Rick Hollinbeck
2025-Mar-21 18:34 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Thanks, Rowland

> Try running this on your Samba DC (altered to your setup):
> sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one

Ok, I ran this on my server and...
The GPO records were now there!

And... The Policies folder is also showing in Windows explorer.

And... My GPO error events went away.

The population of sysvol in AD seems to have happened overnight, so perhaps this is done on some kind of schedule by Samba.

But...
sysvolcheck still fails on both my FSMO samba 4.17.12 DC and my secondary 4.21.4 DC as I showed in my last email.

But, as long as GPO seems to work now, I guess I don't need sysvolcheck to work.

Thanks again for your help.

Rowland Penny
2025-Mar-21 19:03 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
On Fri, 21 Mar 2025 12:34:11 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> Thanks, Rowland
>
> > Try running this on your Samba DC (altered to your setup):
> > sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one
>
> Ok, I ran this on my server and...
> The GPO records were now there!

Yes, but how many? Please post the output.

> And... The Policies folder is also showing in Windows explorer.
>
> And... My GPO error events went away.

That 'ldbsearch' line will not have fixed anything.

> The population of sysvol in AD seems to have happened overnight,
> so perhaps this is done on some kind of schedule by Samba.

There is nothing in Samba to sync the Sysvol directories, but AD replication will ensure that the databases on all DCs match (unless something goes wrong and there are always non replicating attributes).

> But...
> sysvolcheck still fails on both my FSMO samba 4.17.12 DC and
> my secondary 4.21.4 DC as I showed in my last email.

I think you are now conflating what is in AD and what is in the sysvol directories, they should correspond, sysvolreset uses the information from AD to set the permissions in the sysvol directories. If there are GPOs in AD, but not in sysvol, you get an error like the one you are getting.

> But, as long as GPO seems to work now, I guess I don't need
> sysvolcheck to work.

Yes you do.

Rowland
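
The correspondence discussed in the reply above (GPO objects under CN=Policies in AD versus the GPO directories in sysvol) can be checked directly. The script below is an added example, not part of the original thread and not Samba's own tooling; the function names, the saved file name and the Policies path under /var/lib/samba/sysvol are assumptions.

```shell
#!/bin/sh
# Added example (not Samba's own tooling): report GPOs that exist in AD but
# not in sysvol, or the reverse. Function names here are hypothetical.
#
# Typical use on a DC (base DN and sysvol path are assumptions, adjust them):
#   sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P \
#     -b 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one > gpo.ldif
#   sh gpo_diff.sh gpo.ldif /var/lib/samba/sysvol/samdom.example.com/Policies

# Print the {GUID} of every "dn: CN={GUID},..." record in saved ldbsearch output.
ad_gpo_guids() {
    sed -n 's/^dn: [Cc][Nn]=\({[0-9A-Fa-f-]\{36\}}\),.*/\1/p' "$1" |
        tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# Print the name of every {GUID} directory directly under the Policies folder.
sysvol_gpo_guids() {
    for d in "$1"/\{*\}; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | tr 'a-f' 'A-F' | LC_ALL=C sort -u
}

# Print one line per mismatch. Returns 0 if both sides agree, 1 otherwise.
gpo_diff() {
    tmp=$(mktemp -d) || return 2
    ad_gpo_guids "$1" > "$tmp/ad"
    sysvol_gpo_guids "$2" > "$tmp/fs"
    # comm -3 drops common lines; sysvol-only names arrive with a leading tab.
    out=$(LC_ALL=C comm -3 "$tmp/ad" "$tmp/fs" | awk -F'\t' '
        $1 != "" { print "IN_AD_NOT_SYSVOL " $1 }
        $1 == "" { print "IN_SYSVOL_NOT_AD " $2 }')
    rm -rf "$tmp"
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

if [ "$#" -eq 2 ]; then
    gpo_diff "$1" "$2"
fi
```

This compares names only; it does not inspect the permissions on the sysvol directories.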