The Samba-Bugzilla – Bug 9342
Sysvol ACLs have regressed on the AD DC
Last modified: 2012-12-04 11:12:28 UTC
If we don't get this sorted out, we may have to recommend the ntvfs file server instead.
We have numerous reports from users that either the posix ACL is unusable or the NT ACL is incorrect or unable to be set to the right value.
Nice bug report! ;)
Andrew, could you provide a some more technical background and dump a summary here, of what fails and how, since I have to admit that I did not follow the various mail threads about this issue closely enough...
Thanks - Michael
I am still waiting for a slightly more detailed description of this issue. :-)
*** Bug 9140 has been marked as a duplicate of this bug. ***
So, some of the issues have crystallised down into:
- umask wasn't 0 (bug 9355)
- 'samba-tool ntacl sysvolreset' will not always save an ACL that 'samba-tool ntacl sysvolcheck' can find (bug 9381)
- the NT4 compat ACLs option (bug 9383)
- new samba-tool gpo aclcheck command doesn't pass on windows (bug 9384)
- Whatever errors windows GPO tools still give once we fix all of the above (I'll file a bug once I have concrete errors to report)
New bug description:
Since Beta1, GPO support on the AD DC has regressed. This has happened in stages, as the migration to the smbd file server and using the smbd VFS on-disk ACL structure was implemented.
This bug depends on the various concrete issues that have been identified.
Should be fixed in Samba 4.0.0rc6.
Please feel free to re-open if it's still an issue.