[Samba] samba_dlz: disallowing update of signer error=insufficient access rights

Rowland Penny rpenny at samba.org
Fri Nov 27 16:53:57 UTC 2020


On 27/11/2020 16:16, lmloge via samba wrote:
> To say things quickly:
> I have two Samba servers with a VPN between the two.
> SAMBA_SERVER made a domain provision, SAMBA_SERVER_2 made a domain join.
>
> SAMBA_SERVER's IP is 192.168.3.x and is on one side of the VPN.
> SAMBA_SERVER_2's IP is 192.168.2.y and is on the other side of the VPN.
> WELL_KNOWN_MACHINE's IP is 192.168.2.55, on the same side of the VPN 
> as SAMBA_SERVER_2.
>
> WELL_KNOWN_MACHINE's real name is 7 alpha characters long (it is a 
> fine name). All my hostnames are fine.
> WELL_KNOWN_MACHINE has a fixed IP which I added that way:
> echo <pwd> | samba-tool dns add SAMBA_SERVER_2 mycompany.lan 
> WELL_KNOWN_MACHINE A 192.168.2.55 -Uadministrator
>
> "systemctl status bind9.service" has changed since my first post.
> Also, I made a mistake, this is on SAMBA_SERVER_2 that I run the 
> command below.
>
> root@SAMBA_SERVER_2# systemctl status bind9.service
> [...]
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: client @0x7f56d80441a0 
> 192.168.2.55#53696: update 'mycompany.lan/IN' denied
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: cancelling 
> transaction on zone mycompany.lan
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: starting 
> transaction on zone mycompany.lan
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: disallowing 
> update of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN 
> name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient 
> access rights
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: client @0x7f56d80441a0 
> 192.168.2.55#61237/key WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN: updating 
> zone 'mycompany.lan/NONE': update failed: rejected by secure update 
> (REFUSED)
> Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: cancelling 
> transaction on zone mycompany.lan
> [...]

'AAAA' is IPv6. You have turned off IPv6, so you need to find out why 
the computer is trying to update/set an IPv6 address.

>
> I have two reverse zones: "2.168.192.in-addr.arpa" and 
> "3.168.192.in-addr.arpa".
>
> > stop it trying to update any of its records.
> How do I do that?

Try your OS's documentation.

Rowland
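
To see which machine accounts are being refused and for which record types, the samba_dlz refusal lines in a log like the one quoted above can be tallied. This is an added example, not part of the original message: the sample lines are constructed from the quoted log (unwrapped, with made-up timestamps for the extra entries), and OTHER_MACHINE is a hypothetical second host.

```python
import re
from collections import Counter

# Refusal line format as it appears in the named log quoted above.
DENY_RE = re.compile(
    r"samba_dlz: disallowing update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"type=(?P<rtype>\S+) error=(?P<error>.+)$"
)

# Constructed sample input (placeholders as used in the thread; OTHER_MACHINE is hypothetical).
SAMPLE_LOG = r"""
Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: starting transaction on zone mycompany.lan
Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: client @0x7f56d80441a0 192.168.2.55#53696: update 'mycompany.lan/IN' denied
Nov 27 16:57:31 SAMBA_SERVER_2 named[20057]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
Nov 27 17:12:31 SAMBA_SERVER_2 named[20057]: samba_dlz: disallowing update of signer=WELL_KNOWN_MACHINE\$\@MYCOMPANY.LAN name=WELL_KNOWN_MACHINE.mycompany.lan type=AAAA error=insufficient access rights
Nov 27 17:13:02 SAMBA_SERVER_2 named[20057]: samba_dlz: disallowing update of signer=OTHER_MACHINE\$\@MYCOMPANY.LAN name=OTHER_MACHINE.mycompany.lan type=A error=insufficient access rights
"""

def parse_denials(lines):
    """Return one dict per refused update: signer, name, rtype, error."""
    denials = []
    for line in lines:
        m = DENY_RE.search(line.strip())
        if not m:
            continue  # transaction start/cancel and generic "denied" lines
        d = m.groupdict()
        # The log escapes '$' and '@' in the principal with backslashes.
        d["signer"] = d["signer"].replace("\\", "")
        d["error"] = d["error"].strip()
        denials.append(d)
    return denials

def summarize(denials):
    """Count refusals per (signer, record name, record type)."""
    return Counter((d["signer"], d["name"], d["rtype"]) for d in denials)

if __name__ == "__main__":
    counts = summarize(parse_denials(SAMPLE_LOG.splitlines()))
    for (signer, name, rtype), n in counts.most_common():
        print(f"{n:3d}  {rtype:<5} {name}  signer={signer}")
```

A machine that shows up only with type=AAAA, as WELL_KNOWN_MACHINE does here, is the case described in the reply: the client is trying to register an IPv6 address.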





