[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
Kacper Wirski
kacper.wirski at gmail.com
Tue Nov 6 10:24:43 UTC 2018
Hello,
I'm struggling with an error for secure dynamic dns updates for reverse
lookup zones.
My environment:
2 Samba 4.8.4 DCs with BIND DLZ as the DNS backend, running on CentOS 7.5.
Samba was compiled from source with the default Heimdal Kerberos
(./configure --with-systemd --enable-gnutls) (I know now that
--with-systemd is not needed, but didn't know that at the time of compilation).
BIND was installed from the default CentOS repo. I read about supposed
issues with secure updates, but:
a) secure updates for forward lookup zone work fine
b) reverse updates were working fine prior to update (more on this later on)
My DC's smb.conf (the 2nd DC has the same, just with the name DC2):
[global]
netbios name = DC1
realm = SOMEREALM.COM
workgroup = SOMEREALM
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
allow dns updates = secure
server services = -dns
tls enabled = yes
tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
apply group policies = yes
ntlm auth = mschapv2-and-ntlmv2-only
[netlogon]
path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Secure updates for the forward lookup zone generally work fine, with one
small exception: if I add to AD a host that previously existed, it won't
allow the update either. But ALL reverse lookup updates fail. I can add the
client manually.
Named output looks like this:
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC\$\@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa
It's not a general secure update issue, rather something specific to
reverse zones (all of them), but I'm not sure how to handle this, so any
general advice, or direction where to look, is appreciated.
Regards,
Kacper
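The named output above is easiest to reason about when the per-zone outcome is separated from the per-record samba_dlz denial. The script below is an added example, not code from the post or from the Samba project: it parses journald-style named lines ("Mon DD HH:MM:SS host named[pid]: ...", one message per line, which is an assumption about how the log is collected), ties each "disallowing update of signer=..." denial to the "update failed" line that follows it for the same signer, counts committed and cancelled transactions per zone, and reports whether refusals are confined to reverse (in-addr.arpa / ip6.arpa) zones while forward-zone updates commit, which is exactly the pattern the post describes. The embedded sample log is constructed from the lines quoted above.

```python
"""Summarise BIND secure-update outcomes per zone from samba_dlz/named log lines.

Added example, not code from the post or from Samba. Assumes journald-style
lines ("Mon DD HH:MM:SS host named[pid]: ...") with one message per line.
"""
import re
from collections import defaultdict

# Constructed sample modelled on the named output quoted in the post; the
# mailing-list archive wrapped the originals, here each message is one line.
SAMPLE_LOG = r"""
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC\$\@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa
"""

# journald prefix: month, day, time, host, "named[pid]: "
PREFIX = r"^\S+ \d+ [\d:]+ \S+ named\[\d+\]: "
COMMIT_RE = re.compile(PREFIX + r"samba_dlz: committed transaction on zone (\S+)$")
CANCEL_RE = re.compile(PREFIX + r"samba_dlz: cancelling transaction on zone (\S+)$")
DENY_RE = re.compile(PREFIX + r"samba_dlz: disallowing update of signer=(\S+) name=(\S+) type=(\S+) error=(.*)$")
REFUSED_RE = re.compile(PREFIX + r"client (\S+)/key (\S+): updating zone '([^/']+)/[^']*': update failed: (.*)$")


def is_reverse_zone(zone):
    """True for in-addr.arpa / ip6.arpa zones (the ones failing in the post)."""
    z = zone.lower().rstrip(".")
    return z.endswith(".in-addr.arpa") or z.endswith(".ip6.arpa")


def summarize(log_text):
    """Return {zone: {"committed": n, "cancelled": n, "refused": [...]}}.

    samba_dlz logs the per-record denial before named logs the client's
    'update failed' line, so denials are buffered and attached to the next
    refused update carrying the same signer.
    """
    zones = defaultdict(lambda: {"committed": 0, "cancelled": 0, "refused": []})
    pending = []  # denials not yet tied to a refused update
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := COMMIT_RE.match(line):
            zones[m.group(1)]["committed"] += 1
        elif m := CANCEL_RE.match(line):
            zones[m.group(1)]["cancelled"] += 1
        elif m := DENY_RE.match(line):
            signer, name, rtype, error = m.groups()
            pending.append({"signer": signer, "name": name, "type": rtype, "error": error})
        elif m := REFUSED_RE.match(line):
            client, signer, zone, reason = m.groups()
            mine = [d for d in pending if d["signer"] == signer]
            pending = [d for d in pending if d["signer"] != signer]
            zones[zone]["refused"].append(
                {"client": client, "signer": signer, "reason": reason, "denied": mine})
    return dict(zones)


def refusals_only_in_reverse_zones(summary):
    """The pattern from the post: at least one forward zone commits, and
    every refused update is in a reverse zone."""
    refused = [z for z, s in summary.items() if s["refused"]]
    forward_ok = any(s["committed"] > 0 and not is_reverse_zone(z) for z, s in summary.items())
    return bool(refused) and forward_ok and all(is_reverse_zone(z) for z in refused)


if __name__ == "__main__":
    import sys
    # Read piped journal output if present, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    summary = summarize(text)
    for zone, s in summary.items():
        print(f"{zone}: committed={s['committed']} cancelled={s['cancelled']} refused={len(s['refused'])}")
        for r in s["refused"]:
            for d in r["denied"]:
                print(f"  {r['signer']} -> {d['name']} {d['type']}: {d['error']}")
    if refusals_only_in_reverse_zones(summary):
        print("refusals are confined to reverse zones; forward-zone updates commit")
```

Run it as `journalctl -u named | python3 updates.py` (substituting whatever unit BIND runs under on the host; the file name is an assumption) to get one line per zone plus the denied records under each refusal, which makes it quick to confirm that the only refusals come from reverse zones and that every one of them carries the same "insufficient access rights" reason rather than, say, a TSIG or GSS failure.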