[Samba] Win Clients and DNS

Ole Traupe ole.traupe at tu-berlin.de
Mon Nov 16 13:25:14 UTC 2015



On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>
>
> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>> See replies below
>>
>> On 16.11.2015 12:39, Rowland Penny wrote:
>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error 
>>>> message came up:
>>>>
>>>> --------------------snip--------------------
>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>> does not match expected value 
>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>> from GPO object
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>> line 175, in _run
>>>>     return self.run(*args, **kwargs)
>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>> line 249, in run
>>>>     lp)
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1733, in checksysvolacl
>>>>     direct_db_access)
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1684, in check_gpos_acl
>>>>     domainsid, direct_db_access)
>>>>   File 
>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>> line 1650, in check_dir_acl
>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
>>>> match expected value %s from GPO object' % 
>>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, 
>>>> acl))
>>>> --------------------snip--------------------
>>>>
>>>> The GPO directory in question is the Default Domain Policy.
>>>>
>>>> Any idea what happened here? I never touched the DDD, it's still on 
>>>> version 0, and I never did any changes to those files either. I 
>>>> manually checked the ACL, without having made a diff on it, it 
>>>> looks pretty much the same like the ACL on the other containers.
>>>>
>>>> Is it safe to run sysvolreset?
>>>>
>>>> Viktor
>>>>
>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>> I guess,
>>>>>
>>>>> incorrect rights on your sysvol,
>>>>> Try : samba-tool ntacl sysvolreset
>>>>> And check the share rights.
>>>>>
>>>>> By default this should work out of the box.
>>>>> Did you change the sysvol rights?
>>>>>
>>>>>
>>>>> Greetz,
>>>>>
>>>>> Louis
>>>>>
>>>>>
>>>>>> -----Original message-----
>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>>>> Sent: Monday, 16 November 2015 9:25
>>>>>> To: samba at lists.samba.org
>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>
>>>>>> Viktor, can you manually check whether you have DNS records for 
>>>>>> your Win
>>>>>> clients?
>>>>>>
>>>>>> In the DNS settings for your Win clients' network adapters you can
>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>
>>>>>> Ole
>>>>>>
>>>>>>
>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC 
>>>>>>> and the
>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>
>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>> warning:
>>>>>>>
>>>>>>> Event 8019, DNS Client Events
>>>>>>> ------------------------------------------
>>>>>>> The system failed to register host (A or AAAA) resource records 
>>>>>>> (RRs)
>>>>>>> for network adapter with settings:
>>>>>>>
>>>>>>> Adapter Name: {someGUID}
>>>>>>> Host Name: Client-PC
>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>> DNS Server list:
>>>>>>>      192.168.0.1
>>>>>>> Sent update to server: <?>
>>>>>>> IP Addresses:
>>>>>>>     192.168.0.15
>>>>>>> ------------------------------------------
>>>>>>>
>>>>>>> Is it necessary to manually make some entries in DNS for the client
>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>
>>>>>>> I'm trying to figure out if this is connected to another problem 
>>>>>>> I'm
>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could 
>>>>>>> not
>>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>>> resolution is mentioned. I can access the file just fine once I'm
>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Viktor
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>> Firstly, have you changed anything on the DC after provision? I 
>>> don't mean adding users or groups, but anything else?
>>>
>>> I think if you examine what samba-tool thinks is different, you will 
>>> find that it is only these:
>>>
>>> O:BAG:DUD and O:DAG:DAD
>>>
>>> To turn these into English :-)
>>>
>>> O = owner
>>> BA = BUILTIN\Administrators
>>> G = group
>>> DU = Domain Users
>>> DA = Domain Administrators
>>>
>>> BA becoming DA is fairly common and I don't think it is relevant,
>>> But somehow DA has become DU
>>>
>> Yes, those are the ACLs I see, BA is the owner, DA has full rights, 
>> DU can read.
>>
>>> That is why I asked if you have changed anything.
>>>
>> No, I haven't. Please also check my new thread about the ACL issue.
>>
>>> Now as for do your computers A and PTR records need to be added to 
>>> AD, try this on the DC:
>>>
>>> ping -c1 member1
>>>
>>> where 'member1' is the hostname of one of your workstations, it 
>>> should return something like this:
>>>
>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>
>>>
>>>
>> This is making things even more confusing... If I enter the DNS 
>> records, then the command nslookup clientname will provide the 
>> correct IP address. Ping doesn't work for half of the clients but it 
>> doesn't work even using the IP address. Seems like the firewall is 
>> blocking it which is again really weird because I didn't make any 
>> changes and all clients are exactly the same.
>>
>
> Off topic but some of my Win 10 clients have ICMP echo blocked in the 
> domain, some allow it. And I never even touched this setting.
>
To my knowledge, ping requires File and Printer Sharing on Windows. Is 
it activated on all your clients?
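
Rowland's decoding of O:BAG:DUD above covers the owner and group part of the SDDL strings in the sysvolcheck error. The script below is an added example, not Samba code and not written by anyone in this thread: it parses the two descriptors quoted in the error message (copied verbatim) and reports every difference, comparing ACEs as a multiset so a missing duplicate is noticed. Run against the quoted strings it turns up, beyond owner (BA vs DA) and group (DU vs DA), that the on-disk DACL lacks the P (protected) flag and carries a non-inheriting BUILTIN\Administrators ACE where a second inheriting Domain Admins ACE was expected. The SID alias, inheritance flag and DACL flag tables are the standard SDDL ones; the two access masks are decoded as the standard file rights they correspond to.

```python
"""Decode and diff the two SDDL descriptors from the sysvolcheck error above.

Added example; not part of Samba or of the mailing-list thread.
"""
import re
from collections import Counter

# Copied verbatim from the samba-tool ntacl sysvolcheck error in the thread.
ACTUAL_SDDL = (
    "O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)
EXPECTED_SDDL = (
    "O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
    "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
    "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)"
)

# Well-known SDDL SID aliases (MS-DTYP 2.4.2.4); only the ones that occur above.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
    "EA": "Enterprise Admins", "CO": "CREATOR OWNER", "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only",
             "NP": "no propagate", "ID": "inherited"}
DACL_FLAGS = {"P": "protected: parent ACEs are not inherited", "AI": "auto-inherited",
              "AR": "auto-inherit requested"}
# Access masks seen in the error; these are standard file rights, not Samba-specific.
KNOWN_MASKS = {0x001F01FF: "full control (FILE_ALL_ACCESS)",
               0x001200A9: "read & execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)"}

SD_RE = re.compile(r"O:(?P<owner>[^:]+?)G:(?P<group>[^:]+?)D:(?P<dacl>.*)")
ACE_RE = re.compile(r"\([^()]*\)")
DACL_FLAG_RE = re.compile(r"AI|AR|P")


def parse_ace(text):
    """'(A;OICI;0x001f01ff;;;DA)' -> its six ';'-separated fields."""
    fields = text.strip("()").split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: " + text)
    ace_type, flags, rights, _obj_guid, _inherit_guid, sid = fields
    mask = int(rights, 16) if rights.lower().startswith("0x") else None
    return {"type": ace_type, "flags": re.findall(r"..", flags), "rights": rights,
            "mask": mask, "sid": sid, "text": text}


def parse_sddl(sddl):
    """Split 'O:..G:..D:flags(ace)(ace)...' into owner, group, DACL flags and ACEs.

    Only owner, group and DACL are handled (no SACL), which is all sysvolcheck prints.
    """
    m = SD_RE.fullmatch(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: descriptor: " + sddl)
    dacl = m.group("dacl")
    first_ace = dacl.find("(")
    flag_text = dacl if first_ace < 0 else dacl[:first_ace]
    flags = DACL_FLAG_RE.findall(flag_text)
    if "".join(flags) != flag_text:
        raise ValueError("unknown DACL flags: " + flag_text)
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": flags, "aces": [parse_ace(a) for a in ACE_RE.findall(dacl)]}


def describe_ace(text):
    """One readable line for an ACE: who, which rights, how it inherits."""
    ace = parse_ace(text)
    kind = {"A": "allow", "D": "deny"}.get(ace["type"], ace["type"])
    who = SID_ALIASES.get(ace["sid"], ace["sid"])
    what = KNOWN_MASKS.get(ace["mask"], ace["rights"])
    inherit = ", ".join(ACE_FLAGS.get(f, f) for f in ace["flags"]) or "this directory only"
    return f"{kind} {who}: {what} [{inherit}]"


def diff_descriptors(actual, expected):
    """Return what differs. ACEs are compared as a multiset, so a missing duplicate counts."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    a_aces = Counter(x["text"] for x in a["aces"])
    e_aces = Counter(x["text"] for x in e["aces"])
    return {
        "owner": None if a["owner"] == e["owner"] else (a["owner"], e["owner"]),
        "group": None if a["group"] == e["group"] else (a["group"], e["group"]),
        "dacl_flags": None if a["dacl_flags"] == e["dacl_flags"]
        else (a["dacl_flags"], e["dacl_flags"]),
        "extra_aces": sorted((a_aces - e_aces).elements()),
        "missing_aces": sorted((e_aces - a_aces).elements()),
    }


def explain(diff):
    """Human-readable lines for a diff_descriptors() result."""
    lines = []
    for field in ("owner", "group"):
        if diff[field]:
            got, want = diff[field]
            lines.append(f"{field}: {SID_ALIASES.get(got, got)} (got) vs "
                         f"{SID_ALIASES.get(want, want)} (expected)")
    if diff["dacl_flags"]:
        got, want = diff["dacl_flags"]
        lines.append("DACL flags: %s (got) vs %s (expected)" % (
            ", ".join(DACL_FLAGS.get(f, f) for f in got) or "none",
            ", ".join(DACL_FLAGS.get(f, f) for f in want) or "none"))
    lines += ["unexpected ACE: " + describe_ace(t) for t in diff["extra_aces"]]
    lines += ["missing ACE: " + describe_ace(t) for t in diff["missing_aces"]]
    return lines


if __name__ == "__main__":
    for line in explain(diff_descriptors(ACTUAL_SDDL, EXPECTED_SDDL)):
        print(line)
```

The same diff can be fed any pair of descriptors, for instance the output of `samba-tool ntacl get` on a GPO directory against the one stored on the GPO object, to see exactly what `samba-tool ntacl sysvolreset` would change before running it.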
