On Mon, 25 Aug 2025 10:57:38 +0200
ladas via samba <samba at lists.samba.org> wrote:
> Hi everybody.
>
> A month ago I "renewed" our AD DC controllers. I installed new, fresh
> samba servers based on devuan5 including samba 4.21.5, connected them
> to the domain, moved FSMO to the new master controller and disconnected
> the old controllers from the domain. I have three controllers in total.
> One master, one backup at the same location and the third is at a
> remote place connected through VPN.
First, you do not have a master or backup DC, you just have three DCs.
All DCs are equal apart from the FSMO roles and they can be on any DC.
> Last week I discovered the GPO are not
> processed at one PC at remote office. gpupdate /force generate the
> message:
>
> The computer policy could not be successfully updated. The following
> problems occurred: Error processing the group policy. The attempt to
> read the file
>
> "\\domain.com\sysvol\domain.com\Policies\{F93CC6D6-748A-4B1A-8717-D2DA0C9D40B9}\gpt.ini"
> from a domain controller was unsuccessful. Group policy settings
> cannot be applied until this event is resolved. This may be a
> temporary problem that can have at least one of the following causes:
> a) Name resolution/network connection with the current domain
> controller. b) File Replication Service latency (a file created on
> another domain controller has not replicated to the current domain
> controller). c) The Distributed File System (DFS) client has been
> disabled.
>
> The user policy could not be successfully updated. The following
> problems occurred: Error processing the group policy. The attempt to
> read the file
>
> "\\domain.com\sysvol\domain.com\Policies\{F93CC6D6-748A-4B1A-8717-D2DA0C9D40B9}\gpt.ini"
> from a domain controller was unsuccessful. Group policy settings
> cannot be applied until this event is resolved. This may be a
> temporary problem that can have at least one of the following causes:
> a) Name resolution/network connection with the current domain
> controller. b) File replication service wait time (a file created on
> another domain controller has not replicated to the current domain
> controller). c) The Distributed File System (DFS) client has been
> disabled.
>
> To diagnose the error, read the event log or run the command
> "GPRESULT /H GPReport.html" to access information about Group Policy
> results.
>
>
> I looked at the servers and discovered that the GPOs on the backup and
> remote AD DC controllers are not owned by "domain\domain admins" like
> on the master controller but by some domain user. The funny thing is
> that on each controller the user is different.
>
> GPOs are synced by rsync in crontab: rsync -XAavz --delete-after
> --password-file=/var/lib/samba/private/rsync-sysvol.secret
> rsync://sysvol-replicator at 10.0.0.248/SysVol/ /var/lib/samba/sysvol/ >
> /var/log/sysvol-replication.log 2>&1
>
> cron runs rsync as root, no rules are synced (by log) but the owner and
> group of the GPOs are changed each time.
>
> Can somebody give me advice, how to avoid this behaviour? Thank you
> very much for any help.
You appear to have missed a step, I suggest you read this:
https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)
Rowland
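As an added example (it is not the poster's cron job and not a script from the Samba project), this is what a one-way SysVol pull looks like when it includes the step the linked wiki workaround calls for after every rsync: resetting the NT ACLs on the receiving DC with `samba-tool ntacl sysvolreset`. The rsync source, secret file, SysVol path and log path are assumptions copied from the quoted command; the `RSYNC` and `SAMBA_TOOL` variables only exist so the steps can be exercised without a real DC.

```shell
#!/bin/sh
# sysvol-replicate.sh: one-way SysVol pull plus the ACL reset the quoted cron
# job omits. Added example, not the poster's script or a Samba project file.
# The source URL, secret file and paths are assumptions taken from the quoted
# rsync command; adjust them to your DCs.

set -u

RSYNC_SRC="${RSYNC_SRC:-rsync://sysvol-replicator@10.0.0.248/SysVol/}"
SYSVOL_DIR="${SYSVOL_DIR:-/var/lib/samba/sysvol/}"
SECRET_FILE="${SECRET_FILE:-/var/lib/samba/private/rsync-sysvol.secret}"
LOG_FILE="${LOG_FILE:-/var/log/sysvol-replication.log}"
RSYNC="${RSYNC:-rsync}"                # overridable so the flow can be dry-run
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"

# The rsync password must be readable by root only. rsync itself refuses a
# password file that others can read, and whoever holds that password can
# pull every GPO from the replication source.
check_secret_perms() {
    f=$1
    [ -f "$f" ] || { echo "secret file $f missing" >&2; return 1; }
    # columns 5-10 of "ls -l" output are the group and other permission bits
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) return 0 ;;
        *) echo "secret file $f is group/world accessible" >&2; return 1 ;;
    esac
}

# Pull SysVol. -a/-A/-X preserve the owner, POSIX ACLs and xattrs, but the
# uid/gid values behind them were allocated in the source DC's idmap.ldb;
# every DC has its own idmap.ldb, so on the receiver the same number is an
# unrelated account. That is why each DC shows a different "random" owner.
pull_sysvol() {
    "$RSYNC" -XAavz --delete-after --password-file="$SECRET_FILE" \
        "$RSYNC_SRC" "$SYSVOL_DIR"
}

# The missed step: rebuild the NT ACLs on the local copy from this DC's own
# mappings, so the Policies tree is owned by Domain Admins again and gpt.ini
# is readable by the clients that ask this DC for it.
reset_sysvol_acls() {
    "$SAMBA_TOOL" ntacl sysvolreset
}

# Exit status: 0 success, 2 bad secret file (nothing pulled), 1 rsync failed
# (ACLs untouched), 3 ACL reset failed (copy on disk but not yet trustworthy).
replicate() {
    check_secret_perms "$SECRET_FILE" || return 2
    pull_sysvol || return 1
    reset_sysvol_acls || return 3
}

# Only run when started as "sysvol-replicate.sh run" (e.g. from root's
# crontab on each non-PDC-emulator DC); sourcing the file just defines the
# functions.
case "${1:-}" in
    run) replicate >>"$LOG_FILE" 2>&1 ;;
esac
```

Run it from root's crontab on each DC that is not the replication source, in place of the bare rsync line. Two caveats from the wiki page Rowland links: only edit GPOs on the DC you rsync from, since `--delete-after` will overwrite any edits made elsewhere, and keep `idmap.ldb` consistent across the DCs (copy it from the source DC, then `net cache flush` and run the reset once more), otherwise the ownership drift returns with every pull.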