[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Rowland Penny
rpenny at samba.org
Thu Mar 20 19:41:29 UTC 2025
On Thu, 20 Mar 2025 11:56:23 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:
> Rowland,
>
> I'm still not able to get Policies into AD.
>
> > You should now have something like this in sysvol:
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
> > 'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER'
> > are empty directories and 'GPT.INI' are files containing:
> > [General]
> > Version=0
> > That is what you get on a new DC
>
> Yes, that is what I have (on my Samba 4.17.12 FSMO DC), e.g.
>
> pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com
> total 40
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 .
> drwxrwx---+ 3 root BUILTIN\administrators 4096 Mar 19 16:09 ..
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 Policies
> drwxrwx---+ 2 root BUILTIN\administrators 4096 Mar 27 2024 scripts
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Feb 18 15:00 StarterGPOs
>
> pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies
> total 32
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 .
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 ..
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> pi at pidc3:~ $ sudo samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>     provision.checksysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
>     fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
>     attribute = samba.xattr_native.wrap_getxattr(file,
>
> This looks to be some problem with ACLs?
>
> At this point, the Policies folder is not yet appearing in AD.
>
> What triggers that to happen?
>
> Do I need to get sysvolreset to run successfully before the default
> GPOs are built in AD?
>
> > did your Windows DCs use any GPOs other than the empty default
> > ones ?
>
> No, I'm just trying to get a default GPO setup in AD so Group Policy
> will work at all and Event Viewer errors go away on the client.
>
Try running this on your Samba DC (altered to your setup):

sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one

It is supposed to be all on one line.
Rowland
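Rowland's ldbsearch lists the GPO containers AD knows about under CN=Policies, while Rick's ls output lists the GUID directories sysvol actually has; sysvolcheck walks the former and opens the latter, so a GUID present on only one side is the first thing to look for. The script below is an added example for this thread, not Samba code and not from either poster: it parses pasted output of those two commands and reports GUIDs that appear on only one side. Its LDIF and ls text are constructed samples in the shape of that output, and the third GUID in the LDIF is made up.

```python
import re

# A GPO GUID in braces: the cn of its groupPolicyContainer object in AD and
# the name of its directory under sysvol/<dnsdomain>/Policies.
GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Constructed sample in the shape of the ldbsearch output Rowland asked for
# (attributes abbreviated); the third GUID is made up to show a mismatch.
SAMPLE_LDIF = """\
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}
displayName: Default Domain Policy

dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
displayName: Default Domain Controllers Policy

dn: CN={11111111-2222-3333-4444-555555555555},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {11111111-2222-3333-4444-555555555555}
displayName: Constructed GPO whose sysvol directory is missing
"""

# Constructed sample in the shape of Rick's `ls -al .../Policies` listing.
SAMPLE_LS = """\
total 32
drwxrwx---+ 4 root BUILTIN\\administrators 4096 Mar 19 15:14 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root BUILTIN\\administrators 4096 Mar 19 15:14 {6AC1786C-016F-11D2-945F-00C04FB984F9}
"""

def gpos_in_ad(ldif: str) -> set[str]:
    """GUIDs from the cn: lines of ldbsearch output (dn lines are ignored)."""
    return {m.group(0).upper() for line in ldif.splitlines()
            if line.lower().startswith("cn:") and (m := GUID_RE.search(line))}

def gpos_in_sysvol(ls_output: str) -> set[str]:
    """GUID directory names in an `ls -al <sysvol>/<dnsdomain>/Policies` listing."""
    return {m.group(0).upper() for m in GUID_RE.finditer(ls_output)}

def compare_gpos(ldif: str, ls_output: str) -> dict[str, set[str]]:
    """GPOs present on only one side; an empty dict means AD and sysvol agree.
    no_folder: AD object but no directory, so getntacl() on that path gets
               ENOENT, the 'No such file or directory' sysvolcheck stops on.
    no_object: directory on disk but no AD object, so no client applies it."""
    ad, disk = gpos_in_ad(ldif), gpos_in_sysvol(ls_output)
    out = {}
    if ad - disk:
        out["no_folder"] = ad - disk
    if disk - ad:
        out["no_object"] = disk - ad
    return out
```

On a real DC, feed it the actual ldbsearch and ls output instead of the samples; GUIDs in the no_folder set are the ones to check before rerunning sysvolcheck.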