samba - Nov 2015 - Win Clients and DNS

I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the 
clients all have a fixed IPv4 address.

In the windows event viewer, I constantly see the following warning:

Event 8019, DNS Client Events
------------------------------------------
The system failed to register host (A or AAA) resource records (RRs) for 
network adapter with settings:

Adapter Name: {someGUID}
Host Name: Client-PC
Primary Domain Suffix: SAMDOM.COM
DNS Server list:
     192.168.0.1
Sent update to server: <?>
IP Addresses:
    192.168.0.15
------------------------------------------

Is it necessary to manually make some entries in DNS for the client 
machines? I didn't see anything about that in the Wiki.

I'm trying to figure out if this is connected to another problem I'm 
facing. A machine based GPO is not executed because "the file 
\\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not be 
read", and as one of the possible reasons for the error, name resolution 
is mentioned. I can access the file just fine once I'm logged in so I 
really don't know what the issue is here.

Thanks,
Viktor

Viktor, can you manually check whether you have DNS records for your Win 
clients?

In the DNS settings for your Win clients' network adapters you can 
uncheck that the current address shall be registered in DNS.

Ole


Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the 
> clients all have a fixed IPv4 address.
>
> In the windows event viewer, I constantly see the following warning:
>
> Event 8019, DNS Client Events
> ------------------------------------------
> The system failed to register host (A or AAA) resource records (RRs) 
> for network adapter with settings:
>
> Adapter Name: {someGUID}
> Host Name: Client-PC
> Primary Domain Suffix: SAMDOM.COM
> DNS Server list:
>     192.168.0.1
> Sent update to server: <?>
> IP Addresses:
>    192.168.0.15
> ------------------------------------------
>
> Is it necessary to manually make some entries in DNS for the client 
> machines? I didn't see anything about that in the Wiki.
>
> I'm trying to figure out if this is connected to another problem
I'm
> facing. A machine based GPO is not executed because "the file 
> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not 
> be read", and as one of the possible reasons for the error, name 
> resolution is mentioned. I can access the file just fine once I'm 
> logged in so I really don't know what the issue is here.
>
> Thanks,
> Viktor
>

I guest, 

incorrect rights on you sysvol, 
Try : samba-tool ntacl sysvolreset 
And check the share rights. 

By default this should work out of the box. 
Did you change the sysvol rights? 


Greetz, 

Louis

> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
> Verzonden: maandag 16 november 2015 9:25
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] Win Clients and DNS
> 
> Viktor, can you manually check whether you have DNS records for your Win
> clients?
> 
> In the DNS settings for your Win clients' network adapters you can
> uncheck that the current address shall be registered in DNS.
> 
> Ole
> 
> 
> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
> > I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the
> > clients all have a fixed IPv4 address.
> >
> > In the windows event viewer, I constantly see the following warning:
> >
> > Event 8019, DNS Client Events
> > ------------------------------------------
> > The system failed to register host (A or AAA) resource records (RRs)
> > for network adapter with settings:
> >
> > Adapter Name: {someGUID}
> > Host Name: Client-PC
> > Primary Domain Suffix: SAMDOM.COM
> > DNS Server list:
> >     192.168.0.1
> > Sent update to server: <?>
> > IP Addresses:
> >    192.168.0.15
> > ------------------------------------------
> >
> > Is it necessary to manually make some entries in DNS for the client
> > machines? I didn't see anything about that in the Wiki.
> >
> > I'm trying to figure out if this is connected to another problem
I'm
> > facing. A machine based GPO is not executed because "the file
> > \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not
> > be read", and as one of the possible reasons for the error, name
> > resolution is mentioned. I can access the file just fine once I'm
> > logged in so I really don't know what the issue is here.
> >
> > Thanks,
> > Viktor
> >
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

On 16/11/15 00:31, Viktor Trojanovic wrote:
> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the 
> clients all have a fixed IPv4 address.
>
> In the windows event viewer, I constantly see the following warning:
>
> Event 8019, DNS Client Events
> ------------------------------------------
> The system failed to register host (A or AAA) resource records (RRs) 
> for network adapter with settings:
>
> Adapter Name: {someGUID}
> Host Name: Client-PC
> Primary Domain Suffix: SAMDOM.COM
> DNS Server list:
>     192.168.0.1
> Sent update to server: <?>
> IP Addresses:
>    192.168.0.15
> ------------------------------------------
>
> Is it necessary to manually make some entries in DNS for the client 
> machines? I didn't see anything about that in the Wiki.
>
> I'm trying to figure out if this is connected to another problem
I'm
> facing. A machine based GPO is not executed because "the file 
> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not 
> be read", and as one of the possible reasons for the error, name 
> resolution is mentioned. I can access the file just fine once I'm 
> logged in so I really don't know what the issue is here.
>
> Thanks,
> Viktor
>
Is there anything in syslog on the DC, it may be that whilst your 
clients are trying to update their dns records in AD, they are being denied.
If the clients were Unix based, you would have to add their records to 
AD manually, It is probably the same for fixed window clients.
There is something on the wiki about adding dns records, but it is a bit 
unclear as to why you would need to do this:

https://wiki.samba.org/index.php/DNS_administration#Adding_new_records

Rowland

Hi Ole,

I am using Samba DNS. I didn't manually create records for the clients 
so they are not there. Are they necessary? Are A records enough?

And thanks about the tip with the DNS settings for the clients, I will 
uncheck the box.

Viktor

On 16.11.2015 09:25, Ole Traupe wrote:
> Viktor, can you manually check whether you have DNS records for your 
> Win clients?
>
> In the DNS settings for your Win clients' network adapters you can 
> uncheck that the current address shall be registered in DNS.
>
> Ole
>
>
> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the 
>> clients all have a fixed IPv4 address.
>>
>> In the windows event viewer, I constantly see the following warning:
>>
>> Event 8019, DNS Client Events
>> ------------------------------------------
>> The system failed to register host (A or AAA) resource records (RRs) 
>> for network adapter with settings:
>>
>> Adapter Name: {someGUID}
>> Host Name: Client-PC
>> Primary Domain Suffix: SAMDOM.COM
>> DNS Server list:
>>     192.168.0.1
>> Sent update to server: <?>
>> IP Addresses:
>>    192.168.0.15
>> ------------------------------------------
>>
>> Is it necessary to manually make some entries in DNS for the client 
>> machines? I didn't see anything about that in the Wiki.
>>
>> I'm trying to figure out if this is connected to another problem
I'm
>> facing. A machine based GPO is not executed because "the file 
>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not 
>> be read", and as one of the possible reasons for the error, name 
>> resolution is mentioned. I can access the file just fine once I'm 
>> logged in so I really don't know what the issue is here.
>>
>> Thanks,
>> Viktor
>>
>
>

Hi Louis,

I never touched the sysvol rights, neither from Windows nor from Linux, 
and they seem to be intact. The share rights are correct, too, and on a 
separate server by the way.

As I said, I can easily access them myself, it's just that error in the 
event log which makes it seem as if, during the startup phase, there is 
a problem to access certain information.

Thanks,
Viktor


On 16.11.2015 09:34, L.P.H. van Belle wrote:
> I guest,
>
> incorrect rights on you sysvol,
> Try : samba-tool ntacl sysvolreset
> And check the share rights.
>
> By default this should work out of the box.
> Did you change the sysvol rights?
>
>
> Greetz,
>
> Louis
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
>> Verzonden: maandag 16 november 2015 9:25
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Win Clients and DNS
>>
>> Viktor, can you manually check whether you have DNS records for your
Win
>> clients?
>>
>> In the DNS settings for your Win clients' network adapters you can
>> uncheck that the current address shall be registered in DNS.
>>
>> Ole
>>
>>
>> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and
the
>>> clients all have a fixed IPv4 address.
>>>
>>> In the windows event viewer, I constantly see the following
warning:
>>>
>>> Event 8019, DNS Client Events
>>> ------------------------------------------
>>> The system failed to register host (A or AAA) resource records
(RRs)
>>> for network adapter with settings:
>>>
>>> Adapter Name: {someGUID}
>>> Host Name: Client-PC
>>> Primary Domain Suffix: SAMDOM.COM
>>> DNS Server list:
>>>      192.168.0.1
>>> Sent update to server: <?>
>>> IP Addresses:
>>>     192.168.0.15
>>> ------------------------------------------
>>>
>>> Is it necessary to manually make some entries in DNS for the client
>>> machines? I didn't see anything about that in the Wiki.
>>>
>>> I'm trying to figure out if this is connected to another
problem I'm
>>> facing. A machine based GPO is not executed because "the file
>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could
not
>>> be read", and as one of the possible reasons for the error,
name
>>> resolution is mentioned. I can access the file just fine once
I'm
>>> logged in so I really don't know what the issue is here.
>>>
>>> Thanks,
>>> Viktor
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>

On 16.11.2015 09:57, Rowland Penny wrote:
> On 16/11/15 00:31, Viktor Trojanovic wrote:
>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and the 
>> clients all have a fixed IPv4 address.
>>
>> In the windows event viewer, I constantly see the following warning:
>>
>> Event 8019, DNS Client Events
>> ------------------------------------------
>> The system failed to register host (A or AAA) resource records (RRs) 
>> for network adapter with settings:
>>
>> Adapter Name: {someGUID}
>> Host Name: Client-PC
>> Primary Domain Suffix: SAMDOM.COM
>> DNS Server list:
>>     192.168.0.1
>> Sent update to server: <?>
>> IP Addresses:
>>    192.168.0.15
>> ------------------------------------------
>>
>> Is it necessary to manually make some entries in DNS for the client 
>> machines? I didn't see anything about that in the Wiki.
>>
>> I'm trying to figure out if this is connected to another problem
I'm
>> facing. A machine based GPO is not executed because "the file 
>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could not 
>> be read", and as one of the possible reasons for the error, name 
>> resolution is mentioned. I can access the file just fine once I'm 
>> logged in so I really don't know what the issue is here.
>>
>> Thanks,
>> Viktor
>>
>
> Is there anything in syslog on the DC, it may be that whilst your 
> clients are trying to update their dns records in AD, they are being 
> denied.
> If the clients were Unix based, you would have to add their records to 
> AD manually, It is probably the same for fixed window clients.
> There is something on the wiki about adding dns records, but it is a 
> bit unclear as to why you would need to do this:
>
> https://wiki.samba.org/index.php/DNS_administration#Adding_new_records
>
> Rowland
Yes, I read that, and I'm not clear either on why the clients need 
registration and what the disadvantages would be if they aren't. But 
Ole's tip to remove the "Register DNS" checkbox from the network 
interface on Win Clients does seem like valuable information for the wiki.

Viktor

Hai, 

I suggest you dont remove the "Register DNS" checkbox from the
network" option.

If you setup if correct, when you join a computer to the domain,
It wil automatily registere the computer en the AD DNS. 
And todo so you need the "Register DNS" checkbox from the
network"

For example, i use for now an dhcp server
! the DHCP server i use it NOT in any of the MS domains and/or Samba AD !
So its just a dhcp server, not linked to any domain. 
And i have 3 MS domains here. 

If i join the domain with an pc with dhcp ip, it is registered as it should. 
And same with pc's that have a dedicated IP. 

So, 
or the dhcp server is giving the wrong options to the pc. 
or your missing the reverse DNS zone. 

This should work out of the box, without any registry modification etc.. 

Greetz, 

Louis


> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Viktor
Trojanovic
> Verzonden: maandag 16 november 2015 10:47
> Aan: Rowland Penny; samba at lists.samba.org
> Onderwerp: Re: [Samba] Win Clients and DNS
> 
> 
> 
> On 16.11.2015 09:57, Rowland Penny wrote:
> > On 16/11/15 00:31, Viktor Trojanovic wrote:
> >> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and
the
> >> clients all have a fixed IPv4 address.
> >>
> >> In the windows event viewer, I constantly see the following
warning:
> >>
> >> Event 8019, DNS Client Events
> >> ------------------------------------------
> >> The system failed to register host (A or AAA) resource records
(RRs)
> >> for network adapter with settings:
> >>
> >> Adapter Name: {someGUID}
> >> Host Name: Client-PC
> >> Primary Domain Suffix: SAMDOM.COM
> >> DNS Server list:
> >>     192.168.0.1
> >> Sent update to server: <?>
> >> IP Addresses:
> >>    192.168.0.15
> >> ------------------------------------------
> >>
> >> Is it necessary to manually make some entries in DNS for the
client
> >> machines? I didn't see anything about that in the Wiki.
> >>
> >> I'm trying to figure out if this is connected to another
problem I'm
> >> facing. A machine based GPO is not executed because "the file
> >> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could
not
> >> be read", and as one of the possible reasons for the error,
name
> >> resolution is mentioned. I can access the file just fine once
I'm
> >> logged in so I really don't know what the issue is here.
> >>
> >> Thanks,
> >> Viktor
> >>
> >
> > Is there anything in syslog on the DC, it may be that whilst your
> > clients are trying to update their dns records in AD, they are being
> > denied.
> > If the clients were Unix based, you would have to add their records to
> > AD manually, It is probably the same for fixed window clients.
> > There is something on the wiki about adding dns records, but it is a
> > bit unclear as to why you would need to do this:
> >
> > https://wiki.samba.org/index.php/DNS_administration#Adding_new_records
> >
> > Rowland
> 
> Yes, I read that, and I'm not clear either on why the clients need
> registration and what the disadvantages would be if they aren't. But
> Ole's tip to remove the "Register DNS" checkbox from the
network
> interface on Win Clients does seem like valuable information for the wiki.
> 
> Viktor
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba

So I ran a samba-tool ntacl sysvolcheck, and the following error message 
came up:

--------------------snip--------------------
ERROR(<class 'samba.provision.ProvisioningError'>): uncaught
exception -
ProvisioningError: DB ACL on GPO directory 
/var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
does not match expected value 
O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
from GPO object
   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", 
line 175, in _run
     return self.run(*args, **kwargs)
   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line
249, in run
     lp)
   File
"/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1733, in checksysvolacl
     direct_db_access)
   File
"/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1684, in check_gpos_acl
     domainsid, direct_db_access)
   File
"/usr/lib/python2.7/site-packages/samba/provision/__init__.py",
line 1650, in check_dir_acl
     raise ProvisioningError('%s ACL on GPO directory %s %s does not 
match expected value %s from GPO object' % (acl_type(direct_db_access), 
os.path.join(root, name), fsacl_sddl, acl))
--------------------snip--------------------

The GPO directory in question is the Default Domain Policy.

Any idea what happened here? I never touched the DDD, it's still on 
version 0, and I never did any changes to those files either. I manually 
checked the ACL, without having made a diff on it, it looks pretty much 
the same like the ACL on the other containers.

Is it safe to run sysvolreset?

Viktor

On 16.11.2015 09:34, L.P.H. van Belle wrote:
> I guest,
>
> incorrect rights on you sysvol,
> Try : samba-tool ntacl sysvolreset
> And check the share rights.
>
> By default this should work out of the box.
> Did you change the sysvol rights?
>
>
> Greetz,
>
> Louis
>
>
>> -----Oorspronkelijk bericht-----
>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole Traupe
>> Verzonden: maandag 16 november 2015 9:25
>> Aan: samba at lists.samba.org
>> Onderwerp: Re: [Samba] Win Clients and DNS
>>
>> Viktor, can you manually check whether you have DNS records for your
Win
>> clients?
>>
>> In the DNS settings for your Win clients' network adapters you can
>> uncheck that the current address shall be registered in DNS.
>>
>> Ole
>>
>>
>> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic:
>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC and
the
>>> clients all have a fixed IPv4 address.
>>>
>>> In the windows event viewer, I constantly see the following
warning:
>>>
>>> Event 8019, DNS Client Events
>>> ------------------------------------------
>>> The system failed to register host (A or AAA) resource records
(RRs)
>>> for network adapter with settings:
>>>
>>> Adapter Name: {someGUID}
>>> Host Name: Client-PC
>>> Primary Domain Suffix: SAMDOM.COM
>>> DNS Server list:
>>>      192.168.0.1
>>> Sent update to server: <?>
>>> IP Addresses:
>>>     192.168.0.15
>>> ------------------------------------------
>>>
>>> Is it necessary to manually make some entries in DNS for the client
>>> machines? I didn't see anything about that in the Wiki.
>>>
>>> I'm trying to figure out if this is connected to another
problem I'm
>>> facing. A machine based GPO is not executed because "the file
>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller could
not
>>> be read", and as one of the possible reasons for the error,
name
>>> resolution is mentioned. I can access the file just fine once
I'm
>>> logged in so I really don't know what the issue is here.
>>>
>>> Thanks,
>>> Viktor
>>>
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>
>