Our Domain Controller is running Samba 4.6.2. We have both Windows 7 & 10 on our network. All of the Windows 7 workstations seem to be updating their reverse PTR records just fine, but the Windows 10 workstations seem to always fail.

Here are the named logs from the DC:

23-May-2018 13:53:08.965 update-security: error: client 192.168.254.210#60093: update 'tipping.lan/IN' denied
23-May-2018 13:53:08.965 database: info: samba_dlz: cancelling transaction on zone tipping.lan
23-May-2018 13:53:08.998 database: info: samba_dlz: starting transaction on zone tipping.lan
23-May-2018 13:53:09.002 database: info: samba_dlz: allowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=i7x4-45G-2.tipping.lan tcpaddr= type=AAAA key=1744-ms-7.3-ac5fb46.7f4b13c3-5d26-11e8-3184-2c4d54d1ed8a/160/0
23-May-2018 13:53:09.005 database: info: samba_dlz: allowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=i7x4-45G-2.tipping.lan tcpaddr= type=A key=1744-ms-7.3-ac5fb46.7f4b13c3-5d26-11e8-3184-2c4d54d1ed8a/160/0
23-May-2018 13:53:09.008 database: info: samba_dlz: allowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=i7x4-45G-2.tipping.lan tcpaddr= type=A key=1744-ms-7.3-ac5fb46.7f4b13c3-5d26-11e8-3184-2c4d54d1ed8a/160/0
23-May-2018 13:53:09.008 update: info: client 192.168.254.210#64901/key I7X4-45G-2\$\@TIPPING.LAN: updating zone 'tipping.lan/NONE': deleting rrset at 'i7x4-45G-2.tipping.lan' AAAA
23-May-2018 13:53:09.009 update: info: client 192.168.254.210#64901/key I7X4-45G-2\$\@TIPPING.LAN: updating zone 'tipping.lan/NONE': deleting rrset at 'i7x4-45G-2.tipping.lan' A
23-May-2018 13:53:09.012 database: info: samba_dlz: subtracted rdataset i7x4-45G-2.tipping.lan 'i7x4-45G-2.tipping.lan. 1200 IN A 192.168.254.210'
23-May-2018 13:53:09.022 update: info: client 192.168.254.210#64901/key I7X4-45G-2\$\@TIPPING.LAN: updating zone 'tipping.lan/NONE': adding an RR at 'i7x4-45G-2.tipping.lan' A
23-May-2018 13:53:09.036 database: info: samba_dlz: added rdataset i7x4-45G-2.tipping.lan 'i7x4-45G-2.tipping.lan. 1200 IN A 192.168.254.210'
23-May-2018 13:53:09.045 database: info: samba_dlz: committed transaction on zone tipping.lan
23-May-2018 13:53:09.070 database: info: samba_dlz: starting transaction on zone 254.168.192.in-addr.arpa
23-May-2018 13:53:09.079 update-security: error: client 192.168.254.210#57291: update '254.168.192.in-addr.arpa/IN' denied
23-May-2018 13:53:09.079 database: info: samba_dlz: cancelling transaction on zone 254.168.192.in-addr.arpa
23-May-2018 13:53:09.080 database: info: samba_dlz: starting transaction on zone 254.168.192.in-addr.arpa
23-May-2018 13:53:09.094 database: info: samba_dlz: disallowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=210.254.168.192.in-addr.arpa type=PTR error=insufficient access rights
23-May-2018 13:53:09.094 update: info: client 192.168.254.210#52915/key I7X4-45G-2\$\@TIPPING.LAN: updating zone '254.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)

Any suggestions?
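
Added example (not part of the original post, and not Samba or BIND code): a short Python triage of the named log above that separates the unsigned `update ... denied` attempts from the signed samba_dlz decisions and lists which signer was refused for which record. The sample lines are copied from the excerpt; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the named log in the post above.
SAMPLE_LOG = r"""
23-May-2018 13:53:08.965 update-security: error: client 192.168.254.210#60093: update 'tipping.lan/IN' denied
23-May-2018 13:53:09.002 database: info: samba_dlz: allowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=i7x4-45G-2.tipping.lan tcpaddr= type=AAAA key=1744-ms-7.3-ac5fb46.7f4b13c3-5d26-11e8-3184-2c4d54d1ed8a/160/0
23-May-2018 13:53:09.005 database: info: samba_dlz: allowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=i7x4-45G-2.tipping.lan tcpaddr= type=A key=1744-ms-7.3-ac5fb46.7f4b13c3-5d26-11e8-3184-2c4d54d1ed8a/160/0
23-May-2018 13:53:09.079 update-security: error: client 192.168.254.210#57291: update '254.168.192.in-addr.arpa/IN' denied
23-May-2018 13:53:09.094 database: info: samba_dlz: disallowing update of signer=I7X4-45G-2\$\@TIPPING.LAN name=210.254.168.192.in-addr.arpa type=PTR error=insufficient access rights
"""

# Signed (keyed) update decisions logged by the samba_dlz module.
DLZ = re.compile(
    r"samba_dlz: (?P<verdict>allowing|disallowing) update of "
    r"signer=(?P<signer>\S+) name=(?P<name>\S+)(?: tcpaddr=\S*)? "
    r"type=(?P<rtype>\S+)(?: error=(?P<error>.*))?")
# Update attempts rejected before any key was presented.
UNSIGNED = re.compile(
    r"update-security: error: client (?P<client>[\d.]+)#\d+: "
    r"update '(?P<zone>[^'/]+)/IN' denied")

def unescape(name):
    """Drop the backslashes named puts before '$' and '@' in key names."""
    return re.sub(r"\\(.)", r"\1", name)

def triage(log_text):
    """Return (signed_refused, signed_allowed, unsigned_denied)."""
    refused, allowed, unsigned = defaultdict(list), defaultdict(list), []
    for line in log_text.splitlines():
        m = DLZ.search(line)
        if m:
            signer = unescape(m["signer"])
            if m["verdict"] == "disallowing":
                refused[signer].append((m["name"], m["rtype"], m["error"]))
            else:
                allowed[signer].append((m["name"], m["rtype"]))
            continue
        m = UNSIGNED.search(line)
        if m:
            unsigned.append((m["client"], m["zone"]))
    return dict(refused), dict(allowed), unsigned

if __name__ == "__main__":
    refused, allowed, unsigned = triage(SAMPLE_LOG)
    for signer, items in refused.items():
        for name, rtype, error in items:
            print(f"REFUSED {signer} {rtype} {name}: {error}")
```

In the excerpt, the forward-zone denial is followed by allowed signed A/AAAA updates from the same client, so the line to act on is the `disallowing` PTR decision for the reverse zone.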

On 5/23/2018 2:59 PM, Barry Ralphs wrote:
> Our Domain Controller is running Samba 4.6.2

Correction, our DC is on Samba 4.7.6 and we're using the packages from Tranquil.
Repo: https://samba.tranquil.it/centos7/stable/

On Thu, 24 May 2018 16:39:31 -0700 Barry Ralphs via samba <samba at lists.samba.org> wrote:
> On 5/23/2018 2:59 PM, Barry Ralphs wrote:
> > Our Domain Controller is running Samba 4.6.2
> Correction, our DC is on Samba 4.7.6 and we're using the packages
> from Tranquil.
> Repo: https://samba.tranquil.it/centos7/stable/

How was the reverse zone created? It looks like the clients do not own their own reverse records.

Rowland

Hi Barry,

> 23-May-2018 13:53:09.094 database: info: samba_dlz: disallowing update
> of signer=I7X4-45G-2\$\@TIPPING.LAN name=210.254.168.192.in-addr.arpa
> type=PTR error=insufficient access rights

Could you check if that entry exists or not in the reverse zone, and if it exists, what ACE is on that entry (right click/property/security). If the entry exists, you should see the computer account name with total control on the entry.

With reverse entries, it may have been created by another computer, and thus your new win10 cannot change the value. There is no DNS scavenging that will clean up entries currently (I think it should land in 4.9).

Cheers,

Denis

> 23-May-2018 13:53:09.094 update: info: client 192.168.254.210#52915/key
> I7X4-45G-2\$\@TIPPING.LAN: updating zone
> '254.168.192.in-addr.arpa/NONE': update failed: rejected by secure
> update (REFUSED)
>
> Any suggestions?

--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr

On 5/25/2018 12:32 AM, Denis Cardon wrote:
>> 23-May-2018 13:53:09.094 database: info: samba_dlz: disallowing update
>> of signer=I7X4-45G-2\$\@TIPPING.LAN name=210.254.168.192.in-addr.arpa
>> type=PTR error=insufficient access rights
>
> could you check if that entry exist or not in the reverse zone, and if
> it exist what ACE is on that entry (right click/property/security). If
> the entry exists, you should see the computer account name with total
> control on the entry.

Hi Denis,

Thanks for the reply. No, the entry does not exist in the DNS manager reverse zone. How do I fix the "insufficient access rights"?

Thx,
Barry