SYSVOL ACLs (Re: [Release Planning 4.0] Samba 4.0.0rc6 on Tuesday December 4, 2012)

Stefan (metze) Metzmacher metze at samba.org
Tue Dec 4 00:17:10 MST 2012


On 04.12.2012 04:43, Andrew Bartlett wrote:
> On Tue, 2012-11-27 at 10:11 +0100, Karolin Seeger wrote:
>> Hi all,
>>
>> On Tue, Nov 20, 2012 at 09:52:27AM +0100, Karolin Seeger wrote:
>>> this is a reminder that rc6 will be released on Tuesday November 27.
>>> Please make sure to provide/review your patchsets until Sunday November
>>> 25.
>>
>> I would like to propose to delay Samba 4.0.0rc6
>> until Tuesday, December 4.
>> The ACL patches (bugs #8620, #8621 and #7711) need to be finished and
>> reviewed before the last release candidate.
>>
>> https://wiki.samba.org/index.php/Release_Planning_for_Samba_4.0
>> has been updated accordingly. We are going to stick to the final release
>> date (Tuesday, December 11) if possible.
>>
>> Are there any objections?
> 
> Thanks Karolin.  It's been great to see these patches finally land and I
> agree that making an RC without these would not have been helpful.
> 
> We should include something like this in the WHATSNEW, to explain the
> situation:
> 
> In this release candidate, we have a significant number of improvements
> to our Access Control List (ACL) code, particularly for the Active
> Directory Domain Controller, but also in our general purpose file
> server.
> 
> These changes are important, as they enable Group Policy Objects to work
> correctly, allow administrators to impose restrictions on some users
> reading certain parts of the directory and correctly propagating
> inherited ACLs down the LDAP directory tree.
> 
> It is unusual to make such changes so late in the RC series, however we
> felt uncomfortable knowingly releasing Samba 4.0 without having these
> features working.  In particular, this does address the regression in
> Group Policy support seen during the beta series. 
> 
> Users of the Active Directory Domain Controller upgrading from any
> previous release should run 'samba-tool ntacl sysvolreset' to re-sync
> ACLs on the sysvol share with those matching the GPOs in LDAP and the
> defaults from an initial provision.  This will set an underlying POSIX
> ACL if required (eg not using the NTVFS file server).

Thanks, that sounds useful for WHATSNEW.

But please note that I think we should improve our SYSVOL ACL behaviour
a bit further. We still don't match a Windows 2008R2 server.

I think I understand how it works on Windows; I can also explain the
different ACLs on the default policies.

I changed our code to match, but that discovered some additional ACL
bugs in both of our file servers and make test doesn't pass anymore...

See
https://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-ad-acls

metze



More information about the samba-technical mailing list