Access denied editing DNS using RSAT

Access denied editing DNS using RSAT

Samba - General mailing list
Hello,

I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
a problem trying to add some DNS entries. When I open the RSAT DNS manager
I got an Access Denied error and I can't edit the zones.

My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
compiled on a Debian 8 amd64:
[global]
        netbios name = DC1
        realm = DOMAIN.DOM
        workgroup = DOMAIN
        server role = active directory domain controller
        idmap_ldb:use rfc2307 = yes
        dns forwarder = 8.8.8.8

[netlogon]
        path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
        read only = No

[sysvol]
        path = /server/samba/bin/var/locks/sysvol
        read only = No

All seems to be working fine, because I'm able to join the domain, log in on
that computer and manage other things like Users and Groups, Policies...
but DNS just drops me an Access Denied message.

The log shows this:
[2017/09/12 11:17:01.416939,  2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
[2017/09/12 11:17:01.444307,  2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
[2017/09/12 11:17:01.469071,  2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
[2017/09/12 11:17:01.494096,  2]
../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
  dcesrv_request: restrict auth_level_connect access to [dnsserver] with
auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]


Is there any way to fix this? Maybe I forgot something, like adding the
computer to a group, for example... I'm using the Administrator user, so it
should have access to all.

Thanks, and greetings!!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
Re: Access denied editing DNS using RSAT

Samba - General mailing list
On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:

> Hello,
>
> I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
> a problem trying to add some DNS entries. When I open the RSAT DNS manager
> I got an Access Denied error and I can't edit the zones.
>
> My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
> compiled on a Debian 8 amd64:
> [global]
>         netbios name = DC1
>         realm = DOMAIN.DOM
>         workgroup = DOMAIN
>         server role = active directory domain controller
>         idmap_ldb:use rfc2307 = yes
>         dns forwarder = 8.8.8.8
>
> [netlogon]
>         path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
>         read only = No
>
> [sysvol]
>         path = /server/samba/bin/var/locks/sysvol
>         read only = No
>
> All seems to be working fine, because I'm able to join the domain, log in on
> that computer and manage other things like Users and Groups, Policies...
> but DNS just drops me an Access Denied message.
>
> The log shows this:
> [2017/09/12 11:17:01.416939,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
> [2017/09/12 11:17:01.444307,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
> [2017/09/12 11:17:01.469071,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
> [2017/09/12 11:17:01.494096,  2]
> ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
>   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
>
>
> Is there any way to fix this? Maybe I forgot something, like adding the
> computer to a group, for example... I'm using the Administrator user, so it
> should have access to all.
>
> Thanks, and greetings!!

We have a restriction to disallow un-protected dce/rpc sessions, as
they are just too easy to hijack.  You can use samba-tool or set

allow dcerpc auth level connect = yes

I hope this helps,

Andrew Bartlett

--
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba



Re: Access denied editing DNS using RSAT

Samba - General mailing list
2017-09-12 11:32 GMT+02:00 Andrew Bartlett <[hidden email]>:

> On Tue, 2017-09-12 at 11:21 +0200, Daniel Carrasco via samba wrote:
> > Hello,
> >
> > I'm trying to replace an old Windows Server 2003 with Samba 4 and I've got
> > a problem trying to add some DNS entries. When I open the RSAT DNS manager
> > I got an Access Denied error and I can't edit the zones.
> >
> > My config file is the one generated by samba-tool and I'm using Samba 4.7.0rc5
> > compiled on a Debian 8 amd64:
> > [global]
> >         netbios name = DC1
> >         realm = DOMAIN.DOM
> >         workgroup = DOMAIN
> >         server role = active directory domain controller
> >         idmap_ldb:use rfc2307 = yes
> >         dns forwarder = 8.8.8.8
> >
> > [netlogon]
> >         path = /server/samba/bin/var/locks/sysvol/domain.dom/scripts
> >         read only = No
> >
> > [sysvol]
> >         path = /server/samba/bin/var/locks/sysvol
> >         read only = No
> >
> > All seems to be working fine, because I'm able to join the domain, log in on
> > that computer and manage other things like Users and Groups, Policies...
> > but DNS just drops me an Access Denied message.
> >
> > The log shows this:
> > [2017/09/12 11:17:01.416939,  2]
> > ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> > auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65013]
> > [2017/09/12 11:17:01.444307,  2]
> > ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> > auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65015]
> > [2017/09/12 11:17:01.469071,  2]
> > ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> > auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65017]
> > [2017/09/12 11:17:01.494096,  2]
> > ../source4/rpc_server/dcerpc_server.c:1804(dcesrv_request)
> >   dcesrv_request: restrict auth_level_connect access to [dnsserver] with
> > auth[type=0xa,level=0x2] on [ncacn_ip_tcp] from [ipv4:192.168.0.52:65019]
> >
> >
> > Is there any way to fix this? Maybe I forgot something, like adding the
> > computer to a group, for example... I'm using the Administrator user, so it
> > should have access to all.
> >
> > Thanks, and greetings!!
>
> We have a restriction to disallow un-protected dce/rpc sessions, as
> they are just too easy to hijack.  You can use samba-tool or set
>
> allow dcerpc auth level connect = yes
>
> I hope this helps,
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                       http://samba.org/~abartlet/
> Authentication Developer, Samba Team  http://samba.org
> Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
>
>
Thanks, but I'm still getting the same error. I'll try to do it with
samba-tool.

Greetings!

--
_________________________________________

      Daniel Carrasco Marín
      Ingeniería para la Innovación i2TIC, S.L.
      Tlf:  +34 911 12 32 84 Ext: 223
      www.i2tic.com
_________________________________________