[Samba] samba_dlz: disallowing update of signer error=insufficient access rights

Rowland penny rpenny at samba.org
Fri Nov 27 15:38:02 UTC 2020


On 27/11/2020 11:13, lmloge via samba wrote:
> Hello,
>
> When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get 
> the output below.
>
> - There is one problem which involves "192.168.3.249",
> "wpad.mycompany.lan", "ecs.office.com".
> What can this be, given that I know of no "wpad" equipment in my network
> and that I do not know what "ecs.office.com" is?
> Can you explain to me what is the meaning of the related messages below?
>
> - There is a second problem which involves "192.168.2.55" and
> "WELL_KNOWN_MACHINE".
> "WELL_KNOWN_MACHINE" is a machine that is very well known, very 
> important in my network.
> Can you explain what the problem is and how to solve it?
> The error message says "insufficient access rights". How can I check 
> what's wrong?
>
> Thanks.
> -- 
> Léa
>
> root@SAMBA_SERVER:~# systemctl status bind9.service
> ● bind9.service - BIND Domain Name Server
>    Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
>   Drop-In: /etc/systemd/system/bind9.service.d
>            └─override.conf
>    Active: active (running) since Thu 2020-06-11 21:33:05 CEST; 5 months 16 days ago
>      Docs: man:named(8)
>   Process: 431 ExecStart=/usr/sbin/named $OPTIONS (code=exited, status=0/SUCCESS)
>  Main PID: 527 (named)
>     Tasks: 7 (limit: 4915)
>    Memory: 81.4M
>    CGroup: /system.slice/bind9.service
>            └─527 /usr/sbin/named -u bind -4
>
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 192.168.3.249#50160 (wpad.mycompany.lan): query 'wpad.mycompany.lan/A/IN' denied
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#54685 (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan): query '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN' denied
> Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#58257 (ecs.office.com): query (cache) 'ecs.office.com/A/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#55685: update 'mycompany.lan/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE$@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#54935/key WELL_KNOWN_MACHINE$@MYCOMPANY.LAN: updating zone 'mycompany.lan/NONE': update failed: rejected by secure update (REFUSED)
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling transaction on zone mycompany.lan
>
OK, the OP sent me their named.conf files offlist:

It looks like (if, as you say, 'wpad' isn't a name you recognise) someone
has wandered in with a laptop or tablet and your DHCP server has given it
an IP, but it is being denied a query on its own hostname, probably because
it doesn't exist in AD. Cure: find whatever it is, turn it off and then
never let it on to your network again.

What is 192.168.2.55? It doesn't appear to be in your network, not unless
your reverse zone is '168.192.in-addr.arpa'. It appears to be
'WELL_KNOWN_MACHINE' (which I hope is a sanitised hostname, otherwise it
is too long). If it is your RODC, then it shouldn't be trying to; it
should have a fixed IP, and if it does have a fixed IP, stop it trying to
update any of its records.

Rowland
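Triaging a log like the one quoted above comes down to separating named's own ACL refusals ("query ... denied", "update ... denied") from Samba's AD-side decision ("samba_dlz: disallowing update of signer=... error=insufficient access rights"), and tying the latter back to a client, since the samba_dlz line carries no IP while the "/key <signer>" line that follows it does. The Python below does that over the thread's lines. It is an added example for this page, not code from Samba or from anyone in the thread; the sample log is constructed from the quoted lines (with the list's "\$\@" escaping removed), and the interpretation strings are general BIND/Samba knowledge, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the named/samba_dlz lines quoted in the thread, one event per
# line, with the mailing-list escaping of "$@" removed (hostnames as sanitised there).
SAMPLE_LOG = """\
Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 192.168.3.249#50160 (wpad.mycompany.lan): query 'wpad.mycompany.lan/A/IN' denied
Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#54685 (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan): query '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN' denied
Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#58257 (ecs.office.com): query (cache) 'ecs.office.com/A/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#55685: update 'mycompany.lan/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling transaction on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting transaction on zone mycompany.lan
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE$@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#54935/key WELL_KNOWN_MACHINE$@MYCOMPANY.LAN: updating zone 'mycompany.lan/NONE': update failed: rejected by secure update (REFUSED)
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling transaction on zone mycompany.lan
"""

# syslog-style prefix that named puts on every line
TIMESTAMP = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ named\[\d+\]: (?P<msg>.*)$")

# One regex per failure shape; the dict order is the match order.
PATTERNS = {
    # allow-query (or allow-query-cache, for "(cache)" lines) rejected the client
    "query_denied": re.compile(
        r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+ \([^)]*\): "
        r"query (?P<cache>\(cache\) )?'(?P<name>[^/']+)/(?P<type>[A-Z]+)/IN' denied"),
    # unauthenticated (unsigned) dynamic update refused by the zone's update policy
    "unsigned_update_denied": re.compile(
        r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+: update '(?P<zone>[^/']+)/IN' denied"),
    # Samba's DLZ module checked the signer's rights on the AD dnsNode and refused
    "dlz_disallowed": re.compile(
        r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
        r"name=(?P<name>\S+) type=(?P<type>\S+) error=(?P<error>.+)$"),
    # the GSS-TSIG signed update as named reported the outcome to the client
    "signed_update_refused": re.compile(
        r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+/key (?P<key>\S+): "
        r"updating zone '(?P<zone>[^']+)': update failed: (?P<reason>.+)$"),
}

# What each event kind means and where to look next (general BIND/Samba knowledge).
CHECKS = {
    "query_denied": "client is outside named.conf allow-query (allow-query-cache for "
                    "'(cache)' lines); identify the host before widening any ACL",
    "unsigned_update_denied": "unauthenticated update refused by the zone update policy; "
                              "expected noise when the same client retries with a /key "
                              "(GSS-TSIG) update a moment later",
    "dlz_disallowed": "signer authenticated but lacks write rights on the existing dnsNode "
                      "for this name in AD; compare the record's owner/ACL with the signer "
                      "(e.g. samba-tool dns query <server> <zone> <name> <type>)",
    "signed_update_refused": "the REFUSED the client actually saw; pair it with the "
                             "preceding samba_dlz line for the real reason",
}


def parse_line(line):
    """Return {'ts', 'kind', ...fields} for a recognised failure line, else None."""
    m = TIMESTAMP.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    for kind, pat in PATTERNS.items():
        hit = pat.search(msg)
        if hit:
            event = {"ts": m.group("ts"), "kind": kind}
            event.update({k: v for k, v in hit.groupdict().items() if v is not None})
            if kind == "query_denied":
                event["cache"] = bool(hit.group("cache"))
            return event
    return None


def triage(log_text):
    """Group recognised events by client IP; samba_dlz lines carry no IP, so resolve
    their signer through the '/key <signer>' line named logs for the same update."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    key_to_ip = {e["key"]: e["ip"] for e in events if e["kind"] == "signed_update_refused"}
    by_client = defaultdict(list)
    for e in events:
        client = e.get("ip") or key_to_ip.get(e["signer"], e["signer"])
        by_client[client].append(e)
    return dict(by_client)


def report(log_text):
    """One header line per client plus one check line per distinct event kind."""
    lines = []
    for client, evs in triage(log_text).items():
        kinds = sorted({e["kind"] for e in evs})
        lines.append(f"{client}: {', '.join(kinds)}")
        lines.extend(f"  - {CHECKS[k]}" for k in kinds)
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run on the sample, the 192.168.2.55 entry shows the expected sequence: an unauthenticated update refused, the GSS-TSIG retry, and the samba_dlz line naming the signer and the AAAA record it could not write. That last line is the one to act on. The machine account authenticated fine, but it does not have write access to the existing dnsNode for its own name in AD, which is what "insufficient access rights" means in this message, so the record's owner and ACL, not named.conf, are where to look; the 192.168.3.249 entry is a plain allow-query refusal and says nothing about AD.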