[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
Rowland Penny
rpenny at samba.org
Tue Nov 6 11:07:20 UTC 2018
On Tue, 6 Nov 2018 11:24:43 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
>
> I'm struggling with an error for secure dynamic dns updates for
> reverse lookup zones.
>
> My environment:
>
> 2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos
> 7.5. Samba was compiled from source with default heimdal kerberos
> (./configure --with-systemd --enable-gnutls) /I know now that
> --with-systemd is not needed, but didn't know that at the time of
> compilation/.
>
> BIND was installed from default centos repo. I read about supposed
> issues with secure updates, but :
>
> a) secure updates for forward lookup zone work fine
>
> b) reverse updates were working fine prior to update (more on this
> later on)
>
> my DC smb.conf (2nd dc has the same, just name is DC2):
>
> [global]
> netbios name = DC1
> realm = SOMEREALM.COM
> workgroup = SOMEREALM
> server role = active directory domain controller
> idmap_ldb:use rfc2307 = yes
> load printers = no
> printing = bsd
> printcap name = /dev/null
> disable spoolss = yes
>
> allow dns updates = secure
> server services = -dns
> tls enabled = yes
> tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
> tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
> tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
>
> apply group policies = yes
>
> ntlm auth = mschapv2-and-ntlmv2-only
>
>
>
> [netlogon]
> path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
> read only = No
>
> [sysvol]
> path = /usr/local/samba/var/locks/sysvol
> read only = No
>
>
> Secure updates for the forward lookup zone work generally fine, with one
> small exception: if I add to AD a host that previously existed, it
> won't allow the update either. But ALL reverse lookup updates fail. I can
> add the client manually.
>
>
> Named output looks like this:
>
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> 1200 IN A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> 1200 IN A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed
> transaction on zone somerealm.com
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting
> transaction on zone 210.168.192.in-addr.arpa
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing
> update of signer=WINDOWS-PC\$\@somerealm.com
> name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access
> rights
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone
> '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure
> update (REFUSED)
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling
> transaction on zone 210.168.192.in-addr.arpa
>
> It's not a general secure update issue, rather something specific to
> reverse zones (all of them), but I'm not sure how to handle this, so
> any general advice is appreciated, or direction where to look.
>
The only entity that can update a DNS record is the one that created
it or a user with sufficient authority to do so.
You have 'allow dns updates = secure' in smb.conf; you could try
changing this to 'nonsecure'.
Rowland
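Added example, not from either poster's mail: a small shell script that reproduces the client's secure (GSS-TSIG) PTR update with nsupdate -g, and first checks who owns the existing reverse record, which is what decides "insufficient access rights" under Rowland's rule. It uses the names from the thread (dc1.somerealm.com, WINDOWS-PC at 192.168.210.16, the /usr/local/samba install prefix). The keytab path and the DomainDnsZones partition for the reverse zone are assumptions; on some domains the zone lives under ForestDnsZones or the domain partition instead.

```shell
#!/bin/sh
# Added example, not part of the original thread or of Samba itself.
# Assumed environment (change as needed):
#   DC=dc1.somerealm.com, client WINDOWS-PC at 192.168.210.16,
#   machine keytab for WINDOWS-PC$ at $KEYTAB (assumption),
#   reverse zone stored in the DomainDnsZones partition (assumption).

DC=${DC:-dc1.somerealm.com}
CLIENT=${CLIENT:-WINDOWS-PC}
IP=${IP:-192.168.210.16}
FWD_ZONE=${FWD_ZONE:-somerealm.com}
KEYTAB=${KEYTAB:-/etc/krb5.keytab}
SAMDB=${SAMDB:-/usr/local/samba/private/sam.ldb}
DOMAIN_DN=${DOMAIN_DN:-DC=somerealm,DC=com}

# Owner name of the PTR record for an IPv4 address:
# 192.168.210.16 -> 16.210.168.192.in-addr.arpa
ptr_name() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa\n", $4, $3, $2, $1 }'
}

# Reverse zone for the /24 the address sits in (the zone named in the log):
# 192.168.210.16 -> 210.168.192.in-addr.arpa
rev_zone() {
    printf '%s\n' "$1" | awk -F. '{ printf "%s.%s.%s.in-addr.arpa\n", $3, $2, $1 }'
}

# nsupdate batch mirroring what the Windows client sends to the reverse zone:
# delete the old PTR rrset and add the new one in a single transaction.
ptr_update_batch() {
    ip=$1; fqdn=$2; server=$3
    name=$(ptr_name "$ip")
    zone=$(rev_zone "$ip")
    printf 'server %s\n' "$server"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s PTR\n' "$name"
    printf 'update add %s 1200 PTR %s.\n' "$name" "$fqdn"
    printf 'send\n'
}

run_checks() {
    fqdn=$(printf '%s' "$CLIENT" | tr 'A-Z' 'a-z').$FWD_ZONE
    zone=$(rev_zone "$IP")
    host=${IP##*.}   # record name inside the reverse zone, e.g. 16

    # 1. What does the DC hold for this PTR, and who owns the dnsNode?
    #    With BIND DLZ the record is an AD object; its security descriptor
    #    (shown as SDDL) names the principal allowed to modify it.
    samba-tool dns query "$DC" "$zone" "$host" PTR -U administrator
    ldbsearch -H "$SAMDB" \
        -b "DC=$zone,CN=MicrosoftDNS,DC=DomainDnsZones,$DOMAIN_DN" \
        "(name=$host)" nTSecurityDescriptor

    # 2. Replay the client's secure update as the machine account.
    #    -g selects GSS-TSIG, -d prints the server's response (REFUSED on
    #    the failure described in the thread).
    kinit -k -t "$KEYTAB" "${CLIENT}\$"
    ptr_update_batch "$IP" "$fqdn" "$DC" | nsupdate -g -d
}

if [ "${1:-}" = run ]; then
    run_checks
fi
```

Run it as `sh ptr-check.sh run` on the DC (or any host with samba-tool, ldbsearch and the client's keytab). If the SDDL owner (the O: part) or the ACEs on the dnsNode refer to a different account than WINDOWS-PC$, for instance an older machine object that was deleted and re-joined, the update is refused exactly as named logs it; a privileged account can then delete and re-create the record, or the zone can be switched to `nonsecure` as suggested above.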