/var/lib/samba/sysvol/

The /var/lib/samba/sysvol/ directory is a critical directory in a Samba Active Directory Domain Controller (AD DC). It holds the SYSVOL share, which is used to store public domain-wide data, including Group Policy Objects (GPOs), logon scripts, and other system policies in an Active Directory environment.

Key Points about /var/lib/samba/sysvol/:

  1. SYSVOL Directory:

    • In a Windows-based domain controller, the SYSVOL directory is where domain-wide public files are stored, such as Group Policy Objects (GPOs) and scripts. Samba, when configured as an Active Directory Domain Controller, emulates this functionality in the /var/lib/samba/sysvol/ directory.

    • Samba’s SYSVOL is synchronized between domain controllers to ensure that all domain controllers have the same GPOs, scripts, and other files required for domain-wide policy application.

  2. Contents of /var/lib/samba/sysvol/:

    • The directory contains Group Policy Objects (GPOs), logon scripts, startup scripts, and other shared configuration files for the domain.

    • Inside this directory, you may find subdirectories such as:

      • <Domain Name>: The top-level directory for the domain (e.g., /var/lib/samba/sysvol/example.com/).

      • Policies/: Contains Group Policy Objects (GPOs) for the domain.

      • Scripts/: Stores logon or startup scripts that are applied when users log on to the domain.

    Example structure:

    /var/lib/samba/sysvol/
        └── example.com/
            ├── Policies/
            │   ├── {31B2F340-016D-11D2-945F-00C04FB984F9}  # Example GPO GUID
            │   └── {D2D9D755-EE8F-47E9-B0CC-DDA78B6E6A23}  # Another GPO
            └── Scripts/
                ├── logon.bat
                └── startup.bat
  3. Replication of SYSVOL:

    • In a Samba AD DC setup with multiple domain controllers, the contents of /var/lib/samba/sysvol/ must be replicated between all domain controllers, ensuring consistency for all domain-joined machines.

    • Samba uses the File Replication Service (FRS) or Distributed File System Replication (DFSR) to replicate SYSVOL content. This allows for consistent application of GPOs and scripts across all domain controllers in the network.

  4. Permissions:

    • The files in SYSVOL are typically accessible to all domain users and computers, which means the directory and its subdirectories should be configured with proper permissions to prevent unauthorized access while ensuring that domain members can read and apply the contents.

    • Samba ensures the correct NTFS-like permissions and ownerships for the files within SYSVOL.

  5. Configuration and Setup:

    • When Samba is set up as an Active Directory Domain Controller, the SYSVOL directory is created automatically, and GPOs and scripts can be managed using Windows administrative tools (such as the Group Policy Management Console) or Samba’s tools.

    • Administrators may need to ensure that the samba-tool and other related tools are used to add or modify GPOs and scripts within this directory.

Example Usage:

  • GPO Management: Administrators may configure GPOs (e.g., password policies, user rights) that are stored in /var/lib/samba/sysvol/<domain>/Policies/.

    You can manage these using Windows tools like Group Policy Management Console (GPMC), or you can use samba-tool to apply certain policies or set parameters.

  • Logon Scripts: You may place logon scripts inside /var/lib/samba/sysvol/<domain>/Scripts/. These scripts are applied to users or computers during the login process.

Conclusion:

The /var/lib/samba/sysvol/ directory is integral to Samba’s role as an Active Directory Domain Controller. It mirrors the Windows SYSVOL share, storing critical domain-wide data like Group Policy Objects (GPOs) and logon scripts. Proper configuration and replication of this directory are essential for maintaining a consistent environment across multiple Samba domain controllers and ensuring correct application of policies and scripts to all domain-joined machines.

Last updated