[Samba4] Group policies in AD

Matthias Dieter Wallnöfer mdw at samba.org
Mon Sep 21 09:16:59 MDT 2009

Hi Matthieu!

Matthieu Patou schrieb:
> Hi Matthias,
>>>> I saw tridge todo on this point.
>>>> I would like that this point can be developed a bit more, I am 
>>>> thinking about the server side of policy since a long time now and 
>>>> was thinking about a inotify script that would watch the policies 
>>>> directory for policy creation and modification. On change this 
>>>> script would parse the policy files for changes needed to be done 
>>>> at server side (the easiest one that comes to my mind is the 
>>>> validity period for password).
>>>> Is it this way that is envisioned or is it something completely 
>>>> different ?
>>> Ah, you would propose this... I personally thought to use the GPO 
>>> library (libgpo) and integrate it in s4 to inherit the GPOs. I think 
>>> it would need some work, but it should be worth.
> I forgot about libgpo, but as far as I know this lib just do the 
> parsing and the storing, but something must still be done to tell it 
> what to care about in the GPO, and in anycase the libgpo must be 
> triggered by something to tell it to (re)parse GPO and so update 
> configuration.
>>>>> Now some restant issues:
>>>>> - We have to be more careful regarding the permissions on the
>>>>> directories and files of them; consider bug #5483:
>>>>> https://bugzilla.samba.org/show_bug.cgi?id=5483
>>>>> - Our default group policies are empty and the one which are shipped
>>>>> with Windows Server are not. They contain templates and files with
>>>>> default settings. So my question here: do we need to open a new file
>>>>> copy permission request (like schema and display specifier files)? I
>>>>> personally think so. It would be nice if MS could ship them as an
>>>>> archive so we could decompress the whole content on provision time.
>>>> The files are available for download from Internet: 
>>>> http://www.microsoft.com/downloads/details.aspx?familyid=92759d4b-7112-4b6c-ad4a-bbf3802a5c9b&displaylang=en 
>> Sorry, I lost to comment about this point. Matthieu, I controlled 
>> those files but have some concerns:
>> - They provide only the ADM templates (that's not everything)
> What else do we need ?
E.g. the directory structure, the "secTmpl.inf" file
>> - They are packed in MSI format (not very useful for us)
>> - The licensing isn't clear for us
> I didn't say that's it's the solution, but mostly a backup solution as 
> it can be used by a SA from an XP/Vista/W2K3/... workstation to 
> install templates. Because I'm far from being sure that we will be 
> allowed to redistribute this (and in any case you need to download 
> Windows 2003/2008 administration pack if you do not have a Windows 2kx 
> server version to access ADCU).
Okay, but the administration pack we don't redistribute with s4. But the 
group policy templates we want to ship.
> Matthieu.


More information about the samba-technical mailing list