Yup, you are absolutely right, in both GPO management and 'samba-tool
gpo listall' I get 4 GPOs, but only 3 are listed in
/var/lib/samba/sysvol/domain.com/Policies
The one missing there is "*Default Domain Controllers Policy*", aka
{6AC1786C-016F-11D2-945F-00C04FB984F9}
If I rerun samba-tool ntacl sysvolreset, I get the same error:
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 415, in run
    lp, use_ntvfs=use_ntvfs)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1782, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1676, in set_gpos_acl
    passdb=passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1637, in set_dir_acl
    setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 238, in setntacl
    service=service, session_info=session_info)
Should I delete this policy from AD? Or maybe recreate the internal
structure somehow? 'samba-tool gpo create ....'?
Oleg
On 16/03/2021 15:41, Oleg Blyahher via samba wrote:
> Yup, you are absolutely right, in both GPO management and 'samba-tool
> gpo listall' I get 4 GPOs, but only 3 are listed in
> /var/lib/samba/sysvol/domain.com/Policies
>
> The one missing there is "*Default Domain Controllers Policy*", aka
> {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> Should I delete this policy from AD? Or maybe recreate the internal
> structure somehow? 'samba-tool gpo create ....'?

No, it is one of the default GPOs and is basically empty, so should be easy to recreate, try these commands:

mkdir /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}
chown 'domain admins':'domain admins' /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}
mkdir /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/MACHINE
chown 'domain admins':'domain admins' /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/MACHINE
mkdir /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/USER
chown 'domain admins':'domain admins' /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/USER
printf "[General]\nVersion=0\n" > /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/GPT.INI
unix2dos /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/GPT.INI
chown 'domain admins':'domain admins' /var/lib/samba/sysvol/$(hostname -d)/Policies/\{6AC1786C-016F-11D2-945F-00C04FB984F9\}/GPT.INI

Rowland
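
Added example (not part of either message and not Samba project code): a small check that compares the GPOs AD reports with what is on disk in sysvol, which is the mismatch diagnosed in this thread. It assumes 'samba-tool gpo listall' prints one "GPO : {GUID}" line per GPO; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find GPOs that AD lists but whose sysvol folder is incomplete.
# Assumption: 'samba-tool gpo listall' prints one "GPO : {GUID}" line per GPO.

# Extract the GUIDs from listall output read on stdin.
gpo_guids() {
    sed -n 's/^GPO[[:space:]]*:[[:space:]]*\({[0-9A-Fa-f-]*}\)[[:space:]]*$/\1/p'
}

# check_sysvol POLICIES_DIR < listall-output
# Prints "MISSING-DIR {GUID}" or "MISSING-ENTRY {GUID}/name" per problem and
# returns 1 if any was found. Names are case-sensitive on the DC's filesystem.
check_sysvol() {
    policies=$1
    problems=0
    for guid in $(gpo_guids); do
        dir="$policies/$guid"
        if [ ! -d "$dir" ]; then
            echo "MISSING-DIR $guid"; problems=1; continue
        fi
        [ -f "$dir/GPT.INI" ] || { echo "MISSING-ENTRY $guid/GPT.INI"; problems=1; }
        for sub in MACHINE USER; do
            [ -d "$dir/$sub" ] || { echo "MISSING-ENTRY $guid/$sub"; problems=1; }
        done
    done
    return "$problems"
}

# Constructed sample: two GPOs in AD, only the first (made-up GUID) on disk.
SAMPLE_LISTALL='GPO          : {11111111-2222-3333-4444-555555555555}
display name : Constructed Test Policy
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy'

demo() {
    tmp=$(mktemp -d) || return 1
    good="$tmp/{11111111-2222-3333-4444-555555555555}"
    mkdir -p "$good/MACHINE" "$good/USER"
    printf '[General]\r\nVersion=0\r\n' > "$good/GPT.INI"
    printf '%s\n' "$SAMPLE_LISTALL" | check_sysvol "$tmp" || true
    rm -rf "$tmp"
}
demo
```

On a DC the equivalent call would be: samba-tool gpo listall | check_sysvol "/var/lib/samba/sysvol/$(hostname -d)/Policies". A clean result here is a reasonable precondition before rerunning 'samba-tool ntacl sysvolreset'.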