Rick Hollinbeck
2025-Mar-24 16:39 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
> Probably because AD says there are three GPOs and there are only two on
> disc in /var/lib/samba/sysvol.
>
> Provided there are the required directories and files in sysvol and you
> delete the GPO in AD that has the DN
> 'CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com'
> I think sysvolreset should work.
>
> Rowland

I was able to delete the third GPO using Group Policy Management on the Windows client.

Now, ldbsearch shows just the two GUIDs that are also in the /var/lib/samba/sysvol folders.

However, when I run sysvolreset, the same error still occurs:

...
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
...

One thing I notice...

In Group Policy Management (on Windows), if I click on either of the two default GPOs, an error message box pops up telling me that there is a mismatch in permissions between AD and the sysvol folder.
Clicking 'Ok' to supposedly fix this does not remove the error.
(I assume that if I can get sysvolreset to work on the Samba DC, this error will go away.)

For now, I'm still stumped.
Rowland Penny
2025-Mar-24 17:03 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
On Mon, 24 Mar 2025 10:39:31 -0600 Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> > Probably because AD says there are three GPOs and there are only
> > two on disc in /var/lib/samba/sysvol.
> >
> > Provided there are the required directories and files in sysvol and
> > you delete the GPO in AD that has the DN
> > 'CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com'
> > I think sysvolreset should work.
> >
> > Rowland
>
> I was able to delete the third GPO using Group Policy Management on
> the Windows client.
>
> Now, ldbsearch shows just the two GUIDs that are also in the
> /var/lib/samba/sysvol folders.
>
> However, when I run sysvolreset, the same error still occurs:
>
> ...
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
> ...
>
> One thing I notice...
>
> In Group Policy Management (on Windows), if I click on either of the
> two default GPOs
> an error message box pops up telling me that there is a mismatch in
> permissions between AD and the sysvol folder.
> Clicking 'Ok' to supposedly fix this does not remove the error.
> (I assume that if I can get sysvolreset to work on the Samba DC, this
> error will go away.)
>
> For now, I'm still stumped.

It has been some time since I took a long look at the code, but, from memory, this is how it is supposed to work:

When you first provision a new domain, two empty default GPOs are created (the ones I referred to earlier). These GPOs are stored in two places, on disk in sysvol and in objects in AD. When you run 'sysvolreset' it connects to AD and reads what GPOs are in use and, using that data, resets the ownership and permissions of the directories and files in sysvol. That is why the GPOs in AD and sysvol have to match.
One other 'gotcha' is if you are using rfc2307 attributes and have given Domain Admins a gidNumber attribute. Doing this turns the Windows group into a Unix group, and a Unix group cannot own anything.

If everything is correct, it should work. Try comparing what is in the test AD you created with what is in your non-working AD, and do the same for sysvol.

Rowland
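
Added example, not part of the thread and not Samba's own code: a check of the one precondition described above, that the GPO GUIDs found under CN=Policies,CN=System in AD match the GUID directories in the sysvol Policies folder. The LDIF text is a constructed sample of ldbsearch output showing the state before the third GPO was deleted (the two well-known default GPO GUIDs plus the GUID quoted in the thread), the directory tree is a temporary stand-in for sysvol, and all function names are hypothetical.

```python
import os
import re
import tempfile

# Matches only GPO container entries, not their CN=User/CN=Machine children.
GPO_DN = re.compile(r"^dn: CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)

# Constructed sample of ldbsearch output (LDIF). Long DNs are folded onto a
# continuation line that starts with one space.
SAMPLE_LDIF = """\
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom
 ,DC=example,DC=com

dn: CN=User,CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,D
 C=samdom,DC=example,DC=com

dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom
 ,DC=example,DC=com

dn: CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom
 ,DC=example,DC=com
"""

def unfold_ldif(text):
    """Join LDIF continuation lines back onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def gpos_in_ad(ldif_text):
    """GUIDs of GPO objects in the LDIF, upper-cased for comparison."""
    return {m.group(1).upper() for line in unfold_ldif(ldif_text)
            if (m := GPO_DN.match(line))}

def gpos_on_disk(policies_dir):
    """GUID-named directories under the Policies folder, upper-cased."""
    return {n.upper() for n in os.listdir(policies_dir)
            if n.startswith("{") and os.path.isdir(os.path.join(policies_dir, n))}

def compare(ldif_text, policies_dir):
    ad, disk = gpos_in_ad(ldif_text), gpos_on_disk(policies_dir)
    return {"ad_only": sorted(ad - disk), "disk_only": sorted(disk - ad)}

def demo():
    """Temporary Policies folder holding only the two default GPOs."""
    with tempfile.TemporaryDirectory() as policies:
        for guid in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
                     "{6AC1786C-016F-11D2-945F-00C04FB984F9}"):
            os.makedirs(os.path.join(policies, guid, "MACHINE"))
        return compare(SAMPLE_LDIF, policies)
```

An empty result on both sides only rules out a GUID mismatch; it says nothing about ownership, ACLs or files missing inside a GPO directory.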
Michael Tokarev
2025-Mar-25 08:49 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
24.03.2025 19:39, Rick Hollinbeck via samba wrote:
...
> However, when I run sysvolreset, the same error still occurs:
>
> ...
> set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
> ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')

How about running sysvolreset under strace, and seeing which syscall receives ENOENT?

Thanks,

/mjt