Hello,
I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
a problem trying to add some DNS entries. When I open the RSAT DNS manager
I got an Access Denied error and I can't edit the zones.
My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
compiled on a Debian 8 amd64:

[global]
    netbios name = DC1
    realm = DOMAIN.DOM
    workgroup = DOMAIN
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    dns forwarder = 8.8.8.8

[netlogon]
    path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
    read only = No

[sysvol]
    path = /server/samba/bin/var/locks/sysvol
    read only = No

All seems to be working fine, because I'm able to join the domain, log in on
that computer and manage other things like Users and Groups, Policies...
but DNS just gives me an Access Denied message.
The log shows this:
[2017/09/12 11:17:01.416939, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
[2017/09/12 11:17:01.444307, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
[2017/09/12 11:17:01.469071, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
[2017/09/12 11:17:01.494096, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
Is there any way to fix this? Maybe I forgot something, like adding the
computer to a group, for example... I'm using the Administrator user, so it
should have access to all.
Thanks, and greetings!!
--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________
On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:
> Is there any way to fix this? Maybe I forgot something, like adding the
> computer to a group, for example... I'm using the Administrator user, so it
> should have access to all.
>
> Thanks, and greetings!!

We have a restriction to disallow un-protected dce/rpc sessions, as
they are just too easy to hijack. You can use samba-tool or set

allow dcerpc auth level connect = yes

I hope this helps,

Andrew Bartlett
--
Andrew Bartlett                           http://samba.org/~abartlet/
Authentication Developer, Samba Team      http://samba.org
Samba Developer, Catalyst IT              http://catalyst.net.nz/services/samba
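
In the log lines of this thread, auth type 0xa is NTLMSSP and level 0x2 is the DCE/RPC "connect" level, the unprotected kind of session the reply above says is rejected. The following is an added example (not part of any post, and not Samba code) that pulls such denials out of a log and groups them by interface and client; the function names are illustrative.

```python
import re
from collections import Counter

# DCE/RPC auth_type / auth_level numbers as defined by the protocol (MS-RPCE).
AUTH_TYPES = {0x09: "SPNEGO", 0x0A: "NTLMSSP", 0x10: "KRB5", 0x44: "SCHANNEL"}
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PACKET",
               5: "INTEGRITY", 6: "PRIVACY"}

DENIAL = re.compile(
    r"\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+),\s*\d+\] \S+ "
    r"dcesrv_request: restrict auth_level_connect access to \[(?P<iface>[^\]]+)\] "
    r"with auth\[type=(?P<type>0x[0-9a-fA-F]+),level=(?P<level>0x[0-9a-fA-F]+)\] "
    r"on \[(?P<transport>[^\]]+)\] from \[ipv[46]:(?P<addr>.+?):(?P<port>\d+)\]"
)

def parse_denials(log_text):
    """Return one dict per rejected request; tolerates mail/terminal line wraps."""
    flat = " ".join(log_text.split())  # undo wrapping so each record is one run
    events = []
    for m in DENIAL.finditer(flat):
        t, lvl = int(m["type"], 16), int(m["level"], 16)
        events.append({
            "time": m["ts"], "interface": m["iface"], "transport": m["transport"],
            "client": m["addr"],
            "auth_type": AUTH_TYPES.get(t, hex(t)),    # unknown values stay as hex
            "auth_level": AUTH_LEVELS.get(lvl, hex(lvl)),
        })
    return events

def summarize(events):
    """Count denials per (interface, client, auth_type, auth_level)."""
    return Counter((e["interface"], e["client"], e["auth_type"], e["auth_level"])
                   for e in events)

# Two records copied from the log in the original post, wrapped as mailed.
SAMPLE = """\
[2017/09/12 11:17:01.416939, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
[2017/09/12 11:17:01.444307, 2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
"""

if __name__ == "__main__":
    for key, n in summarize(parse_denials(SAMPLE)).items():
        print(n, *key)
```
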
2017-09-12 11:32 GMT+02:00 Andrew Bartlett <abartlet at samba.org>:
> We have a restriction to disallow un-protected dce/rpc sessions, as
> they are just too easy to hijack. You can use samba-tool or set
>
> allow dcerpc auth level connect = yes
>
> I hope this helps,
>
> Andrew Bartlett

Thanks, but I'm still getting the same error. I'll try to do it with
samba-tool.

Greetings!
--
_________________________________________
Daniel Carrasco Marín
Ingeniería para la Innovación i2TIC, S.L.
Tlf: +34 911 12 32 84 Ext: 223
www.i2tic.com
_________________________________________