[Samba] Fwd: GPO incomplete / missing -> samba-tool crash

Kees van Vloten keesvanvloten at gmail.com
Mon Jan 10 17:53:21 UTC 2022

On 10-01-2022 18:32, Rowland Penny via samba wrote:
> On Mon, 2022-01-10 at 18:23 +0100, Kees van Vloten via samba wrote:
>> On 10-01-2022 18:10, Rowland Penny via samba wrote:
>>> On Mon, 2022-01-10 at 18:04 +0100, Kees van Vloten via samba wrote:
>>>> On 10-01-2022 17:59, David Mulder via samba wrote:
>>>>> Check in adsi under CN=Policies,CN=System. You probably have
>>>>> the
>>>>> policy listed there in ldap still, which I assume needs to be
>>>>> removed.
>>>>> It'll be called CN={75991237-941B-47B9-AF67-853781EA44B3}
>>>> Thanks David!
>>>> I have no Windows machine at hand, will 'ldb*' do the same?
>>> Yes it would, but if you have another DC and if it is still there,
>>> you
>>> could sync it back.
>>> Rowland
>> I have 2 DCs and it is gone on both. I guess the automatic sync did
>> what
>> it is supposed to do :-) .
>> I am using the osync solution from wiki:
>> https://wiki.samba.org/index.php/Bidirectional_Rsync/osync_based_SysVol_replication_workaround.
>> Since I have the default policies only at the moment, I am a bit
>> puzzled
>> what happened, since there are still 2 policies on the filesystem
>> but
>> indeed 3 in LDAP in 'CN=Policies,CN=System,DC=samdom,DC=net'.
>> Would there be any way to find a clue what the 3rd was?
> Possibly, if it is using a standard GUID, but this unlikely.
> You are going to have to remove it from AD, not entirely sure how.
> Do you have a backup you could obtain it from ?
> Rowland
Nope, there is not backup yet, as I am still busy setting up these systems.
That implies that there is no serious harm done, it just should not have 
happened. I will try to remove the entries with ldbdel and then run the 
sysvolcheck and sysvolreset again.

I do have a feature request: samba-tool does not react nicely on this 
situation. Either it crashes hard without a descent error message or (on 
delete) it tells me the policy does not exist (which is only partially 
true). Would be nice to have better error handling and in the case of 
the delete to just remove the remaining parts of the the policy. What 
would be the best way to address this? Create a bug?

- Kees

More information about the samba mailing list