samba - Feb 2021 - How to sort out GPO problems

Hello;
A few months ago I installed an additional domain controller on my network,
directory replication worked fine and then I transferred all roles to this new
AD DC. I never shut down or discontinued the other server.
  
  Old Active Directory Domain Controller - gtmad.gtm.onat.gob.cu - 
192.168.41.17 - CentOS 7
  New Active Directory Domain Controller - gtmad1.gtm.onat.gob.cu -
192.168.41.18 - CentOS 8
  
 Recently I have realized that in this new server there are no GPOs
 
 When I look at the content of this directory
(sysvol/gtm.onat.gob.cu/Policies/), there is nothing while on the old domain
controller there is something

[root at gtmad1 locks]# ls
/usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/Policies/
[root at gtmad1 locks]# ls
/usr/local/samba/var/locks/sysvol/gtm.onat.gob.cu/scripts/


[root at gtmad gtm.onat.gob.cu]# ls
/var/lib/samba/sysvol/gtm.onat.gob.cu/Policies/
{31B2F340-016D-11D2-945F-00C04FB984F9}  {6AC1786C-016F-11D2-945F-00C04FB984F9} 
{E7C5A149-6347-4716-AD04-DB6B050F1EFE}


 Using samba-tool gpo listall the same policies are listed on both domain
controllers:

[root at gtmad1 locks]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
gtmad1.gtm.onat.gob.cu<0x20>
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         :
\\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           :
CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         :
\\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           :
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 1835101
flags        : NONE


[root at gtmad gtm.onat.gob.cu]# samba-tool gpo listall
ldb_wrap open of secrets.ldb
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'spnego' registered
GENSEC backend 'schannel' registered
GENSEC backend 'naclrpc_as_system' registered
GENSEC backend 'sasl-EXTERNAL' registered
GENSEC backend 'ntlmssp' registered
GENSEC backend 'ntlmssp_resume_ccache' registered
GENSEC backend 'http_basic' registered
GENSEC backend 'http_ntlm' registered
GENSEC backend 'http_negotiate' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
resolve_lmhosts: Attempting lmhosts lookup for name
_ldap._tcp.GTM.ONAT.GOB.CU<0x0>
resolve_lmhosts: Attempting lmhosts lookup for name
gtmad.gtm.onat.gob.cu<0x20>
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         :
\\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           :
CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         :
\\gtm.onat.gob.cu\sysvol\gtm.onat.gob.cu\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           :
CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=gtm,DC=onat,DC=gob,DC=cu
version      : 1835101
flags        : NONE




 I have noticed that the permissions of the directory where the GPOs are are
different:

[root at gtmad1 locks]# ls -l /usr/local/samba/var/locks/sysvol/
total 4
drwxr-xr-x 4 root root 4096 feb 12 09:53 gtm.onat.gob.cu
 
 
[root at gtmad gtm.onat.gob.cu]# ls -l /var/lib/samba/sysvol/
total 8
drwxrwx---+ 4 root BUILTIN\administrators 4096 nov 13  2015 gtm.onat.gob.cu


 Would changing the permissions of this directory solve the problem?
 How can I change the permissions to that directory and what would be the
correct permissions?

 Any other suggestions or tests before shutting down or discontinuing the old
domain controller?

-- 
Rommel Rodriguez Toirac
rommelrt at nauta.cu

On 15/02/2021 15:43, Rommel Rodriguez Toirac via samba
wrote:
> Hello;
> A few months ago I installed an additional domain controller on my network,
directory replication worked fine and then I transferred all roles to this new
AD DC. I never shut down or discontinued the other server.
>    
>    Old Active Directory Domain Controller - gtmad.gtm.onat.gob.cu - 
192.168.41.17 - CentOS 7
>    New Active Directory Domain Controller - gtmad1.gtm.onat.gob.cu -
192.168.41.18 - CentOS 8
>    
>   Recently I have realized that in this new server there are no GPOs

One of the limitations of Samba DC's, there is no Sysvol replication, 
try reading this:

https://wiki.samba.org/index.php/SysVol_replication_(DFS-R)

Follow the links.

Rowland