Bug 6756 - Group policy management tool fails to propose to correct incoherent permissions on GPO
Group policy management tool fails to propose to correct incoherent permissio...
Status: RESOLVED FIXED
Product: Samba 4.0
Classification: Unclassified
Component: Other
unspecified
Other Linux
: P3 normal
: ---
Assigned To: Andrew Bartlett
samba4-qa@samba.org
:
Depends on: 6757
Blocks: 6600
  Show dependency treegraph
 
Reported: 2009-09-24 08:12 UTC by Matthieu Patou
Modified: 2009-12-22 05:39 UTC (History)
0 users

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matthieu Patou 2009-09-24 08:12:35 UTC
With samba4 git f8425b73.
According to this article
http://support.microsoft.com/default.aspx?scid=kb;en-us;828760

If GPO permission between ones in the AD and the other in the FS are not coherent then Group policy management should propose you to modify the latter to correct this problem.

Running this tool with the domain administrator give just this message "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO." 

Which means that we do not have enough rights, the security descriptor state of course the opposite: 
O:DOMAIN_SID-512G:S-1-5-2 1-3382745771-3108645516-1830732068-512D:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMAIN_SID-512(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)(A;CIID;RPWPCRCCLCLORCWOWDSDSW;;;BA)(A;CIID;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DOMAIN_SID-519)(A;CIID;LC;;;RU)(A;CIIOID;RPWPCCDCLCLORCWOWDSDDTSW;;;CO)S:(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3 bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)
Comment 1 Matthias Dieter Wallnöfer 2009-09-28 10:57:52 UTC
Is this working now?
Comment 2 Matthieu Patou 2009-10-04 16:01:39 UTC
No still have the message:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. Contact an administrator who has rights to modify security on this GPO.

When we should receive this one:

The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory. It is recommended that these permissions be consistent. To change the permissions in SYSVOL to those in Active Directory, click OK

Note that it's like this since the beginning of S4, it's not a regression.
Comment 3 Matthieu Patou 2009-12-22 05:39:17 UTC
The changeset  56b754e09ad5cd926e1dd0747252b7c359294938 fix this problem.