provision_fill: move GPO into transaction

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 940bb1b4e020196a196d70ab97627bb5640d6e12..ce7506addb6d2a6c1b8765cd896b4bd581ab48b2 100644 (file)
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1781,6 +1781,11 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
                        dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
                        next_rid=next_rid, dc_rid=dc_rid)
 
+        # Set up group policies (domain policy and domain controller
+        # policy)
+        if serverrole == "active directory domain controller":
+            create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
+                               policyguid_dc)
     except:
         samdb.transaction_cancel()
         raise
@@ -1788,11 +1793,8 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         samdb.transaction_commit()
 
     if serverrole == "active directory domain controller":
-
-        # Set up group policies (domain policy and domain controller
-        # policy)
-        create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
-                           policyguid_dc)
+        # Continue setting up sysvol for GPO. This appears to require being
+        # outside a transaction.
         if not skip_sysvolacl:
             setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
                          paths.root_gid, names.domainsid, names.dnsdomain,