Sysvol replication + GPOs in Samba4

Stefan (metze) Metzmacher metze at
Wed Jan 24 19:00:14 GMT 2007

Hash: SHA1

> OK. If people say 'it is not too hard' then I would like to take my chances
> and at least try to add a group policy support (IMHO the implementation of
> SYSVOL replication doesn't make sense if a group policy is not supported at
> all). And please don't laugh at me - I know the implementation may take
> several months. I don't think I can handle that alone, without your support
> and your contribution, so expect a lot of my questions.
> What I already know about group policy is it depends on working LDAP, DNS,
> SMB and RPC services. At least a client machines (group policy engines) use
> these services to identify, download and apply GPOs. 
> LDAP stores information about sites, domains, OUs and applied GPOs. DNS is
> mainly used to locate a DC. SMB is used to browse SYSVOL and download
> appropriate group policies to the client. It looks like group policies are
> always pulled by the client machine (never pushed by the server), but I'm
> not sure of it. There must be a way to force client machines to refresh
> loaded group polices.
> LDAP and DNS servers must contain some pieces of information and provide
> them to a client machine during its startup and logon to recognize required
> group polices. I hope a protocol sniffer is all what we need to identify a
> group-policy-related communication between a domain controller and a client
> machines.
> Anyway I'd like to know if the following features are already implemented:
> 1) Can I already access SYSVOL share? Is it accessible thru
> \\<domainname>\SYSVOL ? 
> 2) Are LDAP and DNS servers integrated with Samba4 (contain AD related
> information)? If I recall correctly the Samba4 technology previews were
> fully functional AD domain controllers and were properly recognized by
> client machines. Is that correct?

the dns server isn't builtin but we generated a zone file for the Bind9

the SYSVOL and NETLOGON shares should hopefully just normal file shares,
which you need to configure in smb.conf.

LDAP and KRB5 is integrated and hopefully all of the related RPC calls.

So first try to setup a samba4 dc configure the SYSVOL and NETLOGON
shares and then try to join a windows client to it (and record it with

Then go through the wireshark capture and see what LDAP queries failed.
and put the missing LDAP attriutes into the LDAP database (our sam.ldb
via ldbedit or so)

Then retry it and see with what it fails next....

Hopefully it's just a matter of adding LDAP attributes and objects
and filesystem directories and files.

The FRS Replication is a much more complicated thing. We don't know
the protocol yet. We only have this documentation

(FRS Technical Reference)

(How FRS Works)

maybe also join us on the #samba-technical channel on

Version: GnuPG v1.4.2 (GNU/Linux)
Comment: Using GnuPG with SUSE -


More information about the samba-technical mailing list