|
23 |
class cmd_ntacl(SuperCommand): |
23 |
class cmd_ntacl(SuperCommand): |
24 |
--- a/python/samba/provision/__init__.py |
24 |
--- a/python/samba/provision/__init__.py |
25 |
+++ b/python/samba/provision/__init__.py |
25 |
+++ b/python/samba/provision/__init__.py |
26 |
@@ -1834,8 +1834,179 @@ |
26 |
@@ -1834,8 +1834,180 @@ |
27 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) |
27 |
raise ProvisioningError('%s NTACL of GPO directory %s %s does not match value %s expected from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl_mapped, acl)) |
28 |
|
28 |
|
29 |
|
29 |
|
|
68 |
+ ## at least in UCS, all base GPO directories have AI set, so expect that |
68 |
+ ## at least in UCS, all base GPO directories have AI set, so expect that |
69 |
+ sd = security.descriptor.from_sddl(acl_expected_for_gpo, domainsid) |
69 |
+ sd = security.descriptor.from_sddl(acl_expected_for_gpo, domainsid) |
70 |
+ sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED |
70 |
+ sd.type |= security.SEC_DESC_DACL_AUTO_INHERITED |
|
|
71 |
+ sd.type &= ~ security.SEC_DESC_DACL_AUTO_INHERIT_REQ |
71 |
+ acl_expected_for_gpo = sd.as_sddl(domainsid) |
72 |
+ acl_expected_for_gpo = sd.as_sddl(domainsid) |
72 |
+ |
73 |
+ |
73 |
+ if fsacl_sddl_mapped != acl_expected_for_gpo: |
74 |
+ if fsacl_sddl_mapped != acl_expected_for_gpo: |