Status on GPO ACLs

Andrew Bartlett abartlet at samba.org
Mon Nov 5 04:13:05 MST 2012


The status for me on GPO ACLs is that I've written more tests (attached
for the curious), but they are not ready as they don't pass make test.

The new code is a 'samba-tool gpo aclcheck' command.  It is very much
the same idea as 'samba-tool ntacl sysvolcheck', but remote, and so can
be run against Windows.

The more serious issue is that while they almost pass in Samba4, they don't
even come close on Windows 2008R2.  They show that everything I thought
I knew about GPO ACLs I don't know - the dsacl2fsacl function is not
what happens on a Windows DC, at least for the default group policy at
install time.

I need to play around more, but in short I need to understand the
requirements here much better before I proceed on any more work to 'fix'
the code any further.

Andrew Bartlett
-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-samba-tool-Add-new-samba-tool-gpo-aclcheck-and-test.patch
Type: text/x-patch
Size: 4702 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121105/089e9687/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pysmb-Ask-for-SEC_FLAG_SYSTEM_SECURITY-in-case-we-wa.patch
Type: text/x-patch
Size: 1000 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121105/089e9687/attachment-0001.bin>

