-
Notifications
You must be signed in to change notification settings - Fork 0
/
02-smb-conf.Rmd
135 lines (95 loc) · 6.02 KB
/
02-smb-conf.Rmd
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
# smb.conf Policies {#smbconf}
```{r, echo=FALSE, out.width="30%", fig.align='center'}
knitr::include_graphics("smb-conf-images/smbconf.png")
```
\index{Policies!smb.conf}
The purpose of the smb.conf policies is to be able to distribute smb.conf settings to Linux clients. This policy only supports a physical smb.conf file, and currently does not support smb.conf registry settings.
These policies are physically stored on the SYSVOL in the **MACHINE/Registry.pol** file in the subdirectory of the Group Policy Object. They are stored in registry format, and are difficult to modify manually. See chapter \@ref(regpol) for details on how to manually modify this file.
## Server Side Extension {#smbconf-sse}
The Server Side Extension for smb.conf policies is distributed using Administrative Templates (ADMX). Refer to chapter \@ref(sse) in section \@ref(admx) for details about Administrative Templates.
Setting up the ADMX templates for this policy is described in chapter \@ref(install-admx) section \@ref(install-admx-samba).
\index{Server Side Extensions}
\index{Administrative Templates}
### Managing smb.conf Policies via the GPME
After successfully installing the ADMX templates, open the Group Policy Management Editor (GPME). For instructions on accessing the GPME, see chapter \@ref(manage) section \@ref(gpopen). For this example, we're going to enable the `apply group policies` setting.
1. In the left pane of the GPME, navigate to `Computer Configuration > Policies > Administrative Templates > Samba > smb.conf`.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "smb.conf Server Side Extension (ADMX)"}
knitr::include_graphics("smb-conf-images/gpme.png")
```
2. In the right pane, double-click the "apply group policies" policy.
3. In the "apply group policies" dialog box, click the Enabled option.
4. Check the box next to "apply group policies".
5. Click OK to close the "Apply group policies" dialog box.
```{r, out.width="70%", echo=FALSE, fig.align='center', fig.pos = 'H', fig.cap = "apply group policies Setting"}
knitr::include_graphics("smb-conf-images/setting.png")
```
::: {#info style="color: green;"}
Note: The `apply group policies` setting instructs Winbind to execute the `samba-gpupdate` command on the Group Policy interval (every 90 to 120 minutes). This allows you to apply Group Policy updates to Samba clients without having to log off and log back on.
:::
\index{samba-gpupdate}
\index{Group Policy refresh interval}
There are many other settings available here, but notice that idmap policies are not. That's because idmap policies modify the setting name (not just the value), so these couldn't be included.
### Managing smb.conf Policies via samba-tool
Setting an smb.conf Group Policy via `samba-tool gpo manage smb_conf` is arguably much simpler.
Use the `samba-tool gpo manage smb_conf set` command, providing the following arguments:
1. `<gpo>`: The name of the GPO that you want to modify.
2. `<setting>`: The name of the smb.conf setting that you want to set.
3. `<value>`: The value that you want to set for the specified setting.
For example, to set the `apply gpo policies` setting to `yes` in the GPO named `{31B2F340-016D-11D2-945F-00C04FB984F9}`, you would use the following command:
```sh
samba-tool gpo manage smb_conf set \
{31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies' yes
```
If you want to unset a policy, you can omit the `<value>` argument. For example, to unset the `apply gpo policies` setting in the GPO named `{31B2F340-016D-11D2-945F-00C04FB984F9}`, you would use the following command:
```sh
samba-tool gpo manage smb_conf set \
{31B2F340-016D-11D2-945F-00C04FB984F9} 'apply gpo policies'
```
This command does not require the ADMX templates to be installed, and also does not suffer from the same limitation as the GPME for idmap policies.
## Client Side Extension
The smb.conf Client Side Extension (CSE) directly modifies the default smb.conf file. Any custom formatting or comments in the smb.conf file may be overwritten. The CSE will open your existing smb.conf file, read in the current settings, set the settings provided by the GPO, then write the file back to disk. This CSE will only write `global` smb.conf options.
\index{Client Side Extensions}
In the previous section, we enabled the `apply group policies` smb.conf option. If we now go to our Linux client, and check the Resultant Set of Policy, we see this:
```
> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy
GPO: Default Domain Policy
=================================================================
CSE: gp_smb_conf_ext
-----------------------------------------------------------
Policy Type: smb.conf
-----------------------------------------------------------
[ apply group policies ] = 1
-----------------------------------------------------------
-----------------------------------------------------------
=================================================================
```
\index{Resultant Set of Policy}
If we now force the policy, we'll see our setting gets applied to the default smb.conf:
```
> sudo /usr/sbin/samba-gpupdate --force
> diff -u /etc/samba/smb.conf.BAK /etc/samba/smb.conf
--- /etc/samba/smb.conf.BAK
+++ /etc/samba/smb.conf
@@ -1,5 +1,6 @@
# Global parameters
[global]
+ apply group policies = Yes
kerberos method = secrets and keytab
logon drive = P:
logon home = \\%L\%U\.9xprofile
```
If for whatever reason the policy did not apply, it is sometimes helpful to look at the Group Policy Cache, which keeps track of applied policies.
\index{Group Policy Cache}
```
> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='smb.conf']" - \
| xmllint --format -
<?xml version="1.0"?>
<gp_ext name="smb.conf">
<attribute name="apply group policies">yes</attribute>
</gp_ext>
```
Where **TESTSYSDM$** is the system name. You can see in our case Samba has recorded applying the Group Policy Object, and that it set `apply group policies = yes` in our smb.conf.