[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Rick Hollinbeck
admin at westernwares.com
Thu Mar 20 17:56:23 UTC 2025
Rowland,
I'm still not able to get Policies into AD.
> You should now have something like this in sysvol:
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
> 'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER' are
> empty directories and 'GPT.INI' are files containing:
> [General]
> Version=0
> That is what you get on a new DC
Yes, that is what I have (on my Samba 4.17.12 FSMO DC), e.g.
pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com
total 40
drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 .
drwxrwx---+ 3 root BUILTIN\administrators 4096 Mar 19 16:09 ..
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 Policies
drwxrwx---+ 2 root BUILTIN\administrators 4096 Mar 27 2024 scripts
drwxrwx---+ 4 root BUILTIN\administrators 4096 Feb 18 15:00 StarterGPOs
pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies
total 32
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 .
drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 ..
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {6AC1786C-016F-11D2-945F-00C04FB984F9}
pi at pidc3:~ $ sudo samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
    fsacl = getntacl(lp, path, session_info,
                     direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
    attribute = samba.xattr_native.wrap_getxattr(file,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
This looks to be some problem with ACLs?
At this point, the Policies folder is not yet appearing in AD.
What triggers that to happen?
Do I need to get sysvolreset to run successfully before the default GPOs
are built in AD?
> did your Windows DCs use any GPOs other than the empty default ones ?
No, I'm just trying to get a default GPO setup in AD so Group Policy
will work at all and Event Viewer errors go away on the client.
----
Meanwhile, I have built and joined a new (bookworm-backports) Samba AD 4.21.4 to the domain (pidc4).
It seems to be running fine with no errors in the log.
So I copied the Policies folder and files to the sysvol folder there to see if this would help.
Now I'm getting a new error on that DC running sysvolcheck:
pi at pidc4:~ $ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'OSError'>): Could not access /var/lib/samba/sysvol/samdom.example.com: No data available - [Errno 61] No data available: '/var/lib/samba/sysvol/samdom.example.com'
pi at pidc4:~ $ sudo samba-tool ntacl sysvolreset
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(<class 'FileNotFoundError'>): Could not access /var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}: No such file or directory - [Errno 2] No such file or directory: '/var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}'
pi at pidc4:~ $ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'FileNotFoundError'>): Could not access /var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}: No such file or directory - [Errno 2] No such file or directory: '/var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}'
Where is this new GUID {C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC} coming from now?
Is this new to 4.21?
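Editor's note on the two errors above, with an added example that is not part of the original post or of the Samba project: both sysvolcheck and sysvolreset take their list of GPOs from the groupPolicyContainer objects in AD (CN=Policies,CN=System,<domain DN>) and then look for a directory of the same GUID under sysvol/<dns domain>/Policies. A GPO object with no directory is what produces "No such file or directory" on 4.21, and the 4.17 traceback is the same getxattr call failing with errno 2 on a policy_path taken from AD. "[Errno 61] No data available" (ENODATA) from getxattr means the directory exists but carries no security.NTACL extended attribute, which is what a tree copied in with plain cp or rsync looks like until sysvolreset has written the ACLs. The script below reconciles the two lists in both directions and can lay down the empty skeleton a default GPO has. It assumes the `samba-tool gpo listall` output line format "GPO          : {GUID}" (an assumption to verify on your version); the GUIDs in the test data are constructed from the ones quoted in this thread.

```sh
#!/bin/sh
# Added example, not from the original post or the Samba project: reconcile
# the GPO GUIDs that AD holds against the directories under
# sysvol/<dns domain>/Policies, in both directions, and create the empty
# skeleton a freshly provisioned GPO has.

# GUIDs of the GPO objects in AD, one per line. Run this on a DC. Assumes the
# `samba-tool gpo listall` output format "GPO          : {GUID}" (assumption:
# check it on your version before relying on the sed pattern).
ad_gpo_guids() {
    samba-tool gpo listall | sed -n 's/^GPO *: *\({[0-9A-Fa-f-]*}\).*/\1/p'
}

# GUID-named directories present under the Policies directory $1.
sysvol_gpo_guids() {
    for d in "$1"/\{*\}; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# Print the lines of stdin that do not occur in the newline-separated list $1.
lines_not_in() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$1" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# GUIDs from the AD list on stdin that have no directory under $1
# (these are the ones sysvolreset/sysvolcheck trip over).
missing_gpo_dirs() {
    lines_not_in "$(sysvol_gpo_guids "$1")"
}

# Directories under $1 that no GPO object in the AD list on stdin refers to
# (stale copies from another DC, for example).
orphan_gpo_dirs() {
    ad=$(cat)
    sysvol_gpo_guids "$1" | lines_not_in "$ad"
}

# 0 if $1/$2 has the MACHINE/ and USER/ directories and a GPT.INI, else 1.
gpo_skeleton_ok() {
    [ -d "$1/$2/MACHINE" ] && [ -d "$1/$2/USER" ] && [ -f "$1/$2/GPT.INI" ]
}

# Create the empty skeleton of a default GPO: MACHINE/, USER/ and a GPT.INI
# holding "[General]" / "Version=0" (CRLF line endings, as Windows writes
# them). Only appropriate for a GPO that really is empty; a GPO that carried
# settings needs its real files from a DC that still has them. No NT ACL is
# written here, so run `samba-tool ntacl sysvolreset` afterwards.
mk_gpo_skeleton() {
    mkdir -p "$1/$2/MACHINE" "$1/$2/USER"
    printf '[General]\r\nVersion=0\r\n' > "$1/$2/GPT.INI"
}
```

Usage on a DC: `ad_gpo_guids | missing_gpo_dirs /var/lib/samba/sysvol/samdom.example.com/Policies` lists the GUIDs AD expects but sysvol lacks, and `ad_gpo_guids | orphan_gpo_dirs <same path>` lists the reverse. If you would rather not depend on the samba-tool output format, the same list comes from `ldbsearch -H /var/lib/samba/private/sam.ldb -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' '(objectClass=groupPolicyContainer)' name`, adjusted to your domain DN. Whatever you create or copy in, sysvolreset is still the step that writes the security.NTACL attribute sysvolcheck reads.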