Some applications use a file backend to store their data; using those applications with different users (having full rights in the NT ACL and rwx in unix) leads to truncated files. One of these applications is the policy editor.

To reproduce the problem:

Create a policy with the domain administrator (Administrator), set the number of days for password expiration (Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy) and save.

Ensure that the domain admins group has full rights on the domain policy folder (\\myadserver.domain\sysvol\domain\Policies).

Set group write right on all files and dirs in the <samba_base_dir>/var/locks/sysvol directory. Ensure that this folder and its subfolders and files are owned by the unix group of the domain users (check idmap.tdb for the group mapping).

Login with a different user who is a member of the domain admins group as well.

Try to modify the same policy (ie. add one more day) and receive an error message.

In my case it's this file: "smb4.tst/Policies/{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit/GptTmpl.inf"

ls "{4c3e9dec-4702-4a69-b9f2-895ec7d5b35b}/Machine/Microsoft/Windows NT/SecEdit"/ -l
-rw-rw-r-- 1 root 3000005 314 2009-04-30 16:45 GptTmpl.inf

The account used is user_adm, which is part of the "domain admins" group, which translates to unix group 3000005.
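A small audit of the preconditions and symptoms described in the report above, added here as an example and not part of the bug report or of Samba itself. It walks a sysvol tree (a constructed sample, with a placeholder GUID) and flags files whose unix group or group permissions do not match the setup above, empty GptTmpl.inf files, and leftover GptTmpl.tmp backups; the helper names are assumptions.

```python
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical audit helper (not Samba code). Reports every entry under the
# sysvol root that is owned by the wrong unix group, lacks group rw (rwx on
# directories), is an empty GptTmpl.inf, or is a stale GptTmpl.tmp backup.
def audit_sysvol(root, expected_gid):
    findings = []
    for path in sorted(Path(root).rglob("*")):
        st = path.lstat()
        rel = str(path.relative_to(root))
        if st.st_gid != expected_gid:
            findings.append((rel, "wrong group"))
        want = stat.S_IRGRP | stat.S_IWGRP
        if stat.S_ISDIR(st.st_mode):
            want |= stat.S_IXGRP
        if (st.st_mode & want) != want:
            findings.append((rel, "group lacks rw/rwx"))
        if path.name == "GptTmpl.inf" and st.st_size == 0:
            findings.append((rel, "empty GptTmpl.inf"))
        if path.name == "GptTmpl.tmp":
            findings.append((rel, "stale GptTmpl.tmp"))
    return findings

# Constructed sample tree mimicking the layout in the report; the GUID is a
# placeholder, not a real GPO id. One file is deliberately left without group
# write, GptTmpl.inf is truncated and a GptTmpl.tmp backup is left behind.
def build_sample(root):
    gpo = Path(root, "Policies", "{GUID-PLACEHOLDER}")
    secedit = gpo / "Machine" / "Microsoft" / "Windows NT" / "SecEdit"
    secedit.mkdir(parents=True)
    (gpo / "GPT.INI").write_text("[General]\nVersion=1\n")
    (secedit / "GptTmpl.inf").write_text("")
    (secedit / "GptTmpl.tmp").write_text("[Unicode]\nUnicode=yes\n")
    for p in Path(root).rglob("*"):
        p.chmod(0o775 if p.is_dir() else 0o664)
    (gpo / "GPT.INI").chmod(0o644)  # group write missing on purpose
    return root

# Builds the sample in a temporary directory and audits it against the group
# that owns the root (stands in for the domain admins gid, 3000005 above).
def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample(tmp)
        return audit_sysvol(root, os.stat(root).st_gid)

if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"{problem}: {rel}")
```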
Created attachment 4190: Tcpdump capture of the exchange while trying to edit policy
Hi Matthieu, I reproduced your bug. It's perfectly valid. I get an error box telling me: "Not saved. Not saved. <GPO path>\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf". In the directory of "GptTmpl.inf" I find the file empty and the old content in a "GptTmpl.tmp" file (which the GPO editor for sure created as a backup). After clicking on "OK", both files are totally cleared. But as said, I marked the bug as "critical" and as "must-have" for the upcoming first beta release (consider the tracking bug). I hope Tridge is able to fix this nasty problem soon (I personally am not skilled to fix file server issues).
smb.conf content:

[globals]
netbios name = test
workgroup = SAMBA4
realm = smb4.tst
server role = domain controller
debug level = 2

[tests]
path = /tmp/tests
read only = no

[netlogon]
path = /usr/local/samba/var/locks/sysvol/smb4.tst/scripts
read only = no

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = no
This has been fixed with git commit 00a8ff5fe9acf965395b99b39b0c24a5517b6e2b. Please test!