Bug 37188

Summary: GPO security filter for domain computers doesn't work
Product: UCS Reporter: Tim Petersen <petersen>
Component: Samba4Assignee: Stefan Gohmann <gohmann>
Status: CLOSED WONTFIX QA Contact: Felix Botner <botner>
Severity: normal    
Priority: P5 CC: gohmann, grandjean, requate
Version: UCS 3.2   
Target Milestone: UCS 3.2-5-errata   
Hardware: Other   
OS: Linux   
What kind of report is it?: --- What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 37101, 37136    
Bug Blocks:    

Description Tim Petersen univentionstaff 2014-12-05 08:07:16 CET 
+++ This bug was initially created as a clone of Bug #37101 +++

Ticket #2014090221000218

With UCS 4.0 and S4 you cannot use the group "Domain Computers" as a security filter - gpresult doesn't "see" the clients as members of the security group and so the gpo is not executed.
In AD Users- and Groups Tool the membership is correct, samba-tool shows it also.


With a native 2012R2 AD, the same thing works like expected. I only saw one difference: UCS 4.0 with Samba 4 uses the english names, the  AD used "Domänencomputer".
But as this is the same for every other relevent naming I don't think that this could be the part in question...


The group itself is shown correctly in S4, also the well know sid (515) is correct.
Comment 1 Stefan Gohmann univentionstaff 2015-04-08 16:48:15 CEST 
First, we will only fix it for UCS 4. If it is a problem, please reopen.
Comment 2 Felix Botner univentionstaff 2015-04-14 09:27:09 CEST 
OK