On 19/06/2019 00:10, André Luiz via samba wrote:
> Hello all,
>
> My Server is CentOS 7 and I'm running Samba 4.10.4 compiled from
> scratch.
>
> When I try to open DNS in RSAT I receive this message: Access was denied.
> Would you like to add it anyway?
>
> In my log.samba file I see this message:
>
> [2019/06/18 19:48:26.176994, 3]
> ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> ldb_wrap open of secrets.ldb
> [2019/06/18 19:48:26.202329, 3]
> ../../lib/ldb-samba/ldb_wrap.c:332(ldb_wrap_connect)
> ldb_wrap open of privilege.ldb
> [2019/06/18 19:48:26.209150, 2]
> ../../source4/rpc_server/dcerpc_server.c:1936(dcesrv_request)
> dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver]
> with auth[type=0x9,level=0x2] on [ncacn_ip_tcp] from
> [ipv4:192.168.1.10:1662]
> [2019/06/18 19:48:26.209623, 3]
> ../../source4/smbd/service_stream.c:67(stream_terminate_connection)
> stream_terminate_connection: Terminating connection - 'dcesrv:
> NT_STATUS_CONNECTION_DISCONNECTED'
>
> When I put the option allow dcerpc auth level connect:dnsserver = yes on
> my smb.conf file I receive:
>
> dcesrv_request: restrict access by min_auth_level[0x4] to [dnsserver] with
> auth[type=0x9,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.1.10:1662]
>
> When I do not put that option on smb.conf file I receive this message:
>
> dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0x9,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.1.10:1670]
>
> My smb.conf
>
> [global]
> netbios name = PDC
> realm = DOMAIN.LOCAL
> server role = active directory domain controller
> server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl,
> winbindd, ntp_signd, kcc, dnsupdate

You appear to be using Bind9

> workgroup = DOMAIN
> idmap_ldb:use rfc2307 = yes
> dns forwarder = 1.1.1.1 8.8.8.8 208.67.222.22

Yet you have a dns forwarder line

> log level = 3
> allow dcerpc auth level connect:dnsserver = yes
> interfaces = 127.0.0.1 192.168.1.10
> bind interfaces only = yes
> interfaces = lo enp21s0

You also have two 'interfaces' lines, you can only have one

> ntlm auth = yes
>
> My Samba is fully functional. I can create users, join computers, resolve
> names, but I cannot access DNS via RSAT to edit my zones. Via CLI I can
> edit DNS zones.
>
> Thanks
>
> Andre

Can you post your named.conf file?

Rowland
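
An added example, not part of the original thread: a small smb.conf check for the three points raised in the reply (duplicate parameters, a `dns forwarder` without the internal `dns` service, and the relaxed `allow dcerpc auth level connect:dnsserver` setting). The function names `parse_global` and `lint` are hypothetical, and the sample is constructed from the configuration quoted above with the mail-wrapped `server services` line rejoined.

```python
import re

# Constructed sample: abridged from the [global] section quoted in the thread.
SAMPLE_CONF = """\
[global]
server role = active directory domain controller
server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate
dns forwarder = 1.1.1.1 8.8.8.8 208.67.222.22
allow dcerpc auth level connect:dnsserver = yes
interfaces = 127.0.0.1 192.168.1.10
bind interfaces only = yes
interfaces = lo enp21s0
"""

def parse_global(text):
    """Return {normalised name: [(line_no, value), ...]} for the [global] section."""
    params, section = {}, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params.setdefault(re.sub(r"\s+", "", key).lower(), []).append((no, value.strip()))
    return params

def lint(text):
    params, findings = parse_global(text), []
    for key, hits in params.items():
        if len(hits) > 1:
            findings.append(f"duplicate '{key}' on lines {[n for n, _ in hits]}")
    services = [s.strip().lower() for _, v in params.get("serverservices", []) for s in v.split(",")]
    if services and not all(s[:1] in "+-" for s in services):
        internal_dns = "dns" in services       # explicit list replaces the default
    else:
        internal_dns = "-dns" not in services  # default list includes dns
    if not internal_dns and "dnsforwarder" in params:
        findings.append("'dns forwarder' set but internal 'dns' service is not enabled")
    relax = params.get("allowdcerpcauthlevelconnect:dnsserver", [])
    if relax and relax[-1][1].lower() in ("yes", "true", "1"):
        findings.append("connect-level DCERPC auth allowed for dnsserver (no signing or sealing)")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONF)))
```

On a real domain controller, `testparm` remains the authoritative check of how Samba reads the file.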