SYSVOL ACLs (Re: [Release Planning 4.0] Samba 4.0.0rc6 on Tuesday December 4, 2012)

Stefan (metze) Metzmacher metze at
Tue Dec 4 00:17:10 MST 2012

Am 04.12.2012 04:43, schrieb Andrew Bartlett:
> On Tue, 2012-11-27 at 10:11 +0100, Karolin Seeger wrote:
>> Hi all,
>> On Tue, Nov 20, 2012 at 09:52:27AM +0100, Karolin Seeger wrote:
>>> this is a reminder that rc6 will be released on Tuesday November 27.
>>> Please make sure to provide/review your patchsets until Sunday November
>>> 25.
>> I would like to propose to delay Samba 4.0.0rc6
>> until Tuesday, December 4.
>> The ACL patches (bugs #8620, #8621 and #7711) need to be finished and
>> reviewed before the last release candidate.
>> has been updated accordingly. We are going to stick to the final release
>> date (Tuesday, December 11) if possible.
>> Are there any objections?
> Thanks Karolin.  It's been great to see these patches finally land and I
> agree that making an RC without these would not have been helpful.
> We should include something like this in the WHATSNEW, to explain the
> situation:
> In this release candidate, we have a significant number of improvements
> to our Access Control List (ACL) code, particularly for the Active
> Directory Domain Controller, but also in our general purpose file
> server.
> These changes are important, as they enable Group Policy Objects to work
> correctly, allow administrators to impose restrictions on some users
> reading certain parts of the directory and correctly propagating
> inherited ACLs down the LDAP directory tree.
> It is unusual to make such changes so late in the RC series, however we
> felt uncomfortable knowingly releasing Samba 4.0 without having these
> features working.  In particular, this does address the regression in
> Group Policy support seen during the beta series. 
> Users of the Active Directory Domain Controller upgrading from any
> previous release should run 'samba-tool ntacl sysvolreset' to re-sync
> ACLs on the sysvol share with those matching the GPOs in LDAP and the
> defaults from an initial provision.  This will set an underlying POSIX
> ACL if required (eg not using the NTVFS file server).

Thanks, that sounds useful for WHATNEW.

But please note that I think we should improve our SYSVAL ACL behaviour
a bit
further. We still don't match a Windows 2008R2 server.

I think I understand how it works on Windows I can also explain the
ACLs on the default policies.

I changed our code to match, but that discovered some additional ACL
bugs in both
of our file servers and make test doesn't pass anymore...



-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the samba-technical mailing list