[Samba] Joining a new Samba AD DC

Mark Foley mfoley at novatec-inc.com
Fri Jul 28 21:04:21 UTC 2023


on Fri Jul 28 14:30:33 2023 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On 28/07/2023 19:04, Mark Foley via samba wrote:
> > 
> > After checking with the previous run, these sysvolreset errors are the same as
> > before, so syncing the sysvol didn't make any difference.
> > 
> > You wrote: "It looks to me that you have more GPO's in AD than you have on
> > disk, ...". So, where are the "AD" versus "on disk" GPOs located? Is one of
> > these locations /var/lib/samba/sysvol/hprs.local/policies/? I've rsync'ed the
> > sysvol again. They are identical between the machines.
> > 
> > Is this error possibly ignorable? I've checked and the rsync did copy the ACL
> > attributes to the sysvol files and folders, so maybe this "ntacl sysvolreset"
> > isn't really making any changes?
> > 
> > Thanks --Mark
> > 
>
> The Policies are stored in AD under 'CN=Policies,CN=System....', so to 
> see them you need to run something like this (changed to match your 
> setup) on a DC:
>
> sudo ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Policies,CN=System,DC=samdom,DC=example,DC=com" -s one dn
>
> You should get lines like this:
>
> dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
>
> There should be one for every GPO stored on disk in sysvol.
>
> Rowland

OK! Below are the ldbsearch results:

# ldbsearch -H /var/lib/samba/private/sam.ldb -b "CN=Policies,CN=System,DC=hprs,DC=local" -s one dn
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hprs,DC=local

# record 2
dn: CN={6A076178-76C0-4FAB-B556-89CF817D10A3},CN=Policies,CN=System,DC=hprs,DC=local

# record 3
dn: CN={BCA8FAF8-6904-44C4-9D32-28400BE61028},CN=Policies,CN=System,DC=hprs,DC=local

# record 4
dn: CN={55936226-0069-4278-AABB-88B9072A5818},CN=Policies,CN=System,DC=hprs,DC=local

# record 5
dn: CN={3C103F7B-7250-4610-BC45-8B06353CAA7C},CN=Policies,CN=System,DC=hprs,DC=local

# record 6
dn: CN={B73A6A00-9CB8-47C5-A6AA-DA8A86D1D247},CN=Policies,CN=System,DC=hprs,DC=local

# record 7
dn: CN={B78D19CB-914B-48F4-AA63-FD8708A553D7},CN=Policies,CN=System,DC=hprs,DC=local

# record 8
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hprs,DC=local

# record 9
dn: CN={178C3418-E432-414A-9185-DCD1AB359A3B},CN=Policies,CN=System,DC=hprs,DC=local

# returned 9 records
# 9 entries
# 0 referrals

And the following is a list of the sysvol policies:

# ls -ld /var/lib/samba/sysvol/hprs.local/policies/\{*
drwxrwx---+ 4 root 3000000 4096 2015-09-09 00:43 /var/lib/samba/sysvol/hprs.local/policies/{178C3418-E432-414A-9185-DCD1AB359A3B}/
drwxrwx---+ 4 root 3000000 4096 2014-08-29 13:19 /var/lib/samba/sysvol/hprs.local/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/
drwxrwx---+ 4 root 3000000 4096 2014-10-08 22:37 /var/lib/samba/sysvol/hprs.local/policies/{3C103F7B-7250-4610-BC45-8B06353CAA7C}/
drwxrwx---+ 4 root 3000000 4096 2019-12-10 01:51 /var/lib/samba/sysvol/hprs.local/policies/{55936226-0069-4278-AABB-88B9072A5818}/
drwxrwx---+ 4 root 3000000 4096 2020-09-28 15:38 /var/lib/samba/sysvol/hprs.local/policies/{6A076178-76C0-4FAB-B556-89CF817D10A3}/
drwxrwx---+ 4 root 3000000 4096 2014-08-29 13:19 /var/lib/samba/sysvol/hprs.local/policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/
drwxrwx---+ 4 root 3000000 4096 2015-09-08 23:53 /var/lib/samba/sysvol/hprs.local/policies/{B73A6A00-9CB8-47C5-A6AA-DA8A86D1D247}/
drwxrwx---+ 4 root 3000000 4096 2014-09-13 03:08 /var/lib/samba/sysvol/hprs.local/policies/{B78D19CB-914B-48F4-AA63-FD8708A553D7}/
drwxrwx---+ 4 root 3000000 4096 2015-05-15 14:16 /var/lib/samba/sysvol/hprs.local/policies/{BCA8FAF8-6904-44C4-9D32-28400BE61028}/

I've checked each dn returned by ldbsearch against the above list and they are all
there. Apparently the sysvolreset errors are not because of missing GPOs, right?

Suggestions on moving forward?

Thanks --Mark
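
The comparison done by eye above (GPO objects under CN=Policies in AD against the {GUID} folders in sysvol) can be scripted. This is an added example and not part of the original post: the function names are hypothetical, the `{aaaaaaaa-...}` GUID and the demo data are constructed, and GUIDs are compared case-insensitively as an assumption. In practice, save the `ldbsearch ... -s one dn` output to a file and pass it with the sysvol policies directory to `compare_gpos`.

```shell
#!/bin/sh
# Added example: compare GPO GUIDs in AD (ldbsearch output) with sysvol folders.
GUID_RE='\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

# Read ldbsearch output on stdin; print one upper-cased GUID per GPO dn.
gpo_guids_from_ldif() {
    grep -i '^dn: CN={' | grep -oE "$GUID_RE" | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# List the {GUID} directories directly under the policies folder given as $1.
gpo_guids_from_sysvol() {
    for d in "$1"/\{*\}/; do
        [ -d "$d" ] && basename "$d"
    done | grep -xE "$GUID_RE" | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# $1 = file holding ldbsearch output, $2 = policies directory.
# Prints "AD-only {GUID}" or "disk-only {GUID}" per mismatch; nothing if equal.
compare_gpos() {
    cmp_tmp=$(mktemp -d) || return 2
    gpo_guids_from_ldif < "$1" > "$cmp_tmp/ad"
    gpo_guids_from_sysvol "$2" > "$cmp_tmp/disk"
    LC_ALL=C comm -23 "$cmp_tmp/ad" "$cmp_tmp/disk" | sed 's/^/AD-only /'
    LC_ALL=C comm -13 "$cmp_tmp/ad" "$cmp_tmp/disk" | sed 's/^/disk-only /'
    rm -rf "$cmp_tmp"
}

# Constructed demo: one GPO present in both places, one only in AD,
# and one folder (constructed GUID) that has no object in AD.
demo() {
    work=$(mktemp -d) || return 2
    mkdir -p "$work/policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
             "$work/policies/{aaaaaaaa-0000-4000-8000-000000000001}"
    cat > "$work/ad.ldif" <<'EOF'
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hprs,DC=local

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=hprs,DC=local
EOF
    compare_gpos "$work/ad.ldif" "$work/policies"
    rm -rf "$work"
}
demo
```

Empty output means every GPO object in AD has a matching folder on disk and vice versa, which is the result reported in this message.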


