Rick Hollinbeck
2025-Mar-20 17:56 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Rowland,

I'm still not able to get Policies into AD.

> You should now have something like this in sysvol:
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
> samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
> samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
> 'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER' are
> empty directories and 'GPT.INI' are files containing:
> [General]
> Version=0
> That is what you get on a new DC

Yes, that is what I have (on my Samba 4.17.12 FSMO DC), e.g.

pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com
total 40
drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 .
drwxrwx---+ 3 root BUILTIN\administrators 4096 Mar 19 16:09 ..
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 Policies
drwxrwx---+ 2 root BUILTIN\administrators 4096 Mar 27  2024 scripts
drwxrwx---+ 4 root BUILTIN\administrators 4096 Feb 18 15:00 StarterGPOs

pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies
total 32
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 .
drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 ..
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {31B2F340-016D-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {6AC1786C-016F-11D2-945F-00C04FB984F9}

pi at pidc3:~ $ sudo samba-tool ntacl sysvolcheck
lp_load_ex: refreshing parameters
Initialising global parameters
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[global]"
Processing section "[sysvol]"
Processing section "[netlogon]"
ldb_wrap open of idmap.ldb
ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
    provision.checksysvolacl(samdb, netlogon, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
    check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
    check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
    fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
    attribute = samba.xattr_native.wrap_getxattr(file,
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

This looks to be some problem with ACLs?

At this point, the Policies folder is not yet appearing in AD.

What triggers that to happen?

Do I need to get sysvolreset to run successfully before the default GPOs are built in AD?

> did your Windows DCs use any GPOs other than the empty default ones ?

No, I'm just trying to get a default GPO setup in AD so Group Policy will work at all and Event Viewer errors go away on the client.

----

Meanwhile, I have built and joined a new (bookworm-backports) Samba AD 4.21.4 to the domain (pidc4). It seems to be running fine with no errors in the log.

So I copied the Policies folder and files to the sysvol folder there to see if this would help.

Now I'm getting a new error on that DC running sysvolcheck:

pi at pidc4:~ $ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'OSError'>): Could not access /var/lib/samba/sysvol/samdom.example.com: No data available - [Errno 61] No data available: '/var/lib/samba/sysvol/samdom.example.com'

pi at pidc4:~ $ sudo samba-tool ntacl sysvolreset
set_nt_acl_conn: init_files_struct failed: NT_STATUS_OBJECT_NAME_NOT_FOUND
ERROR(<class 'FileNotFoundError'>): Could not access /var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}: No such file or directory - [Errno 2] No such file or directory: '/var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}'

pi at pidc4:~ $ sudo samba-tool ntacl sysvolcheck
ERROR(<class 'FileNotFoundError'>): Could not access /var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}: No such file or directory - [Errno 2] No such file or directory: '/var/lib/samba/sysvol/samdom.example.com/Policies/{C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC}'

Where is this new GUID {C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC} coming from now? Is this new to 4.21?
Rowland Penny
2025-Mar-20 19:41 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
On Thu, 20 Mar 2025 11:56:23 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> Rowland,
>
> I'm still not able to get Policies into AD.
>
> > You should now have something like this in sysvol:
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/USER
> > samdom.example.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/MACHINE
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/USER
> > samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}/GPT.INI
> > 'samdom.example.com' should be your dns domain, 'MACHINE' & 'USER'
> > are empty directories and 'GPT.INI' are files containing:
> > [General]
> > Version=0
> > That is what you get on a new DC
>
> Yes, that is what I have (on my Samba 4.17.12 FSMO DC), e.g.
>
> pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com
> total 40
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 .
> drwxrwx---+ 3 root BUILTIN\administrators 4096 Mar 19 16:09 ..
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 Policies
> drwxrwx---+ 2 root BUILTIN\administrators 4096 Mar 27  2024 scripts
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Feb 18 15:00 StarterGPOs
>
> pi at pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies
> total 32
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 16:02 .
> drwxrwx---+ 5 root BUILTIN\administrators 4096 Mar 19 15:53 ..
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {31B2F340-016D-11D2-945F-00C04FB984F9}
> drwxrwx---+ 4 root BUILTIN\administrators 4096 Mar 19 15:14 {6AC1786C-016F-11D2-945F-00C04FB984F9}
>
> pi at pidc3:~ $ sudo samba-tool ntacl sysvolcheck
> lp_load_ex: refreshing parameters
> Initialising global parameters
> rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> Processing section "[global]"
> Processing section "[sysvol]"
> Processing section "[netlogon]"
> ldb_wrap open of idmap.ldb
> ERROR(<class 'TypeError'>): uncaught exception - (2, 'No such file or directory')
>   File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 185, in _run
>     return self.run(*args, **kwargs)
>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 443, in run
>     provision.checksysvolacl(samdb, netlogon, sysvol,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1876, in checksysvolacl
>     check_gpos_acl(sysvol, dnsdomain, domainsid, domaindn, samdb, lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1826, in check_gpos_acl
>     check_dir_acl(policy_path, dsacl2fsacl(acl, domainsid), lp,
>   File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1766, in check_dir_acl
>     fsacl = getntacl(lp, path, session_info, direct_db_access=direct_db_access, service=SYSVOL_SERVICE)
>             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 112, in getntacl
>     attribute = samba.xattr_native.wrap_getxattr(file,
>                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
> This looks to be some problem with ACLs?
>
> At this point, the Policies folder is not yet appearing in AD.
>
> What triggers that to happen?
>
> Do I need to get sysvolreset to run successfully before the default
> GPOs are built in AD?
>
> > did your Windows DCs use any GPOs other than the empty default
> > ones ?
>
> No, I'm just trying to get a default GPO setup in AD so Group Policy
> will work at all and Event Viewer errors go away on the client.
>

Try running this on your Samba DC (altered to your setup):

sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one

It is supposed to be all on one line.

Rowland
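A small reconciliation script, added here as an example and not from the thread or from Samba itself: it parses the output of the ldbsearch command above (a constructed sample is embedded) and compares the GPO GUIDs AD references with the directories under sysvol/<dnsdomain>/Policies, flagging references that have no directory (what sysvolreset stopped on above) and directories that lack the security.NTACL xattr Samba reads (the source of the "No data available" error after copying a Policies tree in). It assumes it is run as root on the DC, as the commands above are, and that the policies path is passed in by the caller.

```python
import os
import re
from pathlib import Path

# DN lines as ldbsearch prints them for a one-level search of CN=Policies
GUID_DN_RE = re.compile(r"^dn:\s*CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,", re.M)
NTACL_XATTR = "security.NTACL"  # xattr Samba reads when it checks or resets sysvol ACLs

def gpo_guids_from_ldbsearch(text):
    """GUIDs of the GPO containers AD references, parsed from ldbsearch output."""
    return {g.upper() for g in GUID_DN_RE.findall(text)}

def gpo_guids_from_sysvol(policies_dir):
    """GUID-named directories actually present under <sysvol>/<dnsdomain>/Policies."""
    return {p.name.upper() for p in Path(policies_dir).iterdir()
            if p.is_dir() and p.name.startswith("{")}

def has_ntacl(path):
    """True/False if the NT ACL xattr is present; None where xattrs cannot be listed."""
    if not hasattr(os, "listxattr"):
        return None
    try:
        return NTACL_XATTR in os.listxattr(path)
    except OSError:
        return None

def reconcile(ldb_text, policies_dir):
    """Compare AD's GPO references with the sysvol tree and report the mismatches."""
    in_ad = gpo_guids_from_ldbsearch(ldb_text)
    on_disk = gpo_guids_from_sysvol(policies_dir)
    return {
        "ad_only": sorted(in_ad - on_disk),      # sysvolreset stops on these (FileNotFoundError)
        "sysvol_only": sorted(on_disk - in_ad),  # directories AD never references
        "no_ntacl": sorted(g for g in on_disk    # copied-in dirs: ENODATA from sysvolcheck
                           if has_ntacl(Path(policies_dir) / g) is False),
    }

# Constructed sample: the two default GPOs plus the dangling reference from the thread
SAMPLE_LDB = """\
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
displayName: Default Domain Policy

dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
displayName: Default Domain Controllers Policy

dn: CN={C50CFE0F-0461-46ED-9DE3-4F28DAB49DDC},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
"""
```

On a DC, pass the real ldbsearch output and the Policies path to reconcile(); anything listed under ad_only has to be either restored to sysvol or removed from AD before sysvolreset can complete.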