[Samba] Win Clients and DNS

Viktor Trojanovic viktor at troja.ch
Mon Nov 16 15:12:04 UTC 2015



On 16.11.2015 15:53, L.P.H. van Belle wrote:
> Ok,
>> I am getting the DNS register warning message on
>> *all* win clients, not just that one.
> Good info, so, this confirms it's not a bug but an incorrect setting.
>
> Type ipconfig /all on a pc.
> Post the output, I suspect, incorrect dnsdomain or dns search domain.
>
> Also.
> Check if the PTR records are set to the correct server ips.
> This does not change on its own.
>
> Ldbsearch from below gives 192.168.0.13
> Which is different from other outputs.
>
> And check your /etc/hosts file.
>
> Greetz,
>
> Louis
>

ipconfig /all is returning

Hostname:                        member1
Primary DNS-Suffix:         samdom.example.com
Node type:                        hybrid
IP Routing Enabled:           no
WINS Proxy Enabled:        no
DNS Suffix Search list:     samdom.example.com

Ethernet adapter Ethernet:

Connection-specific DNS suffix:         (empty)
Autoconf enabled:                                Yes

The rest is not relevant so I will omit it here. Just one thing: My 
standard gateway is set to the router (192.168.0.2) and is therefore 
different from my Samba DC (192.168.0.1). But I guess that shouldn't be 
an issue.

Viktor

>
>> -----Original message-----
>> From: Viktor Trojanovic [mailto:viktor at troja.ch]
>> Sent: Monday 16 November 2015 15:45
>> To: L.P.H. van Belle; samba at lists.samba.org
>> Subject: Re: [Samba] Win Clients and DNS
>>
>>
>>
>> On 16.11.2015 15:19, L.P.H. van Belle wrote:
>>> Victor,
>>>
>>> Do a simple test.
>>>   From the pc which is not working correctly.
>>>
>>> Ping member1
>>> Ping member1.fqdn
>>>
>>> Do both resolve? Or only 1 and if 1 which one.
>>>
>>>
>>> Greetz,
>>>
>>> Louis
>> Just as a side note, I am getting the DNS register warning message on
>> *all* win clients, not just that one.
>>
>> And yes, both pings resolve.
>>
>> Viktor
>>
>>>
>>>> -----Original message-----
>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
>>>> Sent: Monday 16 November 2015 15:08
>>>> To: samba at lists.samba.org
>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>
>>>> On 16/11/15 14:00, Viktor Trojanovic wrote:
>>>>> On 16.11.2015 14:44, Rowland Penny wrote:
>>>>>> On 16/11/15 13:25, Ole Traupe wrote:
>>>>>>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>>>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>>>>>>> See replies below
>>>>>>>>>
>>>>>>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
>>>>>>>>>>> message came up:
>>>>>>>>>>>
>>>>>>>>>>> --------------------snip--------------------
>>>>>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
>>>>>>>>>>> exception - ProvisioningError: DB ACL on GPO directory
>>>>>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
>>>>>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>>>>>>> does not match expected value
>>>>>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>>>>>>> from GPO object
>>>>>>>>>>>     File
>>>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py",
>>>>>>>>>>> line 175, in _run
>>>>>>>>>>>       return self.run(*args, **kwargs)
>>>>>>>>>>>     File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py",
>>>>>>>>>>> line 249, in run
>>>>>>>>>>>       lp)
>>>>>>>>>>>     File
>>>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>>>> line 1733, in checksysvolacl
>>>>>>>>>>>       direct_db_access)
>>>>>>>>>>>     File
>>>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>>>> line 1684, in check_gpos_acl
>>>>>>>>>>>       domainsid, direct_db_access)
>>>>>>>>>>>     File
>>>>>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
>>>>>>>>>>> line 1650, in check_dir_acl
>>>>>>>>>>>       raise ProvisioningError('%s ACL on GPO directory %s %s does
>>>>>>>>>>> not match expected value %s from GPO object' %
>>>>>>>>>>> (acl_type(direct_db_access), os.path.join(root, name),
>>>>>>>>>>> fsacl_sddl, acl))
>>>>>>>>>>> --------------------snip--------------------
>>>>>>>>>>>
>>>>>>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>>>>>>
>>>>>>>>>>> Any idea what happened here? I never touched the DDD, it's still
>>>>>>>>>>> on version 0, and I never did any changes to those files either.
>>>>>>>>>>> I manually checked the ACL, without having made a diff on it, it
>>>>>>>>>>> looks pretty much the same like the ACL on the other containers.
>>>>>>>>>>>
>>>>>>>>>>> Is it safe to run sysvolreset?
>>>>>>>>>>>
>>>>>>>>>>> Viktor
>>>>>>>>>>>
>>>>>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>>>>>>> I guess,
>>>>>>>>>>>>
>>>>>>>>>>>> incorrect rights on your sysvol,
>>>>>>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>>>>>>> And check the share rights.
>>>>>>>>>>>>
>>>>>>>>>>>> By default this should work out of the box.
>>>>>>>>>>>> Did you change the sysvol rights?
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> Greetz,
>>>>>>>>>>>>
>>>>>>>>>>>> Louis
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>> -----Original message-----
>>>>>>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole
>>>>>>>>>>>>> Traupe
>>>>>>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>>>>>>> To: samba at lists.samba.org
>>>>>>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>>>>>>
>>>>>>>>>>>>> Viktor, can you manually check whether you have DNS records
>>>>>>>>>>>>> for your Win
>>>>>>>>>>>>> clients?
>>>>>>>>>>>>>
>>>>>>>>>>>>> In the DNS settings for your Win clients' network adapters you
>>>>>>>>>>>>> can
>>>>>>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Ole
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
>>>>>>>>>>>>>> and the
>>>>>>>>>>>>>> clients all have a fixed IPv4 address.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> In the windows event viewer, I constantly see the following
>>>>>>>>>>>>>> warning:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>>>> The system failed to register host (A or AAA) resource
>>>>>>>>>>>>>> records (RRs)
>>>>>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>>>>>> DNS Server list:
>>>>>>>>>>>>>>        192.168.0.1
>>>>>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>>>>>> IP Addresses:
>>>>>>>>>>>>>>       192.168.0.15
>>>>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Is it necessary to manually make some entries in DNS for the
>>>>>>>>>>>>>> client
>>>>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I'm trying to figure out if this is connected to another
>>>>>>>>>>>>>> problem I'm
>>>>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller
>>>>>>>>>>>>>> could not
>>>>>>>>>>>>>> be read", and as one of the possible reasons for the error, name
>>>>>>>>>>>>>> resolution is mentioned. I can access the file just fine once
>>>>>>>>>>>>>> I'm
>>>>>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>>> Viktor
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>> To unsubscribe from this list go to the following URL and read
>>>>>>>>>>>>> the
>>>>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>> Firstly, have you changed anything on the DC after provision? I
>>>>>>>>>> don't mean adding users or groups, but anything else?
>>>>>>>>>>
>>>>>>>>>> I think if you examine what samba-tool thinks is different, you
>>>>>>>>>> will find that it is only these:
>>>>>>>>>>
>>>>>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>>>>>
>>>>>>>>>> To turn these into English :-)
>>>>>>>>>>
>>>>>>>>>> O = owner
>>>>>>>>>> BA = BUILTIN\Administrators
>>>>>>>>>> G = group
>>>>>>>>>> DU = Domain Users
>>>>>>>>>> DA = Domain Administrators
>>>>>>>>>>
>>>>>>>>>> BA becoming DA is fairly common and I don't think is relevant
>>>>>>>>>> But somehow DA has become DU
>>>>>>>>>>
>>>>>>>>> Yes, those are the ACL's I see, BA is the owner, DA has full
>>>>>>>>> rights, DU can read.
>>>>>>>>>
>>>>>>>>>> That is why I asked if you have changed anything.
>>>>>>>>>>
>>>>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>>>>>> Now as for do your computers A and PTR records need to be added
>>>>>>>>>> to AD, try this on the DC:
>>>>>>>>>>
>>>>>>>>>> ping -c1 member1
>>>>>>>>>>
>>>>>>>>>> where 'member1' is the hostname of one of your workstations, it
>>>>>>>>>> should return something like this:
>>>>>>>>>>
>>>>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>> This is making things even more confusing.. if I enter the DNS
>>>>>>>>> records, then the command nslookup clientname will provide the
>>>>>>>>> correct IP address. Ping doesn't work for half of the clients but
>>>>>>>>> it doesn't work even using the IP address. Seems like the firewall
>>>>>>>>> is blocking it which is again really weird because I didn't make
>>>>>>>>> any changes and all clients are exactly the same.
>>>>>>>>>
>>>>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
>>>>>>>> the domain, some allow it. And I never even touched this setting.
>>>>>>>>
>>>>>>> To my knowledge, ping requires File and Printer Sharing on Windows.
>>>>>>> Is it activated on all your clients?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it should
>>>>>> return something like this:
>>>>>>
>>>>>> Server:        192.168.0.6
>>>>>> Address:    192.168.0.6#53
>>>>>>
>>>>>> Name:    member1.samdom.example.com
>>>>>> Address: 192.168.0.2
>>>>>>
>>>>>> If it returns this:
>>>>>>
>>>>>> Server:        192.168.0.6
>>>>>> Address:    192.168.0.6#53
>>>>>>
>>>>>> ** server can't find member1: NXDOMAIN
>>>>>>
>>>>>> Then your DNS is up the spout, probably because the record for
>>>>>> 'member1' isn't in AD.
>>>>>>
>>>>>> Rowland
>>>>>>
>>>>>>
>>>>> It returns the expected result for all domain members, no issue here.
>>>>>
>>>>> Viktor
>>>>>
>>>> OK, one final test, is the computer's record in AD?
>>>>
>>>> ldbsearch -H /usr/local/samba/private/sam.ldb -b
>>>> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub
>>>> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>>>>
>>>> this (after changing the obvious) should show the dns record for 'member1'
>>>> Rowland
>>>>
>>>>
>>>
>
>



