Hongwei,
On 20/06/2010 08:25, Hongwei Sun wrote:
Matthieu,
I will be on vacation from Wednesday (06/22) until July 22. We can either
archive it until I come back or I can transfer the case to one of my teammate.
Please let me know what you prefer.
Thanks!
Hongwei
I don't know if I wrote you about this, but I still have the pb with
gpmc even when using the version that you indicated.
Matthieu
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Saturday, June 19, 2010 3:48 PM
To: Hongwei Sun
Cc: [email protected]; [email protected]; MSSolve Case Email
Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
Hi Hongwei,
Sorry didn't had the time on this, next week didn't seems the good one either,
can you reping me at next monday (28th) ?
Regards.
Matthieu.
On 19/06/2010 03:59, Hongwei Sun wrote:
Matthieu,
Do you have any update for this topic ? If you don't have time to look at
this issue, I may archive this case and we may visit it again after I come back
from my vocation in July. I am leaving after next Tuesday. If you prefer, I
can also transfer this case to one of my team member to continue the
investigation.
Thanks!
Hongwei
-----Original Message-----
From: Hongwei Sun
Sent: Thursday, June 10, 2010 6:05 PM
To: '[email protected]'; [email protected]; [email protected]
Cc: MSSolve Case Email
Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
Hi, Matthieu,
I have downloaded the GPMC with SP1 from the following link
http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en
and installed it on a XP machine. I ran the same testing by opening a GPO on a
Windows 2008 DC from GPMC in XP. The attached network trace shows that the tool
never queried the security descriptor of the main policy folder. I cannot find the
query in code either. Could you verify if you are using the same GPMC download as
I used ? And it will be good if you can run GPMC against a Windows DC to see if
you can see the same behavior.
Please let me know.
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Wednesday, June 02, 2010 3:35 AM
To: Hongwei Sun; [email protected]; [email protected]
Cc: MSSolve Case Email
Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
Hello hongwei,
It's downloaded from internet as the one which comes with the administration pack is
"limited".
Version seems to be 1.0.2 (from GPMC.msc then help then about group policy
management).
Matthieu.
On 02/06/2010 02:59, Hongwei Sun wrote:
Matthieu,
Any update ?
Thanks!
Hongwei
-----Original Message-----
From: Hongwei Sun
Sent: Wednesday, May 26, 2010 6:01 PM
To: 'Matthieu Patou'
Cc: MSSolve Case Email
Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
Matthieu,
I spent some time to investigate the behavior you reported. I created multiple
Windows DCs (Windows 2008 and Windows 2008 R2) and used GPMC to open policies on remote
DCs. From the network captures , I don't see any SMB packet for querying the
SecurityDescriptor of {Domain}\Policy folder. It only checks the individual policy
folder. As I understand , Window XP doesn't include GPMC tool by default and user has to
install it. Which version of the GPMC tool are you using ? Could you find the version
number from the "Help" menu ?
Also could you run GPMC from a Windows 2008 or Windows 2008 R2 machine to
see if there is any difference ?
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Saturday, May 15, 2010 5:11 AM
To: Hongwei Sun
Cc: MSSolve Case Email
Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
On 15/05/2010 07:19, Hongwei Sun wrote:
Matthieu,
It takes a while to get back to normal after travel headache on my way
back to U.S. I spent some time to double check again the logic used for
checking DS/FS ACL consistency. I still didn't see the SD of the
SYSVOL\policies folder is checked explicitly in the logic. Only the
SYSVOL\Policies\ {GUID} is queried explicitly and used in the logic. I
suspect that it is queried for some other reason. I will have to set up the
environment to repro the SMB traffic and debug further. What OS do you use
for the testing in the trace ?
It was Windows XP SP2.
Did you see in the trace that there is somehow a smb call to get the
NTACLS of<domain>\Policies ?
Also I'm not sure it's present in this trace but I had one (lost
because stored in /tmp) when I hit "OK please correct the rotten acls"
that showed that GPMC was trying to set several ACLs on the GPO
folder (rather different one from the previous one).
Matthieu.
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:[email protected]]
Sent: Thursday, May 06, 2010 5:09 PM
To: Hongwei Sun
Subject: About GPMC and ACLs
Hongwei,
Here is the capture,
The most interesting is from packet 873, when I retry to click on a newly
created GPO.
At packet 1025 I receive the message that there is a mismatch and I click ok to
get it fixed.
The capture ends when the data flow stop.
As I told you, at packet 1101 and packet 1119 you can see that windows tries to
put two differents ACL (at least != number of ACEs but there is one on S-1-3-0
also).
We can see in the capture that around the moment that GPMC is checking the DS/FS acl
consistency that it also have a look at the<domain>\Policies folder.
Regards.
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
--
Matthieu Patou
Samba Team http://samba.org
--
Matthieu Patou
Samba Team http://samba.org
_______________________________________________
cifs-protocol mailing list
[email protected]
https://lists.samba.org/mailman/listinfo/cifs-protocol
