[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol

Rowland Penny rpenny at samba.org
Sun Mar 23 15:58:32 UTC 2025


On Sun, 23 Mar 2025 09:36:20 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> More troubleshooting info:
> 
> ldbsearch output of Policies in AD:
> 
> sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one
> 

OUTPUT shortened for brevity:

> # record 1
> dn: 
> CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
> 
> # record 2
> dn: 
> CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
> 
> # record 3
> dn: 
> CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
> 
> # returned 3 records
> # 3 entries
> 

You have three GPOs; a new domain only has 2, the last two, the ones
that start with '6A' and '31B'. I have no idea what the other one does.
 
> 
> Attempt to run sysvolreset:
> 
> sudo samba-tool ntacl sysvolreset
> 
> set_nt_acl_conn: init_files_struct failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND ERROR(runtime): uncaught exception -
> (3221225524, 'The object name is not found.')
>    File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py",
> line 185, in _run
>      return self.run(*args, **kwargs)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^
>    File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 
> 412, in run
>      provision.setsysvolacl(samdb, netlogon, sysvol,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> line 1754, in setsysvolacl
>      set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, 
> use_ntvfs, passdb=s4_passdb)
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> line 1641, in set_gpos_acl
>      set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>    File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", 
> line 1604, in set_dir_acl
>      setntacl(lp, path, acl, domsid, session_info,
> use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb,
> service=service) File
> "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in
> setntacl smbd.set_nt_acl(
> 
> 
> The question now is:
> 
> Why does sysvolreset fail?

Probably because AD says there are three GPOs and there are only two on
disc in /var/lib/samba/sysvol.

Provided there are the required directories and files in sysvol and you
delete the GPO in AD that has the DN
'CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com'
I think sysvolreset should work.

Rowland
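
The mismatch suspected in the reply above (a GPO listed in AD with no matching folder in sysvol) can be checked by comparing the ldbsearch output against the Policies directory. This is an added example, not part of the original post or of Samba; the function names, the sample LDIF and the temporary directory are constructed, and the `sysvol/<dns domain>/Policies/{GUID}` layout is assumed.

```python
import os
import re
import tempfile

# GPO container DNs as ldbsearch prints them under CN=Policies,CN=System.
GPO_DN = re.compile(r"^dn:\s*CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,CN=System,", re.M)


def gpo_guids_from_ldif(ldif_text):
    """Return the GPO GUIDs named in ldbsearch LDIF output."""
    # LDIF folds long lines as newline + one space; undo that before matching.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    # Upper-case so '...00C04fB984F9' and '...00C04FB984F9' compare equal.
    return {guid.upper() for guid in GPO_DN.findall(unfolded)}


def gpo_dirs_on_disk(policies_dir):
    """Return GUID directory names under sysvol/<domain>/Policies."""
    if not os.path.isdir(policies_dir):
        return set()  # the whole Policies folder is missing
    return {name.upper() for name in os.listdir(policies_dir)
            if name.startswith("{") and os.path.isdir(os.path.join(policies_dir, name))}


def compare(ldif_text, policies_dir):
    """Report GPOs present only in AD and only on disk."""
    in_ad = gpo_guids_from_ldif(ldif_text)
    on_disk = gpo_dirs_on_disk(policies_dir)
    return {"ad_only": sorted(in_ad - on_disk), "disk_only": sorted(on_disk - in_ad)}


# Constructed sample: the three DNs from the thread, one of them folded.
SAMPLE_LDIF = """dn: CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
dn: CN={6AC1786C-016F-11D2-945F-00C04fB984F9},CN=Policies,CN=System,DC=samdom,
 DC=example,DC=com
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
"""


def demo():
    """Build a throwaway sysvol holding two GPO folders and compare it to the sample."""
    with tempfile.TemporaryDirectory() as root:
        policies = os.path.join(root, "samdom.example.com", "Policies")
        for guid in ("{6AC1786C-016F-11D2-945F-00C04FB984F9}", "{31B2F340-016D-11D2-945F-00C04FB984F9}"):
            os.makedirs(os.path.join(policies, guid))
        return compare(SAMPLE_LDIF, policies)
```

On a real DC, pass the captured ldbsearch output and the actual Policies path to `compare()`; any entry under `ad_only` is a GPO object without a folder on disk.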




