We need to understand how to correctly convert GPO ACLs in LDAP into FS ACLs, and have a tool that proves we know this by passing against windows and Samba.
The new test, which now passes against windows for new GPOs (but not the default ones, unfortunately) is in master and in the mega-patch for 4.0 in bug #9406.
In particular, we simply do not set and avoid comparing the SACL, the rest of the conversion seems to be OK.
The state in 4.0 should be ok, but still not compatible with windows.
I have some further patches under:
No 4.1 blocker => 4.2
Any news on this one?