[Samba4] Group policies in AD
Matthias Dieter Wallnöfer
mdw at samba.org
Mon Sep 21 05:49:01 MDT 2009
Hi Matthieu!
Matthieu Patou schrieb:
> On 09/21/2009 02:04 PM, Matthias Dieter Wallnöfer wrote:
>> Hi Andrews,
>>
>> we all know that we made big progress to support GPOs on the (Windows)
>> client side. I added now also the second default group policy for the
>> domain controllers. For now it will not be very import since s4 itself
>> doesn't inherit policies yet (hope that we make some progress here in
>> future - that someone is willing to take this) but so we have it for
>> future use.
>>
> I saw tridge todo on this point.
> I would like that this point can be developed a bit more, I am
> thinking about the server side of policy since a long time now and was
> thinking about a inotify script that would watch the policies
> directory for policy creation and modification. On change this script
> would parse the policy files for changes needed to be done at server
> side (the easiest one that comes to my mind is the validity period for
> password).
>
> Is it this way that is envisioned or is it something completely
> different ?
Ah, you would propose this... I personally thought to use the GPO
library (libgpo) and integrate it in s4 to inherit the GPOs. I think it
would need some work, but it should be worth.
>> Now some restant issues:
>> - We have to be more careful regarding the permissions on the
>> directories and files of them; consider bug #5483:
>> https://bugzilla.samba.org/show_bug.cgi?id=5483
>> - Our default group policies are empty and the one which are shipped
>> with Windows Server are not. They contain templates and files with
>> default settings. So my question here: do we need to open a new file
>> copy permission request (like schema and display specifier files)? I
>> personally think so. It would be nice if MS could ship them as an
>> archive so we could decompress the whole content on provision time.
> The files are available for download from Internet:
> http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en
>
>
> So if we can't get them at least we can clearly propose to users to
> download the adm package.
>
> Matthieu.
Matthias
More information about the samba-technical
mailing list