[Samba] samba_dlz: disallowing update of signer error=insufficient access rights

lmloge lmloge at orange.fr
Fri Nov 27 11:13:09 UTC 2020 

Hello,

When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get 
the output below.

- There is one problem which implies "192.168.3.249", 
"wpad.mycompany.lan", "ecs.office.com".
What can this be, given that I know no "wpad" equipment in my network 
and that I do not know what "ecs.office.com" is?
Can you explain to me what is the meaning of the related messages below?

- There is a second problem which implies "192.168.2.55" and 
"WELL_KNOWN_MACHINE".
"WELL_KNOWN_MACHINE" is a machine that is very well known, very 
important in my network.
Can you explain what the problem is and how to solve it?
The error message says "insufficient access rights". How can I check 
what's wrong?

Thanks.
--
Léa

root at SAMBA_SERVER:~# systemctl status bind9.service
? bind9.service - BIND Domain Name Server
    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor 
preset: enabled)
   Drop-In: /etc/systemd/system/bind9.service.d
            +-override.conf
    Active: active (running) since Thu 2020-06-11 21:33:05 CEST; 5 
months 16 days ago
      Docs: man:named(8)
   Process: 431 ExecStart=/usr/sbin/named $OPTIONS (code=exited, 
status=0/SUCCESS)
  Main PID: 527 (named)
     Tasks: 7 (limit: 4915)
    Memory: 81.4M
    CGroup: /system.slice/bind9.service
            +-527 /usr/sbin/named -u bind -4

Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 
192.168.3.249#50160 (wpad.mycompany.lan): query 
'wpad.mycompany.lan/A/IN' denied
Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
192.168.3.249#54685 
(_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan): 
query 
'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN' 
denied
Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
192.168.3.249#58257 (ecs.office.com): query (cache) 
'ecs.office.com/A/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction 
on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
192.168.2.55#55685: update 'mycompany.lan/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
transaction on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction 
on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update 
of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN 
name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient 
access rights
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating 
zone 'mycompany.lan/NONE': update failed: rejected by secure update 
(REFUSED)
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
transaction on zone mycompany.lan

More information about the samba mailing list