Matthieu, Do you mean that even with the same version I used , you are still seeing that the GPMC is checking the security descriptor of root policy folder ? This is interesting since I clearly cannot see between Windows. I think that we may need to capture TTT trace of GPMC tool when it is connected to Samba DC. I can send you the instruction and tool installation if you haven't had one already. Please let me know.
Thanks! Hongwei -----Original Message----- From: Matthieu Patou [mailto:[email protected]] Sent: Friday, July 30, 2010 12:06 PM To: Hongwei Sun Cc: [email protected]; [email protected]; MSSolve Case Email Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs Hongwei, On 20/06/2010 08:25, Hongwei Sun wrote: > Matthieu, > > I will be on vacation from Wednesday (06/22) until July 22. We can > either archive it until I come back or I can transfer the case to one of my > teammate. Please let me know what you prefer. > > Thanks! > > Hongwei > I don't know if I wrote you about this, but I still have the pb with gpmc even when using the version that you indicated. Matthieu > -----Original Message----- > From: Matthieu Patou [mailto:[email protected]] > Sent: Saturday, June 19, 2010 3:48 PM > To: Hongwei Sun > Cc: [email protected]; [email protected]; MSSolve Case Email > Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs > > Hi Hongwei, > > Sorry didn't had the time on this, next week didn't seems the good one > either, can you reping me at next monday (28th) ? > > Regards. > Matthieu. > On 19/06/2010 03:59, Hongwei Sun wrote: >> Matthieu, >> >> Do you have any update for this topic ? If you don't have time to look >> at this issue, I may archive this case and we may visit it again after I >> come back from my vocation in July. I am leaving after next Tuesday. If >> you prefer, I can also transfer this case to one of my team member to >> continue the investigation. >> >> Thanks! >> >> Hongwei >> >> >> -----Original Message----- >> From: Hongwei Sun >> Sent: Thursday, June 10, 2010 6:05 PM >> To: '[email protected]'; [email protected]; [email protected] >> Cc: MSSolve Case Email >> Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs >> >> Hi, Matthieu, >> >> I have downloaded the GPMC with SP1 from the following link >> http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en >> and installed it on a XP machine. I ran the same testing by opening a GPO >> on a Windows 2008 DC from GPMC in XP. The attached network trace shows >> that the tool never queried the security descriptor of the main policy >> folder. I cannot find the query in code either. Could you verify if you >> are using the same GPMC download as I used ? And it will be good if you can >> run GPMC against a Windows DC to see if you can see the same behavior. >> >> Please let me know. >> >> Thanks! >> >> Hongwei >> >> >> -----Original Message----- >> From: Matthieu Patou [mailto:[email protected]] >> Sent: Wednesday, June 02, 2010 3:35 AM >> To: Hongwei Sun; [email protected]; [email protected] >> Cc: MSSolve Case Email >> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs >> >> Hello hongwei, >> >> It's downloaded from internet as the one which comes with the >> administration pack is "limited". >> >> Version seems to be 1.0.2 (from GPMC.msc then help then about group policy >> management). >> >> Matthieu. >> On 02/06/2010 02:59, Hongwei Sun wrote: >> >>> Matthieu, >>> >>> Any update ? >>> >>> Thanks! >>> >>> Hongwei >>> >>> -----Original Message----- >>> From: Hongwei Sun >>> Sent: Wednesday, May 26, 2010 6:01 PM >>> To: 'Matthieu Patou' >>> Cc: MSSolve Case Email >>> Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs >>> >>> Matthieu, >>> >>> I spent some time to investigate the behavior you reported. I >>> created multiple Windows DCs (Windows 2008 and Windows 2008 R2) and used >>> GPMC to open policies on remote DCs. From the network captures , I don't >>> see any SMB packet for querying the SecurityDescriptor of {Domain}\Policy >>> folder. It only checks the individual policy folder. As I understand , >>> Window XP doesn't include GPMC tool by default and user has to install it. >>> Which version of the GPMC tool are you using ? Could you find the version >>> number from the "Help" menu ? >>> >>> Also could you run GPMC from a Windows 2008 or Windows 2008 R2 >>> machine to see if there is any difference ? >>> >>> Thanks! >>> >>> Hongwei >>> >>> >>> -----Original Message----- >>> From: Matthieu Patou [mailto:[email protected]] >>> Sent: Saturday, May 15, 2010 5:11 AM >>> To: Hongwei Sun >>> Cc: MSSolve Case Email >>> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs >>> >>> On 15/05/2010 07:19, Hongwei Sun wrote: >>> >>> >>>> Matthieu, >>>> >>>> It takes a while to get back to normal after travel headache on my >>>> way back to U.S. I spent some time to double check again the logic used >>>> for checking DS/FS ACL consistency. I still didn't see the SD of the >>>> SYSVOL\policies folder is checked explicitly in the logic. Only the >>>> SYSVOL\Policies\ {GUID} is queried explicitly and used in the logic. I >>>> suspect that it is queried for some other reason. I will have to set up >>>> the environment to repro the SMB traffic and debug further. What OS do >>>> you use for the testing in the trace ? >>>> >>>> >>>> >>>> >>> It was Windows XP SP2. >>> Did you see in the trace that there is somehow a smb call to get the >>> NTACLS of<domain>\Policies ? >>> Also I'm not sure it's present in this trace but I had one (lost >>> because stored in /tmp) when I hit "OK please correct the rotten acls" >>> that showed that GPMC was trying to set several ACLs on the GPO >>> folder (rather different one from the previous one). >>> >>> Matthieu. >>> >>> >>>> Thanks! >>>> >>>> Hongwei >>>> >>>> -----Original Message----- >>>> From: Matthieu Patou [mailto:[email protected]] >>>> Sent: Thursday, May 06, 2010 5:09 PM >>>> To: Hongwei Sun >>>> Subject: About GPMC and ACLs >>>> >>>> Hongwei, >>>> >>>> Here is the capture, >>>> >>>> The most interesting is from packet 873, when I retry to click on a newly >>>> created GPO. >>>> At packet 1025 I receive the message that there is a mismatch and I click >>>> ok to get it fixed. >>>> >>>> The capture ends when the data flow stop. >>>> >>>> As I told you, at packet 1101 and packet 1119 you can see that windows >>>> tries to put two differents ACL (at least != number of ACEs but there is >>>> one on S-1-3-0 also). >>>> >>>> We can see in the capture that around the moment that GPMC is checking the >>>> DS/FS acl consistency that it also have a look at the<domain>\Policies >>>> folder. >>>> >>>> Regards. >>>> >>>> Matthieu. >>>> >>>> >>>> >>> >> -- >> Matthieu Patou >> Samba Team http://samba.org >> >> >> > > -- > Matthieu Patou > Samba Team http://samba.org > > -- Matthieu Patou Samba Team http://samba.org _______________________________________________ cifs-protocol mailing list [email protected] https://lists.samba.org/mailman/listinfo/cifs-protocol
