[Samba] Win Clients and DNS

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 11:39:40 UTC 2015


On 16/11/15 11:19, Viktor Trojanovic wrote:
> So I ran a samba-tool ntacl sysvolcheck, and the following error 
> message came up:
>
> --------------------snip--------------------
> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception 
> - ProvisioningError: DB ACL on GPO directory 
> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> does not match expected value 
> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
> from GPO object
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
> line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
> 249, in run
>     lp)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1733, in checksysvolacl
>     direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1684, in check_gpos_acl
>     domainsid, direct_db_access)
>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
> line 1650, in check_dir_acl
>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
> match expected value %s from GPO object' % 
> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
> --------------------snip--------------------
>
> The GPO directory in question is the Default Domain Policy.
>
> Any idea what happened here? I never touched the DDD, it's still on 
> version 0, and I never did any changes to those files either. I 
> manually checked the ACL, without having made a diff on it, it looks 
> pretty much the same like the ACL on the other containers.
>
> Is it safe to run sysvolreset?
>
> Viktor
>
> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>> I guess,
>>
>> incorrect rights on your sysvol,
>> Try : samba-tool ntacl sysvolreset
>> And check the share rights.
>>
>> By default this should work out of the box.
>> Did you change the sysvol rights?
>>
>>
>> Greetz,
>>
>> Louis
>>
>>
>>> -----Original message-----
>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>> Sent: Monday, 16 November 2015 9:25
>>> To: samba at lists.samba.org
>>> Subject: Re: [Samba] Win Clients and DNS
>>>
>>> Viktor, can you manually check whether you have DNS records for your 
>>> Win
>>> clients?
>>>
>>> In the DNS settings for your Win clients' network adapters you can
>>> uncheck that the current address shall be registered in DNS.
>>>
>>> Ole
>>>
>>>
>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the
>>>> clients all have a fixed IPv4 address.
>>>>
>>>> In the windows event viewer, I constantly see the following warning:
>>>>
>>>> Event 8019, DNS Client Events
>>>> ------------------------------------------
>>>> The system failed to register host (A or AAAA) resource records (RRs)
>>>> for network adapter with settings:
>>>>
>>>> Adapter Name: {someGUID}
>>>> Host Name: Client-PC
>>>> Primary Domain Suffix: SAMDOM.COM
>>>> DNS Server list:
>>>>      192.168.0.1
>>>> Sent update to server: <?>
>>>> IP Addresses:
>>>>     192.168.0.15
>>>> ------------------------------------------
>>>>
>>>> Is it necessary to manually make some entries in DNS for the client
>>>> machines? I didn't see anything about that in the Wiki.
>>>>
>>>> I'm trying to figure out if this is connected to another problem I'm
>>>> facing. A machine based GPO is not executed because "the file
>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not
>>>> be read", and as one of the possible reasons for the error, name
>>>> resolution is mentioned. I can access the file just fine once I'm
>>>> logged in so I really don't know what the issue is here.
>>>>
>>>> Thanks,
>>>> Viktor
>>>>
>>>
>>> -- 
>>> To unsubscribe from this list go to the following URL and read the
>>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
>

Firstly, have you changed anything on the DC after provision? I don't 
mean adding users or groups, but anything else?

I think if you examine what samba-tool thinks is different, you will 
find that it is only these:

O:BAG:DUD and O:DAG:DAD

To turn these into English :-)

O = owner
BA = BUILTIN\Administrators
G = group
DU = Domain Users
DA = Domain Administrators

BA becoming DA is fairly common and I don't think it is relevant
But somehow DA has become DU

That is why I asked if you have changed anything.

Now as for do your computers A and PTR records need to be added to AD, 
try this on the DC:

ping -c1 member1

where 'member1' is the hostname of one of your workstations, it should 
return something like this:

PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms

--- member1.samdom.example.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.261/0.261/0.261/0.000 ms

Not like this:

ping: unknown host member1

If you get the latter, you need to add the records manually.

Rowland
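As an added example (not part of this thread and not Samba's own code), here is a small Python parser that splits the two SDDL strings from the sysvolcheck error above into owner, group, DACL control flags and individual ACEs, and then lists every difference between the ACL found on the filesystem and the one samba-tool derives from the GPO object. The SID abbreviations and access-mask names are the standard Windows SDDL ones; the function names, the ACE description format and the idea of treating the DACL as a multiset of ACEs are my own choices for illustration.

```python
"""Parse and diff Windows SDDL strings of the kind printed by
'samba-tool ntacl sysvolcheck'.  Added example, not Samba code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the two SDDL strings quoted in the sysvolcheck error above
# (filesystem ACL first, then the value expected from the GPO object).
ACTUAL_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID abbreviations (subset that appears in the thread)
SID_NAMES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# Access masks seen in the thread: full control, and read + execute
MASK_NAMES = {0x001F01FF: "FULL_CONTROL", 0x001200A9: "READ_EXECUTE"}
ACE_FLAG_NAMES = {"OI": "object inherit", "CI": "container inherit",
                  "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}


@dataclass(frozen=True)          # frozen -> hashable, so ACEs can go in a Counter
class Ace:
    ace_type: str                # "A" = access allowed, "D" = access denied
    flags: str                   # e.g. "OICI", "OICIIO" or ""
    rights: str                  # raw rights field, usually a hex mask
    trustee: str                 # SID abbreviation or literal SID

    @property
    def mask(self) -> Optional[int]:
        return int(self.rights, 16) if self.rights.lower().startswith("0x") else None

    def describe(self) -> str:
        who = SID_NAMES.get(self.trustee, self.trustee)
        what = MASK_NAMES.get(self.mask, self.rights) if self.mask is not None else self.rights
        flags = [ACE_FLAG_NAMES.get(self.flags[i:i + 2], self.flags[i:i + 2])
                 for i in range(0, len(self.flags), 2)]
        return f"{self.ace_type}:{who}:{what}" + (f" [{', '.join(flags)}]" if flags else "")


@dataclass
class SecurityDescriptor:
    owner: Optional[str]
    group: Optional[str]
    dacl_flags: str              # "P" = protected (no inheritance from parent)
    dacl: List[Ace]


# Sections are O:, G:, D:, S:; each runs until the next section marker.
_SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl: str) -> SecurityDescriptor:
    sections: Dict[str, str] = dict(_SECTION_RE.findall(sddl))
    dacl_raw = sections.get("D", "")
    dacl_flags = dacl_raw.split("(", 1)[0]       # text before the first ACE
    aces = []
    for body in _ACE_RE.findall(dacl_raw):
        fields = body.split(";")
        if len(fields) != 6:                     # type;flags;rights;objguid;inhguid;sid
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj_guid, _inh_guid, trustee = fields
        aces.append(Ace(ace_type, flags, rights, trustee))
    return SecurityDescriptor(sections.get("O"), sections.get("G"), dacl_flags, aces)


def _name(sid: Optional[str]) -> str:
    return f"{sid} ({SID_NAMES.get(sid, 'unknown')})" if sid else "<none>"


def diff_descriptors(actual: SecurityDescriptor, expected: SecurityDescriptor) -> List[str]:
    """Return one human-readable line per difference; empty list means identical."""
    problems = []
    if actual.owner != expected.owner:
        problems.append(f"owner: {_name(actual.owner)} != {_name(expected.owner)}")
    if actual.group != expected.group:
        problems.append(f"group: {_name(actual.group)} != {_name(expected.group)}")
    if actual.dacl_flags != expected.dacl_flags:
        problems.append(f"dacl flags: {actual.dacl_flags!r} != {expected.dacl_flags!r}")
    # Compare the ACE lists as multisets so a duplicated ACE shows up too
    for ace, n in (Counter(actual.dacl) - Counter(expected.dacl)).items():
        problems.append(f"ace only on filesystem (x{n}): {ace.describe()}")
    for ace, n in (Counter(expected.dacl) - Counter(actual.dacl)).items():
        problems.append(f"ace only in GPO object (x{n}): {ace.describe()}")
    return problems


if __name__ == "__main__":
    for line in diff_descriptors(parse_sddl(ACTUAL_SDDL), parse_sddl(EXPECTED_SDDL)):
        print(line)
```

Run against the two strings from the error message, the script reports the owner and group changes (BA to DA, DU to DA) and, in addition, that the expected DACL is protected (`P`) and replaces the non-inheriting BUILTIN\Administrators ACE with a second inheriting Domain Admins ACE. That is a quick way to see exactly what `sysvolreset` would change before running it.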



