[Samba] dynamic update for reverse lookup zone denied - insufficient access rights




Hello,

I'm struggling with an error for secure dynamic dns updates for reverse lookup zones.

My environment:

2 Samba 4.8.4 DCs with BIND DLZ as DNS backend, running on CentOS 7.5. Samba was compiled from source with default Heimdal Kerberos (./configure --with-systemd --enable-gnutls) /I know now that --with-systemd is not needed, but didn't know that at the time of compilation/.

BIND was installed from the default CentOS repo. I read about supposed issues with secure updates, but:

a) secure updates for forward lookup zone work fine

b) reverse updates were working fine prior to update (more on this later on)

My DC smb.conf (the 2nd DC has the same, just the name is DC2):

[global]
        netbios name = DC1
        realm = SOMEREALM.COM
        workgroup = SOMEREALM
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        load printers = no
        printing = bsd
        printcap name = /dev/null
        disable spoolss = yes

        allow dns updates = secure
        server services = -dns
        tls enabled = yes
        tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
        tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
        tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem

        apply group policies = yes

        ntlm auth = mschapv2-and-ntlmv2-only



[netlogon]
        path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
        read only = No

[sysvol]
        path = /usr/local/samba/var/locks/sysvol
        read only = No


Secure updates for the forward lookup zone generally work fine, with one small exception: if I add to AD a host that previously existed, it won't allow the update either; but ALL reverse lookup updates fail. I can add the client manually.


Named output looks like this:

Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        1200        IN        A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        1200        IN        A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC\$\@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa

It's not a general secure update issue, rather something specific to reverse zones (all of them), but I'm not sure how to handle this, so any general advice, or a direction where to look, is appreciated.

Regards,

Kacper
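A small log triage helper for the pattern described in this post, added here as an example and not part of the original message or of Samba/BIND: it pairs each samba_dlz "disallowing update" denial with the zone of the surrounding transaction and with the client IP from the following REFUSED line, and flags whether the denied name sits in a reverse zone, so a "reverse zones only" pattern is visible from the counts. The sample log lines are constructed after the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample of named/samba_dlz log lines, modelled on the output quoted in the post.
SAMPLE_LOG = r"""
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC\$\@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa
"""

TXN_RE = re.compile(r"samba_dlz: starting transaction on zone (?P<zone>\S+)")
DENY_RE = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                     r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$")
REFUSED_RE = re.compile(r"client (?P<client>[0-9a-fA-F.:]+)#\d+/key (?P<signer>\S+): "
                        r"updating zone '(?P<zone>[^/']+)/[^']*': update failed: (?P<reason>.+)$")

def is_reverse_zone(name):
    """PTR data lives under in-addr.arpa (IPv4) or ip6.arpa (IPv6)."""
    return name.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))

def parse_denials(log_text):
    """One record per samba_dlz access denial, joined with the zone of the enclosing
    transaction and the client IP taken from the following REFUSED line."""
    denials, zone = [], None
    for line in log_text.splitlines():
        if m := TXN_RE.search(line):
            zone = m["zone"]                      # remember which zone is being updated
        elif m := DENY_RE.search(line):
            denials.append({"zone": zone, "signer": m["signer"], "name": m["name"],
                            "rtype": m["rtype"], "error": m["error"].strip(),
                            "reverse": is_reverse_zone(m["name"]), "client": None})
        elif ((m := REFUSED_RE.search(line)) and denials
              and denials[-1]["client"] is None and denials[-1]["zone"] == m["zone"]):
            denials[-1]["client"] = m["client"]   # attach the refusing client to the denial
    return denials

def summarize(denials):
    """Count denials per (zone, error) so a reverse-zone-only pattern stands out."""
    return Counter((d["zone"], d["error"]) for d in denials)

if __name__ == "__main__":
    for (zone, error), n in summarize(parse_denials(SAMPLE_LOG)).items():
        print(f"{n} denial(s) in {zone}: {error}")
```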
