Rick Hollinbeck
2025-Mar-19 22:32 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Rowland,

I took your advice and spun up a Debian bookworm VM and provisioned a new dummy DOMAIN.COM with Samba 4.17.12.

And yes, the sysvol Policies folder was created with the two GUIDs.

I zipped up and copied the Policies folders to my active FSMO Samba DC.

Now, running

# samba-tool ntacl sysvolreset
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
lp_load_ex: refreshing parameters
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
... etc. ...
Initialising default vfs hooks
Initialising custom vfs hooks from [/[Default VFS]/]
Initialising custom vfs hooks from [acl_xattr]
Initialising custom vfs hooks from [dfs_samba4]
connect_acl_xattr: setting 'inherit acls = true' 'dos filemode = true' and 'force unknown acl user = true' for service sysvol
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(runtime): uncaught exception - (3221225524, 'The object name is not found.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 412, in run
    provision.setsysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1754, in setsysvolacl
    set_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp, use_ntvfs, passdb=s4_passdb)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1641, in set_gpos_acl
    set_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1604, in set_dir_acl
    setntacl(lp, path, acl, domsid, session_info, use_ntvfs=use_ntvfs, skip_invalid_chown=True, passdb=passdb, service=service)
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 228, in setntacl
    smbd.set_nt_acl(

I must still be missing something.

Do I need to do something besides copy the Policies folder to /var/lib?

Is this wiki page still relevant?
https://wiki.samba.org/index.php/Sysvolreset
Rowland Penny
2025-Mar-20 09:34 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
On Wed, 19 Mar 2025 16:32:16 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> I took your advice and spun up a Debian bookworm VM and provisioned a
> new dummy DOMAIN.COM with Samba 4.17.12.
>
> And yes, the sysvol Policies folder was created with the two GUIDs.
>
> I zipped up and copied the Policies folders to my active FSMO Samba
> DC.
>
> I must still be missing something.
>
> Do I need to do something besides copy the Policies folder to
> /var/lib?
>

You should now have something like this in sysvol:

samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI

'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER' are
empty directories and 'GPT.INI' are files containing:

[General]
Version=0

Which must be DOS formatted.

That is what you get on a new DC.

However, I said that the GPOs are not synced automatically when a
Samba DC is joined, well that isn't entirely true, the contents of the
sysvol directory aren't synced or created, but the GPOs are also stored
in AD and they are replicated.

The question is, did your Windows DCs use any GPOs other than the empty
default ones?

If there are extra GPOs in AD, then you need to either delete them from
AD or create them in sysvol on your Samba DCs.

> Is this wiki page still relevant?
> https://wiki.samba.org/index.php/Sysvolreset

Do you mean the one that has (right at the top):

This page was initially created in 2018 and is now outdated and should be ignored

Rowland
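
An added example, not part of either message and not Samba's own code: a small Python check that a Policies tree on disk matches the layout described in the reply above (both default GPO GUID directories, each with MACHINE, USER and a GPT.INI holding [General] / Version=). The function names, the sysvol root argument and the reading of "DOS formatted" as CRLF line endings are assumptions; the sample tree is constructed in a temporary directory.

```python
import os
import tempfile

# GUIDs of the two default GPOs, as listed in the message above.
DEFAULT_GPOS = (
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}",
)

def check_policies(sysvol_root, dns_domain, gpo_guids=DEFAULT_GPOS):
    """Return a list of problems under <sysvol_root>/<dns_domain>/Policies."""
    policies = os.path.join(sysvol_root, dns_domain, "Policies")
    if not os.path.isdir(policies):
        return [f"missing directory: {policies}"]
    problems = []
    for guid in gpo_guids:
        gpo = os.path.join(policies, guid)
        for sub in ("MACHINE", "USER"):  # names exactly as in the message
            if not os.path.isdir(os.path.join(gpo, sub)):
                problems.append(f"missing directory: {guid}/{sub}")
        gpt = os.path.join(gpo, "GPT.INI")
        if not os.path.isfile(gpt):
            problems.append(f"missing file: {guid}/GPT.INI")
            continue
        with open(gpt, "rb") as fh:
            raw = fh.read()
        # Assumption: "DOS formatted" means CRLF; a leftover LF is a bare Unix newline.
        if b"\n" in raw.replace(b"\r\n", b""):
            problems.append(f"bare LF line ending: {guid}/GPT.INI")
        lines = [ln.strip() for ln in raw.decode("ascii", "replace").splitlines()]
        if "[General]" not in lines or not any(ln.startswith("Version=") for ln in lines):
            problems.append(f"no [General]/Version entry: {guid}/GPT.INI")
    return problems

def demo():
    """Build a constructed tree with two deliberate faults and check it."""
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "samdom.example.com", "Policies")
        for guid, subdirs, body in (
            (DEFAULT_GPOS[0], ("MACHINE", "USER"), b"[General]\r\nVersion=0\r\n"),
            (DEFAULT_GPOS[1], ("MACHINE",), b"[General]\nVersion=0\n"),  # no USER, LF only
        ):
            for sub in subdirs:
                os.makedirs(os.path.join(base, guid, sub))
            with open(os.path.join(base, guid, "GPT.INI"), "wb") as fh:
                fh.write(body)
        return check_policies(root, "samdom.example.com")

if __name__ == "__main__":
    print("\n".join(demo()))
```

On a DC the call would be check_policies("/var/lib/samba/sysvol", "<your dns domain>"); GUIDs of any extra GPOs stored in AD can be passed as gpo_guids.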