Fun with Samba and group policies

Where (and why) it all began

While trying to join an Ubuntu client to my Samba domain I got an error that most likely was what prevented a successful login. sssd's log files gave me this as a first hint:

<...>
(2025-10-14  5:46:34): [be[MYDOMAIN.DE]] [gpo_cse_done] (0x0020): [RID#46] ad_gpo_parse_gpo_child_response failed: [22][Invalid argument]. Broken GPO data received from AD. Check AD child logs for more information.
   *  ... skipping repetitive backtrace ...
(2025-10-14  5:46:34): [be[MYDOMAIN.DE]] [ad_gpo_cse_done] (0x0400): [RID#46] gpo_guid: {31B2F340-016D-11D2-945F-00C04FB984F9}
(2025-10-14  5:46:34): [be[MYDOMAIN.DE]] [ad_gpo_cse_done] (0x0040): [RID#46] Unable to retrieve policy data: [22](Invalid argument}
   *  ... skipping repetitive backtrace ...
(2025-10-14  5:46:34): [be[MYDOMAIN.DE]] [ad_gpo_access_done] (0x0040): [RID#46] GPO-based access control failed.
<...>

So it looks like the problem is my Samba domain not serving GPO {31B2F340-016D-11D2-945F-00C04FB984F9}, aka the “Default Domain Policy”.

TL;DR

I spent the better part of the day finding the solution. In the end it turned out to be quite simple: put a very basic GPT.INI file in the right place.

On the Samba DC, in the SYSVOL directory (/var/lib/samba/state/sysvol/ in my case), do this:

linux # cd /var/lib/samba/state/sysvol/
linux # mkdir -p 'mydomain.de/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}'
linux # cat << EOF > 'mydomain.de/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/GPT.INI'
[General]
Version=0
EOF

Make sure to replace “mydomain.de” with your own.

This should be enough for sssd to retrieve the GPO and apply its GPO-based access control. Two caveats: the new file has to be readable through the sysvol share by the joining machine, so check its ownership and ACL if the client still fails (see the ACL section below), and while you sort this out you can set ad_gpo_access_control = permissive in the domain section of sssd.conf so that a GPO failure is only logged instead of denying the login.

But if you’re wondering about my wonderful journey through all kinds of mess, feel free to continue reading.

Samba and GPOs

Something I never thought I’d ever care about: GPOs … on Linux!

linux # samba-tool gpo listall -UAdministrator
Password for [MYDOMAIN\Administrator]:
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\mydomain.de\sysvol\mydomain.de\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=de
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\mydomain.de\sysvol\mydomain.de\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=de
version      : 0
flags        : NONE

So AD does know about the GPOs, including {31B2F340-016D-11D2-945F-00C04FB984F9}, yet the client still complains that it cannot get this GPO.

It seems these GPOs are defined in Samba's AD database (visible via LDAP under CN=Policies,CN=System), but there are no files for them in SYSVOL. A GPO consists of both halves: the container object in AD and the template files under Policies\{GUID} in SYSVOL, starting with GPT.INI. A client that finds the first but not the second fails the way sssd did above.
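To make that mismatch visible without a failing client, here is an added example (my own code, not part of samba-tool) that parses the samba-tool gpo listall output from above and checks, for every GPO AD lists, that its directory and GPT.INI exist under the sysvol root and that the file's Version agrees with AD's. The listing is a constructed copy of the output shown above; the sysvol root and domain are parameters, and the scratch sysvol in demo() is built so that only the Domain Controllers policy has its files.

```python
import configparser
import tempfile
from pathlib import Path

# Example added for this post (not samba-tool code): reconcile the GPOs that
# `samba-tool gpo listall` reports in AD with what actually exists in sysvol.
# SAMPLE_LISTALL is a constructed copy of the listall output from this post.
SAMPLE_LISTALL = r"""
GPO          : {6AC1786C-016F-11D2-945F-00C04FB984F9}
display name : Default Domain Controllers Policy
path         : \\mydomain.de\sysvol\mydomain.de\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}
dn           : CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=de
version      : 0
flags        : NONE

GPO          : {31B2F340-016D-11D2-945F-00C04FB984F9}
display name : Default Domain Policy
path         : \\mydomain.de\sysvol\mydomain.de\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
dn           : CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=mydomain,DC=de
version      : 0
flags        : NONE
"""


def parse_listall(text):
    """Split the blank-line separated key/value blocks of listall into dicts."""
    gpos, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                gpos.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        gpos.append(current)
    return gpos


def check_sysvol(gpos, sysvol_root, domain):
    """Return (guid, display name, problem) for each GPO AD knows but sysvol does not serve."""
    problems = []
    for gpo in gpos:
        guid, name = gpo["GPO"], gpo.get("display name", "")
        policy_dir = Path(sysvol_root) / domain / "Policies" / guid
        gpt_ini = policy_dir / "GPT.INI"
        if not policy_dir.is_dir():
            problems.append((guid, name, "policy directory missing in sysvol"))
            continue
        if not gpt_ini.is_file():
            problems.append((guid, name, "GPT.INI missing"))
            continue
        parser = configparser.ConfigParser(interpolation=None)
        try:
            parser.read_string(gpt_ini.read_text(encoding="utf-8-sig"))
            file_version = int(parser.get("General", "Version"))
        except (configparser.Error, ValueError) as exc:
            problems.append((guid, name, f"GPT.INI unparsable: {exc}"))
            continue
        # AD's version and the GPT.INI version are meant to move together;
        # a difference is worth a look even if a client still accepts the GPO.
        ad_version = int(gpo.get("version", "0"))
        if file_version != ad_version:
            problems.append((guid, name,
                             f"version mismatch: AD {ad_version}, GPT.INI {file_version}"))
    return problems


def demo():
    """Scratch sysvol (constructed) where only the DC policy has its files."""
    sysvol = tempfile.mkdtemp()
    dc_policy = Path(sysvol) / "mydomain.de" / "Policies" / "{6AC1786C-016F-11D2-945F-00C04FB984F9}"
    dc_policy.mkdir(parents=True)
    (dc_policy / "GPT.INI").write_bytes(b"[General]\r\nVersion=0\r\n")
    return check_sysvol(parse_listall(SAMPLE_LISTALL), sysvol, "mydomain.de")


if __name__ == "__main__":
    for guid, name, problem in demo():
        print(f"{guid} ({name}): {problem}")
```

On a real DC you would feed it the output of samba-tool gpo listall and the sysvol root from smb.conf instead of the constructed listing.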

So I tried (more or less) random commands from the samba-tool man page:

linux # samba-tool gpo manage security set "{31B2F340-016D-11D2-945F-00C04FB984F9}" MaxTicketAge 10 -U Administrator
Password for [MYDOMAIN\Administrator]:
ERROR(<class 'AttributeError'>): uncaught exception - 'str' object has no attribute 'decode'
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 387, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/gpo.py", line 2419, in run
    reg.increment_gpt_ini(machine_changed=True)
  File "/usr/lib/python3/dist-packages/samba/policies.py", line 175, in increment_gpt_ini
    parser.parse(data)
  File "/usr/lib/python3/dist-packages/samba/gp_parse/gp_ini.py", line 112, in parse
    super().parse(contents)
  File "/usr/lib/python3/dist-packages/samba/gp_parse/gp_ini.py", line 41, in parse
    self.ini_conf.read_file(StringIO(contents.decode(self.encoding)))
                                     ^^^^^^^^^^^^^^^

And yes, despite the error this does create the directory $SYSVOL/mydomain.de/Policies/{...}/ with a little content. The traceback shows why: the policy data has already been written when increment_gpt_ini tries to parse GPT.INI and calls .decode() on a value that is already a str, so the command dies after doing most of its work.

So if managing (sort of) works, why not try creating a new GPO:

linux # samba-tool gpo create "Dummy Test" -U Administrator
Password for [MYDOMAIN\Administrator]:

That resulted in different kinds of file permission/ACL/Extended Attribute errors.

As already mentioned, I spent the better part of the day looking for ZFS settings to prevent that (ZFS is a little special when it comes to ACLs), tried different settings and other filesystems, but the problem seems to be more general (and, of course, still unresolved):

See https://bugzilla.opensuse.org/show_bug.cgi?id=1206475#

Anyway, I did as suggested at the end of the bugzilla post and just removed the set_acl call in samba-tool's gpo.py. That got me a step further (note that the new GPO directory is then created without the NT ACL samba-tool would have set, so its permissions still have to be fixed afterwards):

linux # samba-tool gpo create "Dummy Test" -U Administrator
Password for [MYDOMAIN\Administrator]:
Initialising global parameters
Processing section "[global]"
GPO 'Dummy Test' created as {25EA38BB-09C6-466F-8E76-D2571ABA1F57}

Still reading? Wanna feel my pain? Just go on …

Filesystem permission / ACL hell

Of course, just removing a line of code and hoping that things work out nicely isn't very professional, so I made quite a few attempts to get the permission problem solved properly.

linux # samba-tool ntacl sysvolcheck
ERROR(<class 'OSError'>): Could not access /var/lib/samba/state/sysvol/mydomain.de: No data available - [Errno 61] No data available: '/var/lib/samba/state/sysvol/mydomain.de'

Errno 61 (ENODATA) is the kernel saying that the extended attribute in which Samba stores the NT ACL for that directory does not exist. Trying to recreate it:

linux # samba-tool ntacl sysvolreset
set_nt_acl_conn: fset_nt_acl returned NT_STATUS_ACCESS_DENIED.
ERROR(runtime): uncaught exception - (3221225506, '{Access Denied} A process has requested access to an object but has not been granted those access rights.')
  File "/usr/lib/python3/dist-packages/samba/netcmd/__init__.py", line 387, in _run
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/netcmd/ntacl.py", line 449, in run
    provision.setsysvolacl(samdb, sysvol,
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1751, in setsysvolacl
    _setntacl(sysvol)
  File "/usr/lib/python3/dist-packages/samba/provision/__init__.py", line 1745, in _setntacl
    return setntacl(
           ^^^^^^^^^
  File "/usr/lib/python3/dist-packages/samba/ntacls.py", line 229, in setntacl
    smbd.set_nt_acl(

Fix permissions with the script mentioned in the Samba Wiki:

linux # wget https://raw.githubusercontent.com/thctlo/samba4/master/samba-check-set-sysvol.sh
linux # chmod +x ./samba-check-set-sysvol.sh
linux # ./samba-check-set-sysvol.sh
INFO 2025-10-14 06:37:51,443 pid:263 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #87: Loaded smb config files from /etc/samba/smb.conf
INFO 2025-10-14 06:37:51,443 pid:263 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #88: Loaded services file OK.
Review the file : default-rights-sysvol.acl, these contains the defaults for sysvol.
The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL

And now apply the settings (set APPLY_CHANGES_DIRECT="yes" in the script):

linux # apt install acl
linux # ./samba-check-set-sysvol.sh
INFO 2025-10-14 06:39:00,667 pid:400 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #87: Loaded smb config files from /etc/samba/smb.conf
INFO 2025-10-14 06:39:00,667 pid:400 /usr/lib/python3/dist-packages/samba/netcmd/testparm.py #88: Loaded services file OK.

The sysvol ACLS info.....

Please check your share rights for sysvol from within windows.
If these are incorrect, correct them and run this script again.
Set your sysvol SHARE permissions as followed.
EVERYONE: READ 
Authenticated Users: FULL CONTROL
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
User/Group system is added compaired to a win2008R2 sysvol, you need this for some GPO settings.

Set your sysvol FOLDER permissions as followed.
Authenticated Users: Read & Exec, Show folder content, Read
(BUILTIN or NTDOM)\Administrators: FULL CONTROL
(BUILTIN or NTDOM)\SYSTEM, FULL CONTROL
linux # getfacl /var/lib/samba/state/sysvol/mydomain.de/
getfacl: Removing leading '/' from absolute path names
# file: var/lib/samba/state/sysvol/mydomain.de/
# owner: root  
# group: root  
user::rwx
user:root:rwx  
user:BUILTIN\\administrators:rwx
user:NT\040Authority\\authenticated\040users:r-x
user:BUILTIN\\server\040operators:r-x
user:NT\040Authority\\system:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040Authority\\authenticated\040users:r-x
group:BUILTIN\\server\040operators:r-x
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040Authority\\authenticated\040users:r-x
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040Authority\\system:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\authenticated\040users:r-x
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---

And here I stopped writing down my desperate attempts … nothing worked.
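Since the script above only prints the rights it expects, here is an added example (my own code, not the Samba wiki script and not samba-tool) that parses getfacl output for the sysvol directory, decodes the \040 escapes getfacl uses for spaces, and compares the named entries with the folder rights the script lists: Authenticated Users read and execute, Administrators and SYSTEM full control, nothing for others, and the same again for the default (inherited) entries. It also flags any other principal that ends up with write access. The first ACL is a copy of the getfacl listing above; the second is a constructed bad one.

```python
import re
from collections import namedtuple

# Example added for this post; not from the Samba wiki script or samba-tool.
Entry = namedtuple("Entry", "default kind name perms")

# Folder rights the samba-check-set-sysvol.sh output asks for, keyed by
# (ACL tag, qualifier); names are compared case-insensitively.
EXPECTED = {
    ("user", r"nt authority\authenticated users"): "r-x",
    ("group", r"nt authority\authenticated users"): "r-x",
    ("user", r"builtin\administrators"): "rwx",
    ("group", r"builtin\administrators"): "rwx",
    ("user", r"nt authority\system"): "rwx",
    ("group", r"nt authority\system"): "rwx",
    ("mask", ""): "rwx",
    ("other", ""): "---",
}
# Principals allowed to hold write access besides the ones above ("" is the
# owning user/group entry, root is what the script adds explicitly).
WRITE_ALLOWED = {"", "root"}

# Copy of the getfacl listing from this post.
SAMPLE_GETFACL = r"""
# file: var/lib/samba/state/sysvol/mydomain.de/
# owner: root
# group: root
user::rwx
user:root:rwx
user:BUILTIN\\administrators:rwx
user:NT\040Authority\\authenticated\040users:r-x
user:BUILTIN\\server\040operators:r-x
user:NT\040Authority\\system:rwx
group::rwx
group:BUILTIN\\administrators:rwx
group:NT\040Authority\\authenticated\040users:r-x
group:BUILTIN\\server\040operators:r-x
group:NT\040Authority\\system:rwx
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:user:BUILTIN\\administrators:rwx
default:user:NT\040Authority\\authenticated\040users:r-x
default:user:BUILTIN\\server\040operators:r-x
default:user:NT\040Authority\\system:rwx
default:group::---
default:group:BUILTIN\\administrators:rwx
default:group:NT\040Authority\\authenticated\040users:r-x
default:group:BUILTIN\\server\040operators:r-x
default:group:NT\040Authority\\system:rwx
default:mask::rwx
default:other::---
"""

# Constructed bad ACL: world-readable and a domain group with write access.
BAD_GETFACL = r"""
# file: var/lib/samba/state/sysvol/mydomain.de/
user::rwx
user:BUILTIN\\administrators:rwx
group::rwx
group:MYDOMAIN\\domain\040users:rwx
mask::rwx
other::r-x
"""


def unescape(name):
    """getfacl prints a space as \\040 (octal) and a backslash as \\\\."""
    return re.sub(r"\\(\\|[0-7]{3})",
                  lambda m: "\\" if m.group(1) == "\\" else chr(int(m.group(1), 8)),
                  name)


def parse_getfacl(text):
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("getfacl:"):
            continue
        default = line.startswith("default:")
        if default:
            line = line[len("default:"):]
        kind, qualifier, perms = line.split(":", 2)
        # perms may carry a trailing "#effective:..." note; keep the first token
        entries.append(Entry(default, kind, unescape(qualifier).lower(), perms.split()[0]))
    return entries


def check_sysvol_acl(text):
    """Return a list of human-readable deviations; empty means the ACL matches."""
    entries = parse_getfacl(text)
    have = {(e.default, e.kind, e.name): e.perms for e in entries}
    problems = []
    for default in (False, True):
        label = "default " if default else ""
        for (kind, name), want in EXPECTED.items():
            got = have.get((default, kind, name))
            if got != want:
                problems.append(f"{label}{kind}:{name}: expected {want}, got {got or 'missing'}")
    for e in entries:
        if (e.kind in ("user", "group") and "w" in e.perms
                and e.name not in WRITE_ALLOWED and (e.kind, e.name) not in EXPECTED):
            problems.append(f"unexpected write access for {e.kind}:{e.name} ({e.perms})")
    return problems


if __name__ == "__main__":
    print("page ACL:", check_sysvol_acl(SAMPLE_GETFACL) or "ok")
    print("bad ACL:", check_sysvol_acl(BAD_GETFACL))
```

The write-access check is the part worth keeping: anyone who can write to a GPO's files in sysvol can change what every machine applying that GPO executes, so an unexpected rwx entry there is a finding, not a cosmetic difference.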

However, on my way there I also found some things that may become useful one day (like adding policies – not only for Windows machines).

Adding policies to Samba DC

Installing Windows policies

linux # apt install msitools
linux # msiextract -C /tmp/gpo /tmp/Administrative\ Templates\ \(.admx\)\ for\ Windows\ 11\ Sep\ 2024\ Update.msi
linux # samba-tool gpo admxload -U Administrator --admx-dir /tmp/gpo/Program\ Files/Microsoft\ Group\ Policy/Windows\ 11\ Sep\ 2024\ Update\ \(24H2\)/PolicyDefinitions/
Password for [MYDOMAIN\Administrator]:
Installing ADMX templates to the Central Store prevents Windows from displaying its own templates in the Group Policy Management Console. You will need to install these templates from https://www.microsoft.com/en-us/download/102157 to continue using Windows Administrative Templates.
linux # find /var/lib/samba/state/sysvol/
/var/lib/samba/state/sysvol/
/var/lib/samba/state/sysvol/mydomain.de
/var/lib/samba/state/sysvol/mydomain.de/Policies
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/ServiceControlManager.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/RacWmiProv.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/AppPrivacy.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/SoundRec.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/WinInit.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/PeerToPeerCaching.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/SharedFolders.admx
/var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/EAIME.admx
<...>

Installing Ubuntu policies

Now let's get some real Ubuntu policies installed (as described here):

linux # mkdir -p /var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions
linux # mkdir -p /var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/en-US
linux # curl -o /var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/Ubuntu.admx https://raw.githubusercontent.com/ubuntu/adsys/refs/heads/main/policies/Ubuntu/all/Ubuntu.admx
linux # curl -o /var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions/en-US/Ubuntu.adml https://raw.githubusercontent.com/ubuntu/adsys/refs/heads/main/policies/Ubuntu/all/Ubuntu.adml
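Templates dropped into the central store by hand (or by admxload) are easy to get subtly wrong: an .admx without its language .adml, or an .admx whose $(string.…) references have no entry in the .adml string table, which then does not display properly in the policy editor. Here is an added example (my own code, not adsys or samba-tool) that walks a PolicyDefinitions directory and reports both problems. The ADMX/ADML pair inside it is a constructed, cut-down one in the shape of the real files; the policy names and registry key are made up.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Example added for this post; not adsys or samba-tool code.
NS = "{http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions}"
STRING_REF = re.compile(r"\$\(string\.([A-Za-z0-9_.-]+)\)")

# Constructed template pair: the ADML deliberately lacks ExampleBanner_help.
SAMPLE_ADMX = rb"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitions xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="example" namespace="Example.Policies"/>
  </policyNamespaces>
  <resources minRequiredRevision="1.0"/>
  <categories>
    <category name="Example" displayName="$(string.Example)"/>
  </categories>
  <policies>
    <policy name="ExampleBanner" class="Machine" displayName="$(string.ExampleBanner)"
            explainText="$(string.ExampleBanner_help)" key="Software\Policies\Example" valueName="Banner">
      <parentCategory ref="Example"/>
      <supportedOn ref="windows:SUPPORTED_Windows7"/>
    </policy>
  </policies>
</policyDefinitions>
"""

SAMPLE_ADML = rb"""<?xml version="1.0" encoding="utf-8"?>
<policyDefinitionResources xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions" revision="1.0" schemaVersion="1.0">
  <displayName>Example policies</displayName>
  <description>Constructed for the example</description>
  <resources>
    <stringTable>
      <string id="Example">Example</string>
      <string id="ExampleBanner">Login banner</string>
    </stringTable>
  </resources>
</policyDefinitionResources>
"""


def string_refs(admx):
    """All $(string.id) references found in attributes of an ADMX document."""
    refs = set()
    for element in ET.fromstring(admx).iter():
        for value in element.attrib.values():
            refs.update(STRING_REF.findall(value))
    return refs


def string_ids(adml):
    """All string ids defined in an ADML document's stringTable."""
    return {s.get("id") for s in ET.fromstring(adml).iter(f"{NS}string")}


def unresolved_string_refs(admx, adml):
    return sorted(string_refs(admx) - string_ids(adml))


def check_central_store(policy_definitions, lang="en-US"):
    """Return (admx file, problem) for every template that is incomplete."""
    problems = []
    pd = Path(policy_definitions)
    for admx in sorted(pd.glob("*.admx")):
        adml = pd / lang / (admx.stem + ".adml")
        if not adml.is_file():
            problems.append((admx.name, f"no {lang}/{admx.stem}.adml"))
            continue
        for ref in unresolved_string_refs(admx.read_bytes(), adml.read_bytes()):
            problems.append((admx.name, f"$(string.{ref}) not in {adml.name}"))
    return problems


def demo():
    """Constructed PolicyDefinitions tree with one broken pair and one orphan."""
    root = Path(tempfile.mkdtemp()) / "PolicyDefinitions"
    (root / "en-US").mkdir(parents=True)
    (root / "Example.admx").write_bytes(SAMPLE_ADMX)
    (root / "en-US" / "Example.adml").write_bytes(SAMPLE_ADML)
    (root / "Orphan.admx").write_bytes(SAMPLE_ADMX)  # no matching .adml
    return check_central_store(root)


if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

Point it at /var/lib/samba/state/sysvol/mydomain.de/Policies/PolicyDefinitions after the commands above to see whether the Ubuntu templates and the Windows ones loaded earlier are complete for the language folder you created.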

But there seems to be no way to apply those policies other than from a Windows PC … OK, that's not the way to go.
