insufficient access rights [ Was - Samba4 DNS Updates - Linux Clients - Is it possible?]

Amitay Isaacs amitay at gmail.com
Wed Jan 25 05:34:05 MST 2012


On Wed, Jan 25, 2012 at 10:03 PM, Mike Howard <mike at dewberryfields.co.uk> wrote:
> On 25/01/2012 02:45, Amitay Isaacs wrote:
>>
>>
>>
>> 20-Jan-2012 11:10:03.080 database: info: samba_dlz: starting transaction
>> on zone saitelitalia.local
>> 20-Jan-2012 11:10:03.081 update-security: error: client
>> 192.168.12.56#60235: update 'saitelitalia.local/IN' denied
>> 20-Jan-2012 11:10:03.081 database: info: samba_dlz: cancelling
>> transaction on zone saitelitalia.local
>> 20-Jan-2012 11:10:03.110 database: info: samba_dlz: starting transaction
>> on zone saitelitalia.local
>> 20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update
>> of signer=ua01\$\@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A
>> error=insufficient access rights
>> 20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key
>> ua01\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE':
>> update failed: rejected by secure update (REFUSED)
>> 20-Jan-2012 11:10:03.115 database: info: samba_dlz: cancelling
>> transaction on zone saitelitalia.local
>>
>> but it says that signer has insufficient access rights: what rights
>> should I change or look for?
>>
>> Daniele.
>>
>> The fix for DNS updates failing is in the master.
>>
>> Amitay.
>
> Hi Amitay,
>
> As Daniele hijacked the original thread, I've changed the title.
>
> I did a 'git pull' this morning at about 7am and the 'insufficient access
> rights' problem is still there when joining an XP client. As a matter of
> interest, this issue did not exist a short while ago.
>
> Regards,
> Mike.
> --
> Any question is easy if you know the answer!

Hi Mike,

Can you confirm you have the following patch in the git tree you pulled?

dc4ef9b57b7e5f6f44ccf799a26b497c6025609b dlz_bind9: for authenticated
user, set the AUTHENTICATED USERS sid in token

If the problem is persisting after the patch, can you check if there is an
entry for the Windows XP in DNS records?

ldbsearch -H /path/to/sam.ldb \
    -b "DC=DomainDnsZones,DC=your,DC=domain,DC=name" \
    "(name=windowsxp-hostname)"


Amitay.
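
An added example, not part of the original thread and not Samba or BIND code: a small triage script for the log format quoted above, which lists each samba_dlz "disallowing update" denial with its signer, record and error, and ties it to the client address from the matching "rejected by secure update" line. The function names triage and unescape are hypothetical, and reading the backslashes in the signer as BIND's escaping of '$' and '@' is an assumption.

```python
import re
from collections import defaultdict

# Log lines from the thread above, with the e-mail line wrapping undone.
SAMPLE_LOG = r"""
20-Jan-2012 11:10:03.080 database: info: samba_dlz: starting transaction on zone saitelitalia.local
20-Jan-2012 11:10:03.081 update-security: error: client 192.168.12.56#60235: update 'saitelitalia.local/IN' denied
20-Jan-2012 11:10:03.081 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
20-Jan-2012 11:10:03.110 database: info: samba_dlz: starting transaction on zone saitelitalia.local
20-Jan-2012 11:10:03.114 database: info: samba_dlz: disallowing update of signer=ua01\$\@SAITELITALIA.LOCAL name=ua01.saitelitalia.local type=A error=insufficient access rights
20-Jan-2012 11:10:03.114 update: info: client 192.168.12.56#60543/key ua01\$\@SAITELITALIA.LOCAL: updating zone 'saitelitalia.local/NONE': update failed: rejected by secure update (REFUSED)
20-Jan-2012 11:10:03.115 database: info: samba_dlz: cancelling transaction on zone saitelitalia.local
"""

TS = r"^(?P<ts>\S+ \S+) "
DISALLOW = re.compile(TS + r"database: info: samba_dlz: disallowing update of "
                      r"signer=(?P<signer>\S+) name=(?P<name>\S+) "
                      r"type=(?P<rtype>\S+) error=(?P<error>.+)$")
REFUSED = re.compile(TS + r"update: info: client (?P<ip>[^#\s]+)#\d+/key (?P<key>\S+): "
                     r".*rejected by secure update \(REFUSED\)$")
UNSIGNED = re.compile(TS + r"update-security: error: client (?P<ip>[^#\s]+)#\d+: "
                      r"update '(?P<zone>[^'/]+)/[^']*' denied$")

def unescape(name):
    # Assumption: the backslashes are BIND's presentation escaping of '$' and '@'.
    return re.sub(r"\\(.)", r"\1", name)

def triage(log_text):
    """Return (denials, no_key): samba_dlz denials and per-zone keyless denied clients."""
    signed_from = defaultdict(set)  # signer -> client IPs whose signed update was REFUSED
    no_key = defaultdict(set)       # zone -> client IPs denied with no key in the client field
    denials = []
    for line in map(str.strip, log_text.splitlines()):
        if m := DISALLOW.match(line):
            d = m.groupdict()
            d["signer"] = unescape(d["signer"])
            denials.append(d)
        elif m := REFUSED.match(line):
            signed_from[unescape(m["key"])].add(m["ip"])
        elif m := UNSIGNED.match(line):
            no_key[m["zone"]].add(m["ip"])
    for d in denials:  # attach client IPs after the pass, since REFUSED follows DISALLOW
        d["clients"] = sorted(signed_from[d["signer"]])
    return denials, {zone: sorted(ips) for zone, ips in no_key.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```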

