Univention Bugzilla – Bug 33637
wrong owner sid for samba4 dns object if object was created by the connector -> ddns update fails
Last modified: 2016-11-04 16:13:52 CET
Windows DDNS update fails if the DNS object was created in UCS and synchronized by the connector.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
     "DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
     nTSecurityDescriptor --show-binary | grep owner_sid
   owner_sid : *
   owner_sid : S-1-5-21-2258647891-1754753931-3671923481-512

The samba4 DNS object has S-1-5-21-2258647891-1754753931-3671923481-512 as owner; because of that the Windows client is no longer allowed to modify this object.

(1) In Windows: ipconfig /registerdns

(2) syslog on the UCS server:

   Dec 3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': prerequisites are OK
   Dec 3 12:32:01 pmaster named[30805]: samba_dlz: disallowing update of signer=win7pro$@PERF.TEST name=win7pro.perf.test type=AAAA error=insufficient access rights
   Dec 3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': update failed: rejected by secure update (REFUSED)

If I delete the object in samba4, the DDNS update works and the object has the owner_sid of the computer account.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
     "DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
     nTSecurityDescriptor --show-binary | grep owner_sid
   owner_sid : *
   owner_sid : S-1-5-21-2258647891-1754753931-3671923481-1114
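As an added example (not part of this bug report and not UCS or Samba code), the following Python script ties the two observations in the report together: it picks the samba_dlz "disallowing update" refusals out of named's syslog, reads the owner_sid of each dnsNode from ldbsearch output, and reports the objects whose owner is not the computer account of the host they name. The syslog and ldbsearch excerpts are constructed after the lines quoted above (the ldbsearch sample is reduced to the dn: and owner_sid lines the parser needs), and the host-to-computer-SID mapping is a hypothetical stand-in for a real sam.ldb lookup; the RID 512 check relies on the well-known Domain Admins RID.

```python
"""Correlate named secure-update refusals with dnsNode owner SIDs in sam.ldb."""
import re
from typing import Dict, List, Tuple

# Constructed syslog excerpt in the shape of the report's named/samba_dlz lines.
SAMPLE_SYSLOG = """\
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': prerequisites are OK
Dec  3 12:32:01 pmaster named[30805]: samba_dlz: disallowing update of signer=win7pro$@PERF.TEST name=win7pro.perf.test type=AAAA error=insufficient access rights
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': update failed: rejected by secure update (REFUSED)
"""

# Constructed excerpt of 'ldbsearch ... nTSecurityDescriptor --show-binary' output,
# reduced to the dn: and owner_sid lines. The first owner_sid line ('*') is the
# pointer marker printed before the actual SID, so the later line wins.
SAMPLE_LDB = """\
# record 1
dn: DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test
    owner_sid                : *
        owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-512

# record 2
dn: DC=OTHERHOST,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test
    owner_sid                : *
        owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-1115
"""

# Hypothetical host -> computer-account SID mapping; a real check would look the
# sAMAccountName 'HOST$' up in sam.ldb instead of using a constant table.
COMPUTER_SIDS = {
    "WIN7PRO": "S-1-5-21-2258647891-1754753931-3671923481-1114",
    "OTHERHOST": "S-1-5-21-2258647891-1754753931-3671923481-1115",
}

REFUSED_RE = re.compile(
    r"samba_dlz: disallowing update of signer=(?P<signer>\S+) name=(?P<name>\S+) "
    r"type=(?P<rtype>\S+) error=(?P<error>.+)$"
)
SID_RE = re.compile(r"owner_sid\s*:\s*(S-1-[\d-]+)")
DN_RE = re.compile(r"^dn:\s*(.+)$")
DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


def refused_secure_updates(syslog: str) -> List[Dict[str, str]]:
    """One record per samba_dlz refusal: signer, record name, type and reason."""
    return [m.groupdict() for m in map(REFUSED_RE.search, syslog.splitlines()) if m]


def owner_sids(ldb_output: str) -> Dict[str, str]:
    """Map each dn in ldbsearch output to the owner SID of its security descriptor."""
    owners: Dict[str, str] = {}
    dn = None
    for line in ldb_output.splitlines():
        m = DN_RE.match(line)
        if m:
            dn = m.group(1).strip()
            continue
        m = SID_RE.search(line)
        if m and dn is not None:
            owners[dn] = m.group(1)  # real SID line overrides nothing from the '*' line
    return owners


def host_from_dn(dn: str) -> str:
    """First RDN value of a dnsNode dn: 'DC=WIN7PRO,...' -> 'WIN7PRO'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def rid(sid: str) -> int:
    return int(sid.rsplit("-", 1)[1])


def mismatched_owners(owners: Dict[str, str],
                      computer_sids: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """dnsNode objects whose owner is not the computer account of the host they name."""
    out = []
    for dn, owner in owners.items():
        expected = computer_sids.get(host_from_dn(dn))
        if expected and owner != expected:
            out.append((dn, owner, expected))
    return out


def explain_refusals(syslog: str, ldb_output: str,
                     computer_sids: Dict[str, str]) -> List[Dict[str, object]]:
    """For each refused update, say whether the dnsNode's owner explains it."""
    by_host = {host_from_dn(dn): (dn, sid) for dn, sid in owner_sids(ldb_output).items()}
    findings = []
    for hit in refused_secure_updates(syslog):
        host = hit["signer"].split("$", 1)[0].upper()  # 'win7pro$@PERF.TEST' -> 'WIN7PRO'
        if host not in by_host:
            continue
        dn, owner = by_host[host]
        expected = computer_sids.get(host)
        if expected and owner != expected:
            findings.append({
                "name": hit["name"], "signer": hit["signer"], "dn": dn,
                "owner_sid": owner, "expected_owner": expected,
                "owner_is_domain_admins": rid(owner) == DOMAIN_ADMINS_RID,
            })
    return findings


if __name__ == "__main__":
    for f in explain_refusals(SAMPLE_SYSLOG, SAMPLE_LDB, COMPUTER_SIDS):
        print(f"{f['name']}: owned by {f['owner_sid']}, expected {f['expected_owner']}")
```

Run against real data, feed it the output of the ldbsearch command quoted above (over the whole CN=MicrosoftDNS subtree rather than one object) and the relevant slice of syslog; every finding with owner_is_domain_admins set is a record that was written by a privileged account rather than by the host, which is exactly the condition under which a secure update from that host is refused.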
I think the current behavior is OK.
Just for future reference: Yes this is regular documented behaviour for what Microsoft refers to as "secure dynamic updates". See:

* http://technet.microsoft.com/en-us/library/cc959308.aspx#EAAA
* http://technet.microsoft.com/en-us/library/cc961412.aspx#EAAA

We might want to check / utilize the special behaviour of the DNSUpdateProxy group in Samba. If Samba supports this, we might want to put the sync user into that group to keep him from taking ownership of the records.
See Ticket#2015100821000533 for a collection of more details.