Bug 9342 - Sysvol ACLs have regressed on the AD DC
Summary: Sysvol ACLs have regressed on the AD DC
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: 4.0.0rc4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jeremy Allison
QA Contact: Samba QA Contact
: 9140 (view as bug list)
Depends on: 9160 9284 9355 9381 9383 9406
Blocks: 9207 8622 9202 9313
  Show dependency treegraph
Reported: 2012-10-30 11:44 UTC by Andrew Bartlett
Modified: 2012-12-04 11:12 UTC (History)
3 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2012-10-30 11:44:23 UTC
If we don't get this sorted out, we may have to recommend the ntvfs file server instead.  

We have numerous reports from users that either the posix ACL is unusable or the NT ACL is incorrect or unable to be set to the right value.
Comment 1 Michael Adam 2012-10-30 12:04:47 UTC
Nice bug report! ;)

Andrew, could you provide a some more technical background and dump a summary here, of what fails and how, since I have to admit that I did not follow the various mail threads about this issue closely enough...

Thanks - Michael
Comment 2 Michael Adam 2012-11-06 10:10:39 UTC
I am still waiting for a slightly more detailed description of this issue. :-)
Comment 3 Stefan Metzmacher 2012-11-07 12:05:36 UTC
*** Bug 9140 has been marked as a duplicate of this bug. ***
Comment 4 Andrew Bartlett 2012-11-12 09:37:06 UTC
So, some of the issues have crystallised down into:

 - umask wasn't 0 (bug 9355)
 - 'samba-tool ntacl sysvolreset' will not always save an ACL that 'samba-tool ntacl sysvolcheck' can find (bug 9381)
 - the NT4 compat ACLs option (bug 9383)
 - new samba-tool gpo aclcheck command doesn't pass on windows (bug 9384)
 - Whatever errors windows GPO tools still give once we fix all of the above (I'll file a bug once I have concrete errors to report)
Comment 5 Andrew Bartlett 2012-12-03 20:42:07 UTC
New bug description:

Since Beta1, GPO support on the AD DC has regressed.  This has happened in stages, as the migration to the smbd file server and using the smbd VFS on-disk ACL structure was implemented.  

This bug depends on the various concrete issues that have been identified.
Comment 6 Karolin Seeger 2012-12-04 11:12:28 UTC
Should be fixed in Samba 4.0.0rc6.
Please feel free to re-open if it's still an issue.