[Samba] Access denied editing DNS using RSAT
Andrew Bartlett
abartlet at samba.org
Tue Sep 12 09:32:31 UTC 2017
On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:
> Hello,
>
> I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
> a problem trying to add some DNS entries. When I open the RSAT DNS manager
> I got an Access Denied error and I can't edit the zones.
>
> My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
> compiled on a Debian 8 amd64:
> [global]
> netbios name = DC1
> realm = DOMAIN.DOM
> workgroup = DOMAIN
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 8.8.8.8
>
> [netlogon]
> path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
> read only = No
>
> [sysvol]
> path = /server/samba/bin/var/locks/sysvol
> read only = No
>
> All seems to be working fine, because I'm able to join the domain, login on
> that computer and manage other things like Users and Groups, Policies...
> but DNS just drops me an Access Denied message.
>
> The log shows this:
> [2017/09/12 11:17:01.416939, 2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
> [2017/09/12 11:17:01.444307, 2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
> [2017/09/12 11:17:01.469071, 2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
> [2017/09/12 11:17:01.494096, 2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
>
>
> Is there any way to fix this? Maybe I forgot something like adding the
> computer to a group for example... I'm using the Administrator user, so it
> should have access to all.
>
> Thanks, and greetings!!
We have a restriction to disallow un-protected dce/rpc sessions, as
they are just too easy to hijack. You can use samba-tool or set
allow dcerpc auth level connect = yes
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba