[PATCH] Fix GPOs by fixing 'vfs objects' handling in loadparm (this time for sure...)

Andrew Bartlett abartlet at samba.org
Tue Nov 13 18:55:45 MST 2012

The attached patch fixes up GPO handling for me.  This is what I've been
able to do, with a Windows 7 client running GPMC:

 - as a "Domain Admin" who isn't actually "administrator"
 - create a new group policy
 - assign it to the domain
 - use it to remove the "games" menu and the recycle bin
 - select the default domain policy, and not get any errors

Then I logged in as an unprivileged user, and the policy was correctly

Attached is also a patch to add a "samba-tool gpo aclcheck" tool, which
does much the same ACL check that GPMC does, and can be run remotely.

As you will see in the patch, and particularly if you run testparm
before and after the change to loadparm ensures the [netlogon] and
[sysvol] shares actually use the required VFS modules.

Hopefully this really is the final fix - and it is nice because it shows
at at least some of this was working before August, when I 'tidied this
up', and broke it.  However, I've felt like I was at the end of this
road many times before, and so we will persevere.


Andrew Bartlett
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-s3-param-Handle-setting-default-vfs-objects-in-init_.patch
Type: text/x-patch
Size: 6177 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121114/58c964a7/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-samba-tool-Add-new-samba-tool-gpo-aclcheck-and-test.patch
Type: text/x-patch
Size: 4620 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20121114/58c964a7/attachment-0003.bin>

More information about the samba-technical mailing list