Group Policy settings are stored in Group Policy Objects (GPO). A GPO consists of the following:

- Group Policy Container: Stored in the directory.
- Group Policy Template: Stored in the SYSVOL SMB volume.
The default configuration of SYSVOL resides in the /etc/samba/smb.conf file:

```ini
[sysvol]
comment = Group Policies
path = /var/opt/novell/xad/sysvol/sysvol
writable = Yes
share modes = No
nt acl support = No
```
The group of security settings in the GPO is called Account Policies and contains the following policies:

- Password Policy
- Account Lockout Policy
- Kerberos Policy
In a Domain Services for Windows domain, the password policies are stored in the container cn=Domain Password Policy,cn=Password Policies,cn=System, <domain root>.
The Password Policy and the Account Lockout Policy are enforced by eDirectory. Neither eDirectory nor the KDC reads the Account Policies settings directly from the GPO.
The Kerberos Policy is enforced by the Kerberos Key Distribution Center (KDC). The eDirectory server enforces only those policies that are stored in its Directory Information Base (DIB). The Kerberos KDC expects the Kerberos Policy to be stored in eDirectory.
The following Account Policies settings are supported:
Table 17-1 GPO and eDirectory Parameter Mapping for Password Policies

| GPO Parameter | eDirectory Parameter |
|---|---|
| Enforce Password History | pwdInHistory |
| Maximum Password Age | passwordExpirationInterval |
| Minimum Password Age | nspmMinPasswordLifetime |
| Minimum Password Length | passwordMinimumLength |
Table 17-2 GPO and eDirectory Parameter Mapping for Account Lockout Policies

| GPO Parameter | eDirectory Parameter |
|---|---|
| Account Lockout Duration | intruderLockoutResetInterval |
| Account Lockout Threshold | loginIntruderLimit |
| Reset Account Lockout Counter After | intruderAttemptResetInterval |
Table 17-3 GPO and eDirectory Parameter Mapping for Kerberos Policies

| GPO Parameter | eDirectory Parameter |
|---|---|
| Maximum Lifetime for User Ticket | maxTicketAge |
| Maximum Lifetime for User Ticket Renewal | maxRenewAge |
The gposync tool synchronizes the policies stored in eDirectory with those in SYSVOL. It is scheduled through the cron service to run every 30 minutes. If the policies stored in eDirectory are newer than the Account Policies in SYSVOL, gposync updates the Account Policies in SYSVOL; if the eDirectory policies are older than the Account Policies maintained in SYSVOL, it updates the policies in eDirectory instead. When you modify the Account Policies in SYSVOL by using the Group Policy Management Console (GPMC), gposync makes the corresponding changes to the policies in eDirectory the next time it runs.

The gposync utility parses all applied GPO policies and synchronizes them to the containers they are linked to. Typical output of the gposync utility on success is as follows:
```text
The list of Group Policies present in the domain dc=multizone,dc=com are: {31B2F340-016D-11D2-945F-00C04FB984F9}
Syncing {31B2F340-016D-11D2-945F-00C04FB984F9} Group Policy
Update NMAS Password Policy Links
Link present at : dc=multizone,dc=com
Group Policy Template is older than NMAS login policy <cn=Domain Password Policy,cn=Password Policies,cn=System,dc=multizone,dc=com>.
DOMAIN\intruderLockoutResetInterval[1800] => System Access\LockoutDuration[30]
DOMAIN\intruderAttemptResetInterval[1800] => System Access\ResetLockoutCount[30]
DOMAIN\loginIntruderLimit[0] => System Access\LockoutBadCount[0]
NMAS\passwordExpirationInterval[3628800] => System Access\MaximumPasswordAge[42]
NMAS->GPO synchronization OK.
```
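The parameter mappings in Tables 17-1 and 17-2 and the unit conversions visible in the gposync output above (1800 seconds becomes 30 minutes, 3628800 seconds becomes 42 days) can be turned into a read-only drift check that tells you whether the two sides still agree between gposync runs. The following Python script is an added example and is not DSfW's gposync code: it parses the [System Access] section of a GptTmpl.inf and compares it with attribute values read from the eDirectory password policy. The eDirectory values and the template text are constructed samples; the seconds-to-minutes and seconds-to-days conversions are inferred from the sample output and are assumptions, as are the MinimumPasswordLength and PasswordHistorySize key names, which are the standard Windows security template keys rather than something this page states.

```python
"""Read-only drift check between eDirectory Account Policy attributes and the
GPO template in SYSVOL, following the gposync mapping. Added example; not
DSfW's own gposync code."""
import configparser

# eDirectory attribute -> (GptTmpl.inf [System Access] key, seconds per GPO unit).
# The first four pairs and their units follow the gposync output in the
# documentation (seconds -> minutes for lockout timers, seconds -> days for
# the password age). The last two use the standard Windows template key names
# and assume eDirectory stores plain counts (assumption, not stated on the page).
MAPPING = {
    "intruderLockoutResetInterval": ("LockoutDuration", 60),
    "intruderAttemptResetInterval": ("ResetLockoutCount", 60),
    "loginIntruderLimit": ("LockoutBadCount", 1),
    "passwordExpirationInterval": ("MaximumPasswordAge", 86400),
    "passwordMinimumLength": ("MinimumPasswordLength", 1),
    "pwdInHistory": ("PasswordHistorySize", 1),
}

# Constructed sample of what an LDAP read of
# cn=Domain Password Policy,cn=Password Policies,cn=System,<domain root> returns.
EDIR_POLICY = {
    "intruderLockoutResetInterval": 1800,   # seconds
    "intruderAttemptResetInterval": 1800,   # seconds
    "loginIntruderLimit": 0,                # 0 = no lockout
    "passwordExpirationInterval": 3628800,  # seconds (42 days)
    "passwordMinimumLength": 7,
    "pwdInHistory": 24,
}

# Constructed sample GptTmpl.inf. Real files in SYSVOL are UTF-16 encoded;
# decode them before passing the text in.
GPT_TMPL = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 7
PasswordHistorySize = 24
LockoutBadCount = 0
ResetLockoutCount = 30
LockoutDuration = 30
[Version]
signature="$CHICAGO$"
Revision=1
"""


def parse_system_access(text):
    """Return the [System Access] section of a GptTmpl.inf as {key: int}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (LockoutDuration, not lockoutduration)
    cp.read_string(text)
    return {key: int(value) for key, value in cp["System Access"].items()}


def edir_to_gpo(attr, value):
    """Translate one eDirectory attribute value into its GPO key and unit."""
    key, seconds_per_unit = MAPPING[attr]
    if value % seconds_per_unit:
        # gposync's output shows whole minutes/days only; flag anything else
        raise ValueError(f"{attr}={value} is not a whole number of GPO units")
    return key, value // seconds_per_unit


def find_drift(edir, gpt_text):
    """List (attribute, GPO key, expected, actual) where the two sides differ."""
    system_access = parse_system_access(gpt_text)
    drift = []
    for attr, value in edir.items():
        if attr not in MAPPING:
            continue
        key, expected = edir_to_gpo(attr, value)
        actual = system_access.get(key)
        if actual != expected:
            drift.append((attr, key, expected, actual))
    return drift


if __name__ == "__main__":
    print("in sync:", find_drift(EDIR_POLICY, GPT_TMPL))
    # Simulate an edit made in GPMC that gposync has not yet picked up.
    edited = GPT_TMPL.replace("LockoutDuration = 30", "LockoutDuration = 60")
    for attr, key, expected, actual in find_drift(EDIR_POLICY, edited):
        print(f"{attr}[{expected}] vs System Access\\{key}[{actual}]")
```

Unlike gposync, which decides by timestamp which side is newer and then writes the other side, this script only reports differences, so it is safe to run from monitoring between the scheduled 30-minute runs; a non-empty result right after a gposync run points at a mapping or unit problem rather than at a pending edit. On a real system the template text comes from the GptTmpl.inf under the GPO's Machine\Microsoft\Windows NT\SecEdit directory in SYSVOL, and the eDirectory side from an LDAP read of the policy container named above.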
DSfW supports computer configuration and user configuration settings in GPOs. You can change the computer configuration settings, such as customizing the start menu, desktop, and Internet Explorer, and the user configuration settings, such as roaming profiles and desktop customization.
If you receive a message indicating that the computer configuration or user configuration is not applicable, do one of the following:

- Verify that winbindd is running and functional. The `getent passwd <username>` command returns information for both local users and domain users. In a DSfW environment, substitute the domain user name for <username>.
- Check the Samba log files in /var/log/samba for errors.