samba - Nov 2018 - dynamic update for reverse lookup zone denied - insufficient access rights

Hello,

I'm struggling with an error for secure dynamic dns updates for reverse 
lookup zones.

My environment:

2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos 7.5. 
Samba was compiled from source with default heimdal kerberos 
(./configure --with-systemd --enable-gnutls) /I know now that 
--with-systemd is not needed, but didn't now that the time of compilation/.

BIND was installed from default centos repo. I read about supposed 
issues with secure updates, but :

a) secure updates for forward lookup zone work fine

b) reverse updates were working fine prior to update (more on this later on)

my DC smb.conf (2nd dc has the same, just name is DC2):

[global]
         netbios name = DC1
         realm = SOMEREALM.COM
         workgroup = SOMEREALM
         server role = active directory domain controller
         idmap_ldb:use rfc2307 = yes
         load printers = no
         printing = bsd
         printcap name = /dev/null
         disable spoolss = yes

         allow dns updates = secure
         server services = -dns
         tls enabled = yes
         tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
         tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
         tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem

         apply group policies = yes

         ntlm auth = mschapv2-and-ntlmv2-only



[netlogon]
         path = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts
         read only = No

[sysvol]
         path = /usr/local/samba/var/locks/sysvol
         read only = No


Secure updates for forward lookup zone work generally fine with the 
small exception: if I add to AD host that previously existed, it won't 
allow update either, but ALL reverse lookup updates fail. I can add 
client manually.


Named output looks like this:

ov 02 20:14:45 dc1.somerealm.com named[1075]: client 
192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
'somerealm.com/NONE': deleting rrset at
'WINDOWS-PC.somerealm.com' A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted 
rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        
1200        IN        A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
'somerealm.com/NONE': adding an RR at 'WINDOWS-PC.somerealm.com'
A
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added rdataset 
WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        1200        
IN        A 192.168.210.16'
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed 
transaction on zone somerealm.com
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting 
transaction on zone 210.168.192.in-addr.arpa
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing 
update of signer=WINDOWS-PC\$\@somerealm.com 
name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access rights
Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone 
'210.168.192.in-addr.arpa/NONE': update failed: rejected by secure 
update (REFUSED)
Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling 
transaction on zone 210.168.192.in-addr.arpa

It's not general secure update issue, rather something specific to 
reverse zones (all of them), but i'm not sure how to handle this, so any 
general advice is appreciated, or direction where to look.

Regards,

Kacper

On Tue, 6 Nov 2018 11:24:43 +0100
Kacper Wirski via samba <samba at lists.samba.org> wrote:
> Hello,
> 
> I'm struggling with an error for secure dynamic dns updates for
> reverse lookup zones.
> 
> My environment:
> 
> 2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos
> 7.5. Samba was compiled from source with default heimdal kerberos 
> (./configure --with-systemd --enable-gnutls) /I know now that 
> --with-systemd is not needed, but didn't now that the time of
> compilation/.
> 
> BIND was installed from default centos repo. I read about supposed 
> issues with secure updates, but :
> 
> a) secure updates for forward lookup zone work fine
> 
> b) reverse updates were working fine prior to update (more on this
> later on)
> 
> my DC smb.conf (2nd dc has the same, just name is DC2):
> 
> [global]
>          netbios name = DC1
>          realm = SOMEREALM.COM
>          workgroup = SOMEREALM
>          server role = active directory domain controller
>          idmap_ldb:use rfc2307 = yes
>          load printers = no
>          printing = bsd
>          printcap name = /dev/null
>          disable spoolss = yes
> 
>          allow dns updates = secure
>          server services = -dns
>          tls enabled = yes
>          tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
>          tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
>          tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
> 
>          apply group policies = yes
> 
>          ntlm auth = mschapv2-and-ntlmv2-only
> 
> 
> 
> [netlogon]
>          path
> = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts read only > No
> 
> [sysvol]
>          path = /usr/local/samba/var/locks/sysvol
>          read only = No
> 
> 
> Secure updates for forward lookup zone work generally fine with the 
> small exception: if I add to AD host that previously existed, it
> won't allow update either, but ALL reverse lookup updates fail. I can
> add client manually.
> 
> 
> Named output looks like this:
> 
> ov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
> 'somerealm.com/NONE': deleting rrset at
'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted 
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.        
> 1200        IN        A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone 
> 'somerealm.com/NONE': adding an RR at
'WINDOWS-PC.somerealm.com' A
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added
> rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> 1200 IN        A 192.168.210.16'
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed 
> transaction on zone somerealm.com
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting 
> transaction on zone 210.168.192.in-addr.arpa
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing 
> update of signer=WINDOWS-PC\$\@somerealm.com 
> name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access
> rights Nov 02 20:14:45 dc1.somerealm.com named[1075]: client 
> 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone 
> '210.168.192.in-addr.arpa/NONE': update failed: rejected by secure 
> update (REFUSED)
> Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling 
> transaction on zone 210.168.192.in-addr.arpa
> 
> It's not general secure update issue, rather something specific to 
> reverse zones (all of them), but i'm not sure how to handle this, so
> any general advice is appreciated, or direction where to look.
> 
The only entity that can update a DNS record is the one that created
it or a user with sufficient authority to do so. 
You have 'allow dns updates = secure' in smb.conf, you could try
changing this to 'nonsecure'

Rowland

Hello, I have some additional information:

I  suspect hat this issue is similar to different error, that happens in
forward lookup zone:

Let's say that I have domain member host WIN-1 (with windows 10 OS)
WIN-1 dynamically creates DNS entry with IP 192.168.100.50 in forward
entry  and another entry: 50.100.168.192-in-addr-arpa with WIN-1, assuming
that there were no entries in DNS neither for WIN-1 host nor for
50.100.168.192-in-addr-arpa. Everything is fine at that point.

Then for whatever reason WIN-1 was scrapped from AD (deleted). When host
with same name is added (WIN-1) it will have different SID, so technically
only name stays the same. Old DNS record for WIN-1 is removed.
When this happens WIN-1 (new account with different SID) will not be
allowed to dynamically add entry to DNS with insufficient rights error. It
seems that samba or named (even after purging tombstones) still hold
previous entry and sees that new host != previous host and throws
"insufficient rights".

Is it possible that for reverse lookup zone there is similar case? When IP
50.100.168.192-in-addr-arpa record was added by WIN-1$ another host won't
be able to change this record, that I can understand. But even after
manually deleting 50.100.168.192-in-addr-arpa entry from DNS, still error
with "insufficient rights"  happens

IP's are changed a lot more often than hostnames, so this is somewhat of an
issue.

Is there a workaound? Where, after deleting entry from DNS,and expunging
tombstones information can still be stored that is blocking dynamic updates?

Regards,
Kacper

wt., 6 lis 2018 o 12:07 Rowland Penny via samba <samba at lists.samba.org>
napisał(a):
> On Tue, 6 Nov 2018 11:24:43 +0100
> Kacper Wirski via samba <samba at lists.samba.org> wrote:
>
> > Hello,
> >
> > I'm struggling with an error for secure dynamic dns updates for
> > reverse lookup zones.
> >
> > My environment:
> >
> > 2 Samba 4.8.4 DC's with BIND DLZ as dns backend, running on Centos
> > 7.5. Samba was compiled from source with default heimdal kerberos
> > (./configure --with-systemd --enable-gnutls) /I know now that
> > --with-systemd is not needed, but didn't now that the time of
> > compilation/.
> >
> > BIND was installed from default centos repo. I read about supposed
> > issues with secure updates, but :
> >
> > a) secure updates for forward lookup zone work fine
> >
> > b) reverse updates were working fine prior to update (more on this
> > later on)
> >
> > my DC smb.conf (2nd dc has the same, just name is DC2):
> >
> > [global]
> >          netbios name = DC1
> >          realm = SOMEREALM.COM
> >          workgroup = SOMEREALM
> >          server role = active directory domain controller
> >          idmap_ldb:use rfc2307 = yes
> >          load printers = no
> >          printing = bsd
> >          printcap name = /dev/null
> >          disable spoolss = yes
> >
> >          allow dns updates = secure
> >          server services = -dns
> >          tls enabled = yes
> >          tls keyfile = /usr/local/samba/private/tls/dc1.key.pem
> >          tls certfile = /usr/local/samba/private/tls/dc1.cert.pem
> >          tls cafile = /usr/local/samba/private/tls/ca-chain.cert.pem
> >
> >          apply group policies = yes
> >
> >          ntlm auth = mschapv2-and-ntlmv2-only
> >
> >
> >
> > [netlogon]
> >          path
> > = /usr/local/samba/var/locks/sysvol/somerealm.com/scripts read only
> > No
> >
> > [sysvol]
> >          path = /usr/local/samba/var/locks/sysvol
> >          read only = No
> >
> >
> > Secure updates for forward lookup zone work generally fine with the
> > small exception: if I add to AD host that previously existed, it
> > won't allow update either, but ALL reverse lookup updates fail. I
can
> > add client manually.
> >
> >
> > Named output looks like this:
> >
> > ov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> > 'somerealm.com/NONE': deleting rrset at
'WINDOWS-PC.somerealm.com' A
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: subtracted
> > rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> > 1200        IN        A 192.168.210.16'
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#50095/key WINDOWS-PC\$\@somerealm.com: updating zone
> > 'somerealm.com/NONE': adding an RR at
'WINDOWS-PC.somerealm.com' A
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: added
> > rdataset WINDOWS-PC.somerealm.com 'WINDOWS-PC.somerealm.com.
> > 1200 IN        A 192.168.210.16'
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: committed
> > transaction on zone somerealm.com
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: starting
> > transaction on zone 210.168.192.in-addr.arpa
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: disallowing
> > update of signer=WINDOWS-PC\$\@somerealm.com
> > name=16.210.168.192.in-addr.arpa type=PTR error=insufficient access
> > rights Nov 02 20:14:45 dc1.somerealm.com named[1075]: client
> > 192.168.210.16#62741/key WINDOWS-PC\$\@somerealm.com: updating zone
> > '210.168.192.in-addr.arpa/NONE': update failed: rejected by
secure
> > update (REFUSED)
> > Nov 02 20:14:45 dc1.somerealm.com named[1075]: samba_dlz: cancelling
> > transaction on zone 210.168.192.in-addr.arpa
> >
> > It's not general secure update issue, rather something specific to
> > reverse zones (all of them), but i'm not sure how to handle this,
so
> > any general advice is appreciated, or direction where to look.
> >
>
> The only entity that can update a DNS record is the one that created
> it or a user with sufficient authority to do so.
> You have 'allow dns updates = secure' in smb.conf, you could try
> changing this to 'nonsecure'
>
> Rowland
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>