On 16.11.2015 14:44, Rowland Penny wrote:
> On 16/11/15 13:25, Ole Traupe wrote:
>>
>> On 16.11.2015 at 14:06, Viktor Trojanovic wrote:
>>>
>>> On 16.11.2015 13:48, Viktor Trojanovic wrote:
>>>> See replies below
>>>>
>>>> On 16.11.2015 12:39, Rowland Penny wrote:
>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote:
>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following error
>>>>>> message came up:
>>>>>>
>>>>>> --------------------snip--------------------
>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught exception - ProvisioningError: DB ACL on GPO directory
>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup
>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>> does not match expected value
>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED)
>>>>>> from GPO object
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
>>>>>>     return self.run(*args, **kwargs)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line 249, in run
>>>>>>     lp)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1733, in checksysvolacl
>>>>>>     direct_db_access)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1684, in check_gpos_acl
>>>>>>     domainsid, direct_db_access)
>>>>>>   File "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", line 1650, in check_dir_acl
>>>>>>     raise ProvisioningError('%s ACL on GPO directory %s %s does not match expected value %s from GPO object' % (acl_type(direct_db_access), os.path.join(root, name), fsacl_sddl, acl))
>>>>>> --------------------snip--------------------
>>>>>>
>>>>>> The GPO directory in question is the Default Domain Policy.
>>>>>>
>>>>>> Any idea what happened here? I never touched the DDD, it's still
>>>>>> on version 0, and I never did any changes to those files either.
>>>>>> I manually checked the ACL, without having made a diff on it, it
>>>>>> looks pretty much the same as the ACL on the other containers.
>>>>>>
>>>>>> Is it safe to run sysvolreset?
>>>>>>
>>>>>> Viktor
>>>>>>
>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote:
>>>>>>> I guess,
>>>>>>>
>>>>>>> incorrect rights on your sysvol,
>>>>>>> Try : samba-tool ntacl sysvolreset
>>>>>>> And check the share rights.
>>>>>>>
>>>>>>> By default this should work out of the box.
>>>>>>> Did you change the sysvol rights?
>>>>>>>
>>>>>>> Greetz,
>>>>>>>
>>>>>>> Louis
>>>>>>>
>>>>>>>> -----Original message-----
>>>>>>>> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Ole Traupe
>>>>>>>> Sent: Monday 16 November 2015 9:25
>>>>>>>> To: samba at lists.samba.org
>>>>>>>> Subject: Re: [Samba] Win Clients and DNS
>>>>>>>>
>>>>>>>> Viktor, can you manually check whether you have DNS records for
>>>>>>>> your Win clients?
>>>>>>>>
>>>>>>>> In the DNS settings for your Win clients' network adapters you can
>>>>>>>> uncheck that the current address shall be registered in DNS.
>>>>>>>>
>>>>>>>> Ole
>>>>>>>>
>>>>>>>> On 16.11.2015 at 01:31, Viktor Trojanovic wrote:
>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The DC
>>>>>>>>> and the clients all have a fixed IPv4 address.
>>>>>>>>>
>>>>>>>>> In the windows event viewer, I constantly see the following
>>>>>>>>> warning:
>>>>>>>>>
>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>> ------------------------------------------
>>>>>>>>> The system failed to register host (A or AAA) resource records (RRs)
>>>>>>>>> for network adapter with settings:
>>>>>>>>>
>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>> Host Name: Client-PC
>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>> DNS Server list:
>>>>>>>>> 192.168.0.1
>>>>>>>>> Sent update to server: <?>
>>>>>>>>> IP Addresses:
>>>>>>>>> 192.168.0.15
>>>>>>>>> ------------------------------------------
>>>>>>>>>
>>>>>>>>> Is it necessary to manually make some entries in DNS for the
>>>>>>>>> client machines? I didn't see anything about that in the Wiki.
>>>>>>>>>
>>>>>>>>> I'm trying to figure out if this is connected to another
>>>>>>>>> problem I'm facing. A machine based GPO is not executed because
>>>>>>>>> "the file \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain
>>>>>>>>> controller could not be read", and as one of the possible
>>>>>>>>> reasons for the error, name resolution is mentioned. I can
>>>>>>>>> access the file just fine once I'm logged in so I really don't
>>>>>>>>> know what the issue is here.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Viktor
>>>>>>>>
>>>>>>>> --
>>>>>>>> To unsubscribe from this list go to the following URL and read the
>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>
>>>>> Firstly, have you changed anything on the DC after provision? I
>>>>> don't mean adding users or groups, but anything else?
>>>>>
>>>>> I think if you examine what samba-tool thinks is different, you
>>>>> will find that it is only these:
>>>>>
>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>
>>>>> To turn these into English :-)
>>>>>
>>>>> O = owner
>>>>> BA = BUILTIN\Administrators
>>>>> G = group
>>>>> DU = Domain Users
>>>>> DA = Domain Administrators
>>>>>
>>>>> BA becoming DA is fairly common and I don't think is relevant
>>>>> But somehow DA has become DU
>>>>>
>>>> Yes, those are the ACLs I see, BA is the owner, DA has full
>>>> rights, DU can read.
>>>>
>>>>> That is why I asked if you have changed anything.
>>>>>
>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>
>>>>> Now as for do your computers A and PTR records need to be added to
>>>>> AD, try this on the DC:
>>>>>
>>>>> ping -c1 member1
>>>>>
>>>>> where 'member1' is the hostname of one of your workstations, it
>>>>> should return something like this:
>>>>>
>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>
>>>> This is making things even more confusing.. if I enter the DNS
>>>> records, then the command nslookup clientname will provide the
>>>> correct IP address. Ping doesn't work for half of the clients but
>>>> it doesn't work even using the IP address. Seems like the firewall
>>>> is blocking it which is again really weird because I didn't make
>>>> any changes and all clients are exactly the same.
>>>>
>>>
>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
>>> the domain, some allow it. And I never even touched this setting.
>>>
>> To my knowledge, ping requires File and Printer Sharing on Windows.
>> Is it activated on all your clients?
>>
>
> OK, if ping is a problem, try 'nslookup member1' on the DC, it should
> return something like this:
>
> Server: 192.168.0.6
> Address: 192.168.0.6#53
>
> Name: member1.samdom.example.com
> Address: 192.168.0.2
>
> If it returns this:
>
> Server: 192.168.0.6
> Address: 192.168.0.6#53
>
> ** server can't find member1: NXDOMAIN
>
> Then your DNS is up the spout, probably because the record for
> 'member1' isn't in AD.
>
> Rowland
>

It returns the expected result for all domain members, no issue here.

Viktor

On 16/11/15 14:00, Viktor Trojanovic wrote:
> It returns the expected result for all domain members, no issue here.
>
> Viktor
>

OK, one final test, is the computer's record in AD?

ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary

this (after changing the obvious) should show the dns record for 'member1'

Rowland

Viktor,

Do a simple test.
From the pc which is not working correctly.

Ping member1
Ping member1.fqdn

Do both resolve? Or only 1 and if 1 which one.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny
> Sent: Monday 16 November 2015 15:08
> To: samba at lists.samba.org
> Subject: Re: [Samba] Win Clients and DNS
>
> OK, one final test, is the computer's record in AD?
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>
> this (after changing the obvious) should show the dns record for 'member1'
>
> Rowland

On 16.11.2015 15:08, Rowland Penny wrote:> On 16/11/15 14:00, Viktor Trojanovic wrote: >> >> >> On 16.11.2015 14:44, Rowland Penny wrote: >>> On 16/11/15 13:25, Ole Traupe wrote: >>>> >>>> >>>> Am 16.11.2015 um 14:06 schrieb Viktor Trojanovic: >>>>> >>>>> >>>>> On 16.11.2015 13:48, Viktor Trojanovic wrote: >>>>>> See replies below >>>>>> >>>>>> On 16.11.2015 12:39, Rowland Penny wrote: >>>>>>> On 16/11/15 11:19, Viktor Trojanovic wrote: >>>>>>>> So I ran a samba-tool ntacl sysvolcheck, and the following >>>>>>>> error message came up: >>>>>>>> >>>>>>>> --------------------snip-------------------- >>>>>>>> ERROR(<class 'samba.provision.ProvisioningError'>): uncaught >>>>>>>> exception - ProvisioningError: DB ACL on GPO directory >>>>>>>> /var/lib/samba/sysvol/samdom.com/Policies/{31B2F340-016D-11D2-945F-00C04FB984F9}/MACHINE/Scripts/Startup >>>>>>>> O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >>>>>>>> does not match expected value >>>>>>>> O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)(A;OICI;0x001200a9;;;ED) >>>>>>>> from GPO object >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/__init__.py", >>>>>>>> line 175, in _run >>>>>>>> return self.run(*args, **kwargs) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/samba/netcmd/ntacl.py", line >>>>>>>> 249, in run >>>>>>>> lp) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", >>>>>>>> line 1733, in checksysvolacl >>>>>>>> direct_db_access) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", >>>>>>>> line 1684, in check_gpos_acl >>>>>>>> domainsid, direct_db_access) >>>>>>>> File >>>>>>>> "/usr/lib/python2.7/site-packages/samba/provision/__init__.py", >>>>>>>> line 1650, in 
check_dir_acl >>>>>>>> raise ProvisioningError('%s ACL on GPO directory %s %s does >>>>>>>> not match expected value %s from GPO object' % >>>>>>>> (acl_type(direct_db_access), os.path.join(root, name), >>>>>>>> fsacl_sddl, acl)) >>>>>>>> --------------------snip-------------------- >>>>>>>> >>>>>>>> The GPO directory in question is the Default Domain Policy. >>>>>>>> >>>>>>>> Any idea what happened here? I never touched the DDD, it's >>>>>>>> still on version 0, and I never did any changes to those files >>>>>>>> either. I manually checked the ACL, without having made a diff >>>>>>>> on it, it looks pretty much the same like the ACL on the other >>>>>>>> containers. >>>>>>>> >>>>>>>> Is it safe to run sysvolreset? >>>>>>>> >>>>>>>> Viktor >>>>>>>> >>>>>>>> On 16.11.2015 09:34, L.P.H. van Belle wrote: >>>>>>>>> I guest, >>>>>>>>> >>>>>>>>> incorrect rights on you sysvol, >>>>>>>>> Try : samba-tool ntacl sysvolreset >>>>>>>>> And check the share rights. >>>>>>>>> >>>>>>>>> By default this should work out of the box. >>>>>>>>> Did you change the sysvol rights? >>>>>>>>> >>>>>>>>> >>>>>>>>> Greetz, >>>>>>>>> >>>>>>>>> Louis >>>>>>>>> >>>>>>>>> >>>>>>>>>> -----Oorspronkelijk bericht----- >>>>>>>>>> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Ole >>>>>>>>>> Traupe >>>>>>>>>> Verzonden: maandag 16 november 2015 9:25 >>>>>>>>>> Aan: samba at lists.samba.org >>>>>>>>>> Onderwerp: Re: [Samba] Win Clients and DNS >>>>>>>>>> >>>>>>>>>> Viktor, can you manually check whether you have DNS records >>>>>>>>>> for your Win >>>>>>>>>> clients? >>>>>>>>>> >>>>>>>>>> In the DNS settings for your Win clients' network adapters >>>>>>>>>> you can >>>>>>>>>> uncheck that the current address shall be registered in DNS. >>>>>>>>>> >>>>>>>>>> Ole >>>>>>>>>> >>>>>>>>>> >>>>>>>>>> Am 16.11.2015 um 01:31 schrieb Viktor Trojanovic: >>>>>>>>>>> I have an AD with 1 Samba DC and 5 Windows 10 clients. The >>>>>>>>>>> DC and the >>>>>>>>>>> clients all have a fixed IPv4 address. 
>>>>>>>>>>>
>>>>>>>>>>> In the windows event viewer, I constantly see the following
>>>>>>>>>>> warning:
>>>>>>>>>>>
>>>>>>>>>>> Event 8019, DNS Client Events
>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>> The system failed to register host (A or AAA) resource
>>>>>>>>>>> records (RRs)
>>>>>>>>>>> for network adapter with settings:
>>>>>>>>>>>
>>>>>>>>>>> Adapter Name: {someGUID}
>>>>>>>>>>> Host Name: Client-PC
>>>>>>>>>>> Primary Domain Suffix: SAMDOM.COM
>>>>>>>>>>> DNS Server list:
>>>>>>>>>>> 192.168.0.1
>>>>>>>>>>> Sent update to server: <?>
>>>>>>>>>>> IP Addresses:
>>>>>>>>>>> 192.168.0.15
>>>>>>>>>>> ------------------------------------------
>>>>>>>>>>>
>>>>>>>>>>> Is it necessary to manually make some entries in DNS for the
>>>>>>>>>>> client
>>>>>>>>>>> machines? I didn't see anything about that in the Wiki.
>>>>>>>>>>>
>>>>>>>>>>> I'm trying to figure out if this is connected to another
>>>>>>>>>>> problem I'm
>>>>>>>>>>> facing. A machine based GPO is not executed because "the file
>>>>>>>>>>> \\SAMDOM.COM\SysVol\[...]\gpt.ini from a domain controller
>>>>>>>>>>> could not
>>>>>>>>>>> be read", and as one of the possible reasons for the error,
>>>>>>>>>>> name
>>>>>>>>>>> resolution is mentioned. I can access the file just fine
>>>>>>>>>>> once I'm
>>>>>>>>>>> logged in so I really don't know what the issue is here.
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Viktor
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> To unsubscribe from this list go to the following URL and
>>>>>>>>>> read the
>>>>>>>>>> instructions: https://lists.samba.org/mailman/options/samba
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Firstly, have you changed anything on the DC after provision? I
>>>>>>> don't mean adding users or groups, but anything else?
>>>>>>>
>>>>>>> I think if you examine what samba-tool thinks is different, you
>>>>>>> will find that it is only these:
>>>>>>>
>>>>>>> O:BAG:DUD and O:DAG:DAD
>>>>>>>
>>>>>>> To turn these into English :-)
>>>>>>>
>>>>>>> O = owner
>>>>>>> BA = BUILTIN\Administrators
>>>>>>> G = group
>>>>>>> DU = Domain Users
>>>>>>> DA = Domain Administrators
>>>>>>>
>>>>>>> BA becoming DA is fairly common and I don't think is relevant
>>>>>>> But somehow DA has become DU
>>>>>>>
>>>>>> Yes, those are the ACL's I see, BA is the owner, DA has full
>>>>>> rights, DU can read.
>>>>>>
>>>>>>> That is why I asked if you have changed anything.
>>>>>>>
>>>>>> No, I haven't. Please also check my new thread about the ACL issue.
>>>>>>
>>>>>>> Now as for do your computers A and PTR records need to be added
>>>>>>> to AD, try this on the DC:
>>>>>>>
>>>>>>> ping -c1 member1
>>>>>>>
>>>>>>> where 'member1' is the hostname of one of your workstations, it
>>>>>>> should return something like this:
>>>>>>>
>>>>>>> PING member1.samdom.example.com (192.168.0.2) 56(84) bytes of data.
>>>>>>> 64 bytes from 192.168.0.2: icmp_seq=1 ttl=64 time=0.261 ms
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>> This is making things even more confusing.. if I enter the DNS
>>>>>> records, then the command nslookup clientname will provide the
>>>>>> correct IP address. Ping doesn't work for half of the clients but
>>>>>> it doesn't work even using the IP address. Seems like the
>>>>>> firewall is blocking it which is again really weird because I
>>>>>> didn't make any changes and all clients are exactly the same.
>>>>>>
>>>>>
>>>>> Off topic but some of my Win 10 clients have ICMP echo blocked in
>>>>> the domain, some allow it. And I never even touched this setting.
>>>>>
>>>> To my knowledge, ping requires File and Printer Sharing on Windows.
>>>> Is it activated on all your clients?
>>>>
>>>>
>>>>
>>>
>>> OK, if ping is a problem, try 'nslookup member1' on the DC, it
>>> should return something like this:
>>>
>>> Server: 192.168.0.6
>>> Address: 192.168.0.6#53
>>>
>>> Name: member1.samdom.example.com
>>> Address: 192.168.0.2
>>>
>>> If it returns this:
>>>
>>> Server: 192.168.0.6
>>> Address: 192.168.0.6#53
>>>
>>> ** server can't find member1: NXDOMAIN
>>>
>>> Then your DNS is up the spout, probably because the record for
>>> 'member1' isn't in AD.
>>>
>>> Rowland
>>>
>>>
>> It returns the expected result for all domain members, no issue here.
>>
>> Viktor
>>
>
> OK, one final test, is the computers record in AD?
>
> ldbsearch -H /usr/local/samba/private/sam.ldb -b
> 'DC=DomainDnsZones,DC=samdom,DC=example,DC=com' -s sub
> '(&(objectclass=dnsNode)(dc=member1))' --cross-ncs --show-binary
>
> this (after changing the obvious) should show the dns record for
> 'member1'
>
> Rowland
>

Yes, that works and returns one record.

# record 1
dn: DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20151116123628.0Z
whenChanged: 20151116123628.0Z
uSNCreated: 4232
uSNChanged: 4232
showInAdvancedViewOnly: TRUE
name: bh-client-3
objectGUID: 664b9068-66ad-44b3-b88f-1a1a5909827f
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
    wDataLength : 0x0004 (4)
    wType : DNS_TYPE_A (1)
    version : 0x05 (5)
    rank : DNS_RANK_ZONE (240)
    flags : 0x0000 (0)
    dwSerial : 0x00000006 (6)
    dwTtlSeconds : 0x00000e10 (3600)
    dwReserved : 0x00000000 (0)
    dwTimeStamp : 0x00377de4 (3636708)
    data : union dnsRecordData(case 1)
    ipv4 : 192.168.0.13
objectCategory: CN=Dns-Node,CN=Schema,CN=Configuration,DC=samdom,DC=example,DC=com
dc: member1
distinguishedName: DC=member1,DC=samdom.example.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=samdom,DC=example,DC=com

# returned 1 records
# 1 entries
# 0 referrals

Viktor
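
An added example, not part of any message in this thread and not Samba's own code: a small Python parser that splits the two SDDL strings from the sysvolcheck error quoted in this thread into owner, group, DACL flags and ACEs, and lists every component in which they differ. The function names and the alias and rights tables are assumptions made for this example; only the two SDDL strings come from the thread.

```python
import re
from collections import Counter

# The two SDDL strings from the sysvolcheck error quoted in this thread.
ON_DISK = ("O:BAG:DUD:(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
           "(A;;0x001f01ff;;;BA)(A;OICIIO;0x001f01ff;;;CO)"
           "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
           "(A;OICI;0x001200a9;;;ED)")
EXPECTED = ("O:DAG:DAD:P(A;OICI;0x001f01ff;;;DA)(A;OICI;0x001f01ff;;;EA)"
            "(A;OICIIO;0x001f01ff;;;CO)(A;OICI;0x001f01ff;;;DA)"
            "(A;OICI;0x001f01ff;;;SY)(A;OICI;0x001200a9;;;AU)"
            "(A;OICI;0x001200a9;;;ED)")

# Standard SDDL SID aliases that occur in those strings.
ALIASES = {
    "BA": "BUILTIN\\Administrators", "DA": "Domain Admins",
    "DU": "Domain Users", "EA": "Enterprise Admins",
    "CO": "Creator Owner", "SY": "Local System",
    "AU": "Authenticated Users", "ED": "Enterprise Domain Controllers",
}
# The two access masks that occur in those strings.
RIGHTS = {0x001F01FF: "full control", 0x001200A9: "read and execute"}

# Handles the O:, G: and D: components only (no SACL), which is all the
# error message contains. DACL flag "P" means the DACL is protected, i.e.
# it does not inherit ACEs from the parent directory.
SDDL_RE = re.compile(
    r"^O:(?P<owner>S-1-[0-9-]+|[A-Z]{2})"
    r"G:(?P<group>S-1-[0-9-]+|[A-Z]{2})"
    r"D:(?P<flags>[A-Z]*)(?P<aces>(?:\([^()]*\))*)$")


def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags and a list of ACEs."""
    m = SDDL_RE.match(sddl.strip())
    if m is None:
        raise ValueError("unsupported or malformed SDDL: %r" % sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group("aces")):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("ACE does not have 6 fields: %r" % body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields
        # Hex masks are normalised to int; symbolic rights (e.g. "FA") stay text.
        if rights.lower().startswith("0x"):
            rights = int(rights, 16)
        aces.append((ace_type, flags, rights, trustee))
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}


def diff_sddl(on_disk, expected):
    """Return every component that differs; ACEs are compared as multisets."""
    a, b = parse_sddl(on_disk), parse_sddl(expected)
    diff = {k: (a[k], b[k]) for k in ("owner", "group", "dacl_flags")
            if a[k] != b[k]}
    have, want = Counter(a["aces"]), Counter(b["aces"])
    diff["aces_only_on_disk"] = list((have - want).elements())
    diff["aces_only_expected"] = list((want - have).elements())
    return diff


def describe_ace(ace):
    """Render one parsed ACE as readable text using the tables above."""
    ace_type, flags, rights, trustee = ace
    kind = {"A": "allow", "D": "deny"}.get(ace_type, ace_type)
    who = ALIASES.get(trustee, trustee)
    if isinstance(rights, int):
        what = RIGHTS.get(rights, "0x%08x" % rights)
    else:
        what = rights
    return "%s %s: %s (%s)" % (kind, who, what, flags or "no inheritance flags")


if __name__ == "__main__":
    result = diff_sddl(ON_DISK, EXPECTED)
    for key in ("owner", "group", "dacl_flags"):
        if key in result:
            print("%-10s on disk=%r expected=%r" % ((key,) + result[key]))
    for ace in result["aces_only_on_disk"]:
        print("only on disk : " + describe_ace(ace))
    for ace in result["aces_only_expected"]:
        print("only expected: " + describe_ace(ace))
```

Run on the two strings from this thread, it reports the owner, the group, the DACL protected flag and one ACE on each side as differing.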

On 16.11.2015 15:19, L.P.H. van Belle wrote:
> Victor,
>
> Do a simple test.
> From the pc which is not working correctly.
>
> Ping member1
> Ping member1.fqdn
>
> Do both resolve? Or only 1 and if 1 which one.
>
>
> Greetz,
>
> Louis

Just as a side note, I am getting the DNS register warning message on
*all* win clients, not just that one.

And yes, both pings resolve.

Viktor

Ok,

> I am getting the DNS register warning message on
> *all* win clients, not just that one.

Good info, so, this confirms it's not a bug but an incorrect setting.

Type ipconfig /all on a pc.
Post the output, I suspect, incorrect dnsdomain or dns search domain.

Also.
Check if the PTR records are set to the correct server ips.
This does not change on its own.

Ldbsearch from below gives 192.168.0.13
Which is different from other outputs.

And check your /etc/hosts file.

Greetz,

Louis

Other thing.

If your domain name is like domain.tld
By default, Windows does not send updates to top-level domains.
If that's the case you should change it to a single-label dns.

https://support.microsoft.com/en-us/kb/300684

Greetz,

Louis