[Samba4] Group policies in AD

Matthias Dieter Wallnöfer mdw at samba.org
Mon Sep 21 05:49:01 MDT 2009

Hi Matthieu!

Matthieu Patou wrote:
> On 09/21/2009 02:04 PM, Matthias Dieter Wallnöfer wrote:
>> Hi Andrews,
>> we all know that we made big progress to support GPOs on the (Windows)
>> client side. I added now also the second default group policy for the
>> domain controllers. For now it will not be very important since s4 itself
>> doesn't inherit policies yet (hope that we make some progress here in
>> future - that someone is willing to take this) but so we have it for
>> future use.
> I saw tridge's todo on this point.
> I would like that this point can be developed a bit more, I am 
> thinking about the server side of policy since a long time now and was 
> thinking about an inotify script that would watch the policies
> directory for policy creation and modification. On change this script 
> would parse the policy files for changes needed to be done at server 
> side (the easiest one that comes to my mind is the validity period for 
> password).
> Is it this way that is envisioned or is it something completely
> different?
Ah, you would propose this... I personally thought to use the GPO 
library (libgpo) and integrate it in s4 to inherit the GPOs. I think it 
would need some work, but it should be worth it.
>> Now some remaining issues:
>> - We have to be more careful regarding the permissions on the
>> directories and files of them; consider bug #5483:
>> https://bugzilla.samba.org/show_bug.cgi?id=5483
>> - Our default group policies are empty and the ones which are shipped
>> with Windows Server are not. They contain templates and files with
>> default settings. So my question here: do we need to open a new file
>> copy permission request (like schema and display specifier files)? I
>> personally think so. It would be nice if MS could ship them as an
>> archive so we could decompress the whole content on provision time.
> The files are available for download from Internet: 
> http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
> So if we can't get them at least we can clearly propose to users to 
> download the adm package.
> Matthieu.
