[Samba] samba_dlz: disallowing update of signer error=insufficient access rights

Rowland penny rpenny at samba.org
Fri Nov 27 13:33:33 UTC 2020













See inline comments

On 27/11/2020 11:13, lmloge via samba wrote:
> Hello,
>
> When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get 
> the output below.
You seem to have numerous problems going on here.
>
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 
> 192.168.3.249#50160 (wpad.mycompany.lan): query 
> 'wpad.mycompany.lan/A/IN' denied
192.168.3.249 is trying to query your Bind9 domain for something called 
'wpad' and being denied.
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
> 192.168.3.249#54685 
> (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan): 
> query 
> '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN' 
> denied
192.168.3.249 is being denied a query on an AD record.
> Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
> 192.168.3.249#58257 (ecs.office.com): query (cache) 
> 'ecs.office.com/A/IN' denied
Yet again 192.168.3.249 is being denied access.
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
> 192.168.2.55#55685: update 'mycompany.lan/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
> transaction on zone mycompany.lan
This is a bit different: 192.168.2.55 is trying to update your SOA and 
being denied.
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update 
> of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN 
> name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient 
> access rights
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
> 192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating 
> zone 'mycompany.lan/NONE': update failed: rejected by secure update 
> (REFUSED)
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
> transaction on zone mycompany.lan

This last one is easy: 192.168.2.55 is trying to update an IPv6 record 
and you have IPv6 turned off.

It might help if you could post your bind9 named.conf files.

Rowland
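
The journal output quoted in this message mixes four different kinds of rejection (denied queries, an unsigned update, a signed update refused by BIND, and the samba_dlz access check). The following Python script is an added example, not part of the original message or of Samba: it sorts such lines by source so each problem can be looked at separately. The regular expressions and the `kind` labels are assumptions written against the lines quoted in this thread only, and the sample input is those lines unwrapped.

```python
import re
from collections import defaultdict

# Sample input: journal lines quoted in the message above, unwrapped onto one
# line each (the mail client had folded them).
SAMPLE = r"""
Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 192.168.3.249#50160 (wpad.mycompany.lan): query 'wpad.mycompany.lan/A/IN' denied
Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#58257 (ecs.office.com): query (cache) 'ecs.office.com/A/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#55685: update 'mycompany.lan/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating zone 'mycompany.lan/NONE': update failed: rejected by secure update (REFUSED)
"""

CLIENT = r"client @0x[0-9a-f]+ (?P<ip>[\d.]+)#\d+"
# The "kind" labels are hypothetical names chosen for this example.
PATTERNS = [
    ("query_denied", re.compile(CLIENT + r" \(.*?\): query (?:\(cache\) )?'(?P<what>[^']+)' denied")),
    ("unsigned_update_denied", re.compile(CLIENT + r": update '(?P<what>[^']+)' denied")),
    ("signed_update_refused", re.compile(CLIENT + r"/key (?P<signer>\S+): updating zone '(?P<what>[^']+)': update failed: (?P<reason>.+)$")),
    ("dlz_update_disallowed", re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) name=(?P<what>\S+) type=(?P<rtype>\S+) error=(?P<reason>.+)$")),
]

def classify(line):
    """Return a dict describing the rejection on this line, or None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            return {"kind": kind, **m.groupdict()}
    return None

def summarise(text):
    """Count rejection kinds per source: client IP, or signer when no IP is logged."""
    by_source = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        ev = classify(line)
        if ev:
            by_source[ev.get("ip") or ev["signer"]][ev["kind"]] += 1
    return {src: dict(kinds) for src, kinds in by_source.items()}

if __name__ == "__main__":
    for source, kinds in summarise(SAMPLE).items():
        print(source, kinds)
```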





