[Samba] Win Clients and DNS

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 13:44:26 UTC 2015


On 16/11/15 13:25, Ole Traupe wrote:
>
>
> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>
>>
>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>> See replies below
>>>
>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error 
>>>>> message came up:
>>>>>
>>>>> --------------------snip--------------------
>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>> does not match expected value 
>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>> from GPO object
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 
>>>>> 175, in _run
>>>>>     return self.run(*args, **kwargs)
>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>>> line 249, in run
>>>>>     lp)
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>> line 1733, in checksysvolacl
>>>>>     direct_db_access)
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>> line 1684, in check_gpos_acl
>>>>>     domainsid, direct_db_access)
>>>>>   File 
>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>> line 1650, in check_dir_acl
>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does 
>>>>> not match expected value %s from GPO object' % 
>>>>> (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, 
>>>>> acl))
>>>>> --------------------snip--------------------
>>>>>
>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>
>>>>> Any idea what happened here? I never touched the DDD, it's still 
>>>>> on version 0, and I never did any changes to those files either. I 
>>>>> manually checked the ACL, without having made a diff on it, it 
>>>>> looks pretty much the same as the ACL on the other containers.
>>>>>
>>>>> Is it safe to run sysvolreset?
>>>>>
>>>>> Viktor
>>>>>
>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>> I guess,
>>>>>>
>>>>>> incorrect rights on your sysvol,
>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>> And check the share rights.
>>>>>>
>>>>>> By default this should work out of the box.
>>>>>> Did you change the sysvol rights?
>>>>>>
>>>>>>
>>>>>> Greetz,
>>>>>>
>>>>>> Louis
>>>>>>
>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>> To: samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>
>>>>>>> Viktor, can you manually check whether you have DNS records for 
>>>>>>> your Win
>>>>>>> clients?
>>>>>>>
>>>>>>> In the DNS settings for your Win clients' network adapters you can
>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>
>>>>>>> Ole
>>>>>>>
>>>>>>>
>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC 
>>>>>>>> and the
>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>
>>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>>> warning:
>>>>>>>>
>>>>>>>> Event 8019, DNS Client Events
>>>>>>>> ------------------------------------------
>>>>>>>> The system failed to register host (A or AAA) resource records 
>>>>>>>> (RRs)
>>>>>>>> for network adapter with settings:
>>>>>>>>
>>>>>>>> Adapter Name: {someGUID}
>>>>>>>> Host Name: Client-PC
>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>> DNS Server list:
>>>>>>>>      192.168.0.1
>>>>>>>> Sent update to server: <?>
>>>>>>>> IP Addresses:
>>>>>>>>     192.168.0.15
>>>>>>>> ------------------------------------------
>>>>>>>>
>>>>>>>> Is it necessary to manually make some entries in DNS for the 
>>>>>>>> client
>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>
>>>>>>>> I'm trying to figure out if this is connected to another 
>>>>>>>> problem I'm
>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller 
>>>>>>>> could not
>>>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>>>> resolution is mentioned. I can access the file just fine once I'm
>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Viktor
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>> Firstly, have you changed anything on the DC after provision? I 
>>>> don't mean adding users or groups, but anything else?
>>>>
>>>> I think if you examine what samba-tool thinks is different, you 
>>>> will find that it is only these:
>>>>
>>>> O:BAG:DUD and O:DAG:DAD
>>>>
>>>> To turn these into English :-)
>>>>
>>>> O = owner
>>>> BA = BUILTIN\Administrators
>>>> G = group
>>>> DU = Domain Users
>>>> DA = Domain Administrators
>>>>
>>>> BA becoming DA is fairly common and I don't think is relevant
>>>> But somehow DA has become DU
>>>>
>>> Yes, those are the ACLs I see: BA is the owner, DA has full rights, 
>>> DU can read.
>>>
>>>> That is why I asked if you have changed anything.
>>>>
>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>
>>>> Now, as for whether your computers' A and PTR records need to be added to 
>>>> AD, try this on the DC:
>>>>
>>>> ping -c1 member1
>>>>
>>>> where 'member1' is the hostname of one of your workstations; it 
>>>> should return something like this:
>>>>
>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>
>>>>
>>>>
>>> This is making things even more confusing. If I enter the DNS 
>>> records, then the command nslookup clientname will provide the 
>>> correct IP address. Ping doesn't work for half of the clients but it 
>>> doesn't work even using the IP address. Seems like the firewall is 
>>> blocking it which is again really weird because I didn't make any 
>>> changes and all clients are exactly the same.
>>>
>>
>> Off topic but some of my Win 10 clients have ICMP echo blocked in the 
>> domain, some allow it. And I never even touched this setting.
>>
> To my knowledge, ping requires File and Printer Sharing on Windows. Is 
> it activated on all your clients?
>
>
>

OK, if ping is a problem, try 'nslookup member1' on the DC; it should 
return something like this:

Server:        192.168.0.6
Address:    192.168.0.6#53

Name:    member1.samdom.example.com
Address: 192.168.0.2

If it returns this:

Server:        192.168.0.6
Address:    192.168.0.6#53

** server can't find member1: NXDOMAIN

Then your DNS is up the spout, probably because the record for 'member1' 
isn't in AD.

Rowland
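
As an added illustration (not code from the thread or from Samba), a small Python script that decodes the two SDDL strings quoted in the sysvolcheck error above into English and lists where the on-disk ACL differs from the one samba-tool expected. The SID abbreviation names and the two access-mask labels are the standard Windows ones; only the tokens that occur in those two strings are mapped.

```python
import re

# Added example (not samba-tool code): decode the SDDL strings from the sysvolcheck
# error into English and list where the sysvol ACL differs from the expected one.
SID_NAMES = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
             "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
RIGHTS = {0x001F01FF: "Full control", 0x001200A9: "Read & execute"}
ACE_FLAGS = {"OI": "object inherit", "CI": "container inherit", "IO": "inherit only"}
SDDL_RE = re.compile(r"^O:(?P<owner>S-[\d-]+|[A-Z]{2})G:(?P<group>S-[\d-]+|[A-Z]{2})"
                     r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    m = SDDL_RE.match(sddl)
    if not m: raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m["aces"])]
    return {"owner": m["owner"], "group": m["group"], "flags": m["flags"], "aces": aces}

def ace_to_english(ace):
    """ACE fields are type;flags;rights;object_guid;inherit_guid;trustee."""
    typ, flags, rights, _obj, _inh, sid = ace
    inherit = [ACE_FLAGS.get(flags[i:i + 2], flags[i:i + 2]) for i in range(0, len(flags), 2)]
    mask = int(rights, 16) if rights.startswith("0x") else rights
    return "%s %s: %s (%s)" % ("Allow" if typ == "A" else "Deny", SID_NAMES.get(sid, sid),
                               RIGHTS.get(mask, rights), ", ".join(inherit) or "this object only")

def diff_sddl(actual, expected):
    """Return human-readable differences between the on-disk ACL and the expected one."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    name = lambda s: SID_NAMES.get(s, s)
    out = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            out.append("%s is %s, expected %s" % (field, name(a[field]), name(e[field])))
    if a["flags"] != e["flags"]:
        out.append("DACL flags %r, expected %r (P = protected)" % (a["flags"], e["flags"]))
    out += ["unexpected ACE: " + ace_to_english(x) for x in a["aces"] if x not in e["aces"]]
    out += ["missing ACE: " + ace_to_english(x) for x in e["aces"] if x not in a["aces"]]
    return out

# The two ACLs quoted in the thread's sysvolcheck error.
ON_DISK = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    print("\n".join(diff_sddl(ON_DISK, EXPECTED)))
```

Besides the owner and group swap discussed above, the comparison also surfaces the missing P (protected) DACL flag and a non-inheriting BUILTIN\Administrators ACE that the expected ACL does not carry.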