I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which
seemed to have someone experiencing the same issue I am.
I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my
smb.conf, rebooted the server, but still I get an access denied message
in Windows.
However, what is logged in the log.samba files has changed since adding
this option to my smb.conf. It now shows

[2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]

when I try to open the DNS Management RSAT

On Tue, Dec 12, 2017 at 10:04 AM, Taylor Hammerling <thammerling at tcsbasys.com> wrote:

> I cranked up the log level to 3 and found this in the log.samba file when
> trying to open the DNS Manager RSAT from my client machine (which is joined
> to the same domain as the DCs)
>
> [2017/12/12 09:59:30.601170, 2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
>
> On Tue, Dec 12, 2017 at 9:47 AM, Taylor Hammerling <thammerling at tcsbasys.com> wrote:
>
>> Good morning all!
>>
>> I have two DCs, both running Samba 4.7.3. I have just joined the second
>> DC to the domain. The second DC is replicating AD objects perfectly, I
>> verified this by running "samba-tool drs showrepl" as well as using the
>> ADUC RSAT snapin and adding a user to one DC, then switching the DC that
>> ADUC connects to and verifying that the user was properly replicated.
>>
>> The DNS objects are also replicating properly. I checked this by running
>> "samba-dnsupdate" as well as by running nslookup, switching the server to
>> the new DC and doing a couple of lookups.
>>
>> Unfortunately, I can't access the DNS on the new DC thru the DNS Manager
>> RSAT snapin. I get an "access denied" error. There are no entries in any
>> of the samba logs when I attempt to open the DNS Manager snapin either.
>>
>> I CAN access the DNS on the original DC using the DNS Manager RSAT snapin.
>>
>> I'm hoping (and suspecting) this will just be an easy fix of
>> chmodding/chowing something...
>> I've spent the last hour googling and have come up with nada.
>>
>> Any help you can provide would be VERY appreciated!

--
*Taylor Hammerling* | *IT Manager*
2800 Laura Lane | Middleton, WI 53562
*O *(608) 669-9070 *| C *(608) 512-7849
tcsbasys.com | ubiquistat.com

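Added example, not part of the original thread: a short Python parser for the two dcesrv_request denial entries quoted in the message above, decoding the auth type and level fields into names. The numeric-to-name tables are the standard DCE/RPC values from MS-RPCE and are an assumption about how to read the log, not something stated in the thread.

```python
import re

# Standard DCE/RPC values from MS-RPCE (assumed mapping, not from the thread).
AUTH_TYPES = {0: "NONE", 9: "SPNEGO", 10: "NTLMSSP", 16: "KRB5", 68: "SCHANNEL"}
AUTH_LEVELS = {1: "NONE", 2: "CONNECT", 3: "CALL", 4: "PACKET",
               5: "INTEGRITY", 6: "PRIVACY"}

# The two log entries quoted in the thread, with mail line wraps rejoined.
SAMPLE_LOG = """\
[2017/12/12 09:59:30.601170, 2] ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49960]
[2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
  dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
"""

# Matches both denial forms: the auth_level_connect check and the
# min_auth_level check, which also reports the required minimum.
DENIAL = re.compile(
    r"dcesrv_request: restrict (?:(?P<connect>auth_level_connect) access"
    r"|access by min_auth_level\[(?P<min>0x[0-9a-f]+)\]) to \[(?P<iface>[^\]]+)\] "
    r"with auth\[type=(?P<type>0x[0-9a-f]+),level=(?P<level>0x[0-9a-f]+)\] "
    r"on \[(?P<transport>[^\]]+)\] from \[(?P<peer>[^\]]+)\]"
)


def _name(table, hex_text):
    """Translate a hex field to its name, falling back to the raw value."""
    value = int(hex_text, 16)
    return table.get(value, hex(value))


def parse_denials(text):
    """Return one dict per dcesrv_request denial found in text."""
    denials = []
    for m in DENIAL.finditer(text):
        denials.append({
            "check": "auth_level_connect" if m["connect"] else "min_auth_level",
            "interface": m["iface"],
            "transport": m["transport"],
            "peer": m["peer"],
            "auth_type": _name(AUTH_TYPES, m["type"]),
            "client_level": _name(AUTH_LEVELS, m["level"]),
            # Only the min_auth_level form states what the server requires.
            "required_level": _name(AUTH_LEVELS, m["min"]) if m["min"] else None,
        })
    return denials
```

Under those tables, both entries decode to an NTLMSSP bind at CONNECT level from the same client, and the second entry names PACKET (0x4) as the minimum level accepted for dnsserver.
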
On 12/12/2017 11:24 AM, Taylor Hammerling via samba wrote:
> I found this page https://bugzilla.samba.org/show_bug.cgi?id=12807 which
> seemed to have someone experiencing the same issue I am.
> I tried adding "allow dcerpc auth level connect:dnsserver = yes" to my
> smb.conf, rebooted the server, but still I get an access denied message
> in Windows.
> However, what is logged in the log.samba files has changed since adding
> this option to my smb.conf. It now shows
>
> [2017/12/12 10:21:02.936834, 2] ../source4/rpc_server/dcerpc_server.c:1824(dcesrv_request)
>   dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:172.28.9.100:49994]
>
> when I try to open the DNS Management RSAT

Is your user part of the DNS admins group?

--
James

The user is a member of "Domain Admins" so they should be able to access
the DNS (as is evident by the fact that they can access the DNS thru RSAT
on the initial DC).
But just to be thorough I have added "Domain Admins" to the group
"DnsAdmins" and tested again, still get the "access denied" error from
within Windows.

On Tue, Dec 12, 2017 at 11:01 AM, lingpanda101 via samba <samba at lists.samba.org> wrote:

> Is your user part of the DNS admins group?
>
> --
> James

--
*Taylor Hammerling* | *IT Manager*