[Samba] Win Clients and DNS

Rowland Penny rowlandpenny241155 at gmail.com
Mon Nov 16 14:41:39 UTC 2015


On 16/11/15 14:38, Viktor Trojanovic wrote:
>
>
> On 16.11.2015 15:08, Rowland Penny wrote:
>> On 16/11/15 14:00, Viktor Trojanovic wrote:
>>>
>>>
>>> On 16.11.2015 14:44, Rowland Penny wrote:
>>>> On 16/11/15 13:25, Ole Traupe wrote:
>>>>>
>>>>>
>>>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>>>>
>>>>>>
>>>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>>>>> See replies below
>>>>>>>
>>>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following 
>>>>>>>>> error message came up:
>>>>>>>>>
>>>>>>>>> --------------------snip--------------------
>>>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught 
>>>>>>>>> exception - ProvisioningError: DB ACL on GPO directory 
>>>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup 
>>>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>>>> does not match expected value 
>>>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) 
>>>>>>>>> from GPO object
>>>>>>>>>   File 
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
>>>>>>>>> line 175, in _run
>>>>>>>>>     return self.run(*args, **kwargs)
>>>>>>>>>   File 
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 
>>>>>>>>> 249, in run
>>>>>>>>>     lp)
>>>>>>>>>   File 
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>>>>>>>> 1733, in checksysvolacl
>>>>>>>>>     direct_db_access)
>>>>>>>>>   File 
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>>>>>>>> 1684, in check_gpos_acl
>>>>>>>>>     domainsid, direct_db_access)
>>>>>>>>>   File 
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 
>>>>>>>>> 1650, in check_dir_acl
>>>>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s 
>>>>>>>>> does not match expected value %s from GPO object' % 
>>>>>>>>> (acl_type(direct_db_access), os.path.join(root, name), 
>>>>>>>>> fsacl_sddl, acl))
>>>>>>>>> --------------------snip--------------------
>>>>>>>>>
>>>>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>>>>
>>>>>>>>> Any idea what happened here? I never touched the DDD, it's 
>>>>>>>>> still on version 0, and I never did any changes to those files 
>>>>>>>>> either. I manually checked the ACL, without having made a diff 
>>>>>>>>> on it, it looks pretty much the same as the ACL on the other 
>>>>>>>>> containers.
>>>>>>>>>
>>>>>>>>> Is it safe to run sysvolreset?
>>>>>>>>>
>>>>>>>>> Viktor
>>>>>>>>>
>>>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>>>>> I guess,
>>>>>>>>>>
>>>>>>>>>> incorrect rights on your sysvol,
>>>>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>>>>> And check the share rights.
>>>>>>>>>>
>>>>>>>>>> By default this should work out of the box.
>>>>>>>>>> Did you change the sysvol rights?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Greetz,
>>>>>>>>>>
>>>>>>>>>> Louis
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> -----Original message-----
>>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole 
>>>>>>>>>>> Traupe
>>>>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>>>>
>>>>>>>>>>> Viktor, can you manually check whether you have DNS records 
>>>>>>>>>>> for your Win
>>>>>>>>>>> clients?
>>>>>>>>>>>
>>>>>>>>>>> In the DNS settings for your Win clients' network adapters 
>>>>>>>>>>> you can
>>>>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>>>>
>>>>>>>>>>> Ole
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The 
>>>>>>>>>>>> DC and the
>>>>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>>>>
>>>>>>>>>>>> In the windows event viewer, I constantly see the following 
>>>>>>>>>>>> warning:
>>>>>>>>>>>>
>>>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>> The system failed to register host (A or AAA) resource 
>>>>>>>>>>>> records (RRs)
>>>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>>>
>>>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>>>> DNS Server list:
>>>>>>>>>>>>      192.168.0.1
>>>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>>>> IP Addresses:
>>>>>>>>>>>>     192.168.0.15
>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> Is it necessary to manually make some entries in DNS for 
>>>>>>>>>>>> the client
>>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to figure out if this is connected to another 
>>>>>>>>>>>> problem I'm
>>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller 
>>>>>>>>>>>> could not
>>>>>>>>>>>> be read", and as one of the possible reasons for the error, 
>>>>>>>>>>>> name
>>>>>>>>>>>> resolution is mentioned. I can access the file just fine 
>>>>>>>>>>>> once I'm
>>>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Viktor
>>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> -- 
>>>>>>>>>>> To unsubscribe from this list go to the following URL and 
>>>>>>>>>>> read the
>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> Firstly, have you changed anything on the DC after provision? I 
>>>>>>>> don't mean adding users or groups, but anything else?
>>>>>>>>
>>>>>>>> I think if you examine what samba-tool thinks is different, you 
>>>>>>>> will find that it is only these:
>>>>>>>>
>>>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>>>
>>>>>>>> To turn these into English :-)
>>>>>>>>
>>>>>>>> O = owner
>>>>>>>> BA = BUILTIN\Administrators
>>>>>>>> G = group
>>>>>>>> DU = Domain Users
>>>>>>>> DA = Domain Administrators
>>>>>>>>
>>>>>>>> BA becoming DA is fairly common and I don't think it is relevant,
>>>>>>>> but somehow DA has become DU.
>>>>>>>>
>>>>>>> Yes, those are the ACLs I see: BA is the owner, DA has full 
>>>>>>> rights, DU can read.
>>>>>>>
>>>>>>>> That is why I asked if you have changed anything.
>>>>>>>>
>>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>>>
>>>>>>>> Now, as for whether your computers' A and PTR records need to be added 
>>>>>>>> to AD, try this on the DC:
>>>>>>>>
>>>>>>>> ping -c1 member1
>>>>>>>>
>>>>>>>> where 'member1' is the hostname of one of your workstations; it 
>>>>>>>> should return something like this:
>>>>>>>>
>>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of 
>>>>>>>> data.
>>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> This is making things even more confusing. If I enter the DNS 
>>>>>>> records, then the command nslookup clientname will provide the 
>>>>>>> correct IP address. Ping doesn't work for half of the clients, 
>>>>>>> but it doesn't work even using the IP address. Seems like the 
>>>>>>> firewall is blocking it, which is again really weird because I 
>>>>>>> didn't make any changes and all clients are exactly the same.
>>>>>>>
>>>>>>
>>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in 
>>>>>> the domain, some allow it. And I never even touched this setting.
>>>>>>
>>>>> To my knowledge, ping requires File and Printer Sharing on 
>>>>> Windows. Is it activated on all your clients?
>>>>>
>>>>>
>>>>>
>>>>
>>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it 
>>>> should return something like this:
>>>>
>>>> Server:        192.168.0.6
>>>> Address:    192.168.0.6#53
>>>>
>>>> Name:    member1.samdom.example.com
>>>> Address: 192.168.0.2
>>>>
>>>> If it returns this:
>>>>
>>>> Server:        192.168.0.6
>>>> Address:    192.168.0.6#53
>>>>
>>>> ** server can't find member1: NXDOMAIN
>>>>
>>>> Then your DNS is up the spout, probably because the record for 
>>>> 'member1' isn't in AD.
>>>>
>>>> Rowland
>>>>
>>>>
>>> It returns the expected result for all domain members, no issue here.
>>>
>>> Viktor
>>>
>>
>> OK, one final test: is the computer's record in AD?
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 
>> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub 
>> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>>
>> This (after changing the obvious) should show the DNS record for 
>> 'member1'.
>>
>> Rowland
>>
>>
> Yes, that works and returns one record.
>
> # record 1
> dn: 
> DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
> objectClass: top
> objectClass: dnsNode
> instanceType: 4
> whenCreated: 20151116123628.0Z
> whenChanged: 20151116123628.0Z
> uSNCreated: 4232
> uSNChanged: 4232
> showInAdvancedViewOnly: TRUE
> name: bh-client-3
> objectGUID: 664b9068-66ad-44b3-b88f-1a1a5909827f
> dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
>         wDataLength              : 0x0004 (4)
>         wType                    : DNS_TYPE_A (1)
>         version                  : 0x05 (5)
>         rank                     : DNS_RANK_ZONE (240)
>         flags                    : 0x0000 (0)
>         dwSerial                 : 0x00000006 (6)
>         dwTtlSeconds             : 0x00000e10 (3600)
>         dwReserved               : 0x00000000 (0)
>         dwTimeStamp              : 0x00377de4 (3636708)
>         data                     : union dnsRecordData(case 1)
>         ipv4                     : 192.168.0.13
>
> objectCategory: 
> CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
> dc: member1
> distinguishedName: 
> DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
>
> # returned 1 records
> # 1 entries
> # 0 referrals
>
>
> Viktor

Well, that proves that DNS is not the problem.

Rowland
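As an added example (not code from this thread or from Samba itself), the following Python decodes and compares the two SDDL strings from the sysvolcheck error quoted above; besides the owner and group difference discussed in the thread, it reports every other differing component (the DACL flag and any ACE present on only one side). The SID abbreviations and access-mask names are the standard Windows well-known values.

```python
import re
from collections import namedtuple

# Both SDDL strings are copied from the sysvolcheck error quoted above (on disk vs. expected).
ACTUAL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
          "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)"
          "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)"
            "(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)")

# Well-known SDDL SID abbreviations and access masks that occur in the strings above.
SID_NAMES = {"BA": "BUILTIN\\Administrators", "DA": "Domain Admins", "DU": "Domain Users",
             "EA": "Enterprise Admins", "CO": "Creator Owner", "SY": "SYSTEM",
             "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers"}
RIGHTS = {0x001f01ff: "FILE_ALL_ACCESS", 0x001200a9: "FILE_GENERIC_READ|FILE_GENERIC_EXECUTE"}
Ace = namedtuple("Ace", "type flags rights object inherit_object sid")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, set of Ace) for an O:..G:..D:.. SDDL string."""
    m = re.fullmatch(r"O:([^:]+?)G:([^:]+?)D:([^(]*)((?:\([^)]*\))*)", sddl)
    if not m:
        raise ValueError("not an SDDL string with owner, group and DACL")
    owner, group, dacl_flags, ace_text = m.groups()
    # Each ACE is "type;flags;rights;object_guid;inherit_object_guid;sid"; a wrong
    # field count makes the namedtuple constructor raise TypeError.
    aces = {Ace(*body.split(";")) for body in re.findall(r"\(([^)]*)\)", ace_text)}
    return owner, group, dacl_flags, aces

def describe(ace):
    """Render one ACE as 'type flags rights -> trustee', resolving the names we know."""
    rights = int(ace.rights, 16) if ace.rights.startswith("0x") else None
    return "%s %s %s -> %s" % (ace.type, ace.flags or "-",
                               RIGHTS.get(rights, ace.rights), SID_NAMES.get(ace.sid, ace.sid))

def diff_sddl(actual, expected):
    """List every component on which the on-disk ACL differs from the expected one."""
    a_own, a_grp, a_flg, a_aces = parse_sddl(actual)
    e_own, e_grp, e_flg, e_aces = parse_sddl(expected)
    name = lambda sid: SID_NAMES.get(sid, sid)
    findings = []
    if a_own != e_own:
        findings.append("owner: %s, expected %s" % (name(a_own), name(e_own)))
    if a_grp != e_grp:
        findings.append("group: %s, expected %s" % (name(a_grp), name(e_grp)))
    if a_flg != e_flg:   # 'P' = protected DACL: no ACEs inherited from the parent
        findings.append("dacl flags: %r, expected %r" % (a_flg, e_flg))
    findings += ["unexpected ACE: " + describe(x) for x in sorted(a_aces - e_aces)]
    findings += ["missing ACE: " + describe(x) for x in sorted(e_aces - a_aces)]
    return findings
```

Calling `diff_sddl(ACTUAL, EXPECTED)` on the thread's strings lists four findings: the owner, the group, the missing protected flag, and an extra full-control ACE for BUILTIN\Administrators.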