Rick Hollinbeck
2025-Mar-26 21:26 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
Progress maybe...

I tried running sysvolcheck with strace and noticed something really odd....

This was in the trace:

getxattr("/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}", "security.NTACL", NULL, 0) = -1 ENOENT

But I knew that folder was in my sysvol folder:

[drwxrwx--- root BUILTIN\administrators] {31B2F340-016D-11D2-945F-00C04FB984F9}
    [-rwxrwx--- root BUILTIN\administrators] GPT.INI
    [drwxrwx--- root BUILTIN\administrators] MACHINE
    [drwxrwx--- root BUILTIN\administrators] USER
[drwxrwx--- root BUILTIN\administrators] {6AC1786C-016F-11D2-945F-00C04FB984F9}
    [-rwxrwx--- root BUILTIN\administrators] GPT.INI
    [drwxrwx--- root BUILTIN\administrators] MACHINE
    [drwxrwx--- root BUILTIN\administrators] USER

But this command also failed when I cut and pasted the folder name from the strace:

pi@pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
ls: cannot access '/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}': No such file or directory

It took me awhile to spot the problem...

Somehow sysvolcheck is using a LOWER CASE 'f' in the GUID folder name for the default GPO!

Where is this coming from? Of course, in Windows this doesn't matter. But in linux it is a showstopper.

How can I convince sysvolcheck and sysvolreset to use the correct subfolder name - all uppercase?

Rowland Penny
2025-Mar-27 07:53 UTC
[Samba] Missing Policies folder in AD and /var/lib/samba/sysvol
On Wed, 26 Mar 2025 15:26:46 -0600
Rick Hollinbeck via samba <samba at lists.samba.org> wrote:

> Progress maybe...
>
> I tried running sysvolcheck with strace and noticed something really
> odd....
>
> This was in the trace:
>
> getxattr("/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}", "security.NTACL", NULL, 0) = -1 ENOENT
>
> But I knew that folder was in my sysvol folder:
>
> [drwxrwx--- root BUILTIN\administrators] {31B2F340-016D-11D2-945F-00C04FB984F9}
>     [-rwxrwx--- root BUILTIN\administrators] GPT.INI
>     [drwxrwx--- root BUILTIN\administrators] MACHINE
>     [drwxrwx--- root BUILTIN\administrators] USER
> [drwxrwx--- root BUILTIN\administrators] {6AC1786C-016F-11D2-945F-00C04FB984F9}
>     [-rwxrwx--- root BUILTIN\administrators] GPT.INI
>     [drwxrwx--- root BUILTIN\administrators] MACHINE
>     [drwxrwx--- root BUILTIN\administrators] USER
>
> But this command also failed when I cut and pasted the folder name
> from the strace:
>
> pi@pidc3:~ $ sudo ls -al /var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
> ls: cannot access '/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}': No such file or directory
>
> It took me awhile to spot the problem...
>
> Somehow sysvolcheck is using a LOWER CASE 'f' in the GUID folder name
> for the default GPO!
>
> Where is this coming from? Of course, in Windows this doesn't matter.
> But in linux it is a showstopper.

I think it is coming from AD.

If you search in AD, both '{6AC1786C-016F-11D2-945F-00C04fB984F9}' and '{6AC1786C-016F-11D2-945F-00C04FB984F9}' will work, but searching for the directory in the filesystem with a lowercase 'f' produces this:

ls -ld /var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}
ls: cannot access '/var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04fB984F9}': No such file or directory

But using an uppercase 'F' produces this:

ls -ld /var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}
drwxrwx---+ 4 SAMDOM\domain admins SAMDOM\domain admins 4096 Sep 19 2022 /var/lib/samba/sysvol/samdom.example.com/Policies/{6AC1786C-016F-11D2-945F-00C04FB984F9}

> How can I convince sysvolcheck and sysvolreset to use the correct
> subfolder name - all uppercase?

You will probably have to rename the GPO in AD, possibly along with the 'name' attribute.

Rowland
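
An added example, not part of either post and not Samba code: a Python check that compares the GPO folder names AD is expected to reference against the directory names actually present under Policies, and flags names that match only case-insensitively, which is the situation described in this thread. The function names, the temporary sample directory and the list of expected names are assumptions; in practice the expected names would be read from the GPO objects in AD.

```python
import os
import tempfile


def check_gpo_dirs(policies_dir, expected_names):
    """Classify each expected GPO folder name as ok, case_mismatch or missing.

    Names from os.listdir() are compared as strings, so the result does not
    depend on whether the underlying filesystem is case-sensitive.
    """
    on_disk = [n for n in os.listdir(policies_dir)
               if os.path.isdir(os.path.join(policies_dir, n))]
    by_folded = {}
    for name in on_disk:
        by_folded.setdefault(name.casefold(), []).append(name)

    report = {}
    for expected in expected_names:
        candidates = by_folded.get(expected.casefold(), [])
        if expected in candidates:
            report[expected] = ("ok", expected)
        elif candidates:
            # Same GUID, different letter case: AD lookups succeed,
            # but a path lookup on a case-sensitive filesystem gets ENOENT.
            report[expected] = ("case_mismatch", sorted(candidates)[0])
        else:
            report[expected] = ("missing", None)
    return report


def demo():
    # Constructed sample: a temporary Policies directory laid out like the thread's.
    with tempfile.TemporaryDirectory() as policies:
        for d in ("{31B2F340-016D-11D2-945F-00C04FB984F9}",
                  "{6AC1786C-016F-11D2-945F-00C04FB984F9}"):
            os.makedirs(os.path.join(policies, d, "MACHINE"))
        # Names as AD is assumed to return them; the second has the lowercase 'f'.
        expected = ["{31B2F340-016D-11D2-945F-00C04FB984F9}",
                    "{6AC1786C-016F-11D2-945F-00C04fB984F9}",
                    "{00000000-0000-0000-0000-000000000000}"]  # constructed, absent
        return check_gpo_dirs(policies, expected)


if __name__ == "__main__":
    for name, (status, found) in demo().items():
        print(f"{status:14} {name} -> {found}")
```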