On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> >>>> be a particular trigger - but it shouldn't be able to make a
> >>>> modification that doesn't go via vfs_acl_xattr.
> >>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
> >>>> level 10 on samba-tool ntacl sysvolcheck):
> >>>> get_nt_acl_internal: blob hash does not match for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck. It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> > Jeremy.
> Ok I have some additional info.
> Using the GPMC I cannot create new GPOs. I get the message: "This security ID may not be assigned as the owner of this object"
> If I use samba-tool gpo create I get the following:
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> self.samdb.add(m)
> If I supply administrator as username I get:
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
> conn.set_acl(sharepath, fs_sd, sio)
> However this time it has successfully created the GPO. (GPMC still throws the same warnings about inconsistent ACLs).
> I would hazard a guess and say the GPMC error (when creating a GPO) is the same error as the samba-tool error.
It is certainly very helpful to have this happen with samba-tool. Can
you remind me the history of this domain, is it the upgrade I was trying
to suggest you do, or a fresh provision?
If you can tell me what provision command-line you run, if it was
provisioned with an older version, which branch and git revision that
was and what branch and git revision are you running now?
I've tried to replicate this in 'make test' but failed (the tests pass).
The patch for that is attached for review.
On Mon, 2012-11-05 at 22:02 +0100, Jelmer Vernooij wrote:
> On Mon, Nov 05, 2012 at 01:10:13PM +1100, Andrew Bartlett wrote:
> > On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> > > On 30/10/2012 00:08, Jeremy Allison wrote:
> > > > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> [...]
> > It is certainly very helpful to have this happen with samba-tool. Can
> > you remind me the history of this domain, is it the upgrade I was trying
> > to suggest you do, or a fresh provision?
> > If you can tell me what provision command-line you run, if it was
> > provisioned with an older version, which branch and git revision that
> > was and what branch and git revision are you running now?
> > I've tried to replicate this in 'make test' but failed (the tests pass).
> > The patch for that is attached for review.
> Thanks. Yay for more tests; please find some minor notes below:
> > diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> > new file mode 100644
> > index 0000000..0cd39dc
> > --- /dev/null
> > +++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> > @@ -0,0 +1,59 @@
> > +# Unix SMB/CIFS implementation.
> > +# Copyright (C) Andrew Bartlett 2012
> > +#
> > +# based on time.py:
> > +# Copyright (C) Sean Dague <sda...@linux.vnet.ibm.com> 2011
> > +#
> > +# This program is free software; you can redistribute it and/or modify
> > +# it under the terms of the GNU General Public License as published by
> > +# the Free Software Foundation; either version 3 of the License, or
> > +# (at your option) any later version.
> > +#
> > +# This program is distributed in the hope that it will be useful,
> > +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> > +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> > +# GNU General Public License for more details.
> > +#
> > +# You should have received a copy of the GNU General Public License
> > +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> > +#
> > +
> > +import os
> > +from samba.tests.samba_tool.base import SambaToolCmdTest
> > +
> > +class GpoCmdTestCase(SambaToolCmdTest):
> > + """Tests for samba-tool time subcommands"""
> > +
> > + gpo_name = "testgpo"
> > +
> > + def test_gpo_list(self):
> > + """Run gpo list against the server and make sure it looks accurate"""
> > + (result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"])
> > + self.assertCmdSuccess(result, "Ensuring gpo listall ran successfully")
> > +
> > + def test_fetchfail(self):
> > + """Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist"""
> > + (result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" % > > +os.environ["SERVER"])
> > + self.assertEquals(result, -1, "check for result code")
> > +
> > + def test_fetch(self):
> > + """Run against a real GPO, and make sure it passes"""
> > + (result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", os.environ['SELFTEST_PREFIX'])
> > + self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
> > +
> > + def setUp(self):
> > + """set up a tempoary GPO to work with"""
> ^^^ temporary :-)
On Mon, Nov 05, 2012 at 01:10:13PM +1100, Andrew Bartlett wrote:
> On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> > On 30/10/2012 00:08, Jeremy Allison wrote:
> > > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
[...]
> It is certainly very helpful to have this happen with samba-tool. Can
> you remind me the history of this domain, is it the upgrade I was trying
> to suggest you do, or a fresh provision?
> If you can tell me what provision command-line you run, if it was
> provisioned with an older version, which branch and git revision that
> was and what branch and git revision are you running now?
> I've tried to replicate this in 'make test' but failed (the tests pass).
> The patch for that is attached for review.
Thanks. Yay for more tests; please find some minor notes below:
> diff --git a/source4/scripting/python/samba/tests/samba_tool/gpo.py b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> new file mode 100644
> index 0000000..0cd39dc
> --- /dev/null
> +++ b/source4/scripting/python/samba/tests/samba_tool/gpo.py
> @@ -0,0 +1,59 @@
> +# Unix SMB/CIFS implementation.
> +# Copyright (C) Andrew Bartlett 2012
> +#
> +# based on time.py:
> +# Copyright (C) Sean Dague <sda...@linux.vnet.ibm.com> 2011
> +#
> +# This program is free software; you can redistribute it and/or modify
> +# it under the terms of the GNU General Public License as published by
> +# the Free Software Foundation; either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see <http://www.gnu.org/licenses/>.
> +#
> +
> +import os
> +from samba.tests.samba_tool.base import SambaToolCmdTest
> +
> +class GpoCmdTestCase(SambaToolCmdTest):
> + """Tests for samba-tool time subcommands"""
> +
> + gpo_name = "testgpo"
> +
> + def test_gpo_list(self):
> + """Run gpo list against the server and make sure it looks accurate"""
> + (result, out, err) = self.runsubcmd("gpo", "listall", "-H", "ldap://%s" % os.environ["SERVER"])
> + self.assertCmdSuccess(result, "Ensuring gpo listall ran successfully")
> +
> + def test_fetchfail(self):
> + """Run against a non-existent GPO, and make sure it fails (this hard-coded UUID is very unlikely to exist"""
> + (result, out, err) = self.runsubcmd("gpo", "fetch", "c25cac17-a02a-4151-835d-fae17446ee43", "-H", "ldap://%s" % > +os.environ["SERVER"])
> + self.assertEquals(result, -1, "check for result code")
> +
> + def test_fetch(self):
> + """Run against a real GPO, and make sure it passes"""
> + (result, out, err) = self.runsubcmd("gpo", "fetch", self.gpo_guid, "-H", "ldap://%s" % os.environ["SERVER"], "--tmpdir", os.environ['SELFTEST_PREFIX'])
> + self.assertCmdSuccess(result, "Ensuring gpo fetched successfully")
> +
> + def setUp(self):
> + """set up a tempoary GPO to work with"""
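Review bot: the GpoCmdTestCase docstring still reads "Tests for samba-tool time subcommands", carried over from time.py; it should name the gpo subcommands. In test_gpo_list the docstring promises the output "looks accurate" but only the exit status is asserted and out is never inspected, so either check out for an expected GPO or reword the docstring. The test_fetchfail docstring is also missing its closing parenthesis.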
Do we really need to run these tests against both environments? These
tests ought to be testing that the samba-tool gpo subcommand works
well, not our server side GPO support.
As far as I know the gpo subcommands don't have any different
behaviour for these two environments.
On Tue, Nov 06, 2012 at 08:04:44AM +1100, Andrew Bartlett wrote:
> On Mon, 2012-11-05 at 22:02 +0100, Jelmer Vernooij wrote:
> > On Mon, Nov 05, 2012 at 01:10:13PM +1100, Andrew Bartlett wrote:
> > > diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
> > > index ca5bdd3..61540d0 100755
> > > --- a/source4/selftest/tests.py
> > > +++ b/source4/selftest/tests.py
> > > @@ -405,6 +405,8 @@ planpythontestsuite("dc:local", "samba.tests.dcerpc.bare")
> > > planpythontestsuite("dc:local", "samba.tests.dcerpc.unix")
> > > planpythontestsuite("dc:local", "samba.tests.dcerpc.srvsvc")
> > > planpythontestsuite("dc:local", "samba.tests.samba_tool.timecmd")
> > > +planpythontestsuite("dc:local", "samba.tests.samba_tool.gpo")
> > > +planpythontestsuite("plugin_s4_dc:local", "samba.tests.samba_tool.gpo")
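Review bot: the two added planpythontestsuite lines register samba.tests.samba_tool.gpo against both dc:local and plugin_s4_dc:local with nothing in the file saying why the same suite runs twice. If the second environment is there on purpose, a one-line comment above these two calls stating what it is meant to exercise would keep it from being pruned later as redundant.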
> > Do we really need to run these tests against both environments? These
> > tests ought to be testing that the samba-tool gpo subcommand works
> > well, not our server side GPO support.
> > As far as I know the gpo subcommands don't have any different
> > behaviour for these two environments.
> It's the only test we have at the moment for our server-side support
> (being able to add the GPO, with a valid acl and owner etc).
> Indeed, that was why I added it, because it was suggested this tool
> showed up the issues we have been having (it didn't).
If we really want to run these tests against both environments, for
lack of any more appropriate tests, it would be nice to add a comment
saying so.
> It is certainly very helpful to have this happen with samba-tool. Can
> you remind me the history of this domain, is it the upgrade I was trying
> to suggest you do, or a fresh provision?
> If you can tell me what provision command-line you run, if it was
> provisioned with an older version, which branch and git revision that
> was and what branch and git revision are you running now?
> I've tried to replicate this in 'make test' but failed (the tests pass).
> The patch for that is attached for review.
> Thanks,
> Andrew Bartlett
Ok, I think we've got a bit lost in issues here, so I'll start from the very beginning (I've heard it's a very good place to start).
I have set up two domains:
home.lillimoth.com - a test domain set up on virtual machines at home. This domain has been provisioned from scratch.
internal.stmaryscollege.co.uk - a production domain at my work place. This domain was migrated from a samba 3 domain.
My issue is that when I run gpmc (the group policy management console) on a windows machine (XP or 7) and select a gpo to edit I get the message:
"The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory.
It is recommended that these permissions be consistent.
To change the SYSVOL permissions to those in Active Directory, click OK." - Please see: http://support.microsoft.com/kb/828760
This occurs on both domains.
Clicking 'ok' to the popup should correct the ACLs on the files/folders it believes are incorrect.
Please note that before clicking 'ok' sysvolcheck passes with no errors however after clicking it would fail with the following error:
"ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object"
This suggests that the gpmc did change the ACLs however when reselecting the same GPO it pops up with the same message again!
Both servers have the correct mount options (user_xattr,acl) and acls work when set manually.
I did some research into what the ACLs should be on the sysvol share and came up with these: http://pastebin.com/sSURWrDf which were taken from a WS2003 machine.
I have not yet attempted to set these on my S4 server but will try that tonight.
The issue seems to revolve around:
- Incorrect initial ACLs on the sysvol share and its subfolders.
- The inability of the GPMC to correct the issue. Suggesting that there is some issue setting ACLs on the sysvol share from a windows client.
There were a couple of issues with samba-tool creating GPOs but I will run through those in an email later this evening when I have had chance to test them on my test domain.
> On 05/11/2012 02:10, Andrew Bartlett wrote:
>> It is certainly very helpful to have this happen with samba-tool. Can
>> you remind me the history of this domain, is it the upgrade I was trying
>> to suggest you do, or a fresh provision?
>> If you can tell me what provision command-line you run, if it was
>> provisioned with an older version, which branch and git revision that
>> was and what branch and git revision are you running now?
>> I've tried to replicate this in 'make test' but failed (the tests pass).
>> The patch for that is attached for review.
>> Thanks,
>> Andrew Bartlett
> Ok, I think we've got a bit lost in issues here, so I'll start from the very beginning (I've heard it's a very good place to start).
> I have set up two domains:
> home.lillimoth.com - a test domain set up on virtual machines at home. This domain has been provisioned from scratch.
> internal.stmaryscollege.co.uk - a production domain at my work place. This domain was migrated from a samba 3 domain.
> My issue is that when I run gpmc (the group policy management console) on a windows machine (XP or 7) and select a gpo to edit I get the message:
> "The permissions for this GPO in the SYSVOL folder are inconsistent with those in Active Directory.
> It is recommended that these permissions be consistent.
> To change the SYSVOL permissions to those in Active Directory, click OK." - Please see: http://support.microsoft.com/kb/828760
> This occurs on both domains.
> Clicking 'ok' to the popup should correct the ACLs on the files/folders it believes are incorrect.
> Please note that before clicking 'ok' sysvolcheck passes with no errors however after clicking it would fail with the following error:
> "ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: VFS ACL on GPO directory /usr/local/samba/var/locks/sysvol/home.lillimoth.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY) does not match expected value O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD) from GPO object"
> This suggests that the gpmc did change the ACLs however when reselecting the same GPO it pops up with the same message again!
> Both servers have the correct mount options (user_xattr,acl) and acls work when set manually.
> I did some research into what the ACLs should be on the sysvol share and came up with these: http://pastebin.com/sSURWrDf which were taken from a WS2003 machine.
> I have not yet attempted to set these on my S4 server but will try that tonight.
> The issue seems to revolve around:
> - Incorrect initial ACLs on the sysvol share and its subfolders.
> - The inability of the GPMC to correct the issue. Suggesting that there is some issue setting ACLs on the sysvol share from a windows client.
> There were a couple of issues with samba-tool creating GPOs but I will run through those in an email later this evening when I have had chance to test them on my test domain.
> Thanks,
> Alex
I have just attempted to set the ACL on the sysvol directory using samba-tool ntacl set and got the following message:
/usr/local/samba/var/locks# ../../bin/samba-tool ntacl set "D:AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)" sysvol -d 2
lpcfg_load: refreshing parameters from /usr/local/samba/etc/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]"
Processing section "[sysvol]"
Unknown flag - FA in FA
Badly formatted SDDL 'AI(A;ID;0x1200a9;;;AU)(A;OICIIOID;GXGR;;;AU)(A;ID;0x1200a9;;;SO)(A;OICIIOID;GXGR;;;SO)(A;ID;FA;;;BA)(A;OICIIOID;GA;;;BA)(A;ID;FA;;;SY)(A;OICIIOID;GA;;;SY)(A;OICIIOID;GA;;;CO)'
ERROR(<type 'exceptions.TypeError'>): uncaught exception - Unable to parse SDDL
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
return self.run(*args, **kwargs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 90, in run
setntacl(lp, file, acl, str(domain_sid), xattr_backend, eadb_file, use_ntvfs=use_ntvfs)
File "/usr/local/samba/lib/python2.7/site-packages/samba/ntacls.py", line 89, in setntacl
sd = security.descriptor.from_sddl(sddl, sid)
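Both the sysvolcheck mismatch quoted above and the "Unknown flag - FA" failure come down to reading SDDL, so the following added example (not part of the thread and not Samba's code) parses the two descriptors from the quoted error, normalises access masks including the standard FA/FR/FW/FX file aliases, and lists which DACL entries differ. The function names are illustrative; the descriptors are copied from the message with the mail line-wrap spaces removed.

```python
import re
from collections import Counter

# Standard SDDL access-right aliases. FA/FR/FW/FX are the file aliases; FA is
# the one rejected in the thread with "Unknown flag - FA in FA".
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RP": 0x00000010, "WP": 0x00000020,
}
SDDL_RE = re.compile(r"(?:O:(?P<owner>[^:()]+?))?(?:G:(?P<group>[^:()]+?))?"
                     r"(?:D:(?P<dacl>[^:]*?))?(?:S:(?P<sacl>[^:]*))?$")

# The two descriptors from the sysvolcheck error in the thread, with the
# spaces introduced by mail line-wrapping removed.
ACTUAL = ("O:DAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001200a9;;;ED)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001f01ff;;;DA)(A;;0x001200a9;;;DA)"
          "(A;;0x001200a9;;;EA)(A;;0x001200a9;;;SY)(A;OICIIO;0x001f01ff;;;CO)"
          "(A;OICIIO;WO;;;CG)(A;OICIIO;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;SY)")
EXPECTED = ("O:DAG:DUD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)S:AI"
            "(OU;CIIDSA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)"
            "(OU;CIIDSA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;"
            "bf967aa5-0de6-11d0-a285-00aa003049e2;WD)")

def parse_mask(text):
    """Turn an ACE rights field (hex or two-letter aliases) into an integer."""
    if text.lower().startswith("0x"):
        return int(text, 16)
    mask = 0
    for i in range(0, len(text), 2):
        if text[i:i + 2] not in RIGHTS:
            raise ValueError("unknown access right in %r" % text)
        mask |= RIGHTS[text[i:i + 2]]
    return mask

def parse_acl(text):
    """Return (control flags, Counter of canonical ACE strings) for D: or S:."""
    m = re.fullmatch(r"([A-Z_]*)((?:\([^()]*\))*)", text)
    if m is None:
        raise ValueError("badly formatted ACL %r" % text)
    aces = Counter()
    for body in re.findall(r"\(([^()]*)\)", m.group(2)):
        typ, flags, rights, obj, inherit_obj, sid = body.split(";")[:6]
        flags = "".join(sorted(re.findall("..", flags)))  # flag order is not significant
        aces["(%s;%s;0x%08x;%s;%s;%s)"
             % (typ, flags, parse_mask(rights), obj, inherit_obj, sid)] += 1
    return frozenset(re.findall("AR|AI|P", m.group(1))), aces

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL and SACL (None if absent)."""
    m = SDDL_RE.match(sddl)
    if m is None:
        raise ValueError("badly formatted SDDL %r" % sddl)
    acls = {k: parse_acl(m[k]) if m[k] is not None else None for k in ("dacl", "sacl")}
    return dict(owner=m["owner"], group=m["group"], **acls)

def diff_dacl(actual, expected):
    """Report DACL control flags and ACEs found on one side only (order ignored)."""
    (a_flags, a_aces), (e_flags, e_aces) = (parse_sddl(s)["dacl"] for s in (actual, expected))
    return {"missing_flags": e_flags - a_flags, "extra_flags": a_flags - e_flags,
            "missing": sorted((e_aces - a_aces).elements()),
            "extra": sorted((a_aces - e_aces).elements())}

if __name__ == "__main__":
    print(diff_dacl(ACTUAL, EXPECTED))
```

On the thread's data this reports the P (protected) DACL flag and the inheritable full-control entries for EA and SY as missing from the directory, plus six entries the expected descriptor does not contain.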
On Thu, 2012-11-01 at 14:54 +0000, Alex Matthews wrote:
> On 30/10/2012 00:08, Jeremy Allison wrote:
> > On Tue, Oct 30, 2012 at 11:00:31AM +1100, Andrew Bartlett wrote:
> >>>> be a particular trigger - but it shouldn't be able to make a
> >>>> modification that doesn't go via vfs_acl_xattr.
> >>>> For Alex, before running the Group Policy tools on WinXP, he gets (at
> >>>> level 10 on samba-tool ntacl sysvolcheck):
> >>>> get_nt_acl_internal: blob hash does not match for
> >>>> file /root/samba_test/build_master/var/locks/sysvol/realm.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9} - returning file system SD mapping.
> >>> Is this message from smbd, or from samba-tool ?
> >> That's what vfs_acl_common is printing, being run from samba-tool ntacl
> >> sysvolcheck. It links to the VFS layer.
> > So this looks like it's running the Group Policy tools on WinXP
> > that causes the problem ?
> > Can we get a debug level 10 log of that activity going on
> > against smbd ?
> > Jeremy.
> Ok I have some additional info.
> Using the GPMC I cannot create new GPOs. I get the message: "This security ID may not be assigned as the owner of this object"
> If I use samba-tool gpo create I get the following:
> # bin/samba-tool gpo create "SMC Students"
> ERROR(ldb): uncaught exception - LDAP error 50 LDAP_INSUFFICIENT_ACCESS_RIGHTS - <dsdb_access: Access check failed on CN=Policies,CN=System,DC=internal,DC=stmaryscollege,DC=co,DC=uk> <>
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 952, in run
> self.samdb.add(m)
> If I supply administrator as username I get:
> # bin/samba-tool gpo create "SMC Students" -U administrator
> Password for [SMC\administrator]:
> ERROR(runtime): uncaught exception - (-1073741734, 'NT_STATUS_INVALID_OWNER')
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
> return self.run(*args, **kwargs)
> File "/vol/samba4/build/lib64/python2.7/site-packages/samba/netcmd/gpo.py", line 987, in run
> conn.set_acl(sharepath, fs_sd, sio)
> However this time it has successfully created the GPO. (GPMC still throws the same warnings about inconsistent ACLs).
> I would hazard a guess and say the GPMC error (when creating a GPO) is the same error as the samba-tool error.
Jeremy,
You said earlier in the thread that you were going to look into this.
I'll continue to try and find angles on this, but did you get anywhere
with sorting out Alex's issues?
> On Fri, 2012-10-26 at 09:36 +0200, Olivier BILHAUT wrote:
>> Hi Andrew, Hi Alex,
>> Pleased to see that you figured this out.
>> We've got exactly the same problem from a blank provisioned domain (not
>> a migration), with a setup with 2 gpo. (Ubuntu 12.04 - S4 rc3).
>> Since our instance is in a semi-production environment, we'll wait for
>> your fix. But if needed, we could give you more level 10 logs.
>> Note that when the sysvolreset is launched and that sysvolcheck returns
>> no errors, then the windows clients can't "gpupdate" anymore on some gpo.
>> Note also that when sysvolreset isn't launched at S4 update, the
>> sysvolcheck command returns Alex's error but the client can update
>> their gpo.
> This I think is the umask issue I addressed with this patch. A
> sysvolreset with this patch applied should fix that. Steve noticed that
> permissions were missing from the posix ACL that was generated.