5 smb.conf Policies

The purpose of the smb.conf policies is to be able to distribute smb.conf settings to Linux clients. This policy only supports a physical smb.conf file, and currently does not support smb.conf registry settings.

These policies are physically stored on the SYSVOL in the MACHINE/Registry.pol file in the subdirectory of the Group Policy Object. They are stored in registry format, and are difficult to modify manually. See chapter 21 for details on how to manually modify this file.

5.1 Server Side Extension

The Server Side Extension for smb.conf policies is distributed using Administrative Templates (ADMX). Refer to chapter 20 section 20.1.1 for details about Administrative Templates.

Setting up the ADMX templates for this policy is described in chapter 22 section 22.1.

5.1.1 Managing smb.conf Policies via the GPME

After successfully installing the ADMX templates, open the Group Policy Management Editor (GPME). For instructions on accessing the GPME, see chapter 4 section 4.1. For this example, we’re going to enable the apply group policies setting.

  1. In the left pane of the GPME, navigate to Computer Configuration > Policies > Administrative Templates > Samba > smb.conf.

Figure 5.1: smb.conf Server Side Extension (ADMX)

  2. In the right pane, double-click the “apply group policies” policy.

  3. In the “apply group policies” dialog box, click the Enabled option.

  4. Check the box next to “apply group policies”.

  5. Click OK to close the “apply group policies” dialog box.


Figure 5.2: apply group policies Setting

Note: The apply group policies setting instructs Winbind to execute the samba-gpupdate command on the Group Policy interval (every 90 to 120 minutes). This allows you to apply Group Policy updates to Samba clients without having to log off and log back on.

There are many other settings available here, but notice that idmap policies are not. That’s because idmap policies modify the setting name (not just the value), so these couldn’t be included.

5.1.2 Managing smb.conf Policies via samba-tool

Setting an smb.conf Group Policy via samba-tool gpo manage smb_conf is arguably much simpler.

Use the samba-tool gpo manage smb_conf set command, providing the following arguments:

  1. <gpo>: The name of the GPO that you want to modify.

  2. <setting>: The name of the smb.conf setting that you want to set.

  3. <value>: The value that you want to set for the specified setting.

For example, to set the apply group policies setting to yes in the GPO named {31B2F340-016D-11D2-945F-00C04FB984F9}, you would use the following command:

samba-tool gpo manage smb_conf set \
    {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply group policies' yes

If you want to unset a policy, you can omit the <value> argument. For example, to unset the apply group policies setting in the GPO named {31B2F340-016D-11D2-945F-00C04FB984F9}, you would use the following command:

samba-tool gpo manage smb_conf set \
    {31B2F340-016D-11D2-945F-00C04FB984F9} 'apply group policies'

This command does not require the ADMX templates to be installed, and also does not suffer from the same limitation as the GPME for idmap policies.

5.2 Client Side Extension

The smb.conf Client Side Extension (CSE) directly modifies the default smb.conf file. Any custom formatting or comments in the smb.conf file may be overwritten. The CSE will open your existing smb.conf file, read in the current settings, set the settings provided by the GPO, then write the file back to disk. This CSE will only write global smb.conf options.

In the previous section, we enabled the apply group policies smb.conf option. If we now go to our Linux client, and check the Resultant Set of Policy, we see this:

> sudo /usr/sbin/samba-gpupdate --rsop
Resultant Set of Policy
Computer Policy

GPO: Default Domain Policy
=================================================================
  CSE: gp_smb_conf_ext
  -----------------------------------------------------------
    Policy Type: smb.conf
    -----------------------------------------------------------
    [ apply group policies ] = 1
    -----------------------------------------------------------
  -----------------------------------------------------------
=================================================================

If we now force the policy, we’ll see our setting gets applied to the default smb.conf:

> sudo /usr/sbin/samba-gpupdate --force
> diff -u /etc/samba/smb.conf.BAK /etc/samba/smb.conf
--- /etc/samba/smb.conf.BAK
+++ /etc/samba/smb.conf
@@ -1,5 +1,6 @@
 # Global parameters
 [global]
+   apply group policies = Yes
    kerberos method = secrets and keytab
    logon drive = P:
    logon home = \\%L\%U\.9xprofile

If for whatever reason the policy did not apply, it is sometimes helpful to look at the Group Policy Cache, which keeps track of applied policies.

> sudo tdbdump /var/lib/samba/gpo.tdb -k "TESTSYSDM$" \
| sed -r "s/\\\22/\"/g" | sed -r "s/\\\5C/\\\\/g" \
| xmllint --xpath "//gp_ext[@name='smb.conf']" - \
| xmllint --format -
<?xml version="1.0"?>
<gp_ext name="smb.conf">
  <attribute name="apply group policies">yes</attribute>
</gp_ext>

Here, TESTSYSDM$ is the system name. You can see that in our case Samba has recorded applying the Group Policy Object, and that it set apply group policies = yes in our smb.conf.
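The comparison this section makes by eye, between the Resultant Set of Policy and the [global] section of the live smb.conf, can be scripted to spot settings that were not applied or were changed locally afterwards. The following is an added example, not part of Samba: the function names and sample inputs are constructed for illustration, and the parser assumes the `--rsop` text layout shown above. It treats the boolean spellings seen in this section (`1`, `Yes`, `yes`) as equal.

```python
import re

# Constructed samples modelled on the command output shown in this section.
RSOP = """    Policy Type: smb.conf
    [ apply group policies ] = 1
    [ kerberos method ] = secrets and keytab
"""
SMB_CONF = """[global]
   Apply Group Policies = Yes
   kerberos method = secrets only
[share]
   apply group policies = no
"""

# smb.conf ignores case and whitespace in names; booleans are yes/no, true/false, 1/0.
BOOLEANS = {"yes": "yes", "true": "yes", "1": "yes", "no": "no", "false": "no", "0": "no"}

def norm_name(name):
    return "".join(name.split()).lower()

def norm_value(value):
    return BOOLEANS.get(value.strip().lower(), value.strip())

def rsop_smb_conf(rsop_text):
    """Collect '[ name ] = value' lines listed under 'Policy Type: smb.conf'."""
    wanted, active = {}, False
    for line in rsop_text.splitlines():
        kind = re.match(r"\s*Policy Type:\s*(\S+)", line)
        item = re.match(r"\s*\[\s*(.+?)\s*\]\s*=\s*(.*)$", line)
        if kind:
            active = kind.group(1) == "smb.conf"
        elif active and item:
            wanted[norm_name(item.group(1))] = norm_value(item.group(2))
    return wanted

def global_params(conf_text):
    """Read only [global], the one section the CSE writes."""
    live, section = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, _, value = line.partition("=")
            live[norm_name(key)] = norm_value(value)
    return live

def drift(rsop_text, conf_text):
    """Return {name: (wanted, live)} for each policy setting that differs."""
    live, wanted = global_params(conf_text), rsop_smb_conf(rsop_text)
    return {k: (v, live.get(k)) for k, v in wanted.items() if live.get(k) != v}
```

On a real client, pass the output of `samba-gpupdate --rsop` and the contents of /etc/samba/smb.conf to `drift()`; an empty result means every smb.conf policy in the RSoP is present in [global].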