[prev in list] [next in list] [prev in thread] [next in thread]
List: cifs-protocol
Subject: Re: [cifs-protocol] [REG:110051073884304] RE: About GPMC and ACLs
From: Hongwei Sun <hongweis () microsoft ! com>
Date: 2010-08-20 16:42:47
Message-ID: 8CB643DFD8557F4E821C7C9DB352098612ABCF73 () TK5EX14MBXC125 ! redmond ! corp ! microsoft ! com
[Download RAW message or body]
Matthieu,
Do you mean that even with the same version I used , you are still seeing that the \
GPMC is checking the security descriptor of root policy folder ? This is interesting \
since I clearly cannot see between Windows. I think that we may need to capture TTT \
trace of GPMC tool when it is connected to Samba DC. I can send you the instruction \
and tool installation if you haven't had one already. Please let me know.
Thanks!
Hongwei
-----Original Message-----
From: Matthieu Patou [mailto:mat@samba.org]
Sent: Friday, July 30, 2010 12:06 PM
To: Hongwei Sun
Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
Hongwei,
On 20/06/2010 08:25, Hongwei Sun wrote:
> Matthieu,
>
> I will be on vacation from Wednesday (06/22) until July 22. We can either archive \
> it until I come back or I can transfer the case to one of my teammate. Please let \
> me know what you prefer.
> Thanks!
>
> Hongwei
>
I don't know if I wrote you about this, but I still have the pb with
gpmc even when using the version that you indicated.
Matthieu
> -----Original Message-----
> From: Matthieu Patou [mailto:mat@samba.org]
> Sent: Saturday, June 19, 2010 3:48 PM
> To: Hongwei Sun
> Cc: pfif@tridgell.net; cifs-protocol@samba.org; MSSolve Case Email
> Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
>
> Hi Hongwei,
>
> Sorry didn't had the time on this, next week didn't seems the good one either, can \
> you reping me at next monday (28th) ?
> Regards.
> Matthieu.
> On 19/06/2010 03:59, Hongwei Sun wrote:
> > Matthieu,
> >
> > Do you have any update for this topic ? If you don't have time to look at this \
> > issue, I may archive this case and we may visit it again after I come back from \
> > my vocation in July. I am leaving after next Tuesday. If you prefer, I can \
> > also transfer this case to one of my team member to continue the investigation.
> > Thanks!
> >
> > Hongwei
> >
> >
> > -----Original Message-----
> > From: Hongwei Sun
> > Sent: Thursday, June 10, 2010 6:05 PM
> > To: 'mat@samba.org'; pfif@tridgell.net; cifs-protocol@samba.org
> > Cc: MSSolve Case Email
> > Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
> >
> > Hi, Matthieu,
> >
> > I have downloaded the GPMC with SP1 from the following link \
> > http://www.microsoft.com/downloads/details.aspx?FamilyID=0a6d4c24-8cbd-4b35-9272-dd3cbfc81887&DisplayLang=en \
> > and installed it on a XP machine. I ran the same testing by opening a GPO on a \
> > Windows 2008 DC from GPMC in XP. The attached network trace shows that the tool \
> > never queried the security descriptor of the main policy folder. I cannot find \
> > the query in code either. Could you verify if you are using the same GPMC \
> > download as I used ? And it will be good if you can run GPMC against a Windows \
> > DC to see if you can see the same behavior.
> > Please let me know.
> >
> > Thanks!
> >
> > Hongwei
> >
> >
> > -----Original Message-----
> > From: Matthieu Patou [mailto:mat@samba.org]
> > Sent: Wednesday, June 02, 2010 3:35 AM
> > To: Hongwei Sun; pfif@tridgell.net; cifs-protocol@samba.org
> > Cc: MSSolve Case Email
> > Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
> >
> > Hello hongwei,
> >
> > It's downloaded from internet as the one which comes with the administration \
> > pack is "limited".
> > Version seems to be 1.0.2 (from GPMC.msc then help then about group policy \
> > management).
> > Matthieu.
> > On 02/06/2010 02:59, Hongwei Sun wrote:
> >
> > > Matthieu,
> > >
> > > Any update ?
> > >
> > > Thanks!
> > >
> > > Hongwei
> > >
> > > -----Original Message-----
> > > From: Hongwei Sun
> > > Sent: Wednesday, May 26, 2010 6:01 PM
> > > To: 'Matthieu Patou'
> > > Cc: MSSolve Case Email
> > > Subject: RE: [REG:110051073884304] RE: About GPMC and ACLs
> > >
> > > Matthieu,
> > >
> > > I spent some time to investigate the behavior you reported. I created multiple \
> > > Windows DCs (Windows 2008 and Windows 2008 R2) and used GPMC to open policies \
> > > on remote DCs. From the network captures , I don't see any SMB packet for \
> > > querying the SecurityDescriptor of {Domain}\Policy folder. It only checks the \
> > > individual policy folder. As I understand , Window XP doesn't include GPMC \
> > > tool by default and user has to install it. Which version of the GPMC tool are \
> > > you using ? Could you find the version number from the "Help" menu ?
> > > Also could you run GPMC from a Windows 2008 or Windows 2008 R2 machine to see \
> > > if there is any difference ?
> > > Thanks!
> > >
> > > Hongwei
> > >
> > >
> > > -----Original Message-----
> > > From: Matthieu Patou [mailto:mat+Informatique.Samba@matws.net]
> > > Sent: Saturday, May 15, 2010 5:11 AM
> > > To: Hongwei Sun
> > > Cc: MSSolve Case Email
> > > Subject: Re: [REG:110051073884304] RE: About GPMC and ACLs
> > >
> > > On 15/05/2010 07:19, Hongwei Sun wrote:
> > >
> > >
> > > > Matthieu,
> > > >
> > > > It takes a while to get back to normal after travel headache on my way back \
> > > > to U.S. I spent some time to double check again the logic used for checking \
> > > > DS/FS ACL consistency. I still didn't see the SD of the SYSVOL\policies \
> > > > folder is checked explicitly in the logic. Only the SYSVOL\Policies\ {GUID} \
> > > > is queried explicitly and used in the logic. I suspect that it is queried \
> > > > for some other reason. I will have to set up the environment to repro the \
> > > > SMB traffic and debug further. What OS do you use for the testing in the \
> > > > trace ?
> > > >
> > > >
> > > >
> > > It was Windows XP SP2.
> > > Did you see in the trace that there is somehow a smb call to get the
> > > NTACLS of<domain>\Policies ?
> > > Also I'm not sure it's present in this trace but I had one (lost
> > > because stored in /tmp) when I hit "OK please correct the rotten acls"
> > > that showed that GPMC was trying to set several ACLs on the GPO
> > > folder (rather different one from the previous one).
> > >
> > > Matthieu.
> > >
> > >
> > > > Thanks!
> > > >
> > > > Hongwei
> > > >
> > > > -----Original Message-----
> > > > From: Matthieu Patou [mailto:mat+Informatique.Samba@matws.net]
> > > > Sent: Thursday, May 06, 2010 5:09 PM
> > > > To: Hongwei Sun
> > > > Subject: About GPMC and ACLs
> > > >
> > > > Hongwei,
> > > >
> > > > Here is the capture,
> > > >
> > > > The most interesting is from packet 873, when I retry to click on a newly \
> > > > created GPO. At packet 1025 I receive the message that there is a mismatch \
> > > > and I click ok to get it fixed.
> > > > The capture ends when the data flow stop.
> > > >
> > > > As I told you, at packet 1101 and packet 1119 you can see that windows tries \
> > > > to put two differents ACL (at least != number of ACEs but there is one on \
> > > > S-1-3-0 also).
> > > > We can see in the capture that around the moment that GPMC is checking the \
> > > > DS/FS acl consistency that it also have a look at the<domain>\Policies \
> > > > folder.
> > > > Regards.
> > > >
> > > > Matthieu.
> > > >
> > > >
> > > >
> > >
> > --
> > Matthieu Patou
> > Samba Team http://samba.org
> >
> >
> >
>
> --
> Matthieu Patou
> Samba Team http://samba.org
>
>
--
Matthieu Patou
Samba Team http://samba.org
_______________________________________________
cifs-protocol mailing list
cifs-protocol@cifs.org
https://lists.samba.org/mailman/listinfo/cifs-protocol
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic