Bug 33637 - wrong owner sid for samba4 dns object if object was created by the connector -> ddns update fails
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: S4 Connector
Version: UNSTABLE
Hardware: Other Linux
Importance: P5 normal
Assigned To: Connector maintainers
Reported: 2013-12-03 12:34 CET by Felix Botner
Modified: 2016-11-04 16:13 CET (History)

Description Felix Botner univentionstaff 2013-12-03 12:34:10 CET
Windows ddns update fails if the dns object was created in UCS and synchronized by the connector.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
"DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
nTSecurityDescriptor --show-binary|grep owner_sid
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-512

The samba4 dns object has S-1-5-21-2258647891-1754753931-3671923481-512 as owner; because of that the windows client is no longer allowed to modify this object.

(1) in Windows
 -> ipconfig /registerdns

(2) syslog on the UCS Server
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': prerequisites are OK
Dec  3 12:32:01 pmaster named[30805]: samba_dlz: disallowing update of signer=win7pro\$\@PERF.TEST name=win7pro.perf.test type=AAAA error=insufficient access rights
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': update failed: rejected by secure update (REFUSED)


If I delete the object in samba4, the ddns update works and the object has the owner_sid of the computer account.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
"DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
nTSecurityDescriptor --show-binary|grep owner_sid
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-1114
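The following is an added example, not part of the report above and not UCS or Samba code: a small Python check that parses the `owner_sid` lines from `ldbsearch --show-binary` output for a DNS node object and reports whether the owner is the computer account that will send the secure dynamic update. The two sample outputs are constructed from the lines quoted in the report; the DN layout helper follows the `CN=MicrosoftDNS,CN=System` path used above, and the RID labels (512 = Domain Admins, 519 = Enterprise Admins, 500 = Administrator) are the standard well-known domain RIDs.

```python
"""Check who owns a Samba4 DNS node object by parsing ldbsearch --show-binary
output, and flag nodes whose owner is not the updating computer account.
Added example; assumes nothing beyond the output format shown in the report."""
import re
from typing import Optional, Tuple

# --show-binary decodes nTSecurityDescriptor and prints an "owner_sid : *"
# placeholder line followed by the real "owner_sid : S-1-5-..." line; the
# pattern below only accepts lines that carry an actual SID.
OWNER_SID_RE = re.compile(r"^\s*owner_sid\s*:\s*(S-1-5-[\d-]+)\s*$", re.M)

# Well-known domain RIDs (last component of a domain SID).
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 519: "Enterprise Admins"}

# Constructed samples, taken from the two ldbsearch outputs quoted in the report.
SAMPLE_CONNECTOR_CREATED = """\
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-512
"""
SAMPLE_CLIENT_CREATED = """\
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-1114
"""
# SID of the WIN7PRO computer account as shown in the report.
COMPUTER_ACCOUNT_SID = "S-1-5-21-2258647891-1754753931-3671923481-1114"


def dns_node_dn(host: str, zone: str, domain_dn: str) -> str:
    """Build the DN of a DNS node in the layout the report shows
    (zone container under CN=MicrosoftDNS,CN=System)."""
    return "DC=%s,DC=%s,CN=MicrosoftDNS,CN=System,%s" % (host, zone, domain_dn)


def ldbsearch_argv(host: str, zone: str, domain_dn: str,
                   sam_ldb: str = "/var/lib/samba/private/sam.ldb") -> list:
    """Argument vector for the ldbsearch call used in the report."""
    return ["ldbsearch", "-H", sam_ldb, "-b", dns_node_dn(host, zone, domain_dn),
            "nTSecurityDescriptor", "--show-binary"]


def parse_owner_sid(ldbsearch_output: str) -> Optional[str]:
    """Return the decoded owner SID from --show-binary output, or None."""
    m = OWNER_SID_RE.search(ldbsearch_output)
    return m.group(1) if m else None


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def check_owner(ldbsearch_output: str, expected_owner_sid: str) -> Tuple[bool, str]:
    """Decide whether the node's owner is the account expected to update it.
    Returns (ok, reason); a mismatch is what makes the secure update fail."""
    owner = parse_owner_sid(ldbsearch_output)
    if owner is None:
        return False, "no owner_sid found in output"
    if owner == expected_owner_sid:
        return True, "owner is the expected computer account"
    _, rid = split_sid(owner)
    label = WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)
    return False, "owner is %s (%s), not the updating account" % (owner, label)


if __name__ == "__main__":
    print(" ".join(ldbsearch_argv("WIN7PRO", "perf.test", "DC=perf,DC=test")))
    for name, sample in (("connector-created", SAMPLE_CONNECTOR_CREATED),
                         ("client-created", SAMPLE_CLIENT_CREATED)):
        ok, reason = check_owner(sample, COMPUTER_ACCOUNT_SID)
        print("%-18s %s: %s" % (name, "OK" if ok else "FAIL", reason))
```

On a real server the output fed to `check_owner` would come from running the argument vector returned by `ldbsearch_argv`; the expected owner SID is the `objectSid` of the client's computer account.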
Comment 1 Stefan Gohmann univentionstaff 2013-12-30 10:06:52 CET
I think the current behavior is OK.
Comment 2 Arvid Requate univentionstaff 2014-05-19 19:05:13 CEST
Just for future reference:

Yes, this is regular documented behaviour for what Microsoft refers to as "secure dynamic updates". See:

* http://technet.microsoft.com/en-us/library/cc959308.aspx#EAAA
* http://technet.microsoft.com/en-us/library/cc961412.aspx#EAAA

We might want to check / utilize the special behaviour of the DNSUpdateProxy group in Samba. If Samba supports this, we might want to put the sync user into that group to keep him from taking ownership of the records.
Comment 3 Arvid Requate univentionstaff 2015-10-12 19:06:25 CEST
See Ticket#2015100821000533 for a collection of more details.