[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 11:19:15 UTC 2015 

So I ran a samba-tool ntacl sysvolcheck, and the following error message 
came up:

--------------------snip--------------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
from GPO object
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
249, in run
     lp)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1733, in checksysvolacl
     direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1684, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1650, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))
--------------------snip--------------------

The GPO directory in question is the Default Domain Policy.

Any idea what happened here? I never touched the DDD, it's still on 
version 0, and I never did any changes to those files either. I manually 
checked the ACL, without having made a diff on it, it looks pretty much 
the same like the ACL on the other containers.

Is it safe to run sysvolreset?

Viktor

On 16.11.2015 09:34, L.P.H. van Belle wrote:
> I guest,
>
> incorrect rights on you sysvol,
> Try : samba-tool ntacl sysvolreset
> And check the share rights.
>
> By default this should work out of the box.
> Did you change the sysvol rights?
>
>
> Greetz,
>
> Louis
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
>> Verzonden: maandag 16 november 2015 9:25
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Win Clients and DNS
>>
>> Viktor, can you manually check whether you have DNS records for your Win
>> clients?
>>
>> In the DNS settings for your Win clients' network adapters you can
>> uncheck that the current address shall be registered in DNS.
>>
>> Ole
>>
>>
>> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the
>>> clients all have a fixed IPv4 address.
>>>
>>> In the windows event viewer, I constantly see the following warning:
>>>
>>> Event 8019, DNS Client Events
>>> ------------------------------------------
>>> The system failed to register host (A or AAA) resource records (RRs)
>>> for network adapter with settings:
>>>
>>> Adapter Name: {someGUID}
>>> Host Name: Client-PC
>>> Primary Domain Suffix: SAMDOM.COM
>>> DNS Server list:
>>>      192.168.0.1
>>> Sent update to server: <?>
>>> IP Addresses:
>>>     192.168.0.15
>>> ------------------------------------------
>>>
>>> Is it necessary to manually make some entries in DNS for the client
>>> machines? I didn't see anything about that in the Wiki.
>>>
>>> I'm trying to figure out if this is connected to another problem I'm
>>> facing. A machine based GPO is not executed because "the file
>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not
>>> be read", and as one of the possible reasons for the error, name
>>> resolution is mentioned. I can access the file just fine once I'm
>>> logged in so I really don't know what the issue is here.
>>>
>>> Thanks,
>>> Viktor
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>

More information about the samba mailing list