[Samba] Sysvol issues after DC migration

Oleg Blyahher oleg.blyahher at bluetest.se
Mon Mar 15 16:07:37 UTC 2021

Hi again everyone, starting a new thread as I was able to find some 
things... I had sent an email earlier on about domain members not 
synchronizing time, and instead using the CMOS time.

I tried to understand why machines in my domain don't react to the group 
policy I've set up that tells them to get the time from some nice NTP 
server somewhere. So I've realized that newly joined computers don't get 
any GPO rules from the DC at all.

The DC is fairly new, and took over the PDC role in the domain from an 
old broken one running Samba 4 with Zentyal, which in turn 
replaced a Samba 3 server that was not a DC.

I downloaded the script recommended in the wiki, and got results exactly 
like in this thread: 

Or, in short:

# bash samba-check-set-sysvol.sh
INFO 2021-03-15 16:52:29,860 pid:20629 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #96: Loaded smb config files from /etc/samba/smb.conf
INFO 2021-03-15 16:52:29,861 pid:20629 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #97: Loaded services file OK.
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-32-544 to uid
Error, UID2SID and GID2SID are not matching, exiting now.

What do I do now? If I run `wbinfo -g`, BUILTIN\Administrators is not 
listed there. I don't mind recreating my existing GPOs from scratch.

Note: I can edit existing Group Policies, but when I try to create a new 
one, I simply get "Access is denied".

Not sure where to even begin here (I've read quite a lot on the thread 
mentioned above, got stuck directly on "Check your AD and remove any 
gidNumber or uidNumber attributes from any users or groups that appear 
on that page except for 'Domain Users'"), so any help is very much appreciated.

