[Samba4] Group policies in AD

Matthias Dieter Wallnöfer mdw at samba.org
Mon Sep 21 07:34:56 MDT 2009


Hi Matthieu!

Matthias Dieter Wallnöfer wrote:
> Hi Matthieu!
>
> Matthieu Patou wrote:
>> On 09/21/2009 02:04 PM, Matthias Dieter Wallnöfer wrote:
>>> Hi Andrews,
>>>
>>> we all know that we made big progress to support GPOs on the (Windows)
>>> client side. I added now also the second default group policy for the
>>> domain controllers. For now it will not be very important since s4 itself
>>> doesn't inherit policies yet (hope that we make some progress here in
>>> future - that someone is willing to take this) but so we have it for
>>> future use.
>>>
>> I saw tridge todo on this point.
>> I would like that this point can be developed a bit more, I am 
>> thinking about the server side of policy since a long time now and 
>> was thinking about an inotify script that would watch the policies 
>> directory for policy creation and modification. On change this script 
>> would parse the policy files for changes needed to be done at server 
>> side (the easiest one that comes to my mind is the validity period 
>> for password).
>>
>> Is it this way that is envisioned or is it something completely 
>> different?
> Ah, you would propose this... I personally thought to use the GPO 
> library (libgpo) and integrate it in s4 to inherit the GPOs. I think 
> it would need some work, but it should be worth it.
>>> Now some remaining issues:
>>> - We have to be more careful regarding the permissions on the
>>> directories and files of them; consider bug #5483:
>>> https://bugzilla.samba.org/show_bug.cgi?id=5483
>>> - Our default group policies are empty and the ones which are shipped
>>> with Windows Server are not. They contain templates and files with
>>> default settings. So my question here: do we need to open a new file
>>> copy permission request (like schema and display specifier files)? I
>>> personally think so. It would be nice if MS could ship them as an
>>> archive so we could decompress the whole content on provision time.
>> The files are available for download from the Internet: 
>> http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en
Sorry, I forgot to comment on this point. Matthieu, I checked those 
files but have some concerns:
- They provide only the ADM templates (that's not everything)
- They are packed in MSI format (not very useful for us)
- The licensing isn't clear for us
>>
>> So if we can't get them at least we can clearly propose to users to 
>> download the adm package.
>>
>> Matthieu.
> Matthias
Matthias