[Samba] Access denied editing DNS using RSAT

Daniel Carrasco d.carrasco at i2tic.com
Tue Sep 12 14:04:00 UTC 2017


2017-09-12 11:32 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:

> On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:
> > Hello,
> >
> > I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
> > a problem trying to add some DNS entries. When I open the RSAT DNS manager
> > I get an Access Denied error and I can't edit the zones.
> >
> > My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
> > compiled on a Debian 8 amd64:
> > [global]
> >         netbios name = DC1
> >         realm = DOMAIN.DOM
> >         workgroup = DOMAIN
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         dns forwarder = 8.8.8.8
> >
> > [netlogon]
> >         path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /server/samba/bin/var/locks/sysvol
> >         read only = No
> >
> > All seems to be working fine, because I'm able to join the domain, log in on
> > that computer and manage other things like Users and Groups, Policies...
> > but DNS just drops me an Access Denied message.
> >
> > The log shows this:
> > [2017/09/12 11:17:01.416939,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
> > [2017/09/12 11:17:01.444307,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
> > [2017/09/12 11:17:01.469071,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
> > [2017/09/12 11:17:01.494096,  2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
> >
> >
> > Is there any way to fix this? Maybe I forgot something, like adding the
> > computer to a group, for example... I'm using the Administrator user, so it
> > should have access to all.
> >
> > Thanks, and greetings!!
>
> We have a restriction to disallow un-protected dce/rpc sessions, as
> they are just too easy to hijack.  You can use samba-tool or set
>
> allow dcerpc auth level connect = yes
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
Thanks, but I'm still getting the same error. I'll try to do it with
samba-tool.

Greetings!

-- 
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________

