[Samba] samba Digest, Vol 172, Issue 2

Karl Heinz Wichmann wichmann-karl at web.de
Sun Apr 2 13:22:31 UTC 2017


Hello Rowland

I changed the rights from 600 (root:root) to 660 (root:bind) and I get the 
following error message.


02-Apr-2017 14:56:15.190 client 192.168.99.6#54534 
(client006.my.domain.de): query: client006.my.domain.de IN SOA + 
(192.168.99.8)
02-Apr-2017 14:56:15.194 client 192.168.99.6#64810 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
02-Apr-2017 14:56:15.199 samba_dlz: starting transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:15.200 client 192.168.99.6#51349: update 
'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:15.200 samba_dlz: cancelling transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:15.203 client 192.168.99.6#52735 
(336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb): query: 
336-ms-7.59-ad98ae7.04ad5620-15fc-11e7-b5ab-525400186fdb IN TKEY -T 
(192.168.99.8)
02-Apr-2017 14:56:15.238 samba_dlz: starting transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:15.240 samba_dlz: disallowing update of 
signer=client006\$\@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA 
error=insufficient access rights
02-Apr-2017 14:56:15.240 client 192.168.99.6#54726/key 
client006\$\@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update 
failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.240 samba_dlz: cancelling transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:15.242 client 192.168.99.6#55115 
(6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + 
(192.168.99.8)
02-Apr-2017 14:56:15.246 client 192.168.99.6#63569 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
02-Apr-2017 14:56:15.251 samba_dlz: starting transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.252 client 192.168.99.6#58125: update 
'99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:15.252 samba_dlz: cancelling transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.253 samba_dlz: starting transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:15.255 samba_dlz: disallowing update of 
signer=client006\$\@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR 
error=insufficient access rights
02-Apr-2017 14:56:15.255 client 192.168.99.6#60594/key 
client006\$\@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': 
update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:15.256 samba_dlz: cancelling transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.189 client 192.168.99.6#60714 
(client006.my.domain.de): query: client006.my.domain.de IN SOA + 
(192.168.99.8)
02-Apr-2017 14:56:18.194 client 192.168.99.6#49834 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
02-Apr-2017 14:56:18.199 samba_dlz: starting transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:18.200 client 192.168.99.6#58125: update 
'MY.DOMAIN.DE/IN' denied
02-Apr-2017 14:56:18.200 samba_dlz: cancelling transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:18.202 samba_dlz: starting transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:18.204 samba_dlz: disallowing update of 
signer=client006\$\@MY.DOMAIN.DE name=client006.my.domain.de type=AAAA 
error=insufficient access rights
02-Apr-2017 14:56:18.204 client 192.168.99.6#49384/key 
client006\$\@MY.DOMAIN.DE: updating zone 'MY.DOMAIN.DE/NONE': update 
failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.204 samba_dlz: cancelling transaction on zone 
MY.DOMAIN.DE
02-Apr-2017 14:56:18.207 client 192.168.99.6#50993 
(6.99.168.192.in-addr.arpa): query: 6.99.168.192.in-addr.arpa IN SOA + 
(192.168.99.8)
02-Apr-2017 14:56:18.211 client 192.168.99.6#52455 
(client008.my.domain.de): query: client008.my.domain.de IN A + 
(192.168.99.8)
02-Apr-2017 14:56:18.216 samba_dlz: starting transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.216 client 192.168.99.6#50421: update 
'99.168.192.in-addr.arpa/IN' denied
02-Apr-2017 14:56:18.217 samba_dlz: cancelling transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.218 samba_dlz: starting transaction on zone 
99.168.192.in-addr.arpa
02-Apr-2017 14:56:18.220 samba_dlz: disallowing update of 
signer=client006\$\@MY.DOMAIN.DE name=6.99.168.192.in-addr.arpa type=PTR 
error=insufficient access rights
02-Apr-2017 14:56:18.220 client 192.168.99.6#51170/key 
client006\$\@MY.DOMAIN.DE: updating zone '99.168.192.in-addr.arpa/NONE': 
update failed: rejected by secure update (REFUSED)
02-Apr-2017 14:56:18.220 samba_dlz: cancelling transaction on zone 
99.168.192.in-addr.arpa


The rights of /var/lib/samba/private/ are

drwxrwx--- 3 root bind 4,0K Mär 31 12:12 dns
-rw-r----- 1 root bind  792 Mär 31 10:49 dns.backup
-rw-r----- 1 root bind  792 Mär 31 12:12 dns.keytab
-rw------- 1 root root 1,9K Jul  8  2015 dns_update_cache
-rw-r--r-- 1 root root 3,2K Jul  8  2015 dns_update_list
-rw------- 1 root root 1,3M Jul  8  2015 hkcr.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hkcu.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hklm.ldb
-rw------- 1 root root 1,3M Jul  8  2015 hku.ldb
-rw------- 1 root root 5,9M Mär 30 14:23 idmap.ldb
-rw------- 1 root root 5,9M Okt 18 13:24 idmap.ldb.old
-rw-r--r-- 1 root root   93 Jul  8  2015 krb5.conf
srwxrwxrwx 1 root root    0 Apr  2 14:42 ldapi
drwxr-x--- 2 root root 4,0K Apr  2 14:42 ldap_priv
drwx------ 2 root root 4,0K Apr  2 15:07 msg.sock
-rw-r--r-- 1 root root  780 Mär 31 12:12 named.conf
-r--r--r-- 1 root root  408 Mär 31 09:46 named.conf.update
-rw-r--r-- 1 root root 2,1K Mär 31 12:12 named.txt
-rw------- 1 root root  696 Apr  2 14:42 netlogon_creds_cli.tdb
-rw------- 1 root root 1,3M Jul  8  2015 privilege.ldb
-rw------- 1 root root  696 Jul  8  2015 randseed.tdb
-rw-rw---- 1 root bind 4,1M Jul  8  2015 sam.ldb
drwxr-x--- 2 root bind 4,0K Mär 31 12:12 sam.ldb.d
-rw------- 1 root root  696 Apr  2 14:42 schannel_store.tdb
-rw------- 1 root root 1,2K Jul  8  2015 secrets.keytab
-rw------- 1 root root 1,3M Mär 31 12:12 secrets.ldb
-rw------- 1 root root 420K Jul  8  2015 secrets.tdb
-rw------- 1 root root 1,3M Jul  8  2015 share.ldb
drwxr-xr-x 3 root root 4,0K Feb 16  2016 smbd.tmp
-rw-r--r-- 1 root root  955 Jul  8  2015 spn_update_list
drwx------ 2 root root 4,0K Jul  8  2015 tls

Are the rights ok?


I created the DNS entry with samba-tool. Is this a problem?

How can I check if I have problems with access rights, for example if 
bind cannot read or write a file? Currently I check bind with 
" named -u bind -f -g 2>&1 | tee /etc/bind/named.log ".

For testing I assigned bind a shell (bash) and I can read the file sam.ldb 
as user bind.

Karl Heinz


On 02.04.2017 at 14:00, samba-request at lists.samba.org wrote:
>
> Hello
>
> We have installed 4 Sernet AD controllers on Debian 8.7 with bind9. If
> we run ipconfig /registerdns on a Windows client, an
> error message appears in the log files:
>
> 31-Mar-2017 11:08:49.270 client 192.168.99.6#50357
> (client006.my.domain.de): query: client006.my.domain.de IN SOA +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.274 client 192.168.99.6#51046
> (client008.my.domain.de): query: client008.my.domain.de IN A +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone
> my.domain.de
> 31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update
> 'my.domain.de/IN' denied
> 31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone
> my.domain.de
> 31-Mar-2017 11:08:49.282 client 192.168.99.6#58242
> (196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
> 196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
> (192.168.99.8)
> 31-Mar-2017 11:08:49.285 client 192.168.99.6#51560
> (6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.288 client 192.168.99.6#58260
> (client008.my.domain.de): query: client008.my.domain.de IN A +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone
> 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update
> '99.30.172.in-addr.arpa/IN' denied
> 31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone
> 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.297 client 192.168.99.6#60163
> (196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
> 196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
> (192.168.99.8)
> 31-Mar-2017 11:08:49.270 client 192.168.99.6#50357
> (client006.my.domain.de): query: client006.my.domain.de IN SOA +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.274 client 192.168.99.6#51046
> (client008.my.domain.de): query: client008.my.domain.de IN A +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.279 samba_dlz: starting transaction on zone
> my.domain.de
> 31-Mar-2017 11:08:49.280 client 192.168.99.6#63377: update
> 'my.domain.de/IN' denied
> 31-Mar-2017 11:08:49.280 samba_dlz: cancelling transaction on zone
> my.domain.de
> 31-Mar-2017 11:08:49.282 client 192.168.99.6#58242
> (196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
> 196-ms-7.22-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
> (192.168.99.8)
> 31-Mar-2017 11:08:49.285 client 192.168.99.6#51560
> (6.99.30.172.in-addr.arpa): query: 6.99.30.172.in-addr.arpa IN SOA +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.288 client 192.168.99.6#58260
> (client008.my.domain.de): query: client008.my.domain.de IN A +
> (192.168.99.8)
> 31-Mar-2017 11:08:49.294 samba_dlz: starting transaction on zone
> 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.294 client 192.168.99.6#49428: update
> '99.30.172.in-addr.arpa/IN' denied
> 31-Mar-2017 11:08:49.295 samba_dlz: cancelling transaction on zone
> 99.30.172.in-addr.arpa
> 31-Mar-2017 11:08:49.297 client 192.168.99.6#60163
> (196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb): query:
> 196-ms-7.23-4b26a5.ce2ea96c-15e6-11e7-5e9d-525400186fdb IN TKEY -T
> (192.168.99.8)
>
> If we execute
> samba_dnsupdate --verbose --all-names
> no errors are displayed.
>
> The rights of /var/lib/samba/private/dns/sam.ldb.d/*
> are 660.
>
> relevant content of /etc/bind/named.conf.options
> -------------------------------------------------
> allow-update { any;};
> tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
> dnssec-validation no;
> dnssec-enable no;
>
> We run
> ------
> samba_upgradedns --dns-backend=BIND9_DLZ
>
> /etc/samba/smb.conf
> -------------------
> server services = -dns
>
> named -V
> --------
> BIND 9.9.5-9+deb8u10-Debian (Extended Support Version) <id:f9b8a50e>
> built by make with '--prefix=/usr' '--mandir=/usr/share/man'
> '--infodir=/usr/share/info'
> '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads'
> '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static'
> '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld'
> '--with-geoip=/usr' '--with-atf=no' '--enable-ipv6' '--enable-rrl'
> '--enable-filter-aaaa'
> 'CFLAGS=-fno-strict-aliasing -fno-delete-null-pointer-checks
> -DDIG_SIGCHASE -O2'
> compiled by GCC 4.9.2
> using OpenSSL version: OpenSSL 1.0.1t  3 May 2016
> using libxml2 version: 2.9.1
>
> Timesync
> ---------
> correct time
>
> In the named.config.local we have not created a zone for "my.domain.de".
> I think this is not necessary.
>
> dpkg -l | grep sernet
> ----------------------
> ii  libwbclient0:amd64               99:4.5.7-16 amd64        Glue
> package for sernet-samba-libs.
> ii  sernet-samba                     99:4.5.7-16 amd64        SMB/CIFS
> file, print, and login server for Unix
> ii  sernet-samba-ad                  99:4.5.7-16 amd64        Samba
> Active Directory Domain Controller
> ii  sernet-samba-client              99:4.5.7-16 amd64        a
> LanManager-like simple client for Unix
> ii  sernet-samba-common              99:4.5.7-16 all          Samba
> common files used by both the server and the client
> ii  sernet-samba-keyring             1.5 all          GnuPG archive keys
> of the SerNet Samba archive
> ii  sernet-samba-libs:amd64          99:4.5.7-16 amd64        Samba
> common library files used by both the server and the client
> ii  sernet-samba-libsmbclient0:amd64 99:4.5.7-16 amd64        Shared
> library that allows applications to talk to SMB servers
> ii  sernet-samba-winbind             99:4.5.7-16 amd64        Samba
> nameservice integration server
>
> Can anybody help me?
>
>
>
> Re: [Samba] Dynamic updates of windows clients.eml
>
> Subject:
> Re: [Samba] Dynamic updates of windows clients
> From:
> Rowland Penny <rpenny at samba.org>
> Date:
> 01.04.2017 17:24
>
> To:
> samba at lists.samba.org
>
>
> On Sat, 1 Apr 2017 16:44:38 +0200
> Karl Heinz Wichmann via samba <samba at lists.samba.org> wrote:
>
>
>> The rights of /var/lib/samba/private/dns/sam.ldb.d/*
>> are 660.
>>
> Just in case you don't know, do not touch the files inside
> private/dns/sam.ldb.d or private/sam.ldb.d
>
> Right, having got that out of the way, who
> owns /var/lib/samba/private/sam.ldb ?
>
> It should be root:bind with 660 permissions.
>
> Rowland
>
>
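Karl Heinz asks above how to check whether bind has trouble reading or writing a file, and Rowland's quoted reply states what sam.ldb should look like (root:bind, mode 660). The script below is an added example, not code from this thread, from Samba or from BIND: it audits the relevant entries under the Samba private directory with stat(1) instead of giving the bind account a login shell. The sam.ldb expectation comes from Rowland's reply; the entries for sam.ldb.d, dns.keytab and dns and the group bits required for them are assumptions and should be compared with the Samba wiki for your version. GNU stat with -c is assumed.

```shell
#!/bin/sh
# Added example (not from the thread, Samba or BIND): audit ownership and
# group permissions of the files a BIND9_DLZ-backed named needs.
# Assumptions: GNU stat(1) with -c; sam.ldb = OWNER:GROUP 660 is taken from
# the thread, every other entry in check_dlz_private is assumed.

# perm_ok PATH OWNER GROUP NEED
#   NEED lists the group permission letters required: r, rw or rwx.
#   Prints one status line; returns 0 when owner, group and group bits match.
perm_ok() {
    path=$1 want_owner=$2 want_group=$3 need=$4
    [ -e "$path" ] || { echo "MISSING  $path"; return 1; }
    out=$(stat -c '%U %G %a' "$path" 2>/dev/null) \
        || { echo "STATFAIL $path"; return 1; }
    set -- $out
    got_owner=$1 got_group=$2 mode=$3
    # group permission digit: bits 3-5 of the octal mode (0660 -> 6)
    gbits=$(( (0$mode >> 3) & 7 ))
    want=0
    case $need in *r*) want=$((want | 4));; esac
    case $need in *w*) want=$((want | 2));; esac
    case $need in *x*) want=$((want | 1));; esac
    if [ "$got_owner" = "$want_owner" ] && [ "$got_group" = "$want_group" ] \
        && [ $((gbits & want)) -eq "$want" ]; then
        echo "OK       $path ($got_owner:$got_group $mode)"
        return 0
    fi
    echo "FAIL     $path is $got_owner:$got_group $mode," \
         "expected $want_owner:$want_group with group $need"
    return 1
}

# check_dlz_private DIR OWNER GROUP
#   Audits the entries named needs under DIR (normally
#   /var/lib/samba/private). Returns 0 only if every entry passes.
check_dlz_private() {
    dir=$1 owner=$2 group=$3 failed=0
    perm_ok "$dir/sam.ldb"    "$owner" "$group" rw  || failed=1   # from the thread
    perm_ok "$dir/sam.ldb.d"  "$owner" "$group" rwx || failed=1   # assumed
    perm_ok "$dir/dns.keytab" "$owner" "$group" r   || failed=1   # assumed
    perm_ok "$dir/dns"        "$owner" "$group" rwx || failed=1   # assumed
    # contents of the dns and sam.ldb.d trees: directories need rwx, files rw
    for f in "$dir"/dns/* "$dir"/dns/sam.ldb.d/* "$dir"/sam.ldb.d/*; do
        [ -e "$f" ] || continue
        if [ -d "$f" ]; then
            perm_ok "$f" "$owner" "$group" rwx || failed=1
        else
            perm_ok "$f" "$owner" "$group" rw  || failed=1
        fi
    done
    return $failed
}

# Usage on a DC (run as root so every entry can be stat'ed):
#   check_dlz_private /var/lib/samba/private root bind
```

Every FAIL line names the path and the ownership or group bits that differ, which is the information needed to fix it with chown/chmod. The script only looks at the classic mode bits; POSIX ACLs and, on Debian, the AppArmor profile for named can also deny access to these files without showing up here, so check those next if named still reports that it cannot open a file.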