settings > Security Settings > Account Policy, are only applicable to Samba Domain Controllers.

The following password policies are applicable:

  • Minimum password age
  • Maximum password age
  • Minimum password length
  • Password must meet complexity requirements

And Kerberos policies:

  • Maximum ticket age (Maximum lifetime for user ticket)
  • Maximum service age (Maximum lifetime for service ticket)
  • Maximum renew age (Maximum lifetime for user ticket renewal)

Script Policies

Script policies create cron jobs on client machines which execute the specified commands. Script policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Scripts.

To add a script policy, open the policy, enable it, and click Show. In the dialog that appears, add the command to execute on the client. Click OK, then Apply to save the policy.

Applying a Daily cron job

Script policies are applied as cron jobs on the winbind client.

linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
linux-h7xz:~ # cat /etc/cron.daily/tmp6l0m809i 
#!/bin/sh
whoami > /daily.log

Sudoers Policies

Sudoers policies add sudo rules to client machines. Sudoers policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Sudo Rights.

To add a sudo policy, open the policy, enable it, and click Show. In the dialog that appears, add the sudo rules to the list. Click OK, then Apply to save the policy.

linux-h7xz:~ # /usr/sbin/samba-gpupdate --force
linux-h7xz:~ # cat /etc/sudoers.d/gp_eockoryg

### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#

tux ALL=(ALL) NOPASSWD: ALL
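The generated fragment says not to edit it directly, so the useful check on the client side is whether its contents still match what the GPO is supposed to write. The following is an added example, not code from Samba or from this article: it takes a fragment's name and text, confirms the samba header comment is present, checks that the file name is one sudo's includedir will actually read (sudo skips names containing a dot or ending in a tilde), and reports any rule that was added or removed locally. The fragment text is a constructed copy of the file above; EXPECTED_RULES is an assumed list of what the gp_sudoers_ext policy contains.

```python
# Constructed sample matching the /etc/sudoers.d fragment shown above.
FRAGMENT_NAME = "gp_eockoryg"
FRAGMENT_TEXT = """\

### autogenerated by samba
#
# This file is generated by the gp_sudoers_ext Group Policy
# Client Side Extension. To modify the contents of this file,
# modify the appropriate Group Policy objects which apply
# to this machine. DO NOT MODIFY THIS FILE DIRECTLY.
#

tux ALL=(ALL) NOPASSWD: ALL
"""
# Assumed: the rules the Sudo Rights policy in the GPO is expected to deploy.
EXPECTED_RULES = ["tux ALL=(ALL) NOPASSWD: ALL"]

SAMBA_MARKER = "### autogenerated by samba"


def is_samba_fragment(text):
    """True if the fragment carries the gp_sudoers_ext header comment."""
    return any(line.strip() == SAMBA_MARKER for line in text.splitlines())


def includedir_accepts(name):
    """sudo's includedir ignores files whose name contains '.' or ends in '~',
    so a fragment with such a name is silently never applied."""
    return "." not in name and not name.endswith("~")


def fragment_rules(text):
    """Return the non-blank, non-comment lines of a sudoers fragment.

    Lines beginning with '#' are treated as comments; the samba-generated
    fragment contains no #include directives, so that is safe here.
    """
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.strip().startswith("#")]


def check_fragment(name, text, expected):
    """Compare a deployed fragment with the rules the GPO should have written.

    Any entry in 'extra' or 'missing', or a False flag, means the file drifted
    from Group Policy or will not take effect, and is worth an alert.
    """
    actual = fragment_rules(text)
    return {
        "samba_generated": is_samba_fragment(text),
        "will_be_included": includedir_accepts(name),
        "extra": [rule for rule in actual if rule not in expected],
        "missing": [rule for rule in expected if rule not in actual],
    }


if __name__ == "__main__":
    print(check_fragment(FRAGMENT_NAME, FRAGMENT_TEXT, EXPECTED_RULES))
```

In practice you would iterate over /etc/sudoers.d, run this only on files where `is_samba_fragment` is true, and take the expected rules from the GPO (for example from the `samba-gpupdate --rsop` report) rather than from a hard-coded list.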

Message Policies

Message policies set the contents of the /etc/motd and /etc/issue files on client machines. Message policies are found in Computer Configuration > Policies > Administrative Templates > Samba > Unix Settings > Messages.

To add a message of the day policy, for example, open the policy and enable it. In the text box provided, enter the message you’d like displayed after a successful login.

linux-h7xz:~ # samba-gpupdate
linux-h7xz:~ # cat /etc/motd
This message is distributed by Samba!

To add a login prompt policy, open the ‘Logon Prompt Message’ policy and enable it. In the text box provided, enter the message you’d like displayed before the login prompt. You can use escape sequences supported by the client /etc/issue file.

linux-h7xz:~ # samba-gpupdate
linux-h7xz:~ # cat /etc/issue
Samba Group Policy \s \r \l

For more information about Winbind Group Policy, see the Samba wiki.