How-to: Installing Samba & Microsoft ADMX templates on UCS 5.0-x

How to:

These instructions are used to install the Samba templates and new Microsoft templates for Samba so that new GPOs can be created and used.

https://wiki.samba.org/index.php/Group_Policy#Samba_Group_Policies

Step 1: Back up the existing templates on the Primary Node

Create a backup folder for the existing templates.

mkdir ~/univention-support

Then copy the templates into the newly created folder. The path depends on your domain, so you have to adjust it. My domain is miro.intranet.

cp -rp /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/ ~/univention-support/

This creates a backup copy of the existing templates.


Step 2: Unset the cronjob for sysvol on all nodes

The sysvol sync works on all nodes where Samba is installed. If the templates on one node are not the same as on the other nodes, they will be pulled immediately. Therefore, it is important to disable the cronjob on all nodes, otherwise a sync from backup to primary or replica to primary may occur.

Information about the UCR variable (UCRV), as shown by ucr info samba4/sysvol/sync/cron:

samba4/sysvol/sync/cron: */5 * * * *
 This variable configures the time/interval when the Sysvol replication occurs. The format is documented under 'man 5 crontab'.
 Categories: service-samba
 Default: (not set)
 Type: cron

Unset the UCRV with the following command on all nodes:

ucr unset samba4/sysvol/sync/cron


Step 3: Remove the existing templates on all nodes to make a clean install on the Primary Node

Change to the directory where the templates are stored.

cd /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/

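Remove the templates. Make sure the preceding cd succeeded, because rm -rf * deletes everything in the current directory.

rm -rf *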

For example, the output from my Primary Node

root@ucs5primary:/var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions# ls -lah
insgesamt 28K
drwxrwx---+ 2 Administrator Administrators  16K Nov 18 10:59 .
drwxrwx---+ 6 Administrator Administrators 4,0K Nov 15 21:22 ..

Step 4: Install Samba ADMX templates

It is possible to install the templates as described in the Samba wiki.
https://wiki.samba.org/index.php/Group_Policy#Installing_Samba_ADMX_templates

Hint:

If you install the Samba ADMX templates, you MUST also install Microsoft’s ADMX templates, otherwise you will be unable to administer Windows domain members.

This command copies the Samba ADMX templates to the <domain>/Policies/PolicyDefinitions directory on the SYSVOL share.

samba-tool gpo admxload -H ldap:$(hostname -f) -U Administrator


Step 5: Install the Microsoft ADMX templates - Windows 10 October 2022

To install Microsoft’s ADMX templates, download the latest Administrative Templates for your OS version and proceed as described below (the example uses the ADMX templates for Windows 10 October 2022):

https://wiki.samba.org/index.php/Group_Policy#Installing_Microsoft’s_ADMX_templates

Change the directory to univention-support.

cd ~/univention-support

Download the Windows 10 October 2022 Update.msi with the following command on the Primary Node

wget "https://download.microsoft.com/download/c/3/c/c3cd85c0-0785-4cf7-a48e-cdc9b8e20108/Administrative%20Templates%20(.admx)%20for%20Windows%2010%20October%202022%20Update.msi"

Output:

--2024-12-31 11:58:07--  https://download.microsoft.com/download/c/3/c/c3cd85c0-0785-4cf7-a48e-cdc9b8e20108/Administrative%20Templates%20(.admx)%20for%20Windows%2010%20October%202022%20Update.msi
Auflösen des Hostnamens download.microsoft.com (download.microsoft.com)… 23.37.237.201, 2a02:26f0:e200:599::317f, 2a02:26f0:e200:5bc::317f
Verbindungsaufbau zu download.microsoft.com (download.microsoft.com)|23.37.237.201|:443 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 13774848 (13M) [application/octet-stream]
Wird in »Administrative Templates (.admx) for Windows 10 October 2022 Update.msi« gespeichert.

Administrative Templates (.admx) for Windows 10 Octo 100%[=====================================================================================================================>]  13,14M  20,1MB/s    in 0,7s    

2024-12-31 11:58:08 (20,1 MB/s) - »Administrative Templates (.admx) for Windows 10 October 2022 Update.msi« gespeichert [13774848/13774848]

Now install the msitools package so that you can extract the MSI file you downloaded.

The msiextract command can be found in the msitools package on most distributions, including Debian/Ubuntu, RHEL/CentOS, and Arch Linux (in the AUR).

univention-install msitools

Extract the downloaded MSI file. This creates the directory Program Files.

msiextract Administrative\ Templates\ \(.admx\)\ for\ Windows\ 10\ October\ 2022\ Update.msi

root@ucs5primary:~/univention-support/test# ls -lah
insgesamt 14M
drwxr-xr-x 3 root root 4,0K Dez 31 12:09  .
drwxr-xr-x 8 root root 4,0K Dez 31 11:57  ..
-rw-r--r-- 1 root root  14M Okt 19  2022 'Administrative Templates (.admx) for Windows 10 October 2022 Update.msi'
drwxr-xr-x 3 root root 4,0K Dez 31 12:09 'Program Files'

Install the extracted files with the samba-tool and the Administrator account.

samba-tool gpo admxload -U Administrator --admx-dir=Program\ Files/Microsoft\ Group\ Policy/Windows\ 10\ October\ 2022\ Update\ \(22H2\)/PolicyDefinitions/

Hint

The installation may take a while, and you will get the following message, which can be confusing:

Installing ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates.

I found this information directly from samba:
https://lists.samba.org/archive/samba/2021-November/238657.html

Sorry that the message is confusing. The message was added to remind
users to do exactly what you are doing. If you run that command without
--admx-dir, it installs the default samba admx files, which causes RSAT
to only use the admx files on the SYSVOL, ignoring local templates. At
this point, the Windows Administrative templates disappear from RSAT.
I suppose I could try to disable that message when you’re installing the
Windows templates.


Step 6: Install the Microsoft ADMX templates - Windows 11 September 2024

Download the Windows 11 Sep 2024 Update.msi with the following command on the Primary Node

wget "https://download.microsoft.com/download/9/5/b/95be347e-c49e-4ede-a205-467c85eb1674/Administrative%20Templates%20(.admx)%20for%20Windows%2011%20Sep%202024%20Update.msi"

Output:

--2024-12-31 12:58:36--  https://download.microsoft.com/download/9/5/b/95be347e-c49e-4ede-a205-467c85eb1674/Administrative%20Templates%20(.admx)%20for%20Windows%2011%20Sep%202024%20Update.msi
Auflösen des Hostnamens download.microsoft.com (download.microsoft.com)… 23.37.237.201, 2a02:26f0:e200:5bc::317f, 2a02:26f0:e200:599::317f
Verbindungsaufbau zu download.microsoft.com (download.microsoft.com)|23.37.237.201|:443 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 14753792 (14M) [application/octet-stream]
Wird in »Administrative Templates (.admx) for Windows 11 Sep 2024 Update.msi« gespeichert.

Administrative Templates (.admx) for Windows 11 Sep  100%[=====================================================================================================================>]  14,07M  47,3MB/s    in 0,3s    

2024-12-31 12:58:36 (47,3 MB/s) - »Administrative Templates (.admx) for Windows 11 Sep 2024 Update.msi« gespeichert [14753792/14753792]

Extract the downloaded MSI file. This creates the directory Program Files.

msiextract Administrative\ Templates\ \(.admx\)\ for\ Windows\ 11\ Sep\ 2024\ Update.msi

root@ucs5primary:~/univention-support/test# ls -lah
insgesamt 15M
drwxr-xr-x 3 root root 4,0K Dez 31 13:03  .
drwxr-xr-x 8 root root 4,0K Dez 31 11:57  ..
-rw-r--r-- 1 root root  15M Sep 30 12:47 'Administrative Templates (.admx) for Windows 11 Sep 2024 Update.msi'
drwxr-xr-x 3 root root 4,0K Dez 31 13:03 'Program Files'

Install the extracted files with the samba-tool and the Administrator account.

samba-tool gpo admxload -U Administrator --admx-dir=Program\ Files/Microsoft\ Group\ Policy/Windows\ 11\ Sep\ 2024\ Update\ \(24H2\)/PolicyDefinitions/

Password for [MIRO\Administrator]:
Installing ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates.

Step 7: Activate the cronjob for sysvol-sync via UCRV on all nodes.

After the new templates have been successfully installed on the Primary Node under /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/, set the UCRV for the sysvol sync cronjob again on all nodes so that the templates are synchronized to all nodes.

ucr set samba4/sysvol/sync/cron="*/5 * * * *"

Create samba4/sysvol/sync/cron
Multifile: /etc/samba/smb.conf
File: /etc/cron.d/sysvol-sync

Optionally, you can trigger the sync immediately by running the sysvol-sync.sh script:

/usr/share/univention-samba4/scripts/sysvol-sync.sh

Restart the samba service:

/etc/init.d/samba restart

[ ok ] Stopping samba-ad-dc (via systemctl): samba-ad-dc.service.
[ ok ] Stopping nmbd (via systemctl): nmbd.service.
[ ok ] Starting nmbd (via systemctl): nmbd.service.
[ ok ] Starting samba-ad-dc (via systemctl): samba-ad-dc.service.

(Optional) Step 8:

Compare the backup template files with the new ones to see if they are the same. In my case, samba.admx and Gnome_Settings.admx files were in the backups, and the corresponding language files were not in the new templates.

root@ucs5primary:~/univention-support# ls -lah /root/univention-support/PolicyDefinitions/ | grep samba*
-rwxrwx---+  1 Administrator Administrators 228K Nov 15 13:43 samba.admx

root@ucs5primary:~/univention-support# ls -lah /root/univention-support/PolicyDefinitions/ | grep Gnome*
 -rwxrwx---+  1 Administrator Administrators 7,6K Nov 15 13:43 GNOME_Settings.admx
root@ucs5primary:~/univention-support# ls -lah /root/univention-support/PolicyDefinitions/en-US/ | grep samba*
-rwxrwx---+  1 Administrator Administrators 337K Nov 15 13:39 samba.adml

root@ucs5primary:~/univention-support# ls -lah /root/univention-support/PolicyDefinitions/en-US/ | grep Gnome*
-rwxrwx---+ 1 Administrator Administrators 9,4K Nov 15 13:39 GNOME_Settings.adml

You can simply copy the files into the following directories:

/var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/
/var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/en-US/

Commands to copy the templates.

cp /root/univention-support/PolicyDefinitions/samba.admx /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/

cp /root/univention-support/PolicyDefinitions/GNOME_Settings.admx /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/

Copy the language files for the templates.

cp /root/univention-support/PolicyDefinitions/en-US/samba.adml /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/en-US/

cp /root/univention-support/PolicyDefinitions/en-US/GNOME_Settings.adml /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions/en-US/
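
The comparison from Step 8 can be scripted instead of checked file by file with ls and grep. The following is an added example, not part of the original post: the function names are hypothetical, and the demo runs on a constructed directory tree with dummy file contents.

```shell
#!/bin/sh
# Added example: compare the Step 1 backup with the newly populated
# PolicyDefinitions store. Function names are hypothetical.

# List .admx/.adml files below a directory as relative paths, in stable order.
list_templates() (
    cd "$1" || exit 2
    find . -type f \( -name '*.admx' -o -name '*.adml' \) | LC_ALL=C sort
)

# Templates present in the backup but absent from the store (case-sensitive,
# so Gnome_Settings.admx and GNOME_Settings.admx count as different files).
missing_in_store() (
    backup=$1; store=$2
    [ -d "$backup" ] && [ -d "$store" ] || { echo "not a directory" >&2; exit 2; }
    list_templates "$backup" | while IFS= read -r rel; do
        [ -e "$store/$rel" ] || printf '%s\n' "${rel#./}"
    done
)

# Templates present in both trees whose content differs.
changed_in_store() (
    backup=$1; store=$2
    [ -d "$backup" ] && [ -d "$store" ] || { echo "not a directory" >&2; exit 2; }
    list_templates "$backup" | while IFS= read -r rel; do
        if [ -f "$store/$rel" ] && ! cmp -s "$backup/$rel" "$store/$rel"; then
            printf '%s\n' "${rel#./}"
        fi
    done
)

# Demo on a constructed tree: file names follow the post, contents are dummies.
demo() (
    tmp=$(mktemp -d) || exit 1
    mkdir -p "$tmp/backup/en-US" "$tmp/store/en-US"
    for f in samba.admx GNOME_Settings.admx en-US/samba.adml WindowsUpdate.admx; do
        echo "old $f" > "$tmp/backup/$f"
    done
    echo "new WindowsUpdate.admx" > "$tmp/store/WindowsUpdate.admx"
    echo "missing from new store:"; missing_in_store "$tmp/backup" "$tmp/store"
    echo "content changed:";        changed_in_store "$tmp/backup" "$tmp/store"
    rm -rf "$tmp"
)
demo
```

For the real comparison, pass ~/univention-support/PolicyDefinitions as the backup and /var/lib/samba/sysvol/miro.intranet/Policies/PolicyDefinitions as the store.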
