Kacper Wirski
2018-Nov-06 10:24 UTC
[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
Hello,

I'm struggling with an error for secure dynamic DNS updates for reverse lookup zones.

My environment:

2 Samba 4.8.4 DCs with BIND DLZ as DNS backend, running on CentOS 7.5. Samba was compiled from source with default Heimdal Kerberos (./configure --with-systemd --enable-gnutls) /I know now that --with-systemd is not needed, but didn't know that at the time of compilation/.

BIND was installed from the default CentOS repo. I read about supposed issues with secure updates, but:

a) secure updates for forward lookup zone work fine

b) reverse updates were working fine prior to update (more on this later on)

my DC smb.conf (2nd DC has the same, just name is DC2):

[global]
netbios name = DC1
realm = SOMEREALM.COM
workgroup = SOMEREALM
server role = active directory domain controller
idmap_ldb:use rfc2307 = yes
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

allow dns updates = secure
server services = -dns
tls enabled = yes
tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem

apply group policies = yes

ntlm auth = mschapv2-and-ntlmv2-only

[netlogon]
path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
read only = No

[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No

Secure updates for forward lookup zone work generally fine with the small exception: if I add to AD a host that previously existed, it won't allow the update either, but ALL reverse lookup updates fail. I can add the client manually.

Named output looks like this:

ov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': deleting rrset at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com. 1200 IN A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC\$\@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa

It's not a general secure update issue, rather something specific to reverse zones (all of them), but I'm not sure how to handle this, so any general advice is appreciated, or direction where to look.

Regards,
Kacper
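To confirm from the named output above that the "insufficient access rights" refusals are confined to the reverse tree while forward-zone transactions commit, here is an added Python helper; it is not part of the thread or of Samba, and the sample log is constructed from the lines quoted in the post.

```python
import re
from collections import Counter

# Constructed sample modelled on the named/samba_dlz lines in the post
# (one record per line; the mailer's backslash-escapes before $ and @ removed).
SAMPLE_LOG = """\
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#50095/key WINDOWS-PC$@somerealm.com: updating zone 'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing update of signer=WINDOWS-PC$@somerealm.com name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 192.168.210.16#62741/key WINDOWS-PC$@somerealm.com: updating zone '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling transaction on zone 210.168.192.in-addr.arpa
"""

DISALLOW_RE = re.compile(r"samba_dlz: disallowing update of signer=(?P<signer>\S+) "
                         r"name=(?P<name>\S+) type=(?P<rtype>\S+) error=(?P<error>.*)$")
COMMIT_RE = re.compile(r"samba_dlz: committed transaction on zone (?P<zone>\S+)$")

def is_reverse_zone(name):
    """True for names under the IPv4/IPv6 reverse-mapping trees."""
    n = name.lower().rstrip(".")
    return n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa")

def parse_dlz_log(text):
    """Return the refused updates (as dicts) and the zones whose transactions committed."""
    refused, committed = [], []
    for line in text.splitlines():
        m = DISALLOW_RE.search(line)
        if m:
            refused.append(m.groupdict())
            continue
        m = COMMIT_RE.search(line)
        if m:
            committed.append(m.group("zone"))
    return refused, committed

def classify_refusals(refused, committed):
    """'reverse-only' = every ACL refusal hit a reverse zone while a forward zone
    committed, which points at per-record ownership, not secure updates as such."""
    acl = [r for r in refused if r["error"].strip() == "insufficient access rights"]
    trees = Counter("reverse" if is_reverse_zone(r["name"]) else "forward" for r in acl)
    forward_ok = any(not is_reverse_zone(z) for z in committed)
    if not acl:
        verdict = "none"
    elif trees["forward"] == 0 and forward_ok:
        verdict = "reverse-only"
    else:
        verdict = "mixed"
    return {"verdict": verdict, "reverse": trees["reverse"], "forward": trees["forward"],
            "signers": sorted({r["signer"] for r in acl})}
```

Feed it `journalctl -u named` output instead of SAMPLE_LOG to check the same pattern on a live DC.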
Rowland Penny
2018-Nov-06 11:07 UTC
[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
On Tue, 6 Nov 2018 11:24:43 +0100 Kacper Wirski via samba <samba at lists.samba.org> wrote:

> Hello,
>
> I'm struggling with an error for secure dynamic dns updates for
> reverse lookup zones.
[...]
> allow dns updates = secure
[...]
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing
> update of signer=WINDOWS-PC\$\@somerealm.com
> name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access
> rights
[...]
> It's not general secure update issue, rather something specific to
> reverse zones (all of them), but i'm not sure how to handle this, so
> any general advice is appreciated, or direction where to look.

The only entity that can update a DNS record is the one that created it or a user with sufficient authority to do so.

You have 'allow dns updates = secure' in smb.conf, you could try changing this to 'nonsecure'

Rowland
Kacper Wirski
2018-Nov-08 12:23 UTC
[Samba] dynamic update for reverse lookup zone denied - insufficient access rights
Hello,

I have some additional information: I suspect that this issue is similar to a different error that happens in the forward lookup zone:

Let's say that I have domain member host WIN-1 (with Windows 10 OS). WIN-1 dynamically creates a DNS entry with IP 192.168.100.50 in the forward zone and another entry, 50.100.168.192-in-addr-arpa with WIN-1, assuming that there were no entries in DNS either for the WIN-1 host or for 50.100.168.192-in-addr-arpa. Everything is fine at that point.

Then for whatever reason WIN-1 was scrapped from AD (deleted). When a host with the same name is added (WIN-1) it will have a different SID, so technically only the name stays the same. The old DNS record for WIN-1 is removed. When this happens WIN-1 (new account with different SID) will not be allowed to dynamically add an entry to DNS, with an insufficient rights error. It seems that samba or named (even after purging tombstones) still holds the previous entry, sees that new host != previous host and throws "insufficient rights".

Is it possible that for the reverse lookup zone there is a similar case? When the IP 50.100.168.192-in-addr-arpa record was added by WIN-1$, another host won't be able to change this record, that I can understand. But even after manually deleting the 50.100.168.192-in-addr-arpa entry from DNS, the "insufficient rights" error still happens.

IPs are changed a lot more often than hostnames, so this is somewhat of an issue. Is there a workaround? Where, after deleting the entry from DNS and expunging tombstones, can information still be stored that is blocking dynamic updates?

Regards,
Kacper

On Tue, 6 Nov 2018 at 12:07 Rowland Penny via samba <samba at lists.samba.org> wrote:

> On Tue, 6 Nov 2018 11:24:43 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
[...]
> The only entity that can update a DNS record is the one that created
> it or a user with sufficient authority to do so.
> You have 'allow dns updates = secure' in smb.conf, you could try
> changing this to 'nonsecure'
>
> Rowland