Web lists-archives.com

Re: [Samba] Access denied editing DNS using RSAT




On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:
> Hello,
> 
> I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
> a problem trying to add some DNS entries. When I open the RSAT DNS manager
> I got an Access Denied error and I can't edit the zones.
> 
> My config file is the generated by samba-tool and I'm using Samba 4.7.0rc5
> compiled on a Debian 8 amd64:
> [global]
>         netbios name = DC1
>         realm = DOMAIN.DOM
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 8.8.8.8
> 
> [netlogon]
>         path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
>         read only = No
> 
> [sysvol]
>         path = /server/samba/bin/var/locks/sysvol
>         read only = No
> 
> All seems to be working fine, because I'm able to join the domain, login on
> that computer and manage other things like Users and Groups, Policies...
> but DNS just drops me an Acces Denied message.
> 
> The log shows this:
> [2017/09/12 11:17:01.416939,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
> [2017/09/12 11:17:01.444307,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
> [2017/09/12 11:17:01.469071,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
> [2017/09/12 11:17:01.494096,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
> 
> 
> Is there any way to fix this?, Maybe I forgot something like add the
> computer to a group for example... I'm using the Administrator user, so it
> should have access to all.
> 
> Thanks, and greetings!!

We have a restriction to disallow un-protected dce/rpc sessions, as
they are just too each to hijack.  You can use samba-tool or set

allow dcerpc auth level connect = yes

I hope this helps,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba