About ACL

Sassy Natan sassyn at gmail.com
Mon Oct 12 06:33:28 MDT 2009


I will be happy to help.

What do we need to change in S4?
Does this change need to change some parameters in the schema?
Or is this an internal issue?


On Sun, Oct 11, 2009 at 10:43 PM, Matthieu Patou
<mat+Informatique.Samba at matws.net> wrote:
> On 10/11/2009 11:55 PM, Sassy Natan wrote:
>>
>> Hi All
>>
>> Can GPO now control the password age, history etc?
>>
> GPO can control everything on client
>>
>> In Alpha 8, GPO parameters on the Default Domain Policy didn't affect
>> the password systems (which means they were using the default - Complex
>> Password, for example)
>
> These are server-side (or DC-side) parameters; for the moment nothing is done,
> but a set of scripts should already help you to change some of them.
>
> We had a talk once with Mathias about this, tridge also noted it (check
> http://wiki.samba.org/index.php/Samba4_DRS_TODO_List#Group_policies).
> My vision is to use the inotify API (for Linux, and the equivalent on other
> OSes) to watch for creation and/or modification of GPOs, then use libgpo to
> parse them and then update the interesting attributes in the S4 provision
> that need to be updated.
> I'm not sure that everybody shares this vision, feel free to contribute a
> solution!
>
> Matthieu.
>>
>> 10x
>>
>> Sassy
>>
>> On Sun, Oct 11, 2009 at 9:23 PM, Matthieu Patou<mat at matws.net>  wrote:
>>>
>>> Hello Nadya,
>>>
>>> I made a few tests today on GPO and it's back online, good job.
>>> Now that it's working and that I think I found the root cause of rights
>>> problems with GPO (sDrightEffective attribute, see bug 6801), I am starting
>>> to be more picky about the differences between w2kx and s4.
>>>
>>> For some reason it seems that s4 is doing inheritance on ACLs when w2kx
>>> (w2k3 for sure) is not doing it. It's clearly visible in GPMC because there
>>> is a delegation for the Pre Windows 2000 group and Domain Admins group when
>>> there is none in w2k3.
>>>
>>> A deeper analysis of the SDDL shows it more clearly.
>>>
>>> For the moment it does no harm but I think it means that we are now
>>> calculating all the ACL in the correct way and maybe one day it'll bite us
>>> ...
>>>
>>> I attached to this email sddl for s4 and w2k3, I normalized them so that
>>> it's quite easy to see the difference in xxdiff (but any graphical diff
>>> would do).
>>>
>>> Matthieu
>>>
>
>
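
Added example, not part of the original thread or of the attachments it mentions: a normalizer and set-diff for the DACL part of two SDDL strings, so that ACE order and flag/rights token order do not hide real differences such as extra inherited (ID) ACEs. Both SDDL strings are constructed samples, and all function names are hypothetical.

```python
import re

# Constructed sample SDDL for a GPO container; NOT the files attached to the
# thread. The "S4" sample carries two extra ACEs flagged ID (inherited).
W2K3_SDDL = ("O:DAG:DAD:P(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
             "(A;CIIO;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)(A;CI;RPLCLORC;;;AU)")
S4_SDDL = ("O:DAG:DAD:(A;CI;LCRPLORC;;;AU)(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;EA)"
           "(A;IOCI;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)"
           "(A;CIID;RPLCLORC;;;RU)(A;CIID;RPWPCCLCLORCWOWDSDSW;;;DA)")


def _tokens(field):
    """Split a run of two-letter SDDL codes and sort it; keep hex masks whole."""
    if field.startswith("0x"):
        return (field.lower(),)
    return tuple(sorted(field[i:i + 2] for i in range(0, len(field), 2)))


def parse_dacl(sddl):
    """Return (dacl_flags, set of normalized ACE tuples) for the D: part."""
    m = re.search(r"D:([A-Z]*)((?:\([^()]*\))+)", sddl)
    if not m:
        return "", set()
    aces = set()
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        typ, flags, rights, obj, iobj, sid = body.split(";")[:6]
        aces.add((typ, _tokens(flags), _tokens(rights),
                  obj.lower(), iobj.lower(), sid))
    return m.group(1), aces


def diff_dacl(left, right):
    """ACEs found only in left and only in right, independent of ordering."""
    (_, a), (_, b) = parse_dacl(left), parse_dacl(right)
    return sorted(a - b), sorted(b - a)


def inherited(aces):
    """Subset of ACEs carrying the ID (inherited) flag."""
    return [ace for ace in aces if "ID" in ace[1]]


if __name__ == "__main__":
    only_s4, only_w2k3 = diff_dacl(S4_SDDL, W2K3_SDDL)
    print("DACL flags s4/w2k3:", parse_dacl(S4_SDDL)[0] or "-", parse_dacl(W2K3_SDDL)[0] or "-")
    for ace in only_s4:
        print("only in s4:", ace, "(inherited)" if ace in inherited(only_s4) else "")
    for ace in only_w2k3:
        print("only in w2k3:", ace)
```

In the constructed samples the w2k3 DACL carries the `P` (protected) flag and no `ID` ACEs, which is one way the two servers can end up with different delegations on the same object.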

