samba - Mar 2021 - Sysvol issues after DC migration

On 16/03/2021 15:09, Oleg Blyahher via samba wrote:
> Hi,
>
> After running *samba-tool ntacl sysvolreset *everything is now MUCH 
> better. I can edit GPO and sysvol permissions without problems. Thanks 
> you!
>
> I did get some errors though, when running this:

GPO's are stored in two places, in Sysvol and in AD, it looks like they 
do not match.

How many GPO's do you have in Sysvol ?

How many are shown by 'samba-tool gpo listall' ?

Rowland

Yup, you are absolutely right, in both GPO management and 'samba-tool 
gpo listall' I get 4 GPOs, but only 3 are listed in 
/var/lib/samba/sysvol/domain.com/Policies

The one missing there is "*Default Domain Controllers Policy*", aka 
{6AC1786C-016F-11D2-945F-00C04FB984F9}

If I rerun samba-tool ntacl sysvolreset, I get the same error:

connect_acl_xattr: setting 'inherit acls = true' 'dos filemode =
true'
and 'force unknown acl user = true' for service sysvol set_nt_acl_conn: 
init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND 
ERROR(runtime): uncaught exception - (3221225524, 'The object name is 
not found.') File 
"/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186,
in
_run return self.run(*args, **kwargs) File 
"/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 415, in
run
lp, use_ntvfs=use_ntvfs) File 
"/usr/lib/python3/dist-packages/samba/provision/__init__.py", line
1782,
in setsysvolacl set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, 
samdb, lp, use_ntvfs, passdb=s4_passdb) File 
"/usr/lib/python3/dist-packages/samba/provision/__init__.py", line
1676,
in set_gpos_acl passdb=passdb) File 
"/usr/lib/python3/dist-packages/samba/provision/__init__.py", line
1637,
in set_dir_acl setntacl(lp, path, acl, domsid, session_info, 
use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, 
service=service) File
"/usr/lib/python3/dist-packages/samba/ntacls.py",
line 238, in setntacl service=service, session_info=session_info)

Should I delete this policy from AD? Or maybe recreate the internal 
structure somehow? 'samba-tool gpo create ....'?

Oleg