[Samba] samba_dlz: disallowing update of signer error=insufficient access rights
Arnaud FLORENT
aflorent at iris-tech.fr
Fri Nov 27 15:29:28 UTC 2020
Le 27/11/2020 à 12:13, lmloge via samba a écrit :
> Hello,
>
> When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get
> the output below.
>
> - There is one problem which implies "192.168.3.249",
> "wpad.mycompany.lan", "ecs.office.com".
> What can this be, given that I know no "wpad" equipment in my network
> and that I do not know what "ecs.office.com" is?
wpad means Web Proxy Auto-Discovery
it is queried by browsers to download proxy configuration file
https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol
> Can you explain to me what is the meaning of the related messages below?
>
> - There is a second problem which implies "192.168.2.55" and
> "WELL_KNOWN_MACHINE".
> "WELL_KNOWN_MACHINE" is a machine that is very well known, very
> important in my network.
> Can you explain what the problem is and how to solve it?
> The error message says "insufficient access rights". How can I check
> what's wrong?
>
> Thanks.
> --
> Léa
>
> root at SAMBA_SERVER:~# systemctl status bind9.service
> ? bind9.service - BIND Domain Name Server
> Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor
> preset: enabled)
> Drop-In: /etc/systemd/system/bind9.service.d
> +-override.conf
> Active: active (running) since Thu 2020-06-11 21:33:05 CEST; 5
> months 16 days ago
> Docs: man:named(8)
> Process: 431 ExecStart=/usr/sbin/named $OPTIONS (code=exited,
> status=0/SUCCESS)
> Main PID: 527 (named)
> Tasks: 7 (limit: 4915)
> Memory: 81.4M
> CGroup: /system.slice/bind9.service
> +-527 /usr/sbin/named -u bind -4
>
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0
> 192.168.3.249#50160 (wpad.mycompany.lan): query
> 'wpad.mycompany.lan/A/IN' denied
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20
> 192.168.3.249#54685
> (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan):
> query
> '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN'
> denied
> Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20
> 192.168.3.249#58257 (ecs.office.com): query (cache)
> 'ecs.office.com/A/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0
> 192.168.2.55#55685: update 'mycompany.lan/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update
> of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN
> name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient
> access rights
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0
> 192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating
> zone 'mycompany.lan/NONE': update failed: rejected by secure update
> (REFUSED)
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling
> transaction on zone mycompany.lan
>
--
Arnaud FLORENT
IRIS Technologies
More information about the samba
mailing list