[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 14:38:03 UTC 2015



On 16.11.2015 15:08, Rowland Penny wrote:
> On 16/11/15 14:00, Viktor Trojanovic wrote:
>>
>>
>> On 16.11.2015 14:44, Rowland Penny wrote:
>>> On 16/11/15 13:25, Ole Traupe wrote:
>>>>
>>>>
>>>>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>>>
>>>>>
>>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>>>> See replies below
>>>>>>
>>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following 
>>>>>>>> error message came up:
>>>>>>>>
>>>>>>>> --------------------snip--------------------
>>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>>> does not match expected value 
>>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>>> from GPO object
>>>>>>>>   File 
>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>>> line 175, in _run
>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>   File 
>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
>>>>>>>> 249, in run
>>>>>>>>     lp)
>>>>>>>>   File 
>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>>> line 1733, in checksysvolacl
>>>>>>>>     direct_db_access)
>>>>>>>>   File 
>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>>> line 1684, in check_gpos_acl
>>>>>>>>     domainsid, direct_db_access)
>>>>>>>>   File 
>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", 
>>>>>>>> line 1650, in check_dir_acl
>>>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does 
>>>>>>>> not match expected value %s from GPO object' % 
>>>>>>>> (acl_type(direct_db_access), os.path.join(root, name), 
>>>>>>>> fsacl_sddl, acl))
>>>>>>>> --------------------snip--------------------
>>>>>>>>
>>>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>>>
>>>>>>>> Any idea what happened here? I never touched the DDD, it's 
>>>>>>>> still on version 0, and I never did any changes to those files 
>>>>>>>> either. I manually checked the ACL, without having made a diff 
>>>>>>>> on it, it looks pretty much the same like the ACL on the other 
>>>>>>>> containers.
>>>>>>>>
>>>>>>>> Is it safe to run sysvolreset?
>>>>>>>>
>>>>>>>> Viktor
>>>>>>>>
>>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>>>> I guess,
>>>>>>>>>
>>>>>>>>> incorrect rights on your sysvol,
>>>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>>>> And check the share rights.
>>>>>>>>>
>>>>>>>>> By default this should work out of the box.
>>>>>>>>> Did you change the sysvol rights?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Greetz,
>>>>>>>>>
>>>>>>>>> Louis
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> -----Original message-----
>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole 
>>>>>>>>>> Traupe
>>>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>>>
>>>>>>>>>> Viktor, can you manually check whether you have DNS records 
>>>>>>>>>> for your Win
>>>>>>>>>> clients?
>>>>>>>>>>
>>>>>>>>>> In the DNS settings for your Win clients' network adapters 
>>>>>>>>>> you can
>>>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>>>
>>>>>>>>>> Ole
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The 
>>>>>>>>>>> DC and the
>>>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>>>
>>>>>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>>>>>> warning:
>>>>>>>>>>>
>>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>> The system failed to register host (A or AAAA) resource 
>>>>>>>>>>> records (RRs)
>>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>>
>>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>>> DNS Server list:
>>>>>>>>>>>      192.168.0.1
>>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>>> IP Addresses:
>>>>>>>>>>>     192.168.0.15
>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> Is it necessary to manually make some entries in DNS for the 
>>>>>>>>>>> client
>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to figure out if this is connected to another 
>>>>>>>>>>> problem I'm
>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller 
>>>>>>>>>>> could not
>>>>>>>>>>> be read", and as one of the possible reasons for the error, 
>>>>>>>>>>> name
>>>>>>>>>>> resolution is mentioned. I can access the file just fine 
>>>>>>>>>>> once I'm
>>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Viktor
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>> read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Firstly, have you changed anything on the DC after provision? I 
>>>>>>> don't mean adding users or groups, but anything else?
>>>>>>>
>>>>>>> I think if you examine what samba-tool thinks is different, you 
>>>>>>> will find that it is only these:
>>>>>>>
>>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>>
>>>>>>> To turn these into English :-)
>>>>>>>
>>>>>>> O = owner
>>>>>>> BA = BUILTIN\Administrators
>>>>>>> G = group
>>>>>>> DU = Domain Users
>>>>>>> DA = Domain Administrators
>>>>>>>
>>>>>>> BA becoming DA is fairly common and I don't think it is relevant,
>>>>>>> but somehow DA has become DU.
>>>>>>>
>>>>>> Yes, those are the ACLs I see: BA is the owner, DA has full 
>>>>>> rights, DU can read.
>>>>>>
>>>>>>> That is why I asked if you have changed anything.
>>>>>>>
>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>>
>>>>>>> Now as for do your computers A and PTR records need to be added 
>>>>>>> to AD, try this on the DC:
>>>>>>>
>>>>>>> ping -c1 member1
>>>>>>>
>>>>>>> where 'member1' is the hostname of one of your workstations, it 
>>>>>>> should return something like this:
>>>>>>>
>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> This is making things even more confusing. If I enter the DNS 
>>>>>> records, then the command nslookup clientname will provide the 
>>>>>> correct IP address. Ping doesn't work for half of the clients, but 
>>>>>> it doesn't work even using the IP address. It seems like the 
>>>>>> firewall is blocking it, which is again really weird because I 
>>>>>> didn't make any changes and all clients are exactly the same.
>>>>>>
>>>>>
>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in 
>>>>> the domain, some allow it. And I never even touched this setting.
>>>>>
>>>> To my knowledge, ping requires File and Printer Sharing on Windows. 
>>>> Is it activated on all your clients?
>>>>
>>>>
>>>>
>>>
>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it 
>>> should return something like this:
>>>
>>> Server:        192.168.0.6
>>> Address:    192.168.0.6#53
>>>
>>> Name:    member1.samdom.example.com
>>> Address: 192.168.0.2
>>>
>>> If it returns this:
>>>
>>> Server:        192.168.0.6
>>> Address:    192.168.0.6#53
>>>
>>> ** server can't find member1: NXDOMAIN
>>>
>>> Then your DNS is up the spout, probably because the record for 
>>> 'member1' isn't in AD.
>>>
>>> Rowland
>>>
>>>
>> It returns the expected result for all domain members, no issue here.
>>
>> Viktor
>>
>
> OK, one final test: is the computer's record in AD?
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b 
> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub 
> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>
> this (after changing the obvious) should show the dns record for 
> 'member1'
>
> Rowland
>
>
Yes, that works and returns one record.

# record 1
dn: DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151116123628.0Z
whenChanged: 20151116123628.0Z
uSNCreated: 4232
uSNChanged: 4232
showInAdvancedViewOnly: TRUE
name: bh-client-3
objectGUID: 664b9068-66ad-44b3-b88f-1a1a5909827f
dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
         wDataLength              : 0x0004 (4)
         wType                    : DNS_TYPE_A (1)
         version                  : 0x05 (5)
         rank                     : DNS_RANK_ZONE (240)
         flags                    : 0x0000 (0)
         dwSerial                 : 0x00000006 (6)
         dwTtlSeconds             : 0x00000e10 (3600)
         dwReserved               : 0x00000000 (0)
         dwTimeStamp              : 0x00377de4 (3636708)
         data                     : union dnsRecordData(case 1)
         ipv4                     : 192.168.0.13

objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: member1
distinguishedName: DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals


Viktor
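Added example (not part of the thread or of samba-tool): the two SDDL descriptors in the sysvolcheck traceback quoted above are long enough that eyeballing them misses things, so this small Python script parses both, expands the well-known SID aliases Rowland decoded by hand, and reports every field that differs. The two descriptor strings are copied verbatim from the traceback; the alias table is a subset of the standard SDDL aliases and the function names are my own.

```python
import re

# Subset of the well-known SDDL SID aliases (MS-DTYP). Only the ones that
# appear in the two descriptors from the traceback are listed.
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "DA": "Domain Admins",
    "EA": "Enterprise Admins",
    "DU": "Domain Users",
    "CO": "Creator Owner",
    "SY": "Local System",
    "AU": "Authenticated Users",
    "ED": "Enterprise Domain Controllers",
}

# Copied from the sysvolcheck error above: ACTUAL is what is on the
# filesystem, EXPECTED is what the GPO object in AD says it should be.
ACTUAL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Top-level components are O:, G:, D: and S:. Aliases and ACEs never contain a
# colon, so a component runs until the next "<letter>:" or end of string.
COMPONENT_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL control flags and ACE tuples."""
    result = {"owner": None, "group": None, "dacl_flags": "", "aces": []}
    for tag, body in COMPONENT_RE.findall(sddl):
        if tag == "O":
            result["owner"] = body
        elif tag == "G":
            result["group"] = body
        elif tag == "D":
            paren = body.find("(")
            # Anything before the first ACE is a DACL control flag, e.g. "P"
            # (protected: inheritance from the parent is blocked).
            result["dacl_flags"] = body if paren < 0 else body[:paren]
            for ace in ACE_RE.findall(body):
                # ace_type;ace_flags;rights;object_guid;inherit_object_guid;sid
                ace_type, ace_flags, rights, _obj, _inh, sid = ace.split(";")[:6]
                result["aces"].append((ace_type, ace_flags, int(rights, 16), sid))
    return result


def ace_to_sddl(ace):
    """Render an ACE tuple back in the (type;flags;rights;;;sid) form."""
    ace_type, ace_flags, rights, sid = ace
    return "(%s;%s;0x%08x;;;%s)" % (ace_type, ace_flags, rights, sid)


def diff_sddl(actual, expected):
    """Return a list of human-readable ways in which `actual` deviates from `expected`."""
    a, e = parse_sddl(actual), parse_sddl(expected)
    diffs = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            diffs.append("%s: %s (%s), expected %s (%s)" % (
                field, a[field], SID_ALIASES.get(a[field], "?"),
                e[field], SID_ALIASES.get(e[field], "?")))
    if a["dacl_flags"] != e["dacl_flags"]:
        diffs.append("dacl flags: %r, expected %r" % (a["dacl_flags"], e["dacl_flags"]))
    # Compare the ACE lists as a multiset: the expected DACL may legitimately
    # repeat an ACE, so each actual ACE is matched against one expected ACE.
    remaining = list(e["aces"])
    for ace in a["aces"]:
        if ace in remaining:
            remaining.remove(ace)
        else:
            diffs.append("unexpected ACE: " + ace_to_sddl(ace))
    for ace in remaining:
        diffs.append("missing ACE: " + ace_to_sddl(ace))
    return diffs


if __name__ == "__main__":
    for line in diff_sddl(ACTUAL, EXPECTED):
        print(line)
```

Run against the two strings from the traceback it reports five differences, not two: owner BA instead of DA, group DU instead of DA, the missing P (protected) flag on the DACL, an extra non-inheriting full-control ACE for BUILTIN\Administrators, and the absence of the second Domain Admins ACE that the GPO object carries. The owner/group mismatch is what sysvolreset would put back; the script is only a reading aid for the error message and changes nothing on disk.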