[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 14:45:23 UTC 2015



On 16.11.2015 15:19, L.P.H. van Belle wrote:
> Viktor,
>
> Do a simple test.
> From the PC which is not working correctly.
>
> Ping member1
> Ping member1.fqdn
>
> Do both resolve? Or only 1 and if 1 which one.
>
>
> Greetz,
>
> Louis

Just as a side note, I am getting the DNS register warning message on 
*all* win clients, not just that one.

And yes, both pings resolve.

Viktor

>
>
>> -----Original message-----
>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>> Sent: Monday, 16 November 2015 15:08
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] Win Clients and DNS
>>
>> On 16/11/15 14:00, Viktor Trojanovic wrote:
>>>
>>> On 16.11.2015 14:44, Rowland Penny wrote:
>>>> On 16/11/15 13:25, Ole Traupe wrote:
>>>>>
>>>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>>>>
>>>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>>>>> See replies below
>>>>>>>
>>>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
>>>>>>>>> message came up:
>>>>>>>>>
>>>>>>>>> --------------------snip--------------------
>>>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>>>>>>>>> exception - ProvisioningError: DB ACL on GPO directory
>>>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
>>>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>>>>> does not match expected value
>>>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>>>>> from GPO object
>>>>>>>>>    File
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>>>>> line 175, in _run
>>>>>>>>>      return self.run(*args, **kwargs)
>>>>>>>>>    File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>>>>>>> line 249, in run
>>>>>>>>>      lp)
>>>>>>>>>    File
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>> line 1733, in checksysvolacl
>>>>>>>>>      direct_db_access)
>>>>>>>>>    File
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>> line 1684, in check_gpos_acl
>>>>>>>>>      domainsid, direct_db_access)
>>>>>>>>>    File
>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>> line 1650, in check_dir_acl
>>>>>>>>>      raise ProvisioningError('%s ACL on GPO directory %s %s does
>>>>>>>>> not match expected value %s from GPO object' %
>>>>>>>>> (acl_type(direct_db_access), os.path.join(root, name),
>>>>>>>>> fsacl_sddl, acl))
>>>>>>>>> --------------------snip--------------------
>>>>>>>>>
>>>>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>>>>
>>>>>>>>> Any idea what happened here? I never touched the DDD, it's still
>>>>>>>>> on version 0, and I never did any changes to those files either.
>>>>>>>>> I manually checked the ACL, without having made a diff on it, it
>>>>>>>>> looks pretty much the same like the ACL on the other containers.
>>>>>>>>>
>>>>>>>>> Is it safe to run sysvolreset?
>>>>>>>>>
>>>>>>>>> Viktor
>>>>>>>>>
>>>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>>>>> I guess,
>>>>>>>>>>
>>>>>>>>>> incorrect rights on your sysvol,
>>>>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>>>>> And check the share rights.
>>>>>>>>>>
>>>>>>>>>> By default this should work out of the box.
>>>>>>>>>> Did you change the sysvol rights?
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Greetz,
>>>>>>>>>>
>>>>>>>>>> Louis
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>> -----Original message-----
>>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole
>>>>>>>>>>> Traupe
>>>>>>>>>>> Sent: Monday, 16 November 2015 9:25
>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>>>>
>>>>>>>>>>> Viktor, can you manually check whether you have DNS records
>>>>>>>>>>> for your Win
>>>>>>>>>>> clients?
>>>>>>>>>>>
>>>>>>>>>>> In the DNS settings for your Win clients' network adapters you
>>>>>>>>>>> can
>>>>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>>>>
>>>>>>>>>>> Ole
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
>>>>>>>>>>>> and the
>>>>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>>>>
>>>>>>>>>>>> In the windows event viewer, I constantly see the following
>>>>>>>>>>>> warning:
>>>>>>>>>>>>
>>>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>> The system failed to register host (A or AAAA) resource
>>>>>>>>>>>> records (RRs)
>>>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>>>
>>>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>>>> DNS Server list:
>>>>>>>>>>>>       192.168.0.1
>>>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>>>> IP Addresses:
>>>>>>>>>>>>      192.168.0.15
>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>>
>>>>>>>>>>>> Is it necessary to manually make some entries in DNS for the
>>>>>>>>>>>> client
>>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>>>
>>>>>>>>>>>> I'm trying to figure out if this is connected to another
>>>>>>>>>>>> problem I'm
>>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller
>>>>>>>>>>>> could not
>>>>>>>>>>>> be read", and as one of the possible reasons for the error,
>> name
>>>>>>>>>>>> resolution is mentioned. I can access the file just fine once
>>>>>>>>>>>> I'm
>>>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>> Viktor
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>>>> the
>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>>
>>>>>>>>>
>>>>>>>> Firstly, have you changed anything on the DC after provision? I
>>>>>>>> don't mean adding users or groups, but anything else?
>>>>>>>>
>>>>>>>> I think if you examine what samba-tool thinks is different, you
>>>>>>>> will find that it is only these:
>>>>>>>>
>>>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>>>
>>>>>>>> To turn these into English :-)
>>>>>>>>
>>>>>>>> O = owner
>>>>>>>> BA = BUILTIN\Administrators
>>>>>>>> G = group
>>>>>>>> DU = Domain Users
>>>>>>>> DA = Domain Administrators
>>>>>>>>
>>>>>>>> BA becoming DA is fairly common and I don't think is relevant
>>>>>>>> But somehow DA has become DU
>>>>>>>>
>>>>>>> Yes, those are the ACL's I see, BA is the owner, DA has full
>>>>>>> rights, DU can read.
>>>>>>>
>>>>>>>> That is why I asked if you have changed anything.
>>>>>>>>
>>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>>>
>>>>>>>> Now as for do your computers A and PTR records need to be added
>>>>>>>> to AD, try this on the DC:
>>>>>>>>
>>>>>>>> ping -c1 member1
>>>>>>>>
>>>>>>>> where 'member1' is the hostname of one of your workstations, it
>>>>>>>> should return something like this:
>>>>>>>>
>>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>> This is making things even more confusing.. if I enter the DNS
>>>>>>> records, then the command nslookup clientname will provide the
>>>>>>> correct IP address. Ping doesn't work for half of the clients but
>>>>>>> it doesn't work even using the IP address. Seems like the firewall
>>>>>>> is blocking it which is again really weird because I didn't make
>>>>>>> any changes and all clients are exactly the same.
>>>>>>>
>>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
>>>>>> the domain, some allow it. And I never even touched this setting.
>>>>>>
>>>>> To my knowledge, ping requires File and Printer Sharing on Windows.
>>>>> Is it activated on all your clients?
>>>>>
>>>>>
>>>>>
>>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it should
>>>> return something like this:
>>>>
>>>> Server:        192.168.0.6
>>>> Address:    192.168.0.6#53
>>>>
>>>> Name:    member1.samdom.example.com
>>>> Address: 192.168.0.2
>>>>
>>>> If it returns this:
>>>>
>>>> Server:        192.168.0.6
>>>> Address:    192.168.0.6#53
>>>>
>>>> ** server can't find member1: NXDOMAIN
>>>>
>>>> Then your DNS is up the spout, probably because the record for
>>>> 'member1' isn't in AD.
>>>>
>>>> Rowland
>>>>
>>>>
>>> It returns the expected result for all domain members, no issue here.
>>>
>>> Viktor
>>>
>> OK, one final test, is the computers record in AD?
>>
>> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>>
>> this (after changing the obvious) should show the dns record for 'member1'
>>
>> Rowland
>>
>>
>
>

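The sysvolcheck error quoted in this thread prints two whole SDDL blobs because samba's check_dir_acl compares the on-disk descriptor and the one derived from the GPO object as plain strings, so the message never says which component is off. The following is an added example, not part of the thread and not Samba's own code: a small SDDL parser plus a diff that splits each descriptor into owner, group, DACL/SACL flags and ACEs and reports only the differences. The two SDDL strings are copied from the traceback above; SID_ALIASES is a subset of the well-known SDDL abbreviations, and all function and variable names are the example's own.

```python
"""Diff two SDDL security descriptors component by component.

samba-tool ntacl sysvolcheck compares the on-disk SDDL with the one derived
from the GPO object as two strings, so its error shows both blobs but not
which part differs. This splits each into owner, group, DACL/SACL flags and
ACEs and reports the differences. Requires Python 3.7+ (zero-width re.split).
"""
import re
from collections import Counter

# Well-known two-letter SID aliases (a subset of the SDDL alias table).
SID_ALIASES = {
    "BA": "BUILTIN\\Administrators",
    "SY": "NT AUTHORITY\\SYSTEM",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "ED": "ENTERPRISE DOMAIN CONTROLLERS",
    "CO": "CREATOR OWNER",
    "DA": "Domain Admins",
    "DU": "Domain Users",
    "EA": "Enterprise Admins",
}

# Copied from the sysvolcheck traceback in the thread: the on-disk (DB) ACL
# and the value expected from the Default Domain Policy GPO object.
ON_DISK_SDDL = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
                "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                "(A;OICI;0x001200a9;;;ED)")
EXPECTED_SDDL = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
                 "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
                 "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
                 "(A;OICI;0x001200a9;;;ED)")

# A section marker is a letter followed by ':'; ACE bodies never contain ':',
# so splitting on this lookahead cannot cut inside an ACE.
_SECTION_SPLIT = re.compile(r"(?=[OGDS]:)")
_ACE = re.compile(r"\(([^)]*)\)")


def parse_sddl(sddl):
    """Return a dict with owner, group, dacl_flags, dacl, sacl_flags, sacl.

    ACEs are 6-tuples (type, flags, rights, object_guid, inherit_guid, sid).
    Conditional ACEs (7 fields) are rejected; this example does not need them.
    """
    desc = {"owner": None, "group": None,
            "dacl_flags": "", "dacl": [], "sacl_flags": "", "sacl": []}
    for part in _SECTION_SPLIT.split(sddl):
        if not part:
            continue
        key, value = part[0], part[2:]
        if key == "O":
            desc["owner"] = value
        elif key == "G":
            desc["group"] = value
        else:
            name = "dacl" if key == "D" else "sacl"
            first = value.find("(")
            desc[name + "_flags"] = value if first < 0 else value[:first]
            aces = []
            for body in _ACE.findall(value):
                fields = tuple(body.split(";"))
                if len(fields) != 6:
                    raise ValueError("unsupported ACE: (%s)" % body)
                aces.append(fields)
            desc[name] = aces
    return desc


def sid_name(sid):
    """Expand a two-letter alias; raw S-1-... SIDs are returned unchanged."""
    return SID_ALIASES.get(sid, sid)


def ace_str(ace):
    ace_type, flags, rights, obj, inh, sid = ace
    return "(%s;%s;%s;%s;%s;%s)" % (ace_type, flags, rights, obj, inh, sid_name(sid))


def diff_sddl(actual, expected):
    """List the differences between two descriptors (empty list == identical).

    ACEs are compared as multisets so a duplicated ACE shows up as a count
    difference; if the multisets match but the order does not, that is
    reported too, because ACE order matters once deny ACEs are involved.
    """
    a, e = parse_sddl(actual), parse_sddl(expected)
    out = []
    for field in ("owner", "group"):
        if a[field] != e[field]:
            out.append("%s: %s (actual) vs %s (expected)"
                       % (field, sid_name(a[field]), sid_name(e[field])))
    for acl in ("dacl", "sacl"):
        if a[acl + "_flags"] != e[acl + "_flags"]:
            out.append("%s flags: %r (actual) vs %r (expected)"
                       % (acl, a[acl + "_flags"], e[acl + "_flags"]))
        ca, ce = Counter(a[acl]), Counter(e[acl])
        for ace, n in (ca - ce).items():
            out.append("%s ACE only in actual (x%d): %s" % (acl, n, ace_str(ace)))
        for ace, n in (ce - ca).items():
            out.append("%s ACE only in expected (x%d): %s" % (acl, n, ace_str(ace)))
        if ca == ce and a[acl] != e[acl]:
            out.append("%s: same ACEs, different order" % acl)
    return out


if __name__ == "__main__":
    for line in diff_sddl(ON_DISK_SDDL, EXPECTED_SDDL):
        print(line)
```

For the two strings from the thread this reports five differences: owner BA vs DA, group DU vs DA, the DACL flag P (SE_DACL_PROTECTED, i.e. inheritance from the parent blocked) present only in the expected value, one (A;;0x001f01ff;;;BA) ACE present only on disk, and one extra (A;OICI;0x001f01ff;;;DA) ACE in the expected value. That is the same owner/group reading Rowland gave by eye, plus the ACE and inheritance-flag differences that a string compare hides; it also shows what sysvolreset would be changing on that directory before you run it.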