Samba4 : bug #5483 marked as invalid
manu.b2007 at gmail.com
Mon Aug 4 02:45:34 GMT 2008
I noticed that bug #5483 was marked invalid, this bug still exists.
As reported, when a GPO object is selected, (not a link to a GPO), the Group
Policy Management (version 1.0.2) throws the following :
"The permissions for this GPO in the SYSVOL folder are inconsistent with
those in Active Directory. It is recommended that these permissions be
consistent. Contact an administrator who has rights to modify security on
This happens because GPMC compares NT ACLS of the directories in
"sysvol/Policies" with the "NTSecurityDescriptor" stored in LDAP, in
I already tried to change the NT ACLS on directories in sysvol to make these
identical to those in LDAP, and then avoid this message but never succeeded.
I think more work should be done with NT ACLs handling in Samba4,
particularly, the default ACLs. I looked into the code some time ago and it
doesn't seem very easy.
To demonstrate this error under Windows 2003 server :
Create a GPO, then, change the NT ACLs on the GPO directory in SYSVOL, for
example, delete one entry.
When you will select the GPO object, the message will pop up, with an "Ok"
button, and a "Cancel" one (I think).
If you click "Ok", w2k3 changes the ACLs back to conform values on the
directory and the message don't show up again.
With Samba 4, you only get an "Ok" button but the ACLs are not modified on
the GPO directory.
This is the MS article about this :
I Also found the following glitches :
- The Unix root group is not correctly mapped. (S-1-22-2-0)
A workaround is to chown root:users and set the GID, then the group is
mapped to "Domain Users".
- Also, the ACL inheritance flag seems to be set for any directory and sub
directory of a shared, but inheritance doesn't "take effect". A w2k3 server
won't set the defaults ACLs this way, it uses inheritance, I think.
(not sure that I'm very clear. but, comparing default NT ACLs on a Samba
shared and those in a w2k3 show differences, virtual machines are helpful
These are not really major bugs, but that shows other visible lacks in basic
functionalities, IMHO that might prevent admins to use Samba 4. That's very
unfortunate because I'm quite sure that small or medium organisations might
be very interested to use Samba 4.
I don't claim for anything, I just try kindly to focus on some points ;)
More information about the samba-technical