[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 14:00:27 UTC 2015



On 16.11.2015 14:44, Rowland Penny wrote:
> On 16/11/15 13:25, Ole Traupe wrote:
>>
>>
>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>
>>>
>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>> See replies below
>>>>
>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error 
>>>>>> message came up:
>>>>>>
>>>>>> --------------------snip--------------------
>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>> does not match expected value 
>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>> from GPO object
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 
>>>>>> 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>>>> line 249, in run
>>>>>>     lp)
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>> line 1733, in checksysvolacl
>>>>>>     direct_db_access)
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>> line 1684, in check_gpos_acl
>>>>>>     domainsid, direct_db_access)
>>>>>>   File 
>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>> line 1650, in check_dir_acl
>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does 
>>>>>> not match expected value %s from GPO object' % 
>>>>>> (acl_type(direct_db_access), os.path.join(root, name), 
>>>>>> fsacl_sddl, acl))
>>>>>> --------------------snip--------------------
>>>>>>
>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>
>>>>>> Any idea what happened here? I never touched the DDD, it's still 
>>>>>> on version 0, and I never did any changes to those files either. 
>>>>>> I manually checked the ACL without making a diff of it; it 
>>>>>> looks pretty much the same as the ACL on the other containers.
>>>>>>
>>>>>> Is it safe to run sysvolreset?
>>>>>>
>>>>>> Viktor
>>>>>>
>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>> I guess,
>>>>>>>
>>>>>>> incorrect rights on your sysvol,
>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>> And check the share rights.
>>>>>>>
>>>>>>> By default this should work out of the box.
>>>>>>> Did you change the sysvol rights?
>>>>>>>
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole 
>>>>>>>> Traupe
>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>
>>>>>>>> Viktor, can you manually check whether you have DNS records for 
>>>>>>>> your Win
>>>>>>>> clients?
>>>>>>>>
>>>>>>>> In the DNS settings for your Win clients' network adapters you can
>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>
>>>>>>>> Ole
>>>>>>>>
>>>>>>>>
>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC 
>>>>>>>>> and the
>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>
>>>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>>>> warning:
>>>>>>>>>
>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>> ------------------------------------------
>>>>>>>>> The system failed to register host (A or AAA) resource records 
>>>>>>>>> (RRs)
>>>>>>>>> for network adapter with settings:
>>>>>>>>>
>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>> Host Name: Client-PC
>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>> DNS Server list:
>>>>>>>>>      192.168.0.1
>>>>>>>>> Sent update to server: <?>
>>>>>>>>> IP Addresses:
>>>>>>>>>     192.168.0.15
>>>>>>>>> ------------------------------------------
>>>>>>>>>
>>>>>>>>> Is it necessary to manually make some entries in DNS for the 
>>>>>>>>> client
>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>
>>>>>>>>> I'm trying to figure out if this is connected to another 
>>>>>>>>> problem I'm
>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller 
>>>>>>>>> could not
>>>>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>>>>> resolution is mentioned. I can access the file just fine once I'm
>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Viktor
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> Firstly, have you changed anything on the DC after provision? I 
>>>>> don't mean adding users or groups, but anything else?
>>>>>
>>>>> I think if you examine what samba-tool thinks is different, you 
>>>>> will find that it is only these:
>>>>>
>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>
>>>>> To turn these into English :-)
>>>>>
>>>>> O = owner
>>>>> BA = BUILTIN\Administrators
>>>>> G = group
>>>>> DU = Domain Users
>>>>> DA = Domain Administrators
>>>>>
>>>>> BA becoming DA is fairly common and I don't think it is relevant, 
>>>>> but somehow DA has become DU.
>>>>>
>>>> Yes, those are the ACLs I see: BA is the owner, DA has full 
>>>> rights, DU can read.
>>>>
>>>>> That is why I asked if you have changed anything.
>>>>>
>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>
>>>>> Now, as for whether your computers' A and PTR records need to be added to 
>>>>> AD, try this on the DC:
>>>>>
>>>>> ping -c1 member1
>>>>>
>>>>> where 'member1' is the hostname of one of your workstations, it 
>>>>> should return something like this:
>>>>>
>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>
>>>>>
>>>>>
>>>> This is making things even more confusing. If I enter the DNS 
>>>> records, then the command nslookup clientname will provide the 
>>>> correct IP address. Ping doesn't work for half of the clients but 
>>>> it doesn't work even using the IP address. Seems like the firewall 
>>>> is blocking it which is again really weird because I didn't make 
>>>> any changes and all clients are exactly the same.
>>>>
>>>
>>> Off topic but some of my Win 10 clients have ICMP echo blocked in 
>>> the domain, some allow it. And I never even touched this setting.
>>>
>> To my knowledge, ping requires File and Printer Sharing on Windows. 
>> Is it activated on all your clients?
>>
>>
>>
>
> OK, if ping is a problem, try 'nslookup member1' on the DC, it should 
> return something like this:
>
> Server:        192.168.0.6
> Address:    192.168.0.6#53
>
> Name:    member1.samdom.example.com
> Address: 192.168.0.2
>
> If it returns this:
>
> Server:        192.168.0.6
> Address:    192.168.0.6#53
>
> ** server can't find member1: NXDOMAIN
>
> Then your DNS is up the spout, probably because the record for 
> 'member1' isn't in AD.
>
> Rowland
>
>
It returns the expected result for all domain members, no issue here.

Viktor
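The two SDDL strings in the sysvolcheck error, and the alias decoding Rowland gives for them, can be checked mechanically rather than by eye. The following is an added example written for this thread, not samba-tool's own code: it parses both descriptors (owner, group, DACL flags and each ACE), translates the two-letter SID aliases, inheritance flags and access masks using the standard Windows SDDL tables, and prints every field where the on-disk ACL differs from the one stored on the GPO object. The two descriptor strings are copied from the quoted error message; everything else (the alias, flag and rights tables, the function names) is this example's own.

```python
"""Decode and compare the two SDDL descriptors from a sysvolcheck mismatch.

Added example for this thread; not samba-tool's own code. The SID aliases,
ACE flags and access masks are the standard Windows SDDL constants; the two
descriptor strings are copied from the error message quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Two-letter SID aliases appearing in the thread (subset of the SDDL table).
SID_ALIASES: Dict[str, str] = {
    "BA": "BUILTIN\\Administrators",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
    "CO": "CREATOR OWNER",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Access masks seen in the thread, keyed by their lower-case hex spelling.
RIGHTS_NAMES: Dict[str, str] = {
    "0x001f01ff": "Full control (FILE_ALL_ACCESS)",
    "0x001200a9": "Read & execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE)",
}

ACE_FLAG_NAMES = {"OI": "object inherit", "CI": "container inherit",
                  "IO": "inherit only", "NP": "no propagate", "ID": "inherited"}

# O:<owner>G:<group>D:<dacl flags>(ace)(ace)...  A SACL (S:) is not handled here.
SD_RE = re.compile(
    r"^O:(?P<owner>[A-Z]{2}|S-1-[\d-]+)"
    r"G:(?P<group>[A-Z]{2}|S-1-[\d-]+)"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$"
)


def decode_ace_flags(flags: str) -> str:
    pairs = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    return ", ".join(ACE_FLAG_NAMES.get(p, p) for p in pairs) or "this folder only"


@dataclass(frozen=True)
class Ace:
    ace_type: str   # A = access allowed, D = access denied
    flags: str      # concatenated two-letter inheritance flags, e.g. "OICI"
    rights: str     # access mask as written in the SDDL (hex or alias)
    trustee: str    # SID alias or literal SID

    def describe(self) -> str:
        who = SID_ALIASES.get(self.trustee, self.trustee)
        what = RIGHTS_NAMES.get(self.rights.lower(), self.rights)
        kind = {"A": "Allow", "D": "Deny"}.get(self.ace_type, self.ace_type)
        return f"{kind} {who}: {what} [{decode_ace_flags(self.flags)}]"


@dataclass(frozen=True)
class SecurityDescriptor:
    owner: str
    group: str
    dacl_flags: str          # e.g. "P" = protected, no inheritance from parent
    aces: Tuple[Ace, ...]


def parse_ace(body: str) -> Ace:
    # ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
    fields = body.split(";")
    if len(fields) != 6:
        raise ValueError(f"malformed ACE: ({body})")
    ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
    return Ace(ace_type, flags, rights, trustee)


def parse_sddl(sddl: str) -> SecurityDescriptor:
    m = SD_RE.match(sddl.strip())
    if not m:
        raise ValueError(f"unsupported SDDL layout: {sddl!r}")
    aces = tuple(parse_ace(b) for b in re.findall(r"\(([^)]*)\)", m.group("aces")))
    return SecurityDescriptor(m.group("owner"), m.group("group"), m.group("flags"), aces)


def diff_descriptors(actual: SecurityDescriptor, expected: SecurityDescriptor) -> List[str]:
    """One line per field where the on-disk ACL differs from the GPO object's."""
    def name(alias: str) -> str:
        return SID_ALIASES.get(alias, alias)

    out: List[str] = []
    if actual.owner != expected.owner:
        out.append(f"owner: {name(actual.owner)} -> expected {name(expected.owner)}")
    if actual.group != expected.group:
        out.append(f"group: {name(actual.group)} -> expected {name(expected.group)}")
    if actual.dacl_flags != expected.dacl_flags:
        out.append(f"DACL flags: {actual.dacl_flags or '(none)'} -> expected "
                   f"{expected.dacl_flags or '(none)'}")
    # ACE order only matters once deny ACEs are present; both DACLs here are
    # allow-only, so the comparison is done on sets.
    def key(a: Ace):
        return (a.trustee, a.flags, a.rights)
    for ace in sorted(set(actual.aces) - set(expected.aces), key=key):
        out.append(f"unexpected ACE: {ace.describe()}")
    for ace in sorted(set(expected.aces) - set(actual.aces), key=key):
        out.append(f"missing ACE: {ace.describe()}")
    return out


# Copied from the sysvolcheck error quoted in the thread.
ACTUAL_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
               "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
               "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
                 "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")


def sysvol_acl_report() -> List[str]:
    return diff_descriptors(parse_sddl(ACTUAL_SDDL), parse_sddl(EXPECTED_SDDL))


if __name__ == "__main__":
    for line in sysvol_acl_report():
        print(line)
```

Running it prints four lines: the owner change (BUILTIN\Administrators to Domain Admins) and group change (Domain Users to Domain Admins) that Rowland points out, the `P` (protected) DACL flag that is present on the GPO object but missing on disk, and a non-inheriting BUILTIN\Administrators full-control ACE that exists on disk but not on the object. Parsing the descriptors this way also makes a later `sysvolcheck` run easy to audit: feed it the fresh strings and confirm the report comes back empty.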
