[Samba] Win Clients and DNS

L.P.H. van Belle belle at bazuin.nl
Mon Nov 16 14:19:27 UTC 2015


Victor, 

Do a simple test. 
From the PC which is not working correctly.

Ping member1
Ping member1.fqdn 

Do both resolve? Or only one, and if so, which one?


Greetz, 

Louis



> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 16 November 2015 15:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS
> 
> On 16/11/15 14:00, Viktor Trojanovic wrote:
> >
> >
> > On 16.11.2015 14:44, Rowland Penny wrote:
> >> On 16/11/15 13:25, Ole Traupe wrote:
> >>>
> >>>
> >>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
> >>>>
> >>>>
> >>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
> >>>>> See replies below
> >>>>>
> >>>>> On 16.11.2015 12:39, Rowland Penny wrote:
> >>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
> >>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
> >>>>>>> message came up:
> >>>>>>>
> >>>>>>> --------------------snip--------------------
> >>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >>>>>>> exception - ProvisioningError: DB ACL on GPO directory
> >>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
> >>>>>>>
> >>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>>>>> does not match expected value
> >>>>>>>
> >>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>>>>> from GPO object
> >>>>>>>   File
> >>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>>>>> line 175, in _run
> >>>>>>>     return self.run(*args, **kwargs)
> >>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >>>>>>> line 249, in run
> >>>>>>>     lp)
> >>>>>>>   File
> >>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>> line 1733, in checksysvolacl
> >>>>>>>     direct_db_access)
> >>>>>>>   File
> >>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>> line 1684, in check_gpos_acl
> >>>>>>>     domainsid, direct_db_access)
> >>>>>>>   File
> >>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>> line 1650, in check_dir_acl
> >>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does
> >>>>>>> not match expected value %s from GPO object' %
> >>>>>>> (acl_type(direct_db_access), os.path.join(root, name),
> >>>>>>> fsacl_sddl, acl))
> >>>>>>> --------------------snip--------------------
> >>>>>>>
> >>>>>>> The GPO directory in question is the Default Domain Policy.
> >>>>>>>
> >>>>>>> Any idea what happened here? I never touched the DDD, it's still
> >>>>>>> on version 0, and I never did any changes to those files either.
> >>>>>>> I manually checked the ACL, without having made a diff on it, it
> >>>>>>> looks pretty much the same like the ACL on the other containers.
> >>>>>>>
> >>>>>>> Is it safe to run sysvolreset?
> >>>>>>>
> >>>>>>> Viktor
> >>>>>>>
> >>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
> >>>>>>>> I guess,
> >>>>>>>>
> >>>>>>>> incorrect rights on your sysvol,
> >>>>>>>> Try: samba-tool ntacl sysvolreset
> >>>>>>>> And check the share rights.
> >>>>>>>>
> >>>>>>>> By default this should work out of the box.
> >>>>>>>> Did you change the sysvol rights?
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> Greetz,
> >>>>>>>>
> >>>>>>>> Louis
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>> -----Original message-----
> >>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole
> >>>>>>>>> Traupe
> >>>>>>>>> Sent: Monday 16 November 2015 9:25
> >>>>>>>>> To: samba at lists.samba.org
> >>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
> >>>>>>>>>
> >>>>>>>>> Viktor, can you manually check whether you have DNS records
> >>>>>>>>> for your Win
> >>>>>>>>> clients?
> >>>>>>>>>
> >>>>>>>>> In the DNS settings for your Win clients' network adapters you
> >>>>>>>>> can
> >>>>>>>>> uncheck that the current address shall be registered in DNS.
> >>>>>>>>>
> >>>>>>>>> Ole
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
> >>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
> >>>>>>>>>> and the
> >>>>>>>>>> clients all have a fixed IPv4 address.
> >>>>>>>>>>
> >>>>>>>>>> In the windows event viewer, I constantly see the following
> >>>>>>>>>> warning:
> >>>>>>>>>>
> >>>>>>>>>> Event 8019, DNS Client Events
> >>>>>>>>>> ------------------------------------------
> >>>>>>>>>> The system failed to register host (A or AAA) resource
> >>>>>>>>>> records (RRs)
> >>>>>>>>>> for network adapter with settings:
> >>>>>>>>>>
> >>>>>>>>>> Adapter Name: {someGUID}
> >>>>>>>>>> Host Name: Client-PC
> >>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
> >>>>>>>>>> DNS Server list:
> >>>>>>>>>>      192.168.0.1
> >>>>>>>>>> Sent update to server: <?>
> >>>>>>>>>> IP Addresses:
> >>>>>>>>>>     192.168.0.15
> >>>>>>>>>> ------------------------------------------
> >>>>>>>>>>
> >>>>>>>>>> Is it necessary to manually make some entries in DNS for the
> >>>>>>>>>> client
> >>>>>>>>>> machines? I didn't see anything about that in the Wiki.
> >>>>>>>>>>
> >>>>>>>>>> I'm trying to figure out if this is connected to another
> >>>>>>>>>> problem I'm
> >>>>>>>>>> facing. A machine based GPO is not executed because "the file
> >>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller
> >>>>>>>>>> could not
> >>>>>>>>>> be read", and as one of the possible reasons for the error, name
> >>>>>>>>>> resolution is mentioned. I can access the file just fine once
> >>>>>>>>>> I'm
> >>>>>>>>>> logged in so I really don't know what the issue is here.
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> Viktor
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> --
> >>>>>>>>> To unsubscribe from this list go to the following URL and read
> >>>>>>>>> the
> >>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> Firstly, have you changed anything on the DC after provision? I
> >>>>>> don't mean adding users or groups, but anything else?
> >>>>>>
> >>>>>> I think if you examine what samba-tool thinks is different, you
> >>>>>> will find that it is only these:
> >>>>>>
> >>>>>> O:BAG:DUD and O:DAG:DAD
> >>>>>>
> >>>>>> To turn these into English :-)
> >>>>>>
> >>>>>> O = owner
> >>>>>> BA = BUILTIN\Administrators
> >>>>>> G = group
> >>>>>> DU = Domain Users
> >>>>>> DA = Domain Administrators
> >>>>>>
> >>>>>> BA becoming DA is fairly common and I don't think is relevant
> >>>>>> But somehow DA has become DU
> >>>>>>
> >>>>> Yes, those are the ACLs I see, BA is the owner, DA has full
> >>>>> rights, DU can read.
> >>>>>
> >>>>>> That is why I asked if you have changed anything.
> >>>>>>
> >>>>> No, I haven't. Please also check my new thread about the ACL issue.
> >>>>>
> >>>>>> Now as for do your computers A and PTR records need to be added
> >>>>>> to AD, try this on the DC:
> >>>>>>
> >>>>>> ping -c1 member1
> >>>>>>
> >>>>>> where 'member1' is the hostname of one of your workstations, it
> >>>>>> should return something like this:
> >>>>>>
> >>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
> >>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>> This is making things even more confusing... if I enter the DNS
> >>>>> records, then the command nslookup clientname will provide the
> >>>>> correct IP address. Ping doesn't work for half of the clients but
> >>>>> it doesn't work even using the IP address. Seems like the firewall
> >>>>> is blocking it which is again really weird because I didn't make
> >>>>> any changes and all clients are exactly the same.
> >>>>>
> >>>>
> >>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
> >>>> the domain, some allow it. And I never even touched this setting.
> >>>>
> >>> To my knowledge, ping requires File and Printer Sharing on Windows.
> >>> Is it activated on all your clients?
> >>>
> >>>
> >>>
> >>
> >> OK, if ping is a problem, try 'nslookup member1' on the DC, it should
> >> return something like this:
> >>
> >> Server:        192.168.0.6
> >> Address:    192.168.0.6#53
> >>
> >> Name:    member1.samdom.example.com
> >> Address: 192.168.0.2
> >>
> >> If it returns this:
> >>
> >> Server:        192.168.0.6
> >> Address:    192.168.0.6#53
> >>
> >> ** server can't find member1: NXDOMAIN
> >>
> >> Then your DNS is up the spout, probably because the record for
> >> 'member1' isn't in AD.
> >>
> >> Rowland
> >>
> >>
> > It returns the expected result for all domain members, no issue here.
> >
> > Viktor
> >
> 
> OK, one final test, is the computers record in AD?
> 
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
> 
> this (after changing the obvious) should show the dns record for 'member1'
> 
> Rowland
> 
> 
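To make the comparison Rowland walks through above reproducible, here is an added Python example (my own code, not from the thread, from samba-tool or from Samba) that parses the two SDDL strings the sysvolcheck trace printed and reports every component that differs, not only owner and group. The two descriptors are copied from the trace; the parser is an assumption of mine and only handles the O:/G:/D: parts and the ACE fields shown there.

```python
import re
from collections import Counter

# The two descriptors quoted in the samba-tool ntacl sysvolcheck trace above
# (actual on-disk ACL first, expected value from the GPO object second).
ACTUAL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*);([^;)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and ACE list.

    Returns (owner, group, dacl_flags, aces) where each ACE is a
    (type, flags, rights, trustee) tuple.  ':' only ever follows a
    component letter (O, G, D, S) in SDDL, so splitting on it is safe;
    an S: (SACL) part is parsed but not returned.
    """
    parts = re.split(r"([OGDS]):", sddl)
    comp = dict(zip(parts[1::2], parts[2::2]))
    dacl = comp.get("D", "")
    flags = dacl.split("(", 1)[0]          # e.g. 'P' (protected), 'AI', or ''
    aces = [(t, f, r, who) for t, f, r, _, _, who in ACE_RE.findall(dacl)]
    return comp.get("O"), comp.get("G"), flags, aces


def diff_sddl(actual, expected):
    """Report each way two security descriptors differ (None = identical)."""
    ao, ag, af, aa = parse_sddl(actual)
    eo, eg, ef, ea = parse_sddl(expected)
    a_cnt, e_cnt = Counter(aa), Counter(ea)   # multiset: a trustee may repeat
    return {
        "owner": None if ao == eo else (ao, eo),
        "group": None if ag == eg else (ag, eg),
        "dacl_flags": None if af == ef else (af, ef),
        "aces_only_actual": sorted((a_cnt - e_cnt).elements()),
        "aces_only_expected": sorted((e_cnt - a_cnt).elements()),
    }


if __name__ == "__main__":
    for key, value in diff_sddl(ACTUAL, EXPECTED).items():
        print(f"{key}: {value}")
```

Run on the two strings from the trace it shows that besides the owner (BA vs DA) and group (DU vs DA), the expected descriptor carries the P (protected) DACL flag and a second full-control ACE for DA where the on-disk one has a non-inheriting ACE for BA.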
