[Samba] Win Clients and DNS

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 14:08:04 UTC 2015


On 16/11/15 14:00, Viktor Trojanovic wrote:
>
>
> On 16.11.2015 14:44, Rowland Penny wrote:
>> On 16/11/15 13:25, Ole Traupe wrote:
>>>
>>>
>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>>
>>>>
>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>>> See replies below
>>>>>
>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error 
>>>>>>> message came up:
>>>>>>>
>>>>>>> --------------------snip--------------------
>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>> does not match expected value 
>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>> from GPO object
>>>>>>>   File 
>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>> line 175, in _run
>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", 
>>>>>>> line 249, in run
>>>>>>>     lp)
>>>>>>>   File 
>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>> line 1733, in checksysvolacl
>>>>>>>     direct_db_access)
>>>>>>>   File 
>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>> line 1684, in check_gpos_acl
>>>>>>>     domainsid, direct_db_access)
>>>>>>>   File 
>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>> line 1650, in check_dir_acl
>>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does 
>>>>>>> not match expected value %s from GPO object' % 
>>>>>>> (acl_type(direct_db_access), os.path.join(root, name), 
>>>>>>> fsacl_sddl, acl))
>>>>>>> --------------------snip--------------------
>>>>>>>
>>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>>
>>>>>>> Any idea what happened here? I never touched the DDD, it's still 
>>>>>>> on version 0, and I never did any changes to those files either. 
>>>>>>> I manually checked the ACL, without having made a diff on it, it 
>>>>>>> looks pretty much the same like the ACL on the other containers.
>>>>>>>
>>>>>>> Is it safe to run sysvolreset?
>>>>>>>
>>>>>>> Viktor
>>>>>>>
>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>>> I guess,
>>>>>>>>
>>>>>>>> incorrect rights on your sysvol,
>>>>>>>> Try: samba-tool ntacl sysvolreset
>>>>>>>> And check the share rights.
>>>>>>>>
>>>>>>>> By default this should work out of the box.
>>>>>>>> Did you change the sysvol rights?
>>>>>>>>
>>>>>>>>
>>>>>>>> Greetz,
>>>>>>>>
>>>>>>>> Louis
>>>>>>>>
>>>>>>>>
>>>>>>>>> -----Original message-----
>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole 
>>>>>>>>> Traupe
>>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>>
>>>>>>>>> Viktor, can you manually check whether you have DNS records 
>>>>>>>>> for your Win
>>>>>>>>> clients?
>>>>>>>>>
>>>>>>>>> In the DNS settings for your Win clients' network adapters you 
>>>>>>>>> can
>>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>>
>>>>>>>>> Ole
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC 
>>>>>>>>>> and the
>>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>>
>>>>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>>>>> warning:
>>>>>>>>>>
>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>> ------------------------------------------
>>>>>>>>>> The system failed to register host (A or AAA) resource 
>>>>>>>>>> records (RRs)
>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>
>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>> DNS Server list:
>>>>>>>>>>      192.168.0.1
>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>> IP Addresses:
>>>>>>>>>>     192.168.0.15
>>>>>>>>>> ------------------------------------------
>>>>>>>>>>
>>>>>>>>>> Is it necessary to manually make some entries in DNS for the 
>>>>>>>>>> client
>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>
>>>>>>>>>> I'm trying to figure out if this is connected to another 
>>>>>>>>>> problem I'm
>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller 
>>>>>>>>>> could not
>>>>>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>>>>>> resolution is mentioned. I can access the file just fine once 
>>>>>>>>>> I'm
>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Viktor
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>> Firstly, have you changed anything on the DC after provision? I 
>>>>>> don't mean adding users or groups, but anything else?
>>>>>>
>>>>>> I think if you examine what samba-tool thinks is different, you 
>>>>>> will find that it is only these:
>>>>>>
>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>
>>>>>> To turn these into English :-)
>>>>>>
>>>>>> O = owner
>>>>>> BA = BUILTIN\Administrators
>>>>>> G = group
>>>>>> DU = Domain Users
>>>>>> DA = Domain Administrators
>>>>>>
>>>>>> BA becoming DA is fairly common and I don't think is relevant
>>>>>> But somehow DA has become DU
>>>>>>
>>>>> Yes, those are the ACLs I see, BA is the owner, DA has full 
>>>>> rights, DU can read.
>>>>>
>>>>>> That is why I asked if you have changed anything.
>>>>>>
>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>
>>>>>> Now as for do your computers A and PTR records need to be added 
>>>>>> to AD, try this on the DC:
>>>>>>
>>>>>> ping -c1 member1
>>>>>>
>>>>>> where 'member1' is the hostname of one of your workstations, it 
>>>>>> should return something like this:
>>>>>>
>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>
>>>>>>
>>>>>>
>>>>> This is making things even more confusing. If I enter the DNS 
>>>>> records, then the command nslookup clientname will provide the 
>>>>> correct IP address. Ping doesn't work for half of the clients but 
>>>>> it doesn't work even using the IP address. Seems like the firewall 
>>>>> is blocking it which is again really weird because I didn't make 
>>>>> any changes and all clients are exactly the same.
>>>>>
>>>>
>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in 
>>>> the domain, some allow it. And I never even touched this setting.
>>>>
>>> To my knowledge, ping requires File and Printer Sharing on Windows. 
>>> Is it activated on all your clients?
>>>
>>>
>>>
>>
>> OK, if ping is a problem, try 'nslookup member1' on the DC, it should 
>> return something like this:
>>
>> Server:        192.168.0.6
>> Address:    192.168.0.6#53
>>
>> Name:    member1.samdom.example.com
>> Address: 192.168.0.2
>>
>> If it returns this:
>>
>> Server:        192.168.0.6
>> Address:    192.168.0.6#53
>>
>> ** server can't find member1: NXDOMAIN
>>
>> Then your DNS is up the spout, probably because the record for 
>> 'member1' isn't in AD.
>>
>> Rowland
>>
>>
> It returns the expected result for all domain members, no issue here.
>
> Viktor
>

OK, one final test, is the computer's record in AD?

ldbsearch -H /usr/local/samba/private/sam.ldb -b 
'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub 
'(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary

This (after changing the obvious) should show the DNS record for 'member1'.

Rowland
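As an added illustration of the SDDL comparison Rowland walks through above (this is example code, not from the thread or from Samba), the following parser decodes the two descriptors quoted in the sysvolcheck error and lists every difference: owner, group, the missing P (protected) flag, the extra BUILTIN\Administrators ACE and the Domain Admins ACE that the expected value lists twice. The alias and access-mask tables carry the standard SDDL meanings; the two input strings are copied verbatim from the error message.

```python
import re
from collections import Counter

# SDDL aliases and access masks that appear in the two sysvol ACLs quoted above
SID_ALIAS = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
             "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "Local System",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
RIGHTS = {0x001F01FF: "full control", 0x001200A9: "read & execute"}
# O:<owner>G:<group>D:<dacl flags>(ace)(ace)... optionally followed by S:<sacl>
SD_RE = re.compile(r"^O:(?P<owner>.+?)G:(?P<group>.+?)D:(?P<flags>[A-Z]*)"
                   r"(?P<aces>(?:\([^)]*\))*)(?:S:.*)?$")

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and a tuple of ACEs."""
    m = SD_RE.match(sddl)
    if m is None:
        raise ValueError("unparseable SDDL: %r" % sddl)
    aces = tuple(tuple(a.split(";")) for a in re.findall(r"\(([^)]*)\)", m["aces"]))
    return {"owner": m["owner"], "group": m["group"], "flags": m["flags"], "aces": aces}

def describe_ace(ace):
    kind, flags, rights, _obj, _inh_obj, sid = ace  # type;flags;rights;objguid;inhguid;sid
    inherit = [flags[i:i + 2] for i in range(0, len(flags), 2)]  # OI, CI, IO, ...
    what = RIGHTS.get(int(rights, 16), rights) if rights.startswith("0x") else rights
    return "%s %s %s [%s]" % ("allow" if kind == "A" else kind, SID_ALIAS.get(sid, sid),
                              what, ",".join(inherit) or "no inheritance")

def diff_sddl(actual, expected):
    """List the ways `actual` deviates from `expected`; an empty list means they match."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    findings = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            findings.append("%s is %s, expected %s" % (
                field, SID_ALIAS.get(a[field], a[field]), SID_ALIAS.get(e[field], e[field])))
    if "P" in e["flags"] and "P" not in a["flags"]:
        findings.append("DACL is not protected (P): ACEs can be inherited from the parent")
    # Multiset diff, because the expected descriptor lists the Domain Admins ACE twice
    for ace, n in (Counter(a["aces"]) - Counter(e["aces"])).items():
        findings.append("unexpected ACE x%d: %s" % (n, describe_ace(ace)))
    for ace, n in (Counter(e["aces"]) - Counter(a["aces"])).items():
        findings.append("missing ACE x%d: %s" % (n, describe_ace(ace)))
    return findings

# The two descriptors quoted from the sysvolcheck error above
ACTUAL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;"
          "0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;"
            "0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
```

Calling diff_sddl(ACTUAL, EXPECTED) returns five findings; the ACE diff is a multiset diff, so ACE order (which Windows does care about) is not checked.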



