[Samba] Win Clients and DNS

L.P.H. van Belle belle at bazuin.nl
Mon Nov 16 13:38:55 UTC 2015


You know need icmp echo to make this work.
Icmp echo is off also in my lan. 

Greetz, 

Louis


> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> Sent: Monday 16 November 2015 14:25
> To: samba at lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS
> 
> 
> 
> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
> >
> >
> > On 16.11.2015 13:48, Viktor Trojanovic wrote:
> >> See replies below
> >>
> >> On 16.11.2015 12:39, Rowland Penny wrote:
> >>> On 16/11/15 11:19, Viktor Trojanovic wrote:
> >>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
> >>>> message came up:
> >>>>
> >>>> --------------------snip--------------------
> >>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >>>> exception - ProvisioningError: DB ACL on GPO directory
> >>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
> >>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>> does not match expected value
> >>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>> from GPO object
> >>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>> line 175, in _run
> >>>>     return self.run(*args, **kwargs)
> >>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >>>> line 249, in run
> >>>>     lp)
> >>>>   File
> >>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>> line 1733, in checksysvolacl
> >>>>     direct_db_access)
> >>>>   File
> >>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>> line 1684, in check_gpos_acl
> >>>>     domainsid, direct_db_access)
> >>>>   File
> >>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>> line 1650, in check_dir_acl
> >>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not
> >>>> match expected value %s from GPO object' %
> >>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl,
> >>>> acl))
> >>>> --------------------snip--------------------
> >>>>
> >>>> The GPO directory in question is the Default Domain Policy.
> >>>>
> >>>> Any idea what happened here? I never touched the DDD, it's still on
> >>>> version 0, and I never did any changes to those files either. I
> >>>> manually checked the ACL, without having made a diff on it, it
> >>>> looks pretty much the same like the ACL on the other containers.
> >>>>
> >>>> Is it safe to run sysvolreset?
> >>>>
> >>>> Viktor
> >>>>
> >>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
> >>>>> I guess,
> >>>>>
> >>>>> incorrect rights on your sysvol,
> >>>>> Try : samba-tool ntacl sysvolreset
> >>>>> And check the share rights.
> >>>>>
> >>>>> By default this should work out of the box.
> >>>>> Did you change the sysvol rights?
> >>>>>
> >>>>>
> >>>>> Greetz,
> >>>>>
> >>>>> Louis
> >>>>>
> >>>>>
> >>>>>> -----Original message-----
> >>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
> >>>>>> Sent: Monday 16 November 2015 9:25
> >>>>>> To: samba at lists.samba.org
> >>>>>> Subject: Re: [Samba] Win Clients and DNS
> >>>>>>
> >>>>>> Viktor, can you manually check whether you have DNS records for
> >>>>>> your Win
> >>>>>> clients?
> >>>>>>
> >>>>>> In the DNS settings for your Win clients' network adapters you can
> >>>>>> uncheck that the current address shall be registered in DNS.
> >>>>>>
> >>>>>> Ole
> >>>>>>
> >>>>>>
> >>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
> >>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
> >>>>>>> and the
> >>>>>>> clients all have a fixed IPv4 address.
> >>>>>>>
> >>>>>>> In the windows event viewer, I constantly see the following
> >>>>>>> warning:
> >>>>>>>
> >>>>>>> Event 8019, DNS Client Events
> >>>>>>> ------------------------------------------
> >>>>>>> The system failed to register host (A or AAA) resource records
> >>>>>>> (RRs)
> >>>>>>> for network adapter with settings:
> >>>>>>>
> >>>>>>> Adapter Name: {someGUID}
> >>>>>>> Host Name: Client-PC
> >>>>>>> Primary Domain Suffix: SAMDOM.COM
> >>>>>>> DNS Server list:
> >>>>>>>      192.168.0.1
> >>>>>>> Sent update to server: <?>
> >>>>>>> IP Addresses:
> >>>>>>>     192.168.0.15
> >>>>>>> ------------------------------------------
> >>>>>>>
> >>>>>>> Is it necessary to manually make some entries in DNS for the client
> >>>>>>> machines? I didn't see anything about that in the Wiki.
> >>>>>>>
> >>>>>>> I'm trying to figure out if this is connected to another problem
> >>>>>>> I'm
> >>>>>>> facing. A machine based GPO is not executed because "the file
> >>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could
> >>>>>>> not
> >>>>>>> be read", and as one of the possible reasons for the error, name
> >>>>>>> resolution is mentioned. I can access the file just fine once I'm
> >>>>>>> logged in so I really don't know what the issue is here.
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Viktor
> >>>>>>>
> >>>>>>
> >>>>>> --
> >>>>>> To unsubscribe from this list go to the following URL and read the
> >>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>
> >>>>>
> >>>>
> >>>>
> >>>
> >>> Firstly, have you changed anything on the DC after provision? I
> >>> don't mean adding users or groups, but anything else?
> >>>
> >>> I think if you examine what samba-tool thinks is different, you will
> >>> find that it is only these:
> >>>
> >>> O:BAG:DUD and O:DAG:DAD
> >>>
> >>> To turn these into English :-)
> >>>
> >>> O = owner
> >>> BA = BUILTIN\Administrators
> >>> G = group
> >>> DU = Domain Users
> >>> DA = Domain Administrators
> >>>
> >>> BA becoming DA is fairly common and I don't think is relevant
> >>> But somehow DA has become DU
> >>>
> >> Yes, those are the ACL's I see, BA is the owner, DA has full rights,
> >> DU can read.
> >>
> >>> That is why I asked if you have changed anything.
> >>>
> >> No, I haven't. Please also check my new thread about the ACL issue.
> >>
> >>> Now as for do your computers A and PTR records need to be added to
> >>> AD, try this on the DC:
> >>>
> >>> ping -c1 member1
> >>>
> >>> where 'member1' is the hostname of one of your workstations, it
> >>> should return something like this:
> >>>
> >>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
> >>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
> >>>
> >>>
> >>>
> >> This is making things even more confusing.. if I enter the DNS
> >> records, then the command nslookup clientname will provide the
> >> correct IP address. Ping doesn't work for half of the clients but it
> >> doesn't work even using the IP address. Seems like the firewall is
> >> blocking it which is again really weird because I didn't make any
> >> changes and all clients are exactly the same.
> >>
> >
> > Off topic but some of my Win 10 clients have ICMP echo blocked in the
> > domain, some allow it. And I never even touched this setting.
> >
> To my knowledge, ping requires File and Printer Sharing on Windows. Is
> it activated on all your clients?
> 
> 
> 

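Added example (not part of the original thread, and not Samba's own code): a small Python parser that splits the two SDDL strings from the sysvolcheck error into owner, group, DACL flags and ACEs, and lists every field where the filesystem ACL differs from the GPO object. The function names and the alias table are this example's own; it handles only the `O:`, `G:` and `D:` parts that appear in the thread, not SACLs.

```python
import re
from collections import Counter

# The two SDDL strings from the sysvolcheck error quoted in the thread.
FS_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
GPO_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")
# Standard SDDL SID aliases occurring in those strings.
ALIASES = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
           "DU": "Domain Users", "EA": "Enterprise Admins",
           "CO": "Creator Owner", "SY": "Local System",
           "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
SID = r"[A-Z]{2}|S-[0-9-]+"
SDDL_RE = re.compile(r"^O:(?P<owner>%s)G:(?P<group>%s)D:(?P<flags>[A-Z]*)"
                     r"(?P<aces>(?:\([^()]*\))*)$" % (SID, SID))

def parse_sddl(sddl):
    """Split an O:/G:/D: SDDL string (no SACL) into its parts."""
    m = SDDL_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^()]*)\)", m["aces"])]
    if any(len(a) != 6 for a in aces):
        raise ValueError("ACE without six fields in %r" % sddl)
    return {"owner": m["owner"], "group": m["group"],
            "dacl_flags": m["flags"], "aces": aces}

def diff_sddl(actual, expected):
    """Return (field, actual, expected) for every difference."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = [(k, a[k], e[k]) for k in ("owner", "group", "dacl_flags") if a[k] != e[k]]
    have, want = Counter(a["aces"]), Counter(e["aces"])  # multiset: duplicates count
    out += [("ace", ";".join(x), None) for x in (have - want).elements()]
    out += [("ace", None, ";".join(x)) for x in (want - have).elements()]
    return out

if __name__ == "__main__":
    for field, got, exp in diff_sddl(FS_SDDL, GPO_SDDL):
        print(field, "filesystem:", ALIASES.get(got, got), "| GPO object:", ALIASES.get(exp, exp))
```

On the strings from the thread it reports five differences: owner, group, the DACL `P` (protected) flag, and one ACE on each side.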



