[Samba4] Group policies in AD

Matthieu Patou mat+Informatique.Samba at matws.net
Mon Sep 21 08:49:22 MDT 2009


Hi Matthias,
>>> I saw tridge todo on this point.
>>> I would like that this point can be developed a bit more, I am 
>>> thinking about the server side of policy since a long time now and 
>>> was thinking about an inotify script that would watch the policies 
>>> directory for policy creation and modification. On change this 
>>> script would parse the policy files for changes needed to be done at 
>>> server side (the easiest one that comes to my mind is the validity 
>>> period for password).
>>>
>>> Is it this way that is envisioned or is it something completely 
>>> different?
>> Ah, you would propose this... I personally thought to use the GPO 
>> library (libgpo) and integrate it in s4 to inherit the GPOs. I think 
>> it would need some work, but it should be worth.
I forgot about libgpo, but as far as I know this lib just does the parsing 
and the storing, but something must still be done to tell it what to 
care about in the GPO, and in any case libgpo must be triggered by 
something to tell it to (re)parse the GPO and so update the configuration.
>>>> Now some restant issues:
>>>> - We have to be more careful regarding the permissions on the
>>>> directories and files of them; consider bug #5483:
>>>> https://bugzilla.samba.org/show_bug.cgi?id=5483
>>>> - Our default group policies are empty and the ones which are shipped
>>>> with Windows Server are not. They contain templates and files with
>>>> default settings. So my question here: do we need to open a new file
>>>> copy permission request (like schema and display specifier files)? I
>>>> personally think so. It would be nice if MS could ship them as an
>>>> archive so we could decompress the whole content on provision time.
>>> The files are available for download from Internet: 
>>> http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
>>>
> Sorry, I lost to comment about this point. Matthieu, I controlled 
> those files but have some concerns:
> - They provide only the ADM templates (that's not everything)
What else do we need?
> - They are packed in MSI format (not very useful for us)
> - The licensing isn't clear for us
I didn't say that it's the solution, but mostly a backup solution as 
it can be used by a SA from an XP/Vista/W2K3/... workstation to install 
templates. Because I'm far from being sure that we will be allowed to 
redistribute this (and in any case you need to download Windows 
2003/2008 administration pack if you do not have a Windows 2kx server 
version to access ADCU).

Matthieu.
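
The server-side idea discussed in this message (something has to notice that a policy changed and then re-read the settings the server cares about, such as the password validity period), sketched as an added example that is not part of the original post and is not Samba or libgpo code. It polls instead of using inotify, and it assumes the usual Windows on-disk layout, which the thread does not spell out: a `GPT.INI` with a `[General]` `Version` counter in each GPO directory, and password settings in the `[System Access]` section of `GptTmpl.inf`. The GPO name and values are constructed sample data.

```python
import configparser
import tempfile
from pathlib import Path

# Assumed layout (not given in the thread): <root>/<GPO>/GPT.INI carries a
# [General] Version counter; password policy sits in [System Access] of:
TEMPLATE = Path("MACHINE", "Microsoft", "Windows NT", "SecEdit", "GptTmpl.inf")
WANTED = ("MaximumPasswordAge", "MinimumPasswordAge", "MinimumPasswordLength")

def read_ini(path):
    """Parse an INI-style policy file; GptTmpl.inf is often UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    utf16 = raw.startswith((b"\xff\xfe", b"\xfe\xff"))
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(raw.decode("utf-16" if utf16 else "utf-8-sig", errors="replace"))
    return cp

def scan_policies(root, seen):
    """Return {gpo: settings} for GPOs whose version differs from seen[gpo]."""
    changed = {}
    for gpo in sorted(p for p in Path(root).iterdir() if (p / "GPT.INI").is_file()):
        version = read_ini(gpo / "GPT.INI").getint("General", "Version", fallback=0)
        if seen.get(gpo.name) == version:
            continue  # unchanged since the previous pass
        seen[gpo.name] = version
        settings = {}
        if (gpo / TEMPLATE).is_file():
            cp = read_ini(gpo / TEMPLATE)
            for key in WANTED:
                if cp.has_option("System Access", key):
                    settings[key] = int(cp.get("System Access", key))
        changed[gpo.name] = settings
    return changed

def write_sample(root, name, version, max_age):
    """Build one constructed GPO directory (sample data, not a real policy)."""
    gpo = Path(root, name)
    (gpo / TEMPLATE).parent.mkdir(parents=True, exist_ok=True)
    (gpo / "GPT.INI").write_text("[General]\nVersion=%d\n" % version)
    (gpo / TEMPLATE).write_text(
        "[Unicode]\nUnicode=yes\n[System Access]\nMaximumPasswordAge = %d\n" % max_age,
        encoding="utf-16")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        write_sample(root, "{GPO-EXAMPLE}", 1, 42)
        print(scan_policies(root, {}))
```

A GPO whose version changed but which has no security template is reported with an empty settings dict, so the caller can tell "changed, nothing relevant" apart from "unchanged".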

