insufficient access rights [ Was - Samba4 DNS Updates - Linux Clients - Is it possible?]

Daniele Dario d.dario76 at gmail.com
Wed Feb 1 08:57:34 MST 2012


Hi Amitay,

On Wed, 2012-01-25 at 23:34 +1100, Amitay Isaacs wrote:
> >>
> >> The fix for DNS updates failing is in the master.
> >>
> >> Amitay.
> >
> > Hi Amitay,
> >
> > As Daniele hijacked the original thread, I've changed the title.
> >
> > I did a 'git pull' this morning at about 7am and the 'insufficient access
> > rights' problem is still there when joining an XP client. As a matter of
> > interest, this issue did not exist a short while ago.
> >
> > Regards,
> > Mike.
> > --
> > Any question is easy if you know the answer!
> 
> Hi Mike,
> 
> Can you confirm you have the following patch in the git tree you pulled?
> 
> dc4ef9b57b7e5f6f44ccf799a26b497c6025609b dlz_bind9: for authenticated
> user, set the AUTHENTICATED USERS sid in token
> 
> If the problem is persisting after the patch, can you check if there is an
> entry for the windows XP in DNS records?
> 
> ldbsearch -H /path/to/sam.ldb -b
> "DC=DomainDnsZones,DC=your,DC=domain,DC=name"
> "(name=windowsxp-hostname)"
> 
> 
> Amitay.

I updated both the DCs to the latest git (Version 4.0.0alpha18-GIT-c83ce7b)
but I still find the 'insufficient access rights' problem for many of
the WinXP hosts.

For example, for the activity host I have:
01-Feb-2012 15:48:24.785 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
01-Feb-2012 15:48:24.790 database: info: samba_dlz: disallowing update
of signer=activity$@SAITELITALIA.LOCAL
name=activity.saitelitalia.local type=A error=insufficient access rights
01-Feb-2012 15:48:24.790 update: info: client 192.168.12.12#63862/key
activity$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
update failed: rejected by secure update (REFUSED)
01-Feb-2012 15:48:24.790 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local

[root@kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
"DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=activity)"
# record 1
dn:
DC=activity,DC=saitelitalia.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=saitelitalia,DC=local
objectClass: top
objectClass: dnsNode
instanceType: 4
whenCreated: 20120131123039.0Z
whenChanged: 20120131123039.0Z
uSNCreated: 4583
uSNChanged: 4583
showInAdvancedViewOnly: TRUE
name: activity
objectGUID: 3082b335-fb49-43be-9739-7422d74032c3
dnsRecord:: BAABAAXwAABYAAAAAAADhAAAAAAM/DYAwKgMDA==
objectCategory:
CN=Dns-Node,CN=Schema,CN=Configuration,DC=saitelitalia,DC=loca
 l
dc: activity
distinguishedName:
DC=activity,DC=saitelitalia.local,CN=MicrosoftDNS,DC=Domain
 DnsZones,DC=saitelitalia,DC=local

# returned 1 records
# 1 entries
# 0 referrals

I also tried (as per
http://blog.matws.net/post/2009/09/03/DDNS-with-Windows-and-Samba4 ) to
move some hosts (activity for example) into an OU named computers and
to create a GPO which forces only secure updates, but nothing changed.

git log says that patch dc4ef9b57b7e5f6f44ccf799a26b497c6025609b
dlz_bind9: for authenticated user, set the AUTHENTICATED USERS sid in
token is in.

I've also seen that for some hosts the problem does not happen.
This host is a WinXP host:

01-Feb-2012 13:11:01.308 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
01-Feb-2012 13:11:01.309 update-security: error: client
192.168.12.209#59677: update 'saitelitalia.local/IN' denied
01-Feb-2012 13:11:01.309 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local
01-Feb-2012 13:11:01.345 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
01-Feb-2012 13:11:01.349 database: info: samba_dlz: allowing update of
signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
tcpaddr= type=A key=xxxx-xx-x.xxx-xxxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx
-xxxxxxxxxxxx/xxx/x
01-Feb-2012 13:11:01.352 database: info: samba_dlz: allowing update of
signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local
tcpaddr= type=A key=xxxx-xx-x.xxx-xxxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx
-xxxxxxxxxxxx/xxx/x
01-Feb-2012 13:11:01.353 update: info: client 192.168.12.209#51471/key
antoniodm$@SAITELITALIA.LOCAL: updating zone
'saitelitalia.local/NONE': deleting rrset at
'antoniodm.saitelitalia.local' A
01-Feb-2012 13:11:01.368 database: info: samba_dlz: subtracted rdataset
antoniodm.saitelitalia.local 'antoniodm.saitelitalia.local.     1200
IN      A       192.168.12.209'
01-Feb-2012 13:11:01.370 update: info: client 192.168.12.209#51471/key
antoniodm$@SAITELITALIA.LOCAL: updating zone
'saitelitalia.local/NONE': adding an RR at
'antoniodm.saitelitalia.local' A
01-Feb-2012 13:11:01.377 database: error: samba_dlz: added
antoniodm.saitelitalia.local antoniodm.saitelitalia.local.   1200    IN
A       192.168.12.209
01-Feb-2012 13:11:01.538 database: info: samba_dlz: committed
transaction on zone saitelitalia.local

And this is a Vista host:

01-Feb-2012 15:19:44.884 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
01-Feb-2012 15:19:44.885 update-security: error: client
192.168.12.210#58077: update 'saitelitalia.local/IN' denied
01-Feb-2012 15:19:44.885 database: info: samba_dlz: cancelling
transaction on zone saitelitalia.local
01-Feb-2012 15:19:44.926 database: info: samba_dlz: starting transaction
on zone saitelitalia.local
01-Feb-2012 15:19:44.931 database: info: samba_dlz: allowing update of
signer=pcdino$@SAITELITALIA.LOCAL name=pcdino.saitelitalia.local
tcpaddr= type=AAAA
key=xxxx-xx-x.x-xxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxx/x
01-Feb-2012 15:19:44.934 database: info: samba_dlz: allowing update of
signer=pcdino$@SAITELITALIA.LOCAL name=pcdino.saitelitalia.local
tcpaddr= type=A
key=xxxx-xx-x.x-xxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxx/x
01-Feb-2012 15:19:44.938 database: info: samba_dlz: allowing update of
signer=pcdino$@SAITELITALIA.LOCAL name=pcdino.saitelitalia.local
tcpaddr= type=A
key=xxxx-xx-x.x-xxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxx/x
01-Feb-2012 15:19:44.938 update: info: client 192.168.12.210#61192/key
pcdino$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
deleting rrset at 'pcdino.saitelitalia.local' AAAA
01-Feb-2012 15:19:44.939 update: info: client 192.168.12.210#61192/key
pcdino$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
deleting rrset at 'pcdino.saitelitalia.local' A
01-Feb-2012 15:19:44.955 database: info: samba_dlz: subtracted rdataset
pcdino.saitelitalia.local 'pcdino.saitelitalia.local.   1200    IN
A       192.168.12.210'
01-Feb-2012 15:19:44.957 update: info: client 192.168.12.210#61192/key
pcdino$@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
adding an RR at 'pcdino.saitelitalia.local' A
01-Feb-2012 15:19:44.964 database: error: samba_dlz: added
pcdino.saitelitalia.local pcdino.saitelitalia.local. 1200    IN      A
192.168.12.210
01-Feb-2012 15:19:45.139 database: info: samba_dlz: committed
transaction on zone saitelitalia.local

What am I doing wrong?

Thanks,
Daniele.
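The two pieces of evidence in this message, the base64 dnsRecord value from ldbsearch and the samba_dlz lines from the BIND log, are both easier to read once decoded and grouped. The following helper is an added example and is not code from this thread, from Samba or from BIND: it decodes a dnsRecord value using the DNS_RPC_RECORD layout (the 24-byte header followed by the record data, with the TTL field stored big-endian) and groups the samba_dlz "allowing"/"disallowing" lines by signer so refused hosts stand out. The sample log lines are constructed from the excerpts above, unwrapped onto single lines; the helper names, the DNS_TYPES table and the rank comment are this example's own.

```python
"""Triage helpers for Samba4 dlz_bind9 secure-update refusals (added example)."""
import base64
import re
import struct
from datetime import datetime, timedelta, timezone

# DNS record type codes used by the dnsRecord attribute (subset).
DNS_TYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 28: "AAAA", 33: "SRV"}

# Constructed sample: the thread's log lines, each unwrapped onto one line.
SAMPLE_LOG = [
    "01-Feb-2012 15:48:24.790 database: info: samba_dlz: disallowing update of "
    "signer=activity$@SAITELITALIA.LOCAL name=activity.saitelitalia.local type=A "
    "error=insufficient access rights",
    "01-Feb-2012 13:11:01.349 database: info: samba_dlz: allowing update of "
    "signer=antoniodm$@SAITELITALIA.LOCAL name=antoniodm.saitelitalia.local "
    "tcpaddr= type=A key=xxxx-xx-x.xxx-xxxxxxxx.xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxx/x",
]
# The dnsRecord value ldbsearch printed for the 'activity' node above.
ACTIVITY_DNSRECORD = "BAABAAXwAABYAAAAAAADhAAAAAAM/DYAwKgMDA=="


def decode_dns_record(b64_value):
    """Decode one dnsRecord value (ldbsearch prints binary attributes base64 after '::')."""
    raw = base64.b64decode(b64_value)
    if len(raw) < 24:
        raise ValueError("dnsRecord shorter than the 24-byte header")
    # wDataLength, wType, version, rank, flags, dwSerial: little-endian.
    data_len, rtype, version, rank, flags, serial = struct.unpack_from("<HHBBHI", raw, 0)
    # dwTtlSeconds is stored in network (big-endian) byte order.
    (ttl,) = struct.unpack_from(">I", raw, 12)
    # dwReserved and dwTimeStamp: little-endian; timestamp is hours since 1601-01-01 UTC,
    # 0 meaning a static (never-aging) record.
    _reserved, timestamp = struct.unpack_from("<II", raw, 16)
    data = raw[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord data truncated")
    rec = {
        "type": DNS_TYPES.get(rtype, rtype),
        "version": version,
        "rank": rank,  # 0xf0 is the rank of an authoritative zone record
        "flags": flags,
        "serial": serial,
        "ttl": ttl,
        "timestamp": None if timestamp == 0
        else datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(hours=timestamp),
    }
    if rtype == 1 and data_len == 4:
        rec["address"] = ".".join(str(b) for b in data)
    elif rtype == 28 and data_len == 16:
        rec["address"] = ":".join(f"{data[i]:02x}{data[i + 1]:02x}" for i in range(0, 16, 2))
    else:
        rec["data"] = data.hex()
    return rec


LOG_DISALLOW = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
    r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.+)$")
LOG_ALLOW = re.compile(
    r"samba_dlz: allowing update of signer=(?P<signer>\S+) name=(?P<name>\S+)")


def triage_dlz_log(lines):
    """Map each signer to (outcome, name, type, error); a refusal wins over an allow."""
    outcome = {}
    for line in lines:
        m = LOG_DISALLOW.search(line)
        if m:
            outcome[m["signer"]] = ("refused", m["name"], m["type"], m["error"])
            continue
        m = LOG_ALLOW.search(line)
        if m:
            outcome.setdefault(m["signer"], ("allowed", m["name"], None, None))
    return outcome


if __name__ == "__main__":
    rec = decode_dns_record(ACTIVITY_DNSRECORD)
    print("activity dnsRecord:", rec)
    for signer, (result, name, rtype, error) in triage_dlz_log(SAMPLE_LOG).items():
        print(f"{result:8s} {signer} -> {name}", f"({rtype}: {error})" if error else "")
```

Decoding the record shows that the existing A record for activity already points at the same address the refused client is updating from, so the refusal is about who may write the existing dnsNode, not about a missing record; that is the distinction the ldbsearch check in the quoted reply was meant to surface.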
