
Re: [Samba] dynamic update for reverse lookup zone denied - insufficient access rights

On Tue, 6 Nov 2018 11:24:43 +0100
Kacper Wirski via samba <samba@xxxxxxxxxxxxxxx> wrote:

> Hello,
> 
> I'm struggling with an error for secure dynamic dns updates for
> reverse lookup zones.
> 
> My environment:
> 
> 2 Samba 4.8.4 DCs with BIND DLZ as the DNS backend, running on CentOS
> 7.5. Samba was compiled from source with the default Heimdal Kerberos
> (./configure --with-systemd --enable-gnutls) /I know now that
> --with-systemd is not needed, but didn't know that at the time of
> compilation/.
> 
> BIND was installed from default centos repo. I read about supposed 
> issues with secure updates, but :
> 
> a) secure updates for forward lookup zone work fine
> 
> b) reverse updates were working fine prior to update (more on this
> later on)
> 
> my DC smb.conf (the 2nd DC has the same, just the name is DC2):
> 
> [global]
>          netbios name = DC1
>          realm = SOMEREALM.COM
>          workgroup = SOMEREALM
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          allow dns updates = secure
>          server services = -dns
>          tls enabled = yes
>          tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
>          tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
>          tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
> 
>          apply group policies = yes
> 
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
> 
> 
> [netlogon]
>          path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
>          read only = No
> 
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> 
> 
> Secure updates for the forward lookup zone generally work fine, with one
> small exception: if I add to AD a host that previously existed, it
> won't allow the update either. But ALL reverse lookup updates fail. I can
> add the client manually.
> 
> 
> Named output looks like this:
> 
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
> 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted 
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        
> 1200        IN        A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
> 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> 1200 IN        A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed 
> transaction on zone somerealm.com
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting 
> transaction on zone 210.168.192.in-addr.arpa
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing 
> update of signer=WINDOWS-PC\$\@somerealm.com 
> name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone 
> '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure 
> update (REFUSED)
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling 
> transaction on zone 210.168.192.in-addr.arpa
> 
> It's not a general secure update issue, rather something specific to
> reverse zones (all of them), but I'm not sure how to handle this, so
> any general advice is appreciated, or a direction where to look.
> 

The only entity that can update a DNS record is the one that created
it or a user with sufficient authority to do so.
You have 'allow dns updates = secure' in smb.conf; you could try
changing this to 'nonsecure'.

Rowland

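The named output above carries enough to answer the question Rowland's reply raises (who is the signer, and which zone refuses it) without touching the DCs. The following is an added example, not code from the thread or from Samba or BIND: a small parser that reads samba_dlz/named lines, reports every "disallowing update" denial per signer, counts REFUSED transactions per (signer, zone), flags whether the refused name sits in a reverse zone, and checks that the refused PTR name is the reverse pointer of the A record the same client had just committed. The log lines in SAMPLE_LOG are constructed to mirror the ones posted; the host, IP and signer are the thread's placeholders. One caveat that belongs next to the suggested workaround: in smb.conf, 'nonsecure' is the alias of 'nonsecure and secure', so after that change unsigned updates are accepted on every zone, not only the reverse ones.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample, modelled on the named/samba_dlz lines posted in the
# thread (hostname, IP and signer are the thread's own placeholders).
SAMPLE_LOG = """\
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC$@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC$@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC$@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa
"""

# samba_dlz line written when an A record was actually added to the zone
ADDED_A_RE = re.compile(
    r"samba_dlz: added rdataset (?P<name>\S+) '\S+\s+\d+\s+IN\s+A\s+(?P<ip>[\d.]+)'")
# samba_dlz line written when the ACL check on the target record fails
DENIED_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"type=(?P<type>\S+) error=(?P<error>.+)$")
# named's own summary of the refused secure-update transaction
REFUSED_RE = re.compile(
    r"client (?P<client>\S+)/key (?P<signer>\S+): updating zone "
    r"'(?P<zone>[^/']+)/[^']*': update failed: rejected by secure update \(REFUSED\)")


def is_reverse_name(name):
    """True for owner names under in-addr.arpa / ip6.arpa (reverse lookup zones)."""
    return name.lower().rstrip(".").endswith((".in-addr.arpa", ".ip6.arpa"))


def parse_log(text):
    """Collect committed A records, per-record denials and per-zone REFUSED counts."""
    added_a = {}         # forward owner name -> IPv4 address
    denials = []         # dicts with signer, name, type, error
    refused = Counter()  # (signer, zone) -> number of REFUSED transactions
    for line in text.splitlines():
        if m := ADDED_A_RE.search(line):
            added_a[m["name"].rstrip(".").lower()] = m["ip"]
        elif m := DENIED_RE.search(line):
            denials.append(m.groupdict())
        elif m := REFUSED_RE.search(line):
            refused[(m["signer"], m["zone"])] += 1
    return added_a, denials, refused


def correlate(text):
    """Annotate each denial: reverse-zone name or not, and which A record it belongs to."""
    added_a, denials, refused = parse_log(text)
    # ip_address(...).reverse_pointer yields e.g. '16.210.168.192.in-addr.arpa'
    ptr_owner = {ip_address(ip).reverse_pointer: host for host, ip in added_a.items()}
    report = []
    for d in denials:
        report.append({
            **d,
            "reverse_zone": is_reverse_name(d["name"]),
            "forward_record": ptr_owner.get(d["name"].rstrip(".").lower()),
        })
    return report, refused


if __name__ == "__main__":
    report, refused = correlate(SAMPLE_LOG)
    for r in report:
        print(f"{r['signer']} denied {r['type']} {r['name']} ({r['error']}); "
              f"reverse zone: {r['reverse_zone']}; belongs to A record: {r['forward_record']}")
    for (signer, zone), n in refused.items():
        print(f"{n} REFUSED transaction(s) by {signer} on zone {zone}")
```

Run it against `journalctl -u named` output instead of SAMPLE_LOG to see, per machine account, whether denials are confined to reverse zones as in the thread, or whether forward-zone denials (the "host that previously existed" case) show up too; a PTR whose forward_record comes back as None was refused for an address the same log never saw committed, which is a different problem from the ACL one.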