I'm not quite sure how to ask this question because I don't really know what's going on, but I'm seeing an error I don't understand. It appears that when updating the zone record, something is not working right, but I'm not sure what it is.

The logs have an error like this:

client @0x7f7bd4089880 192.168.7.144#57386: update 'internal.kcs/IN' denied

It is then followed by Samba_dlz allowing the update of various records from that IP address, followed by another error which is for the same IP and is similar but slightly different, like this, for example:

client @0x7f7be408d970 192.168.7.144#59545: update 'internal.kcs/IN' denied

This happens 5+ times for each IP address. Could someone smarter than me (that's all of you) tell me what's going on and if I should be concerned?

Here's a more complete section from the log:

Oct 13 13:17:35 dc01 named[28462]: samba_dlz: starting transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7bd4089880 192.168.7.144#57386: update 'internal.kcs/IN' denied
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: cancelling transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: starting transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=AAAA key=1544-ms-7.56-810a45ed.a3c0e1ca>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=A key=1544-ms-7.56-810a45ed.a3c0e1ca-f9>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=A key=1544-ms-7.56-810a45ed.a3c0e1ca-f9>
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7bdc07b4c0 192.168.7.144#51239/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': deleting rrset at 'KCS-LAB-06.internal.kcs' AAAA
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7bdc07b4c0 192.168.7.144#51239/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': deleting rrset at 'KCS-LAB-06.internal.kcs' A
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: subtracted rdataset KCS-LAB-06.internal.kcs 'KCS-LAB-06.internal.kcs. 1200 IN A 192.168.7.144'
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7bdc07b4c0 192.168.7.144#51239/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': adding an RR at 'KCS-LAB-06.internal.kcs' A 192.1>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: added rdataset KCS-LAB-06.internal.kcs 'KCS-LAB-06.internal.kcs. 1200 IN A 192.168.7.144'
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: committed transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: starting transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7be408d970 192.168.7.144#59545: update 'internal.kcs/IN' denied
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: cancelling transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: starting transaction on zone internal.kcs
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=AAAA key=1544-ms-7.56-810a45ed.a3c0e1ca>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=A key=1544-ms-7.56-810a45ed.a3c0e1ca-f9>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=A key=1544-ms-7.56-810a45ed.a3c0e1ca-f9>
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7be408d970 192.168.7.144#49791/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': deleting rrset at 'KCS-LAB-06.internal.kcs' AAAA
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7be408d970 192.168.7.144#49791/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': deleting rrset at 'KCS-LAB-06.internal.kcs' A
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: subtracted rdataset KCS-LAB-06.internal.kcs 'KCS-LAB-06.internal.kcs. 1200 IN A 192.168.7.144'
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7be408d970 192.168.7.144#49791/key KCS-LAB-06\$\@INTERNAL.KCS: updating zone 'internal.kcs/NONE': adding an RR at 'KCS-LAB-06.internal.kcs' A 192.1>
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: added rdataset KCS-LAB-06.internal.kcs 'KCS-LAB-06.internal.kcs. 1200 IN A 192.168.7.144'
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: committed transaction on zone internal.kcs

On Tue, 2020-10-13 at 14:29 -0700, Peter Pollock via samba wrote:
> The logs have an error like this: client @0x7f7bd4089880
> 192.168.7.144#57386: update 'internal.kcs/IN' denied
>
> It is then followed by Samba_dlz allowing the update of various records
> from that IP address, followed by another error which is for the same IP

So, what some (and if I recall Windows clients in particular) clients do is try an unauthenticated update, and then only do GSS-TSIG once that fails.

> and if I should be concerned?

No.

Andrew Bartlett

--
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba

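The pattern described in the reply above (an unsigned update is denied, then the same client succeeds with GSS-TSIG) can be checked mechanically. This is an added example, not part of the thread or of Samba: it pairs each "denied" line with a samba_dlz "allowing update" line from the same address; the 5-second window, the function names and the 192.0.2.50 client in the constructed sample are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample modelled on the log lines in the post; 192.0.2.50 is an
# invented client that is denied and never follows up with a signed update.
SAMPLE_LOG = r"""
Oct 13 13:17:35 dc01 named[28462]: client @0x7f7bd4089880 192.168.7.144#57386: update 'internal.kcs/IN' denied
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: allowing update of signer=KCS-LAB-06\$\@INTERNAL.KCS name=KCS-LAB-06.internal.kcs tcpaddr=192.168.7.144 type=A key=constructed-key
Oct 13 13:17:35 dc01 named[28462]: samba_dlz: committed transaction on zone internal.kcs
Oct 13 13:20:01 dc01 named[28462]: client @0x7f7bd4000001 192.0.2.50#40000: update 'internal.kcs/IN' denied
Oct 13 13:20:02 dc01 named[28462]: client @0x7f7bd4000002 192.0.2.50#40001: update 'internal.kcs/IN' denied
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) "
DENIED = re.compile(STAMP + r".*client @\S+ ([\d.]+)#\d+: update '([^']+)' denied$")
ALLOWED = re.compile(STAMP + r".*samba_dlz: allowing update of signer=(\S+) .*tcpaddr=([\d.]+) ")

def _ts(stamp, year):
    # syslog timestamps carry no year, so the caller supplies it
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify_denials(log_text, year=2020, window_s=5):
    """Split 'update denied' events into those followed by a signed update
    from the same address within window_s seconds, and those that are not."""
    denied, allowed = [], []
    for line in log_text.splitlines():
        if m := DENIED.match(line):
            denied.append((_ts(m[1], year), m[2], m[3]))
        elif m := ALLOWED.match(line):
            allowed.append((_ts(m[1], year), m[3], m[2]))
    window = timedelta(seconds=window_s)
    retried, unmatched = [], []
    for when, ip, zone in denied:
        # the denied line carries no identity, so pairing is by source address
        signers = {s for t, a, s in allowed if a == ip and when <= t <= when + window}
        if signers:
            retried.append((ip, zone, sorted(signers)))
        else:
            unmatched.append((ip, zone, when.isoformat()))
    return retried, unmatched

if __name__ == "__main__":
    ok, review = classify_denials(SAMPLE_LOG)
    print("denied, then signed update:", ok)
    print("denied, no signed follow-up:", review)
```

Denials in the second list are the ones worth a closer look, since no authenticated update from that address followed them within the window.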
Thank you Andrew. That's the kind of answer I love! :-)

On Tue, Oct 13, 2020 at 5:36 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Tue, 2020-10-13 at 14:29 -0700, Peter Pollock via samba wrote:
> > The logs have an error like this: client @0x7f7bd4089880
> > 192.168.7.144#57386: update 'internal.kcs/IN' denied
> >
> > It is then followed by Samba_dlz allowing the update of various records
> > from that IP address, followed by another error which is for the same IP
>
> So, what some (and if I recall Windows clients in particular) clients
> do is try an unauthenticated update, and then only do GSS-TSIG once
> that fails.
>
> > and if I should be concerned?
>
> No.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett https://samba.org/~abartlet/
> Authentication Developer, Samba Team https://samba.org
> Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba