[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Rick Hollinbeck
admin at westernwares.com
Sun Mar 23 00:40:32 UTC 2025
> sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one
>> Ok, I ran this on my server and...
>> The GPO records were now there!
> Yes, but how many ?
> Please post the output.
/var/lib/samba/sysvol
└── samdom.example.com
    ├── Policies
    │   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
    │   │   ├── GPT.INI
    │   │   ├── MACHINE
    │   │   └── USER
    │   └── {6AC1786C-016F-11D2-945F-00C04FB984F9}
    │       ├── GPT.INI
    │       ├── MACHINE
    │       └── USER
    └── scripts

10 directories, 2 files
The content of sysvol in AD is also the same using the Windows DNS utility on a client.
So things look ok to me as far as what's there.
> And... The Policies folder is also showing in Windows explorer.
>
> And... My GPO error events went away.
> That 'ldbsearch' line will not have fixed anything.
I understand.
But new records in AD WERE created for the Default GPOs
some time after I set up /var/lib/samba/sysvol../Policies folders and files.
So this seemed to work fine.
> The population of sysvol in AD seems to have happened overnight,
> so perhaps this is done on some kind of schedule by Samba.
> There is nothing in Samba to sync the Sysvol directories, but AD
> replication will ensure that the databases on all DCs match (unless
> something goes wrong and there are always non replicating attributes)
I understand.
> But...
> sysvolcheck still fails on both my FSMO samba 4.17.12 DC and
> my secondary 4.21.4 DC as I showed in my last email.
> I think you are now conflating what is in AD and what is in the sysvol
> directories, they should correspond, sysvolreset uses the information
> from AD to set the permissions in the sysvol directories. If there are
> GPOs in AD, but not in sysvol, you get an error like the one you are
> getting.
...but that is odd because the entries in AD were apparently created
from the files I placed manually in /var/lib/samba/sysvol in the first place...
Is there a samba-tool command to show the sysvol in AD?
> But, as long as GPO seems to work now, I guess I don't need
> sysvolcheck to work.
> Yes you do.
Ok, I'll keep troubleshooting.
> Rowland
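
Added example, not part of the original message or of Samba: a shell sketch of the AD-versus-sysvol correspondence discussed above, which lists GPO GUIDs present on one side but not the other. The function names are hypothetical and the LDIF is constructed sample data shaped like the output of the ldbsearch command quoted in the thread.

```shell
#!/bin/sh
# Added example: compare GPO GUIDs recorded in AD with the folders in sysvol.
# Function names are hypothetical; the LDIF below is constructed sample data.

# Print the {GUID} from each 'cn:' line of ldbsearch LDIF read on stdin.
gpo_guids_from_ldif() {
    sed -n 's/^cn: *\({[0-9A-Fa-f-]*}\) *$/\1/p' | tr 'a-f' 'A-F' | sort -u
}

# Print the {GUID} directory names found under a Policies directory.
gpo_guids_from_sysvol() {
    [ -d "$1" ] || return 0          # no Policies folder: nothing on disk
    for d in "$1"/\{*\}; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr 'a-f' 'A-F' | sort -u
}

# compare_gpos LDIF_FILE POLICIES_DIR
# Prints one line per mismatch and returns 1 if AD and sysvol disagree.
compare_gpos() {
    ad=$(gpo_guids_from_ldif < "$1")
    fs=$(gpo_guids_from_sysvol "$2")
    rc=0
    for g in $ad; do
        printf '%s\n' "$fs" | grep -qxF -- "$g" ||
            { echo "in AD, missing from sysvol: $g"; rc=1; }
    done
    for g in $fs; do
        printf '%s\n' "$ad" | grep -qxF -- "$g" ||
            { echo "in sysvol, missing from AD: $g"; rc=1; }
    done
    return $rc
}

# Constructed, abbreviated LDIF for the two default GPOs named in the thread.
sample_ldif() {
    cat <<'EOF'
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {31B2F340-016D-11D2-945F-00C04FB984F9}

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
cn: {6AC1786C-016F-11D2-945F-00C04FB984F9}
EOF
}
```

On a DC, the input would come from the thread's ldbsearch command with its output saved to a file, which is then passed to compare_gpos together with /var/lib/samba/sysvol/samdom.example.com/Policies. This only checks that the GUID folders exist; it does not check the ACLs that sysvolcheck verifies.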