
Re: [Samba] samba Digest, Vol 172, Issue 2




Hello Rowland

I changed the rights from 600 (root:root) to 660 (root:bind) and I get the following error message.


02-Apr-2017 14:56:15.190 client 192.168.99.6#54534 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
02-Apr-2017 14:56:15.194 client 192.168.99.6#64810 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:15.199 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.200 client 192.168.99.6#51349: update 'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:15.200 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.203 client 192.168.99.6#52735 (336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb): query: 336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb IN TKEY -T (192.168.99.8)
02-Apr-2017 14:56:15.238 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.240 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
02-Apr-2017 14:56:15.240 client 192.168.99.6#54726/key client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.240 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:15.242 client 192.168.99.6#55115 (6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + (192.168.99.8)
02-Apr-2017 14:56:15.246 client 192.168.99.6#63569 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:15.251 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.252 client 192.168.99.6#58125: update '99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:15.252 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.253 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.255 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR error=insufficient access rights
02-Apr-2017 14:56:15.255 client 192.168.99.6#60594/key client006$@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.256 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.189 client 192.168.99.6#60714 (client006.my.domain.de): query: client006.my.domain.de IN SOA + (192.168.99.8)
02-Apr-2017 14:56:18.194 client 192.168.99.6#49834 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:18.199 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.200 client 192.168.99.6#58125: update 'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:18.200 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.202 samba_dlz: starting transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.204 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA error=insufficient access rights
02-Apr-2017 14:56:18.204 client 192.168.99.6#49384/key client006$@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.204 samba_dlz: cancelling transaction on zone MY.DOMAIN.DE
02-Apr-2017 14:56:18.207 client 192.168.99.6#50993 (6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + (192.168.99.8)
02-Apr-2017 14:56:18.211 client 192.168.99.6#52455 (client008.my.domain.de): query: client008.my.domain.de IN A + (192.168.99.8)
02-Apr-2017 14:56:18.216 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.216 client 192.168.99.6#50421: update '99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:18.217 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.218 samba_dlz: starting transaction on zone 99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.220 samba_dlz: disallowing update of signer=client006$@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR error=insufficient access rights
02-Apr-2017 14:56:18.220 client 192.168.99.6#51170/key client006$@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.220 samba_dlz: cancelling transaction on zone 99.168.192.in-addr.arpa


The rights of /var/lib/samba/private/ are

drwxrwx--- 3 root bind 4,0K Mar 31 12:12 dns
-rw-r----- 1 root bind  792 Mar 31 10:49 dns.backup
-rw-r----- 1 root bind  792 Mar 31 12:12 dns.keytab
-rw------- 1 root root 1,9K Jul  8  2015 dns_update_cache
-rw-r--r-- 1 root root 3,2K Jul  8  2015 dns_update_list
-rw------- 1 root root 1,3M Jul  8  2015 hkcr.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hkcu.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hklm.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hku.ldb
-rw------- 1 root root 5,9M Mar 30 14:23 idmap.ldb
-rw------- 1 root root 5,9M Oct 18 13:24 idmap.ldb.old
-rw-r--r-- 1 root root   93 Jul  8  2015 krb5.conf
srwxrwxrwx 1 root root    0 Apr  2 14:42 ldapi
drwxr-x--- 2 root root 4,0K Apr  2 14:42 ldap_priv
drwx------ 2 root root 4,0K Apr  2 15:07 msg.sock
-rw-r--r-- 1 root root  780 Mar 31 12:12 named.conf
-r--r--r-- 1 root root  408 Mar 31 09:46 named.conf.update
-rw-r--r-- 1 root root 2,1K Mar 31 12:12 named.txt
-rw------- 1 root root  696 Apr  2 14:42 netlogon_creds_cli.tdb
-rw------- 1 root root 1,3M Jul  8  2015 privilege.ldb
-rw------- 1 root root  696 Jul  8  2015 randseed.tdb
-rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
drwxr-x--- 2 root bind 4,0K Mar 31 12:12 sam.ldb.d
-rw------- 1 root root  696 Apr  2 14:42 schannel_store.tdb
-rw------- 1 root root 1,2K Jul  8  2015 secrets.keytab
-rw------- 1 root root 1,3M Mar 31 12:12 secrets.ldb
-rw------- 1 root root 420K Jul  8  2015 secrets.tdb
-rw------- 1 root root 1,3M Jul  8  2015 share.ldb
drwxr-xr-x 3 root root 4,0K Feb 16  2016 smbd.tmp
-rw-r--r-- 1 root root  955 Jul  8  2015 spn_update_list
drwx------ 2 root root 4,0K Jul  8  2015 tls

Are the rights ok?


I created the dns entry with samba-tool. Is this a problem?

How can I check whether I have problems with access rights, for example if bind cannot read or write a file? Currently I check bind with "named -u bind -f -g 2>&1 | tee /etc/bind/named.log".

For testing I assigned bind a shell (bash), and I can read the file sam.ldb as user bind.

Karl Heinz


On 02.04.2017 at 14:00, samba-request@xxxxxxxxxxxxxxx wrote:

Hello

We have installed 4 Sernet AD controllers on Debian 8.7 with bind9. If
we run ipconfig /registerdns on a Windows client, an
error message appears in the log files:

31-Mar-2017 11:08:49.270 client 192.168.99.6#50357
(client006.my.domain.de): query: client006.my.domain.de IN SOA +
(192.168.99.8)
31-Mar-2017 11:08:49.274 client 192.168.99.6#51046
(client008.my.domain.de): query: client008.my.domain.de IN A +
(192.168.99.8)
31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone
my.domain.de
31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update
'my.domain.de/IN' denied
31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone
my.domain.de
31-Mar-2017 11:08:49.282 client 192.168.99.6#58242
(196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
(192.168.99.8)
31-Mar-2017 11:08:49.285 client 192.168.99.6#51560
(6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA +
(192.168.99.8)
31-Mar-2017 11:08:49.288 client 192.168.99.6#58260
(client008.my.domain.de): query: client008.my.domain.de IN A +
(192.168.99.8)
31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update
'99.30.172.in-addr.arpa/IN' denied
31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone
99.30.172.in-addr.arpa
31-Mar-2017 11:08:49.297 client 192.168.99.6#60163
(196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
(192.168.99.8)

If we execute
samba_dnsupdate --verbose --all-names
no errors are displayed.

The rights of /var/lib/samba/private/dns/sam.ldb.d/*
are 660.

relevant content of /etc/bind/named.conf.options
-------------------------------------------------
allow-update { any;};
tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
dnssec-validation no;
dnssec-enable no;

We run
------
samba_upgradedns --dns-backend=BIND9_DLZ

/etc/samba/smb.conf
-------------------
server services = -dns

named -V
--------
BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e>
built by make with '--prefix=/usr' '--mandir=/usr/share/man'
'--infodir=/usr/share/info'
'--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
'--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
'--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
'--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
'--enable-filter-aaaa'
'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks
-DDIG_SIGCHASE -O2'
compiled by GCC 4.9.2
using OpenSSL version: OpenSSL 1.0.1t  3 May 2016
using libxml2 version: 2.9.1

Timesync
---------
correct time

In named.conf.local we have not created a zone for "my.domain.de".
I think this is not necessary.

dpkg -l | grep sernet
----------------------
ii  libwbclient0:amd64               99:4.5.7-16 amd64        Glue
package for sernet-samba-libs.
ii  sernet-samba                     99:4.5.7-16 amd64        SMB/CIFS
file, print, and login server for Unix
ii  sernet-samba-ad                  99:4.5.7-16 amd64        Samba
Active Directory Domain Controller
ii  sernet-samba-client              99:4.5.7-16 amd64        a
LanManager-like simple client for Unix
ii  sernet-samba-common              99:4.5.7-16 all          Samba
common files used by both the server and the client
ii  sernet-samba-keyring             1.5 all          GnuPG archive keys
of the SerNet Samba archive
ii  sernet-samba-libs:amd64          99:4.5.7-16 amd64        Samba
common library files used by both the server and the client
ii  sernet-samba-libsmbclient0:amd64 99:4.5.7-16 amd64        Shared
library that allows applications to talk to SMB servers
ii  sernet-samba-winbind             99:4.5.7-16 amd64        Samba
nameservice integration server

Can anybody help me?



Re: [Samba] Dynamic updates of windows clients.eml

Subject: Re: [Samba] Dynamic updates of windows clients
From: Rowland Penny <rpenny@xxxxxxxxx>
Date: 01.04.2017 17:24
To: samba@xxxxxxxxxxxxxxx


On Sat, 1 Apr 2017 16:44:38 +0200
Karl Heinz Wichmann via samba <samba@xxxxxxxxxxxxxxx> wrote:


The rights of /var/lib/samba/private/dns/sam.ldb.d/*
are 660.

Just in case you don't know, do not touch the files inside
private/dns/sam.ldb.d or private/sam.ldb.d

Right having got that out of the way, who
owns /var/lib/samba/private/sam.ldb ?

It should be root:bind with 660 permissions.

Rowland





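Karl asks above how to check whether bind can read or write a file without starting named and reading its log. The script below is an added example for this thread; it is not code from the thread, from Samba or from BIND. It evaluates the classic Unix mode bits of every regular file under a directory for one uid and its list of gids (on the DC, those of the bind user, taken from `id -u bind` and `id -G bind`), and prints the access each file grants, so anything the DLZ module will fail to open shows up before named is started. Assumptions: GNU coreutils `stat -c` (as on Debian); only mode bits are modelled, not POSIX ACLs, AppArmor/SELinux or the search (x) bit on parent directories. The files used in the check are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba/BIND.
# Reports, for one uid and its group list, the read/write access that the
# Unix mode bits grant on every regular file under a directory.
# Assumes GNU coreutils `stat -c`. Only classic mode bits are modelled:
# POSIX ACLs, AppArmor/SELinux and the x bit on parent dirs are not checked.

# access_of UID "GID1 GID2 ..." PATH
# Prints one of: rw, r-, -w, -- (the access the mode bits grant that uid).
access_of() {
    a_uid=$1; a_gids=$2; a_path=$3
    a_info=$(stat -c '%u %g %a' "$a_path" 2>/dev/null) || return 2
    set -- $a_info
    a_owner=$1; a_group=$2; a_mode=$3
    # root bypasses discretionary access control entirely
    if [ "$a_uid" = 0 ]; then echo rw; return 0; fi
    # normalise to four octal digits and drop setuid/setgid/sticky
    a_mode=$(printf '%04d' "$a_mode")
    a_mode=${a_mode#?}
    a_own=${a_mode%??}; a_rest=${a_mode#?}; a_grp=${a_rest%?}; a_oth=${a_mode#??}
    # the kernel picks exactly one class: owner, else group, else other
    if [ "$a_uid" = "$a_owner" ]; then
        a_digit=$a_own
    else
        a_digit=$a_oth
        for g in $a_gids; do
            if [ "$g" = "$a_group" ]; then a_digit=$a_grp; break; fi
        done
    fi
    a_r=-; a_w=-
    [ $((a_digit & 4)) -ne 0 ] && a_r=r
    [ $((a_digit & 2)) -ne 0 ] && a_w=w
    printf '%s%s\n' "$a_r" "$a_w"
}

# report_tree UID "GIDS" DIR
# Prints "<access> <path>" for every regular file under DIR.
report_tree() {
    r_uid=$1; r_gids=$2; r_dir=$3
    find "$r_dir" -type f | while IFS= read -r f; do
        printf '%s %s\n' "$(access_of "$r_uid" "$r_gids" "$f")" "$f"
    done
}

# not_rw_count UID "GIDS" DIR
# Number of files under DIR the uid cannot both read and write.
not_rw_count() {
    report_tree "$1" "$2" "$3" | grep -vc '^rw '
}

# Usage on a DC, as root, for the account named runs under (`named -u bind`):
#   report_tree "$(id -u bind)" "$(id -G bind)" /var/lib/samba/private | grep -v '^rw '
# Treat the output as a list to review, not a list to chmod: files such as
# secrets.keytab and secrets.ldb are meant to stay root-only; compare each
# entry against what the BIND9_DLZ backend actually needs.
if [ $# -eq 3 ]; then
    report_tree "$1" "$2" "$3"
fi
```

The result for a file depends only on which of the three classes the kernel assigns the caller to, which is why a file that is `-rw-r-----` root:bind shows `r-` for bind even though bind is in the group: the group digit is 4, and the `other` digit is never consulted for a group member. That is exactly the distinction between the 640 and 660 settings discussed in the thread.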
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba