[Samba] samba_dlz: disallowing update of signer error=insufficient access rights
Rowland penny
rpenny at samba.org
Fri Nov 27 15:38:02 UTC 2020
On 27/11/2020 11:13, lmloge via samba wrote:
> Hello,
>
> When I run "systemctl status bind9.service" on my SAMBA_SERVER, I get
> the output below.
>
> - There is one problem which implies "192.168.3.249",
> "wpad.mycompany.lan", "ecs.office.com".
> What can this be, given that I know no "wpad" equipment in my network
> and that I do not know what "ecs.office.com" is?
> Can you explain to me what is the meaning of the related messages below?
>
> - There is a second problem which implies "192.168.2.55" and
> "WELL_KNOWN_MACHINE".
> "WELL_KNOWN_MACHINE" is a machine that is very well known, very
> important in my network.
> Can you explain what the problem is and how to solve it?
> The error message says "insufficient access rights". How can I check
> what's wrong?
>
> Thanks.
> --
> Léa
>
> root at SAMBA_SERVER:~# systemctl status bind9.service
> ? bind9.service - BIND Domain Name Server
> Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor
> preset: enabled)
> Drop-In: /etc/systemd/system/bind9.service.d
> +-override.conf
> Active: active (running) since Thu 2020-06-11 21:33:05 CEST; 5
> months 16 days ago
> Docs: man:named(8)
> Process: 431 ExecStart=/usr/sbin/named $OPTIONS (code=exited,
> status=0/SUCCESS)
> Main PID: 527 (named)
> Tasks: 7 (limit: 4915)
> Memory: 81.4M
> CGroup: /system.slice/bind9.service
> +-527 /usr/sbin/named -u bind -4
>
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0
> 192.168.3.249#50160 (wpad.mycompany.lan): query
> 'wpad.mycompany.lan/A/IN' denied
> Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20
> 192.168.3.249#54685
> (_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan):
> query
> '_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.mycompany.lan/SRV/IN'
> denied
> Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20
> 192.168.3.249#58257 (ecs.office.com): query (cache)
> 'ecs.office.com/A/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0
> 192.168.2.55#55685: update 'mycompany.lan/IN' denied
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: starting
> transaction on zone mycompany.lan
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update
> of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN
> name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient
> access rights
> Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0
> 192.168.2.55#54935/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating
> zone 'mycompany.lan/NONE': update failed: rejected by secure update
> (REFUSED)
> Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: cancelling
> transaction on zone mycompany.lan
>
OK, the OP sent me their named.conf files offlist:

It looks like (if, as you say, 'wpad' isn't a name you recognise) that
someone has wandered in with a laptop or tablet and your DHCP server has
given it an IP, but it is being denied a query on its own hostname,
probably because it doesn't exist in AD. Cure: find whatever it is, turn
it off and then never let it on to your network again.

What is 192.168.2.55? It doesn't appear to be in your network, not
unless your reverse zone is '168.192.in-addr.arpa'. It appears to be
'WELL_KNOWN_MACHINE' (which I hope is a sanitised hostname, otherwise it
is too long). If it is your RODC, then it shouldn't be trying to; it
should have a fixed IP, and if it does have a fixed IP, stop it trying to
update any of its records.
Rowland
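The three kinds of denial in the quoted log (a lookup refused by policy, an unsigned update refused outright, and a signed update the Samba DLZ backend rejects because the signer lacks rights on the record) can be told apart mechanically; the script below is an added example, not code from this thread or from Samba, and runs over a constructed sample in the same line formats (the `\$\@` in the archived mail is assumed to be list escaping of the principal's `$@`).

```python
import re
from collections import Counter, defaultdict
# Constructed sample in the format named/samba_dlz writes (hostnames sanitised as in the thread).
SAMPLE_LOG = """\
Nov 27 10:12:51 SAMBA_SERVER named[527]: client @0x7f96c80d1cf0 192.168.3.249#50160 (wpad.mycompany.lan): query 'wpad.mycompany.lan/A/IN' denied
Nov 27 10:12:53 SAMBA_SERVER named[527]: client @0x7f96d0fc5d20 192.168.3.249#58257 (ecs.office.com): query (cache) 'ecs.office.com/A/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: client @0x7f96c406fed0 192.168.2.55#55685: update 'mycompany.lan/IN' denied
Nov 27 10:57:31 SAMBA_SERVER named[527]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE$@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
"""
PATTERNS = {
    # lookup refused by the server's allow-query / allow-recursion policy
    "query_denied": re.compile(
        r"client @\S+ (?P<ip>[\d.]+)#\d+ \((?P<qname>[^)]+)\): query (?:\(cache\) )?'[^']+' denied"),
    # unsigned (non-GSS-TSIG) dynamic update, refused before it reaches the backend
    "update_denied": re.compile(r"client @\S+ (?P<ip>[\d.]+)#\d+: update '(?P<zone>[^']+)' denied"),
    # signed update that reached the Samba DLZ backend, but the signer lacks rights on the record
    "dlz_refused": re.compile(
        r"samba_dlz: disallowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
        r"type=(?P<rtype>\S+) error=(?P<error>.+)$"),
}

def parse_line(line):
    """Return (kind, fields) for a line of interest, or None for anything else."""
    for kind, pat in PATTERNS.items():
        if m := pat.search(line):
            return kind, m.groupdict()
    return None

def triage(log_text):
    """Group denials by client IP and by Kerberos signer so each can be followed up."""
    summary = {
        "denied_queries": defaultdict(set),    # client IP -> names it asked for
        "unsigned_updates": Counter(),         # client IP -> unsigned update attempts
        "refused_signers": defaultdict(list),  # signer -> [(name, type, error), ...]
        "wpad_lookups": set(),                 # clients asking for a WPAD proxy-config host
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, f = parsed
        if kind == "query_denied":
            summary["denied_queries"][f["ip"]].add(f["qname"])
            if f["qname"].lower().startswith("wpad."):
                summary["wpad_lookups"].add(f["ip"])
        elif kind == "update_denied":
            summary["unsigned_updates"][f["ip"]] += 1
        else:
            summary["refused_signers"][f["signer"]].append((f["name"], f["rtype"], f["error"]))
    return summary
```

A signer that shows up under `refused_signers` is authenticated but not authorised for that record, which is a different follow-up from an IP under `denied_queries` that AD has never heard of.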