[Samba] sysvol right error and how to correct it.

karel.de.macil at free.fr karel.de.macil at free.fr
Fri Jan 8 12:48:01 UTC 2021

Hi all,

Having some trouble with my Samba 4 AD GPOs, I launched a sysvol
reset BEFORE reading that it was wrong.
I'm attempting to fix things now following this page:


but things don't go well and I'm stuck.

My AD has two DCs:

- 1: a Debian 8.11 jessie with Samba 4.2.14
- 2: a Debian bullseye with Samba 4.13.2

Current situation is:

- any attempt to create a new GPO gets a "Group Policy Object Creation
Failed - This security ID may not be assigned as the owner of this
object" message
- when I try to change folder permissions on sysvol for the second DC
from a Windows computer, the permissions displayed instantly reset to none
as soon as I apply them, BUT they still appear in the advanced
permissions management window...
- when I go to my /var/lib/samba/sysvol/domain/Policies repository I
have something like this:

drwxrwxr--+  5 3000008 3000008 4,0K sept. 24  2014 
drwxrwxr--+  4   10001   20012 4,0K mai   21  2019 
drwxrwxr--+  4 3000008 3000008 4,0K mai    9  2014 
drwxrwxr--+  4   10001   20012 4,0K juil.  3  2015 

wbinfo --gid-to-sid=3000008
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=20012
wbinfo --sid-to-name=S-1-5-21-2718981395-2814295682-4030710678-512
Domain\Domain Admins 2
wbinfo --gid-to-sid=10001
wbinfo --sid-to-name=S-1-22-2-10001
failed to call wbcLookupSid: WBC_ERR_DOMAIN_NOT_FOUND
Could not lookup sid S-1-22-2-10001
wbinfo --sid-to-gid=S-1-5-21-2718981395-2814295682-4030710678-512


So, my questions are:

- is there a way to fix the "two GIDs leading to the same SID" thing? Any
clue on what has led to a change?
- should I change the owner of the GPOs I have with the 10001 user,
considering the fact that this corresponds to no real user?

- is there a way to fix my sysvol rights so I can create GPOs again?

- in the worst-case scenario, is there a way to recreate sysvol with no
GPOs inside BUT with correct rights?

- subsidiary question, but linked to the previous one:
- does anyone know (or can lead me to some documentation on the subject)
how to understand the answer given by the samba-tool ntacl get command,
such as this one:

samba-tool ntacl get /var/lib/samba/sysvol --as-sddl 2> /dev/null

- does anyone know what Linux user and group should own
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,
- does anyone know what Windows user and group should own
/var/lib/samba/sysvol, /var/lib/samba/sysvol/domain,

As usual, any advice, any help will be most welcome.
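As an added example, not from the poster or from the Samba project, here is a small Python parser for the O:/G:/D: string that samba-tool ntacl get --as-sddl prints, aimed at the last question above. The alias table and right codes are the standard Windows SDDL ones; the sample string is constructed and only reuses the Domain Admins SID quoted in the post.

```python
import re

# Two-letter trustee aliases from the Windows SDDL table (subset).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "SO": "BUILTIN\\Server Operators",
               "SY": "NT AUTHORITY\\SYSTEM", "AU": "NT AUTHORITY\\Authenticated Users",
               "CO": "CREATOR OWNER", "ED": "ENTERPRISE DOMAIN CONTROLLERS",
               "LA": "<domain>\\Administrator", "DA": "<domain>\\Domain Admins",
               "EA": "<domain>\\Enterprise Admins", "PA": "<domain>\\Group Policy Creator Owners"}
ACE_TYPES = {"A": "ALLOW", "D": "DENY", "OA": "OBJECT_ALLOW", "OD": "OBJECT_DENY", "AU": "AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT", "IO": "INHERIT_ONLY",
             "NP": "NO_PROPAGATE", "ID": "INHERITED"}
# Rights are either two-letter codes or a hex access mask (the form samba-tool prints).
RIGHT_CODES = {"GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,
               "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
               "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000}
FULL_CONTROL = {0x001F01FF, 0x10000000}  # FILE_ALL_ACCESS or GENERIC_ALL

def trustee(token):  # alias -> readable name; raw S-1-... SIDs pass through
    return SID_ALIASES.get(token, token)

def rights_mask(token):
    if token.startswith("0x"):
        return int(token, 16)
    mask = 0
    for i in range(0, len(token), 2):
        mask |= RIGHT_CODES[token[i:i + 2]]
    return mask

def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)...' into owner, group, DACL flags and ACEs."""
    m = re.fullmatch(r"O:(.+?)G:(.+?)D:([A-Z]*)((?:\([^)]*\))*)(?:S:.*)?", sddl.strip())
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    owner, group, dacl_flags, ace_blob = m.groups()
    aces = []
    for body in re.findall(r"\(([^)]*)\)", ace_blob):
        atype, flags, rights, _obj_guid, _inherit_guid, sid = body.split(";")
        aces.append({"type": ACE_TYPES.get(atype, atype), "trustee": trustee(sid),
                     "flags": [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2])
                               for i in range(0, len(flags), 2)],
                     "mask": rights_mask(rights)})
    return {"owner": trustee(owner), "group": trustee(group), "aces": aces,
            "protected": "P" in dacl_flags}  # P: inheritance from the parent is blocked

def full_control_trustees(parsed):
    """Trustees explicitly allowed full control: where a sysvol permission audit starts."""
    return sorted({a["trustee"] for a in parsed["aces"]
                   if a["type"] == "ALLOW" and a["mask"] in FULL_CONTROL})

# Constructed sample (not output from the poster's DC); last ACE uses the post's Domain Admins SID.
SAMPLE = ("O:LAG:BAD:P(A;OICI;0x001f01ff;;;BA)(A;OICI;0x001200a9;;;SO)"
          "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
          "(A;OICI;0x001f01ff;;;S-1-5-21-2718981395-2814295682-4030710678-512)")
```

Feed it the string printed by the samba-tool command above and compare the owner and the full-control list against what the Windows permissions dialog shows; a raw S-1-... SID that never resolves to a name is the same symptom wbinfo reports for the 10001 GID.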
