[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol

Rowland Penny rpenny at samba.org
Mon Mar 24 17:03:42 UTC 2025


On Mon, 24 Mar 2025 10:39:31 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> > Probably because AD says there are three GPOs and there are only
> > two on disc in /var/lib/samba/sysvol.
> >
> > Provided there are the required directories and files in sysvol and
> > you delete the GPO in AD that has the DN
> > 'CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com'
> > I think sysvolreset should work.
> >
> > Rowland
> 
> I was able to delete the third GPO using Group Policy Management on
> the Windows client.
> 
> Now, ldbsearch shows just the two GUIDs that are also in the
> /var/lib/samba/sysvol folders.
> 
> However, when I run sysvolreset, the same error still occurs:
> 
> ...
> set_nt_acl_conn: init_files_struct failed:
> NT_STATUS_OBJECT_NAME_NOT_FOUND ERROR(runtime): uncaught exception -
> (3221225524, 'The object name is not found.')
> ...
> 
> 
> One thing I notice...
> 
> In Group Policy Management (on Windows), if I click on either of the
> two default GPOs,
> an error message box pops up telling me that there is a mismatch in
> permissions between AD and the sysvol folder.
> Clicking 'Ok' to supposedly fix this does not remove the error.
> (I assume that if I can get sysvolreset to work on the Samba DC, this
> error will go away.)
> 
> For now, I'm still stumped.
> 

It has been some time since I took a long look at the code, but, from
memory, this is how it is supposed to work:

When you first provision a new domain, two empty default GPOs are
created (the ones I referred to earlier). These GPOs are stored in two
places, on disk in sysvol and in objects in AD.

When you run 'sysvolreset', it connects to AD, reads what GPOs are in
use and, using that data, resets the ownership and permissions of the
directories and files in sysvol. That is why the GPOs in AD and sysvol
have to match.
One other 'gotcha': if you are using rfc2307 attributes and have
given Domain Admins a gidNumber attribute, doing this turns the Windows
group into a Unix group, and a Unix group cannot own anything.

If everything is correct, it should work. Try comparing the test AD
you created with your non-working AD, and do the same for sysvol.

Rowland
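As an added illustration of the AD/sysvol agreement described in this reply (example code, not from the thread or from Samba itself), the following POSIX shell check lists GPO GUIDs that are present in AD but missing from sysvol, and vice versa, so the mismatch is found before sysvolreset is run. The ldbsearch invocation and the realm directory name under sysvol are assumptions, and the sample input is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from Samba: compare the GPO
# GUIDs that AD knows about with the {GUID} directories present in sysvol,
# so a mismatch (three GPOs in AD, two on disk) is found before sysvolreset.
# Assumed way to capture the AD side on the DC, saved to a file:
#   ldbsearch -H /var/lib/samba/private/sam.ldb \
#     -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' \
#     '(objectClass=groupPolicyContainer)' name > /tmp/gpo.ldif
# On-disk side: <sysvol>/<realm>/Policies (realm directory name assumed).
export LC_ALL=C   # same collation for sort and comm

# {GUID}s taken from the dn: lines of the saved ldbsearch output ($1)
ad_guids() {
    sed -n 's/^dn: CN=\({[0-9A-Fa-f-]*}\),CN=Policies,.*/\1/p' "$1" | sort -u
}

# {GUID} directories directly under the sysvol Policies directory ($1)
sysvol_guids() {
    find "$1" -mindepth 1 -maxdepth 1 -type d -name '{*}' -exec basename {} \; | sort -u
}

# Print "AD-only <guid>" / "SYSVOL-only <guid>" lines; return 1 on any mismatch
gpo_mismatch() {
    tmp_ad=$(mktemp); tmp_sv=$(mktemp)
    ad_guids "$1" > "$tmp_ad"
    sysvol_guids "$2" > "$tmp_sv"
    # comm -23: only in AD; comm -13: only in sysvol (inputs already sorted)
    out=$( { comm -23 "$tmp_ad" "$tmp_sv" | sed 's/^/AD-only /'
             comm -13 "$tmp_ad" "$tmp_sv" | sed 's/^/SYSVOL-only /'; } )
    rm -f "$tmp_ad" "$tmp_sv"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed demo input (not from a real DC): the two default GPO GUIDs exist
# on disk, while AD additionally lists the stale third GUID from the thread.
demo=$(mktemp -d)
mkdir -p "$demo/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}" \
         "$demo/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}"
cat > "$demo/gpo.ldif" <<'EOF'
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
dn: CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
EOF
if gpo_mismatch "$demo/gpo.ldif" "$demo/Policies"; then
    echo "AD and sysvol agree; sysvolreset sees a consistent set of GPOs"
else
    echo "fix the mismatch above before running sysvolreset"
fi
```

Deleting the stale object in AD (as done on the Windows client above) or restoring its directory under sysvol makes the check pass.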