Created attachment 13621 [details] Proposed patch for master (needs bugID adding). From "Lutz Justen" <ljusten@google.com> The patches make sure that the order of GPOs in net ads gpo list matches the expected application order: - Local first, then site GPOs, then domain GPOs, then OU GPOs. - Domains and OUs: parent-to-child. - GPOs within same domain/OU: Link order. - Enforced GPOs are applied last, so they override all non-enforced GPOs. I don't know if net ads gpo list was supposed to list GPOs in the proper order, but our code depends on it. I didn't see any other place outside of ads_get_gpo_list where Samba is making sure that GPOs are applied in the right order.
Comment on attachment 13621 [details] Proposed patch for master (needs bugID adding). Patch is bad. As Lutz pointed out: Concerning your patch, I've found an issue: This loop will iterate forever since i is unsigned, so i-- will wrap to (uint32_t)-1 once it reaches 0: uint32_t i; for (i = gp_link->num_links - 1; i >= 0; i--) { Thus, i needs to be int and num_links has to be casted to int, anyway, and the check for num_links==0 is unnecessary. Other than that, it looks OK.
Created attachment 13625 [details] Updated git-am patch for master with loop termination fix.
Comment on attachment 13625 [details] Updated git-am patch for master with loop termination fix. Looks good, pushed to autobuild (with one cosmetic correction)
Created attachment 13647 [details] git-am fix for 4.7.next, 4.6.next. Cherry-pick from what went into master.
Comment on attachment 13647 [details] git-am fix for 4.7.next, 4.6.next. LGTM
Karolin, please add to 4.7 and 4.6. Thanks!
(In reply to Guenther Deschner from comment #6) Pushed to autobuild-v4-{7,6}-test.
(In reply to Karolin Seeger from comment #7) Pushed to both branches. Closing out bug report. Thanks!