[Samba] Default Group Policies and Default Domain Controller Policy are empty

kaffeesurrogat kaffeesurrogat at posteo.de
Mon Feb 17 13:32:22 UTC 2020

Dear List,

again a problem I'm not able to solve. I've been trying to add a test
user. Since it is a testuser I'm going to delete quite soon, I've wanted
to use a simple password without any complexity.

Not knowing it better, I wanted to change the default group policy
object of my domain using rsat. First thing I've noticed, that it was
completely empty. Not a singe rule or entry. Same thing holds for my
Default Domain Controller Policy.

Using the "Gruppenrichtlinieneditor" i've added a view rules, like
turning complexity off....

Creating a user with a simple password is still not working.

I've provisioned my samba ADDC with

samba-tool domain provision --use-rfc2307 --domain=XXX
--targetdir=/smbaddc --interactive

ls /smbaddc/state/sysvol/XXX.YY/Policies returns

three entries with long {...} names.

Judging by the date of creation, those entries by me adding the
Complexity Turn Off Policy to the default policies.

gupdate /force on my windowsmachine runs without complains


samba-tool ntacl sysvolcheck

does not complain


samba-tool gpo aclcheck -UAdministrator

does not complain


I did a

samba-tool ntacl sysvolreset

with success.


my smb.conf from /smbaddc/etc/smb.conf
# Global parameters
   binddns dir = /smbaddc/bind-dns
   cache directory = /smbaddc/cache
   dns forwarder =
   lock directory = /smbaddc
   netbios name = PLFA1
   private dir = /smbaddc/private
   realm = LFA.LS
   server role = active directory domain controller
   state directory = /smbaddc/state
   workgroup = LFA
   idmap_ldb:use rfc2307 = yes
   bind interfaces only = yes
   interfaces = lo br0

   log file = /var/log/samba/log.%m
   log level = 3

   path = /smbaddc/state/sysvol
   read only = No

   path = /smbaddc/state/sysvol/lfa.ls/scripts
   read only = No

wich is strange. Why is there a binddns dir? I've used INTERNAL SAMBA DNS.


long story cut short. Shouldn't there be same default domain policies
after provisioning ?

Have fun,


More information about the samba mailing list