Rick Hollinbeck
2025-Mar-23 00:40 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
> sudo ldbsearch --show-binary -H /var/lib/samba/private/sam.ldb -P -b
> 'CN=Policies,CN=System,DC=samdom,DC=example,DC=com' -s one

>> Ok, I ran this on my server and...
>> The GPO records were now there!

> Yes, but how many ?
> Please post the output.

/var/lib/samba/sysvol
└── samdom.example.com
    ├── Policies
    │   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}
    │   │   ├── GPT.INI
    │   │   ├── MACHINE
    │   │   └── USER
    │   └── {6AC1786C-016F-11D2-945F-00C04FB984F9}
    │       ├── GPT.INI
    │       ├── MACHINE
    │       └── USER
    └── scripts

10 directories, 2 files

The content of sysvol in AD is also the same using the Windows DNS utility on a client. So things look ok to me as far as what's there.

> And... The Policies folder is also showing in Windows explorer.
>
> And... My GPO error events went away.

> That 'ldbsearch' line will not have fixed anything.

I understand. But new records in AD WERE created for the Default GPO's some time after I set up /var/lib/samba/sysvol../Policies folders and files. So this seemed to work fine.

> The population of sysvol in AD seems to have happened overnight,
> so perhaps this is done on some kind of schedule by Samba.

> There is nothing in Samba to sync the Sysvol directories, but AD
> replication will ensure that the databases on all DCs match (unless
> something goes wrong and there are always non replicating attributes)

I understand.

> But...
> sysvolcheck still fails on both my FSMO samba 4.17.12 DC and
> my secondary 4.21.4 DC as I showed in my last email.

> I think you are now conflating what is in AD and what is in the sysvol
> directories, they should correspond, sysvolreset uses the information
> from AD to set the permissions in the sysvol directories. If there are
> GPOs in AD, but not in sysvol, you get an error like the one you are
> getting.

...but that is odd because the entries in AD were apparently created from the files I placed manually in /var/lib/samba/sysvol in the first place...

Is there a samba-tool command to show the sysvol in AD?

> But, as long as GPO seems to work now, I guess I don't need
> sysvolcheck to work.

> Yes you do.

Ok, I'll keep troubleshooting.

> Rowland
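
Added example, not part of the original message or of Samba: a small Python check for the correspondence described above, comparing the GPO GUIDs found in ldbsearch output for CN=Policies with the GUID directories under sysvol. The LDIF sample, the function names and the temporary directory layout are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample of `ldbsearch ... -s one` LDIF output (not from the thread).
SAMPLE_LDIF = """\
# record 1
dn: CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
objectClass: groupPolicyContainer
displayName: Default Domain Policy

# record 2
dn: CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=samdom,DC=example,DC=com
objectClass: groupPolicyContainer
displayName: Default Domain Controllers Policy
"""

GUID_DN = re.compile(r"^dn: CN=(\{[0-9A-Fa-f-]{36}\}),CN=Policies,", re.M | re.I)

def gpos_in_ad(ldif: str) -> set[str]:
    """GPO GUIDs that have a container object under CN=Policies in AD."""
    unfolded = re.sub(r"\n ", "", ldif)  # undo LDIF line folding, if any
    return {g.upper() for g in GUID_DN.findall(unfolded)}

def gpos_in_sysvol(policies_dir: Path) -> set[str]:
    """GPO GUIDs that have a directory under sysvol/<realm>/Policies."""
    if not policies_dir.is_dir():
        return set()
    return {p.name.upper() for p in policies_dir.iterdir()
            if p.is_dir() and p.name.startswith("{")}

def compare(ldif: str, policies_dir: Path) -> dict[str, list[str]]:
    ad, disk = gpos_in_ad(ldif), gpos_in_sysvol(policies_dir)
    return {"missing_on_disk": sorted(ad - disk),  # GPO in AD but not in sysvol
            "missing_in_ad": sorted(disk - ad)}    # directory with no AD object

def demo() -> dict[str, list[str]]:
    """Build a throwaway sysvol tree holding only one of the two GPOs."""
    with tempfile.TemporaryDirectory() as tmp:
        policies = Path(tmp) / "samdom.example.com" / "Policies"
        (policies / "{31B2F340-016D-11D2-945F-00C04FB984F9}" / "MACHINE").mkdir(parents=True)
        return compare(SAMPLE_LDIF, policies)

if __name__ == "__main__":
    print(demo())
```

On a DC, compare() would be given the saved output of the ldbsearch command quoted above and the real Policies path; run it on each DC, since sysvol contents are not replicated by Samba.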