About ACL
Matthieu Patou
mat at matws.net
Sun Oct 11 13:23:26 MDT 2009
Hello Nadya,
I made a few tests today on GPO and it's back online, good job.
Now that it's working and that I think I found the root cause of
rights problems with GPO (sDRightsEffective attribute, see bug 6801), I am
starting to be more picky about the differences between w2kx and s4.
For some reason it seems that s4 is doing inheritance on ACLs when w2kx
(w2k3 for sure) is not doing it. It's clearly visible in GPMC because
there is a delegation for Pre Windows 2000 group and Domain Admins
group when there is none in w2k3.
A deeper analysis on SDDL shows it more clearly.
For the moment it does no harm but I think it means that we are now
calculating all the ACL in the correct way and maybe one day it'll bite
us ...
I attached to this email sddl for s4 and w2k3, I normalized them so that
it's quite easy to see the difference in xxdiff (but any graphical diff
would do).
Matthieu
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: s4_acl
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091011/b78234df/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: w2k3_acl
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20091011/b78234df/attachment-0001.ksh>
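The SDDL comparison described in the message above, as an added example that is not part of the original email and is not Samba code. It normalizes two descriptors and lists the ACEs carrying the inherited (`ID`) flag that appear on only one side. The two SDDL strings are constructed samples, not the scrubbed attachments, and the function names `pairs`, `parse_dacl` and `compare` are hypothetical.

```python
import re

# Constructed sample descriptors (assumption: NOT the attachments from the email).
W2K3_SDDL = "O:DAG:DAD:(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)(A;CI;RPLCLORC;;;AU)"
S4_SDDL = ("O:DAG:DAD:(A;CI;LCRPLORC;;;AU)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
           "(A;CIID;RPLCLORC;;;RU)(A;IDCI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)")

def pairs(field):
    """Split a run of two-letter SDDL tokens ("IDCI") into a sorted tuple."""
    if field.startswith("0x"):          # numeric access mask: keep verbatim
        return (field,)
    return tuple(sorted(field[i:i + 2] for i in range(0, len(field), 2)))

def parse_dacl(sddl):
    """Return (dacl_flags, set_of_normalized_aces) for the D: part of an SDDL string.

    An ACE is (type;flags;rights;object_guid;inherit_object_guid;trustee).
    Conditional ACEs, which contain nested parentheses, are not handled.
    """
    m = re.search(r"D:([A-Z]*)((?:\([^)]*\))+)", sddl)
    if not m:
        return "", set()
    aces = set()
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        typ, flags, rights, obj, inh_obj, sid = body.split(";")[:6]
        aces.add((typ, pairs(flags), pairs(rights), obj, inh_obj, sid))
    return m.group(1), aces

def compare(ref_sddl, other_sddl):
    """Diff two DACLs after normalization. ACE order is ignored on purpose,
    so this shows which ACEs differ, not whether their order is canonical."""
    ref_flags, ref = parse_dacl(ref_sddl)
    oth_flags, oth = parse_dacl(other_sddl)
    extra = oth - ref
    return {
        "dacl_flags": (ref_flags, oth_flags),
        "only_in_ref": sorted(ref - oth),
        "only_in_other": sorted(extra),
        # trustees of ACEs marked inherited (ID) that the reference lacks
        "inherited_only_in_other": sorted({a[5] for a in extra if "ID" in a[1]}),
    }

if __name__ == "__main__":
    result = compare(W2K3_SDDL, S4_SDDL)
    for ace in result["only_in_other"]:
        print("only in s4 sample:", ace)
    print("inherited trustees:", result["inherited_only_in_other"])
```

In SDDL, `RU` is the alias for the Pre-Windows 2000 Compatible Access group and `DA` for Domain Admins, the two trustees the message reports as extra delegations in GPMC.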