[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
Kacper Wirski
kacper.wirski at gmail.com
Thu Nov 8 12:23:55 UTC 2018
Hello, I have some additional information:
I suspect hat this issue is similar to different error, that happens in
forward lookup zone:
Let's say that I have domain member host WIN-1 (with windows 10 OS)
WIN-1 dynamically creates DNS entry with IP 192.168.100.50 in forward
entry and another entry: 50.100.168.192-in-addr-arpa with WIN-1, assuming
that there were no entries in DNS neither for WIN-1 host nor for
50.100.168.192-in-addr-arpa. Everything is fine at that point.
Then for whatever reason WIN-1 was scrapped from AD (deleted). When host
with same name is added (WIN-1) it will have different SID, so technically
only name stays the same. Old DNS record for WIN-1 is removed.
When this happens WIN-1 (new account with different SID) will not be
allowed to dynamically add entry to DNS with insufficient rights error. It
seems that samba or named (even after purging tombstones) still hold
previous entry and sees that new host != previous host and throws
"insufficient rights".
Is it possible that for reverse lookup zone there is similar case? When IP
50.100.168.192-in-addr-arpa record was added by WIN-1$ another host won't
be able to change this record, that I can understand. But even after
manually deleting 50.100.168.192-in-addr-arpa entry from DNS, still error
with "insufficient rights" happens
IP's are changed a lot more often than hostnames, so this is somewhat of an
issue.
Is there a workaound? Where, after deleting entry from DNS,and expunging
tombstones information can still be stored that is blocking dynamic updates?
Regards,
Kacper
wt., 6 lis 2018 o 12:07 Rowland Penny via samba <samba at lists.samba.org>
napisaĆ(a):
> On Tue, 6 Nov 2018 11:24:43 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm struggling with an error for secure dynamic dns updates for
> > reverse lookup zones.
> >
> > My environment:
> >
> > 2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos
> > 7.5. Samba was compiled from source with default heimdal kerberos
> > (./configure --with-systemd --enable-gnutls) /I know now that
> > --with-systemd is not needed, but didn't now that the time of
> > compilation/.
> >
> > BIND was installed from default centos repo. I read about supposed
> > issues with secure updates, but :
> >
> > a) secure updates for forward lookup zone work fine
> >
> > b) reverse updates were working fine prior to update (more on this
> > later on)
> >
> > my DC smb.conf (2nd dc has the same, just name is DC2):
> >
> > [global]
> > netbios name = DC1
> > realm = SOMEREALM.COM
> > workgroup = SOMEREALM
> > server role = active directory domain controller
> > idmap_ldb:use rfc2307 = yes
> > load printers = no
> > printing = bsd
> > printcap name = /dev/null
> > disable spoolss = yes
> >
> > allow dns updates = secure
> > server services = -dns
> > tls enabled = yes
> > tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
> > tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
> > tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
> >
> > apply group policies = yes
> >
> > ntlm auth = mschapv2-and-ntlmv2-only
> >
> >
> >
> > [netlogon]
> > path
> > = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts read only =
> > No
> >
> > [sysvol]
> > path = /usr/local/samba/var/locks/sysvol
> > read only = No
> >
> >
> > Secure updates for forward lookup zone work generally fine with the
> > small exception: if I add to AD host that previously existed, it
> > won't allow update either, but ALL reverse lookup updates fail. I can
> > add client manually.
> >
> >
> > Named output looks like this:
> >
> > ov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> > 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted
> > rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> > 1200 IN A 192.168.210.16'
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> > 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added
> > rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> > 1200 IN A 192.168.210.16'
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed
> > transaction on zone somerealm.com
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting
> > transaction on zone 210.168.192.in-addr.arpa
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing
> > update of signer=WINDOWS-PC\$\@somerealm.com
> > name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access
> > rights Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone
> > '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure
> > update (REFUSED)
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling
> > transaction on zone 210.168.192.in-addr.arpa
> >
> > It's not general secure update issue, rather something specific to
> > reverse zones (all of them), but i'm not sure how to handle this, so
> > any general advice is appreciated, or direction where to look.
> >
>
> The only entity that can update a DNS record is the one that created
> it or a user with sufficient authority to do so.
> You have 'allow dns updates = secure' in smb.conf, you could try
> changing this to 'nonsecure'
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
More information about the samba
mailing list