From c76b0090ae03d2fabc500b03eb8d7076d6af762b Mon Sep 17 00:00:00 2001
From: Bob Campbell <bobcampbell@catalyst.net.nz>
Date: Thu, 30 Jun 2016 10:40:51 +1200
Subject: [PATCH] provision_fill: move GPO into transaction

Signed-off-by: Bob Campbell <bobcampbell@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
---
 python/samba/provision/__init__.py | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/python/samba/provision/__init__.py b/python/samba/provision/__init__.py
index 940bb1b4e02..ce7506addb6 100644
--- a/python/samba/provision/__init__.py
+++ b/python/samba/provision/__init__.py
@@ -1781,6 +1781,11 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
                        dom_for_fun_level=dom_for_fun_level, am_rodc=am_rodc,
                        next_rid=next_rid, dc_rid=dc_rid)
 
+        # Set up group policies (domain policy and domain controller
+        # policy)
+        if serverrole == "active directory domain controller":
+            create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
+                               policyguid_dc)
     except:
         samdb.transaction_cancel()
         raise
@@ -1788,11 +1793,8 @@ def provision_fill(samdb, secrets_ldb, logger, names, paths,
         samdb.transaction_commit()
 
     if serverrole == "active directory domain controller":
-
-        # Set up group policies (domain policy and domain controller
-        # policy)
-        create_default_gpo(paths.sysvol, names.dnsdomain, policyguid,
-                           policyguid_dc)
+        # Continue setting up sysvol for GPO. This appears to require being
+        # outside a transaction.
         if not skip_sysvolacl:
             setsysvolacl(samdb, paths.netlogon, paths.sysvol, paths.root_uid,
                          paths.root_gid, names.domainsid, names.dnsdomain,
-- 
2.47.3