[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 13:06:59 UTC 2015



On 16.11.2015 13:48, Viktor Trojanovic wrote:
> See replies below
>
> On 16.11.2015 12:39, Rowland Penny wrote:
>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>> So I ran a samba-tool ntacl sysvolcheck, and the following error 
>>> message came up:
>>>
>>> --------------------snip--------------------
>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>> exception - ProvisioningError: DB ACL on GPO directory 
>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>> does not match expected value 
>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>> from GPO object
>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>> line 175, in _run
>>>     return self.run(*args, **kwargs)
>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>> line 249, in run
>>>     lp)
>>>   File 
>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>> 1733, in checksysvolacl
>>>     direct_db_access)
>>>   File 
>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>> 1684, in check_gpos_acl
>>>     domainsid, direct_db_access)
>>>   File 
>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>> 1650, in check_dir_acl
>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
>>> match expected value %s from GPO object' % 
>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, 
>>> acl))
>>> --------------------snip--------------------
>>>
>>> The GPO directory in question is the Default Domain Policy.
>>>
>>> Any idea what happened here? I never touched the DDD, it's still on 
>>> version 0, and I never did any changes to those files either. I 
>>> manually checked the ACL, without having made a diff on it, it looks 
>>> pretty much the same as the ACL on the other containers.
>>>
>>> Is it safe to run sysvolreset?
>>>
>>> Viktor
>>>
>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>> I guess,
>>>>
>>>> incorrect rights on your sysvol,
>>>> Try : samba-tool ntacl sysvolreset
>>>> And check the share rights.
>>>>
>>>> By default this should work out of the box.
>>>> Did you change the sysvol rights?
>>>>
>>>>
>>>> Greetz,
>>>>
>>>> Louis
>>>>
>>>>
>>>>> -----Original message-----
>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>>> Sent: Monday 16 November 2015 9:25
>>>>> To: samba at lists.samba.org
>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>
>>>>> Viktor, can you manually check whether you have DNS records for 
>>>>> your Win
>>>>> clients?
>>>>>
>>>>> In the DNS settings for your Win clients' network adapters you can
>>>>> uncheck that the current address shall be registered in DNS.
>>>>>
>>>>> Ole
>>>>>
>>>>>
>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and 
>>>>>> the
>>>>>> clients all have a fixed IPv4 address.
>>>>>>
>>>>>> In the windows event viewer, I constantly see the following warning:
>>>>>>
>>>>>> Event 8019, DNS Client Events
>>>>>> ------------------------------------------
>>>>>> The system failed to register host (A or AAA) resource records (RRs)
>>>>>> for network adapter with settings:
>>>>>>
>>>>>> Adapter Name: {someGUID}
>>>>>> Host Name: Client-PC
>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>> DNS Server list:
>>>>>>      192.168.0.1
>>>>>> Sent update to server: <?>
>>>>>> IP Addresses:
>>>>>>     192.168.0.15
>>>>>> ------------------------------------------
>>>>>>
>>>>>> Is it necessary to manually make some entries in DNS for the client
>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>
>>>>>> I'm trying to figure out if this is connected to another problem I'm
>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not
>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>> resolution is mentioned. I can access the file just fine once I'm
>>>>>> logged in so I really don't know what the issue is here.
>>>>>>
>>>>>> Thanks,
>>>>>> Viktor
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>>
>>
>> Firstly, have you changed anything on the DC after provision? I don't 
>> mean adding users or groups, but anything else?
>>
>> I think if you examine what samba-tool thinks is different, you will 
>> find that it is only these:
>>
>> O:BAG:DUD and O:DAG:DAD
>>
>> To turn these into English :-)
>>
>> O = owner
>> BA = BUILTIN\Administrators
>> G = group
>> DU = Domain Users
>> DA = Domain Administrators
>>
>> BA becoming DA is fairly common and I don't think is relevant
>> But somehow DA has become DU
>>
> Yes, those are the ACLs I see, BA is the owner, DA has full rights, 
> DU can read.
>
>> That is why I asked if you have changed anything.
>>
> No, I haven't. Please also check my new thread about the ACL issue.
>
>> Now as for do your computers A and PTR records need to be added to 
>> AD, try this on the DC:
>>
>> ping -c1 member1
>>
>> where 'member1' is the hostname of one of your workstations, it 
>> should return something like this:
>>
>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>
>>
>>
> This is making things even more confusing... if I enter the DNS 
> records, then the command nslookup clientname will provide the correct 
> IP address. Ping doesn't work for half of the clients but it doesn't 
> work even using the IP address. Seems like the firewall is blocking it 
> which is again really weird because I didn't make any changes and all 
> clients are exactly the same.
>

Off topic but some of my Win 10 clients have ICMP echo blocked in the 
domain, some allow it. And I never even touched this setting.
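Rowland's decoding of the two SDDL strings in the sysvolcheck error is easy to check mechanically. The script below is an added example, not code from this thread or from Samba: it parses the found and expected descriptors quoted above (the O:/G:/D: parts only; a SACL "S:" part is not handled) and lists every point where they differ. The SID abbreviations and access-mask names in the tables are the documented SDDL meanings for the values that appear in the error; everything else (function and class names) is this example's own. Run over the two strings it reports the owner and group change Rowland points out, and also that the expected DACL is protected (the "P" flag) and carries a second Domain Admins ACE where the filesystem has a non-inheriting BUILTIN\Administrators ACE instead.

```python
import re
from collections import Counter
from dataclasses import dataclass

# The two SDDL strings quoted verbatim from the sysvolcheck error above:
# what samba-tool found on the filesystem, and what the GPO object expects.
FOUND_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
              "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
              "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID abbreviations used in the strings above (subset of the full table).
SID_NAMES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
    "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# Access masks seen above: 0x1f01ff is full control (FA), 0x1200a9 is read+execute (FR|FX).
MASK_NAMES = {0x1F01FF: "full control", 0x1200A9: "read and execute"}

# Layout handled: O:<owner>G:<group>D:<dacl flags>(ace)(ace)...
SD_RE = re.compile(r"^O:(?P<owner>\S+?)G:(?P<group>\S+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)$")
ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: str      # inheritance flags such as OI, CI, IO (may be empty)
    mask: int       # access mask
    trustee: str    # SID abbreviation or literal SID

    def describe(self):
        kind = "allow" if self.ace_type == "A" else self.ace_type
        who = SID_NAMES.get(self.trustee, self.trustee)
        what = MASK_NAMES.get(self.mask, hex(self.mask))
        return f"{kind} {what} to {who} ({self.flags or 'no inheritance'})"


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str
    aces: tuple


def parse_sddl(sddl):
    """Parse an O:/G:/D: SDDL string into a SecurityDescriptor."""
    m = SD_RE.match(sddl)
    if not m:
        raise ValueError("not an O:/G:/D: SDDL string: %r" % sddl)
    aces = []
    for body in ACE_RE.findall(m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, _object_guid, _inherit_guid, trustee = fields
        if not rights.startswith("0x"):
            raise ValueError("only hexadecimal access masks are handled: %s" % rights)
        aces.append(Ace(ace_type, flags, int(rights, 16), trustee))
    return SecurityDescriptor(m.group("owner"), m.group("group"),
                              m.group("flags"), tuple(aces))


def sid_name(sid):
    return SID_NAMES.get(sid, sid)


def diff_descriptors(found, expected):
    """Return one human-readable line for every way `found` differs from `expected`."""
    diffs = []
    if found.owner != expected.owner:
        diffs.append(f"owner: {sid_name(found.owner)} (found) vs {sid_name(expected.owner)} (expected)")
    if found.group != expected.group:
        diffs.append(f"group: {sid_name(found.group)} (found) vs {sid_name(expected.group)} (expected)")
    if found.dacl_flags != expected.dacl_flags:
        diffs.append(f"DACL flags: {found.dacl_flags or '(none)'} (found) vs "
                     f"{expected.dacl_flags or '(none)'} (expected)")
    # Compare ACEs as multisets so a duplicated ACE (DA appears twice in the expected
    # DACL) counts as a difference rather than collapsing into a set.
    found_c, expected_c = Counter(found.aces), Counter(expected.aces)
    for ace in sorted(found_c - expected_c, key=str):
        diffs.append("ACE present but not expected: " + ace.describe())
    for ace in sorted(expected_c - found_c, key=str):
        diffs.append("ACE expected but missing: " + ace.describe())
    return diffs


if __name__ == "__main__":
    for line in diff_descriptors(parse_sddl(FOUND_SDDL), parse_sddl(EXPECTED_SDDL)):
        print(line)
```

The same parser can be pointed at the output of `samba-tool ntacl get` for any other sysvol directory; comparing against the descriptor of a known-good GPO directory shows exactly which owner, group, flag or ACE a sysvolreset would change before it is run.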


