[Samba] samba_dlz: disallowing update of signer error=insufficient access rights

Arnaud FLORENT aflorent at iris-tech.fr
Fri Nov 27 15:29:28 UTC 2020 

Le 27/11/2020 à 12:13, lmloge via samba a écrit :
> Hello,
>
> When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get 
> the output below.
>
> - There is one problem which implies "192.168.3.249", 
> "wpad.mycompany.lan", "ecs.office.com".
> What can this be, given that I know no "wpad" equipment in my network 
> and that I do not know what "ecs.office.com" is?

wpad means Web Proxy Auto-Discovery

it is queried by browsers to  download proxy configuration file


https://en.wikipedia.org/wiki/Web_Proxy_Auto-Discovery_Protocol

> Can you explain to me what is the meaning of the related messages below?
>
> - There is a second problem which implies "192.168.2.55" and 
> "WELL_KNOWN_MACHINE".
> "WELL_KNOWN_MACHINE" is a machine that is very well known, very 
> important in my network.
> Can you explain what the problem is and how to solve it?
> The error message says "insufficient access rights". How can I check 
> what's wrong?
>
> Thanks.
> -- 
> Léa
>
> root at SAMBA_SERVER:~# systemctl status bind9.service
> ? bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor 
> preset: enabled)
>   Drop-In: /etc/systemd/system/bind9.service.d
>            +-override.conf
>    Active: active (running) since Thu 2020-06-11 21:33:05 CEST; 5 
> months 16 days ago
>      Docs: man:named(8)
>   Process: 431 ExecStart=/usr/sbin/named $OPTIONS (code=exited, 
> status=0/SUCCESS)
>  Main PID: 527 (named)
>     Tasks: 7 (limit: 4915)
>    Memory: 81.4M
>    CGroup: /system.slice/bind9.service
>            +-527 /usr/sbin/named -u bind -4
>
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 
> 192.168.3.249#50160 (wpad.mycompany.lan): query 
> 'wpad.mycompany.lan/A/IN' denied
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
> 192.168.3.249#54685 
> (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan): 
> query 
> '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN' 
> denied
> Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 
> 192.168.3.249#58257 (ecs.office.com): query (cache) 
> 'ecs.office.com/A/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
> 192.168.2.55#55685: update 'mycompany.lan/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update 
> of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN 
> name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient 
> access rights
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 
> 192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating 
> zone 'mycompany.lan/NONE': update failed: rejected by secure update 
> (REFUSED)
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling 
> transaction on zone mycompany.lan
>
-- 
Arnaud FLORENT
IRIS Technologies

More information about the samba mailing list