[cifs-protocol] [REG:110051073884304] RE: About GPMC and ACLs

Matthieu Patou mat at samba.org
Fri Jul 30 11:05:35 MDT 2010


  Hongwei,

On 20/06/2010 08:25, Hongwei Sun wrote:
> Matthieu,
>
>     I will be on vacation from Wednesday (06/22) until July 22.  We can either archive it until I come back or I can transfer the case to one of my teammates.  Please let me know what you prefer.
>
> Thanks!
>
> Hongwei
>
I don't know if I wrote you about this, but I still have the problem with
GPMC even when using the version that you indicated.


Matthieu
> -----Original Message-----
> From: Matthieu Patou [mailto:mat at samba.org]
> Sent: Saturday, June 19, 2010 3:48 PM
> To: Hongwei Sun
> Cc: pfif at tridgell.net; cifs-protocol at samba.org; MSSolve Case Email
> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
>
> Hi Hongwei,
>
> Sorry, I didn't have the time for this, and next week doesn't seem a good one either; can you re-ping me next Monday (28th)?
>
> Regards.
> Matthieu.
> On 19/06/2010 03:59, Hongwei Sun wrote:
>> Matthieu,
>>
>>     Do you have any update for this topic?  If you don't have time to look at this issue, I may archive this case and we may visit it again after I come back from my vacation in July.  I am leaving after next Tuesday.  If you prefer, I can also transfer this case to one of my team members to continue the investigation.
>>
>> Thanks!
>>
>> Hongwei
>>
>>
>> -----Original Message-----
>> From: Hongwei Sun
>> Sent: Thursday, June 10, 2010 6:05 PM
>> To: 'mat at samba.org'; pfif at tridgell.net; cifs-protocol at samba.org
>> Cc: MSSolve Case Email
>> Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
>>
>> Hi, Matthieu,
>>
>>      I have downloaded the GPMC with SP1 from the following link http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en and installed it on an XP machine.  I ran the same test by opening a GPO on a Windows 2008 DC from GPMC in XP.  The attached network trace shows that the tool never queried the security descriptor of the main policy folder.  I cannot find the query in code either.  Could you verify if you are using the same GPMC download as I used?  And it will be good if you can run GPMC against a Windows DC to see if you can see the same behavior.
>>
>>     Please let me know.
>>
>> Thanks!
>>
>> Hongwei
>>
>>
>> -----Original Message-----
>> From: Matthieu Patou [mailto:mat at samba.org]
>> Sent: Wednesday, June 02, 2010 3:35 AM
>> To: Hongwei Sun; pfif at tridgell.net; cifs-protocol at samba.org
>> Cc: MSSolve Case Email
>> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
>>
>> Hello Hongwei,
>>
>> It's downloaded from the internet, as the one which comes with the administration pack is "limited".
>>
>> Version seems to be 1.0.2 (from GPMC.msc then help then about group policy management).
>>
>> Matthieu.
>> On 02/06/2010 02:59, Hongwei Sun wrote:
>>
>>> Matthieu,
>>>
>>>      Any update?
>>>
>>> Thanks!
>>>
>>> Hongwei
>>>
>>> -----Original Message-----
>>> From: Hongwei Sun
>>> Sent: Wednesday, May 26, 2010 6:01 PM
>>> To: 'Matthieu Patou'
>>> Cc: MSSolve Case Email
>>> Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
>>>
>>> Matthieu,
>>>
>>>       I spent some time investigating the behavior you reported.  I created multiple Windows DCs (Windows 2008 and Windows 2008 R2) and used GPMC to open policies on remote DCs.  From the network captures, I don't see any SMB packet for querying the SecurityDescriptor of the {Domain}\Policy folder.  It only checks the individual policy folder.  As I understand, Windows XP doesn't include the GPMC tool by default and the user has to install it.  Which version of the GPMC tool are you using?  Could you find the version number from the "Help" menu?
>>>
>>>      Also, could you run GPMC from a Windows 2008 or Windows 2008 R2 machine to see if there is any difference?
>>>
>>> Thanks!
>>>
>>> Hongwei
>>>
>>>
>>> -----Original Message-----
>>> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
>>> Sent: Saturday, May 15, 2010 5:11 AM
>>> To: Hongwei Sun
>>> Cc: MSSolve Case Email
>>> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
>>>
>>> On 15/05/2010 07:19, Hongwei Sun wrote:
>>>
>>>
>>>> Matthieu,
>>>>
>>>>        It takes a while to get back to normal after the travel headache on my way back to the U.S.  I spent some time double-checking the logic used for checking DS/FS ACL consistency again.  I still didn't see the SD of the SYSVOL\policies folder being checked explicitly in the logic.  Only the SYSVOL\Policies\{GUID} is queried explicitly and used in the logic.  I suspect that it is queried for some other reason.  I will have to set up the environment to repro the SMB traffic and debug further.  What OS do you use for the testing in the trace?
>>>>
>>>>
>>>>
>>>>
>>> It was Windows XP SP2.
>>> Did you see in the trace that there is somehow an SMB call to get the
>>> NTACLs of <domain>\Policies?
>>> Also, I'm not sure it's present in this trace, but I had one (lost
>>> because stored in /tmp) when I hit "OK please correct the rotten acls"
>>> that showed that GPMC was trying to set several ACLs on the GPO
>>> folder (rather different ones from the previous one).
>>>
>>> Matthieu.
>>>
>>>
>>>> Thanks!
>>>>
>>>> Hongwei
>>>>
>>>> -----Original Message-----
>>>> From: Matthieu Patou [mailto:mat+Informatique.Samba at matws.net]
>>>> Sent: Thursday, May 06, 2010 5:09 PM
>>>> To: Hongwei Sun
>>>> Subject: About GPMC and ACLs
>>>>
>>>> Hongwei,
>>>>
>>>> Here is the capture,
>>>>
>>>> The most interesting is from packet 873, when I retry to click on a newly created GPO.
>>>> At packet 1025 I receive the message that there is a mismatch and I click OK to get it fixed.
>>>>
>>>> The capture ends when the data flow stops.
>>>>
>>>> As I told you, at packet 1101 and packet 1119 you can see that Windows tries to put two different ACLs (at least != number of ACEs but there is one on S-1-3-0 also).
>>>>
>>>> We can see in the capture that around the moment that GPMC is checking the DS/FS ACL consistency, it also has a look at the <domain>\Policies folder.
>>>>
>>>> Regards.
>>>>
>>>> Matthieu.
>>>>
>>>>
>>>>
>>>
>> --
>> Matthieu Patou
>> Samba Team        http://samba.org
>>
>>
>>
>
> --
> Matthieu Patou
> Samba Team        http://samba.org
>
>


-- 
Matthieu Patou
Samba Team        http://samba.org


