[Samba] Win Clients and DNS

L.P.H. van Belle belle at bazuin.nl
Mon Nov 16 15:02:15 UTC 2015


Other thing.

If your domain name is like
domain.tld

By default, Windows does not send updates to top-level domains.
If that's the case you should change it to a single-label DNS.

https://support.microsoft.com/en-us/kb/300684 

Greetz, 

Louis

> -----Original message-----
> From: Viktor Trojanovic [mailto:viktor at troja.ch]
> Sent: Monday 16 November 2015 15:45
> To: L.P.H. van Belle; samba at lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS
> 
> 
> 
> On 16.11.2015 15:19, L.P.H. van Belle wrote:
> > Victor,
> >
> > Do a simple test.
> >  From the pc which is not working correctly.
> >
> > Ping member1
> > Ping member1.fqdn
> >
> > Do both resolve? Or only 1 and if 1 which one.
> >
> >
> > Greetz,
> >
> > Louis
> 
> Just as a side note, I am getting the DNS register warning message on
> *all* win clients, not just that one.
> 
> And yes, both pings resolve.
> 
> Viktor
> 
> >
> >
> >> -----Original message-----
> >> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> >> Sent: Monday 16 November 2015 15:08
> >> To: samba at lists.samba.org
> >> Subject: Re: [Samba] Win Clients and DNS
> >>
> >> On 16/11/15 14:00, Viktor Trojanovic wrote:
> >>>
> >>> On 16.11.2015 14:44, Rowland Penny wrote:
> >>>> On 16/11/15 13:25, Ole Traupe wrote:
> >>>>>
> >>>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
> >>>>>>
> >>>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
> >>>>>>> See replies below
> >>>>>>>
> >>>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
> >>>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
> >>>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
> >>>>>>>>> message came up:
> >>>>>>>>>
> >>>>>>>>> --------------------snip--------------------
> >>>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
> >>>>>>>>> exception - ProvisioningError: DB ACL on GPO directory
> >>>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
> >>>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>>>>>>> does not match expected value
> >>>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
> >>>>>>>>> from GPO object
> >>>>>>>>>    File
> >>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
> >>>>>>>>> line 175, in _run
> >>>>>>>>>      return self.run(*args, **kwargs)
> >>>>>>>>>    File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
> >>>>>>>>> line 249, in run
> >>>>>>>>>      lp)
> >>>>>>>>>    File
> >>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>>>> line 1733, in checksysvolacl
> >>>>>>>>>      direct_db_access)
> >>>>>>>>>    File
> >>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>>>> line 1684, in check_gpos_acl
> >>>>>>>>>      domainsid, direct_db_access)
> >>>>>>>>>    File
> >>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
> >>>>>>>>> line 1650, in check_dir_acl
> >>>>>>>>>      raise ProvisioningError('%s ACL on GPO directory %s %s does
> >>>>>>>>> not match expected value %s from GPO object' %
> >>>>>>>>> (acl_type(direct_db_access), os.path.join(root, name),
> >>>>>>>>> fsacl_sddl, acl))
> >>>>>>>>> --------------------snip--------------------
> >>>>>>>>>
> >>>>>>>>> The GPO directory in question is the Default Domain Policy.
> >>>>>>>>>
> >>>>>>>>> Any idea what happened here? I never touched the DDD, it's still
> >>>>>>>>> on version 0, and I never did any changes to those files either.
> >>>>>>>>> I manually checked the ACL, without having made a diff on it, it
> >>>>>>>>> looks pretty much the same like the ACL on the other containers.
> >>>>>>>>>
> >>>>>>>>> Is it safe to run sysvolreset?
> >>>>>>>>>
> >>>>>>>>> Viktor
> >>>>>>>>>
> >>>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
> >>>>>>>>>> I guess,
> >>>>>>>>>>
> >>>>>>>>>> incorrect rights on your sysvol,
> >>>>>>>>>> Try : samba-tool ntacl sysvolreset
> >>>>>>>>>> And check the share rights.
> >>>>>>>>>>
> >>>>>>>>>> By default this should work out of the box.
> >>>>>>>>>> Did you change the sysvol rights?
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Greetz,
> >>>>>>>>>>
> >>>>>>>>>> Louis
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>> -----Original message-----
> >>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole
> >>>>>>>>>>> Traupe
> >>>>>>>>>>> Sent: Monday 16 November 2015 9:25
> >>>>>>>>>>> To: samba at lists.samba.org
> >>>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
> >>>>>>>>>>>
> >>>>>>>>>>> Viktor, can you manually check whether you have DNS records
> >>>>>>>>>>> for your Win
> >>>>>>>>>>> clients?
> >>>>>>>>>>>
> >>>>>>>>>>> In the DNS settings for your Win clients' network adapters you
> >>>>>>>>>>> can
> >>>>>>>>>>> uncheck that the current address shall be registered in DNS.
> >>>>>>>>>>>
> >>>>>>>>>>> Ole
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
> >>>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
> >>>>>>>>>>>> and the
> >>>>>>>>>>>> clients all have a fixed IPv4 address.
> >>>>>>>>>>>>
> >>>>>>>>>>>> In the windows event viewer, I constantly see the following
> >>>>>>>>>>>> warning:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Event 8019, DNS Client Events
> >>>>>>>>>>>> ------------------------------------------
> >>>>>>>>>>>> The system failed to register host (A or AAA) resource
> >>>>>>>>>>>> records (RRs)
> >>>>>>>>>>>> for network adapter with settings:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Adapter Name: {someGUID}
> >>>>>>>>>>>> Host Name: Client-PC
> >>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
> >>>>>>>>>>>> DNS Server list:
> >>>>>>>>>>>>       192.168.0.1
> >>>>>>>>>>>> Sent update to server: <?>
> >>>>>>>>>>>> IP Addresses:
> >>>>>>>>>>>>      192.168.0.15
> >>>>>>>>>>>> ------------------------------------------
> >>>>>>>>>>>>
> >>>>>>>>>>>> Is it necessary to manually make some entries in DNS for the
> >>>>>>>>>>>> client
> >>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
> >>>>>>>>>>>>
> >>>>>>>>>>>> I'm trying to figure out if this is connected to another
> >>>>>>>>>>>> problem I'm
> >>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
> >>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller
> >>>>>>>>>>>> could not
> >>>>>>>>>>>> be read", and as one of the possible reasons for the error, name
> >>>>>>>>>>>> resolution is mentioned. I can access the file just fine once
> >>>>>>>>>>>> I'm
> >>>>>>>>>>>> logged in so I really don't know what the issue is here.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks,
> >>>>>>>>>>>> Viktor
> >>>>>>>>>>>>
> >>>>>>>>>>> --
> >>>>>>>>>>> To unsubscribe from this list go to the following URL and read
> >>>>>>>>>>> the
> >>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
> >>>>>>>>>>
> >>>>>>>>>
> >>>>>>>> Firstly, have you changed anything on the DC after provision? I
> >>>>>>>> don't mean adding users or groups, but anything else?
> >>>>>>>>
> >>>>>>>> I think if you examine what samba-tool thinks is different, you
> >>>>>>>> will find that it is only these:
> >>>>>>>>
> >>>>>>>> O:BAG:DUD and O:DAG:DAD
> >>>>>>>>
> >>>>>>>> To turn these into English :-)
> >>>>>>>>
> >>>>>>>> O = owner
> >>>>>>>> BA = BUILTIN\Administrators
> >>>>>>>> G = group
> >>>>>>>> DU = Domain Users
> >>>>>>>> DA = Domain Administrators
> >>>>>>>>
> >>>>>>>> BA becoming DA is fairly common and I don't think is relevant
> >>>>>>>> But somehow DA has become DU
> >>>>>>>>
> >>>>>>> Yes, those are the ACLs I see, BA is the owner, DA has full
> >>>>>>> rights, DU can read.
> >>>>>>>
> >>>>>>>> That is why I asked if you have changed anything.
> >>>>>>>>
> >>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
> >>>>>>>
> >>>>>>>> Now as for do your computers A and PTR records need to be added
> >>>>>>>> to AD, try this on the DC:
> >>>>>>>>
> >>>>>>>> ping -c1 member1
> >>>>>>>>
> >>>>>>>> where 'member1' is the hostname of one of your workstations, it
> >>>>>>>> should return something like this:
> >>>>>>>>
> >>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
> >>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>> This is making things even more confusing.. if I enter the DNS
> >>>>>>> records, then the command nslookup clientname will provide the
> >>>>>>> correct IP address. Ping doesn't work for half of the clients but
> >>>>>>> it doesn't work even using the IP address. Seems like the firewall
> >>>>>>> is blocking it which is again really weird because I didn't make
> >>>>>>> any changes and all clients are exactly the same.
> >>>>>>>
> >>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
> >>>>>> the domain, some allow it. And I never even touched this setting.
> >>>>>>
> >>>>> To my knowledge, ping requires File and Printer Sharing on Windows.
> >>>>> Is it activated on all your clients?
> >>>>>
> >>>>>
> >>>>>
> >>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it should
> >>>> return something like this:
> >>>>
> >>>> Server:        192.168.0.6
> >>>> Address:    192.168.0.6#53
> >>>>
> >>>> Name:    member1.samdom.example.com
> >>>> Address: 192.168.0.2
> >>>>
> >>>> If it returns this:
> >>>>
> >>>> Server:        192.168.0.6
> >>>> Address:    192.168.0.6#53
> >>>>
> >>>> ** server can't find member1: NXDOMAIN
> >>>>
> >>>> Then your DNS is up the spout, probably because the record for
> >>>> 'member1' isn't in AD.
> >>>>
> >>>> Rowland
> >>>>
> >>>>
> >>> It returns the expected result for all domain members, no issue here.
> >>>
> >>> Viktor
> >>>
> >> OK, one final test, is the computer's record in AD?
> >>
> >> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> >> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub
> >> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
> >>
> >> this (after changing the obvious) should show the dns record for 'member1'
> >>
> >> Rowland
> >>
> >>
> >
> >
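An added example, not code from this thread or from the Samba project: a small Python parser for the SDDL strings in the sysvolcheck error quoted above, which lists exactly what differs between the descriptor found on disk and the one expected from the GPO object. The names `Ace`, `parse_sddl` and `diff_sddl` are my own; the two descriptor strings are copied from the error, joined back onto one line each.

```python
import re
from typing import NamedTuple

class Ace(NamedTuple):
    ace_type: str  # A = access allowed, D = access denied
    flags: str     # inheritance flags such as OI, CI, IO
    rights: str    # access mask, e.g. 0x001f01ff = full control
    sid: str       # trustee: two-letter abbreviation (DA, BA, ...) or S-1-... form

# A section body runs until the next "O:", "G:", "D:" or "S:" marker.
_SECTION_RE = re.compile(r"([OGDS]):((?:(?![OGDS]:).)*)")
_ACE_RE = re.compile(r"\(([^)]*)\)")

def parse_sddl(sddl):
    """Return (owner, group, dacl_flags, set_of_aces) for an SDDL descriptor string."""
    parts = dict(_SECTION_RE.findall(sddl))
    dacl = parts.get("D", "")
    dacl_flags = dacl.split("(", 1)[0]   # e.g. "P" = DACL protected from inheritance
    aces = set()
    for inner in _ACE_RE.findall(dacl):
        ace_type, flags, rights, _obj_guid, _inherit_guid, sid = inner.split(";")
        aces.add(Ace(ace_type, flags, rights, sid))
    return parts.get("O", ""), parts.get("G", ""), dacl_flags, aces

def _fmt(ace):
    return f"({ace.ace_type};{ace.flags};{ace.rights};;;{ace.sid})"

def diff_sddl(actual, expected):
    """List what differs between the descriptor found on disk and the expected one."""
    ao, ag, af, aa = parse_sddl(actual)
    eo, eg, ef, ea = parse_sddl(expected)
    out = []
    for label, a, e in (("owner", ao, eo), ("group", ag, eg), ("dacl flags", af, ef)):
        if a != e:
            out.append(f"{label}: {a!r} on disk, {e!r} expected")
    out += [f"extra ACE on disk: {_fmt(ace)}" for ace in sorted(aa - ea)]
    out += [f"missing ACE on disk: {_fmt(ace)}" for ace in sorted(ea - aa)]
    return out

# The two descriptors quoted in the sysvolcheck error above, joined back onto one line each.
ON_DISK = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)"
           "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)"
            "(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

if __name__ == "__main__":
    print("\n".join(diff_sddl(ON_DISK, EXPECTED)))
```

Run over the error's own strings it reports the owner (BA vs DA) and group (DU vs DA) changes Rowland pointed out, and in addition the missing P (protected) flag on the DACL and an extra BUILTIN\Administrators ACE present on disk.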