insufficient access rights [ Was - Samba4 DNS Updates - Linux Clients - Is it possible?]

Amitay Isaacs amitay at gmail.com
Wed Feb 1 15:20:53 MST 2012


Hi Daniele,

On Thu, Feb 2, 2012 at 2:57 AM, Daniele Dario <d.dario76 at gmail.com> wrote:
> Hi Amitay,
>
> On Wed, 2012-01-25 at 23:34 +1100, Amitay Isaacs wrote:
>> >>
>> >> The fix for DNS updates failing is in the master.
>> >>
>> >> Amitay.
>> >
>> > Hi Amitay,
>> >
>> > As Daniele hijacked the original thread, I've changed the title.
>> >
>> > I did a 'git pull' this morning at about 7am and the 'insufficient access
>> > rights' problem is still there when joining an XP client. As a matter of
>> > interest, this issue did not exist a short while ago.
>> >
>> > Regards,
>> > Mike.
>> > --
>> > Any question is easy if you know the answer!
>>
>> Hi Mike,
>>
>> Can you confirm you have the following patch in the git tree you pulled?
>>
>> dc4ef9b57b7e5f6f44ccf799a26b497c6025609b dlz_bind9: for authenticated
>> user, set the AUTHENTICATED USERS sid in token
>>
>> If the problem is persisting after the patch, can you check if there is an
>> entry for the Windows XP host in the DNS records?
>>
>> ldbsearch -H /path/to/sam.ldb -b
>> "DC=DomainDnsZones,DC=your,DC=domain,DC=name"
>> "(name=windowsxp-hostname)"
>>
>>
>> Amitay.
>
> I updated both the DCs to last git (Version 4.0.0alpha18-GIT-c83ce7b)
> but I still find the 'insufficient access rights' problem for many of
> the WinXP hosts.
>
> For example for the activity host I have:
> 01-Feb-2012 15:48:24.785 database: info: samba_dlz: starting transaction
> on zone saitelitalia.local
> 01-Feb-2012 15:48:24.790 database: info: samba_dlz: disallowing update
> of signer=activity\$\@SAITELITALIA.LOCAL
> name=activity.saitelitalia.local type=A error=insufficient access rights
> 01-Feb-2012 15:48:24.790 update: info: client 192.168.12.12#63862/key
> activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
> update failed: rejected by secure update (REFUSED)
> 01-Feb-2012 15:48:24.790 database: info: samba_dlz: cancelling
> transaction on zone saitelitalia.local

From the logs it appears that the windows-xp box activity is not able to update its
own record.

> [root at kdc01:~]# ldbsearch -H /usr/local/samba/private/sam.ldb -b
> "DC=DomainDnsZones,DC=saitelitalia,DC=local" "(name=activity)"

Can you add the --show-binary flag to ldbsearch to decode the dnsRecord attribute?

Also, more interesting would be to check the security descriptor for this record
as that would tell us how this particular record was created.

ldbsearch -H /usr/local/samba/private/sam.ldb \
          -b "DC=DomainDnsZones,DC=saitelitalia,DC=local" \
          "(name=activity)" nTSecurityDescriptor

That will show the security descriptor. And if you want to decode the SDDL
format you can add --show-binary.

I am interested in finding out the owner of the record as that will tell how
this particular record was created.

Amitay.
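As an added illustration (not code from the thread or from Samba), a small Python parser that pulls the samba_dlz "disallowing update" events out of BIND9 log text and flags the case discussed above: a machine account refused on its own host record. The sample log lines are constructed from the quoted output.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in the samba_dlz log format quoted in the thread (same host,
# zone and client address as the quoted log; re-typed here, not a real capture).
SAMPLE_LOG = r"""
01-Feb-2012 15:48:24.785 database: info: samba_dlz: starting transaction on zone saitelitalia.local
01-Feb-2012 15:48:24.790 database: info: samba_dlz: disallowing update of signer=activity\$\@SAITELITALIA.LOCAL name=activity.saitelitalia.local type=A error=insufficient access rights
01-Feb-2012 15:48:24.790 update: info: client 192.168.12.12#63862/key activity\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
01-Feb-2012 15:48:24.790 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
"""

DENIED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) database: info: samba_dlz: disallowing update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.+)$"
)

@dataclass
class DeniedUpdate:
    timestamp: str
    principal: str   # Kerberos principal without BIND's escaping, e.g. activity$@REALM
    name: str        # DNS name the client tried to update
    rtype: str
    error: str

    def is_self_update(self) -> bool:
        """True when a machine account (trailing '$') was refused on the record
        of its own host name inside its own realm, the case the thread is about."""
        user, _, realm = self.principal.partition("@")
        if not user.endswith("$"):
            return False
        host, _, zone = self.name.partition(".")
        return user[:-1].lower() == host.lower() and realm.lower() == zone.lower()

def parse_denied_updates(log_text: str) -> List[DeniedUpdate]:
    """Extract every 'disallowing update' event from BIND9 log text."""
    events = []
    for line in log_text.splitlines():
        m = DENIED_RE.match(line)
        if not m:
            continue
        signer = m.group("signer").replace("\\", "")  # drop BIND's \$ and \@ escaping
        events.append(DeniedUpdate(m.group("ts"), signer, m.group("name"),
                                   m.group("rtype"), m.group("error").strip()))
    return events

def self_update_failures(log_text: str) -> List[str]:
    """Names of records whose own machine account got 'insufficient access rights'."""
    return [e.name for e in parse_denied_updates(log_text)
            if e.error == "insufficient access rights" and e.is_self_update()]

if __name__ == "__main__":
    for name in self_update_failures(SAMPLE_LOG):
        print(f"self-update refused: {name} (check the owner in nTSecurityDescriptor)")
```

Records this reports are the ones worth inspecting with the ldbsearch query above, since the owner in the security descriptor shows how the record was originally created.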
