[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 11:19:15 UTC 2015

So I ran a samba-tool ntacl sysvolcheck, and the following error message 
came up:

ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - 
ProvisioningError: DB ACL on GPO directory 
does not match expected value 
from GPO object
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
249, in run
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1733, in checksysvolacl
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1684, in check_gpos_acl
     domainsid, direct_db_access)
   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
line 1650, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))

The GPO directory in question is the Default Domain Policy.

Any idea what happened here? I never touched the DDD, it's still on 
version 0, and I never did any changes to those files either. I manually 
checked the ACL, without having made a diff on it, it looks pretty much 
the same like the ACL on the other containers.

Is it safe to run sysvolreset?


On 16.11.2015 09:34, L.P.H. van Belle wrote:
> I guest,
> incorrect rights on you sysvol,
> Try : samba-tool ntacl sysvolreset
> And check the share rights.
> By default this should work out of the box.
> Did you change the sysvol rights?
> Greetz,
> Louis
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
>> Verzonden: maandag 16 november 2015 9:25
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Win Clients and DNS
>> Viktor, can you manually check whether you have DNS records for your Win
>> clients?
>> In the DNS settings for your Win clients' network adapters you can
>> uncheck that the current address shall be registered in DNS.
>> Ole
>> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the
>>> clients all have a fixed IPv4 address.
>>> In the windows event viewer, I constantly see the following warning:
>>> Event 8019, DNS Client Events
>>> ------------------------------------------
>>> The system failed to register host (A or AAA) resource records (RRs)
>>> for network adapter with settings:
>>> Adapter Name: {someGUID}
>>> Host Name: Client-PC
>>> Primary Domain Suffix: SAMDOM.COM
>>> DNS Server list:
>>> Sent update to server: <?>
>>> IP Addresses:
>>> ------------------------------------------
>>> Is it necessary to manually make some entries in DNS for the client
>>> machines? I didn't see anything about that in the Wiki.
>>> I'm trying to figure out if this is connected to another problem I'm
>>> facing. A machine based GPO is not executed because "the file
>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not
>>> be read", and as one of the possible reasons for the error, name
>>> resolution is mentioned. I can access the file just fine once I'm
>>> logged in so I really don't know what the issue is here.
>>> Thanks,
>>> Viktor
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list