Bug 55047 - AXFR denied with Samba/AD when allowed in BIND9 config
Status: NEW
Product: UCS
Classification: Unclassified
Component: DNS
Version: UCS 5.0
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assigned To: UCS maintainers
UCS maintainers
Duplicates: 53884
Depends on:
Blocks:
Reported: 2022-08-01 06:09 CEST by dlloyd
Modified: 2024-03-04 11:00 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 1: Cosmetic issue or missing function but workaround exists
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.011
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:
Description dlloyd 2022-08-01 06:09:32 CEST
Reported in the UCS help forum: https://help.univention.com/t/after-update-to-5-0-2-dns-server-wont-allow-zone-transfer/20227

Since upgrading to UCS 5.0-2 (possibly earlier), zone transfers are denied by the server. UCR is set to allow, all config files show allows, but AXFR is denied by UCS. It is listening on all interfaces.

root@ucs1:~# netstat -ltup | grep domain
tcp        0      0 172.17.42.1:domain      0.0.0.0:*               LISTEN      15251/named
tcp        0      0 ucs1.domain.lan:domain   0.0.0.0:*               LISTEN      15251/named
tcp        0      0 ucs1.domain.lan:domain   0.0.0.0:*               LISTEN      15251/named
tcp        0      0 localhost:domain        0.0.0.0:*               LISTEN      15251/named
tcp6       0      0 [::]:domain             [::]:*                  LISTEN      15251/named
udp        0      0 172.17.42.1:domain      0.0.0.0:*                           15251/named
udp        0      0 ucs1.domain.lan:domain   0.0.0.0:*                           15251/named
udp        0      0 ucs1.domain.lan:domain   0.0.0.0:*                           15251/named
udp        0      0 localhost:domain        0.0.0.0:*                           15251/named
udp6       0      0 [::]:domain             [::]:*                              15251/named
root@ucs1:~#

root@ucs1:~# ucr search dns/allow/transfer
dns/allow/transfer: any

The zone file shows that transfer is allowed from any:
/etc/bind/univention.conf.d/domain.lan
zone "domain.lan" {
        type master;
        allow-transfer { any; };



root     15251  0.6  1.5 519924 95200 ?        Ssl  14:27   0:02 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

The named config also allows transfer:
/etc/bind/named.conf.samba4
options {
        tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
        listen-on { any; };
        allow-query { any; };
        allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
        allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
        allow-transfer { any; };
        listen-on-v6 { any; };
};

All AXFR requests are denied:

root@ucs1:~# cat /var/log/syslog | grep transfer
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Comment 1 Philipp Hahn univentionstaff 2022-08-01 10:12:51 CEST
root@m38:~# ucr get dns/backend 
ldap
root@m38:~# dig @localhost "$(dnsdomainname)" axfr
…

root@m38:~# ucr get dns/backend 
samba4
root@m38:~# dig @localhost $(dnsdomainname) axfr
; Transfer failed.
Comment 2 Arvid Requate univentionstaff 2022-08-01 10:31:39 CEST
You are right that the bind9 options controlling zone transfers are unfortunately ignored by the Samba dlz_bind9 plugin.

Additionally the behavior of the Samba dlz_bind9 plugin changed during the update from UCS 5.0-1 to 5.0-2:

https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#Bind_DLZ:_Added_the_ability_to_set_allow.2Fdeny_lists_for_zone_transfer_clients

The behavior can be adjusted by new Samba configuration parameters as "documented" in

https://gitlab.com/samba-team/samba/-/commit/0ec865d979540a63362a2014358c8bb27efc0081

This can be read more easily by looking at the output of "man smb.conf".

In UCS the parameters can be adjusted locally, e.g. by putting lines like these into /etc/samba/local.conf:

===
[global]
    dns zone transfer clients allow = <IPs or subnets>
    dns zone transfer clients deny = <some IPs>
===

And then running:

ucr commit /etc/samba/smb.conf; /etc/init.d/samba restart
Comment 3 Arvid Requate univentionstaff 2022-08-01 10:33:32 CEST
Ah, you need to restart bind9 instead of samba in this case.
Comment 4 dlloyd 2022-08-01 17:30:17 CEST
(In reply to Arvid Requate from comment #2)
> You are right that the bind9 options controlling zone transfers
> are unfortunately ignored by the Samba dlz_bind9 plugin.
> 
> Additionally the behavior of the Samba dlz_bind9 plugin changed during the
> update from UCS 5.0-1 to 5.0-2:
> 
> https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#Bind_DLZ:_Added_the_ability_to_set_allow.2Fdeny_lists_for_zone_transfer_clients
> 
> The behavior can be adjusted by new Samba configuration parameters as
> "documented" in
> 
> https://gitlab.com/samba-team/samba/-/commit/0ec865d979540a63362a2014358c8bb27efc0081
> 
> This can be read more easily by looking at the output of "man smb.conf".
> 
> In UCS the parameters can be adjusted locally, e.g. by putting lines like these
> into /etc/samba/local.conf:
> 
> ===
> [global]
>     dns zone transfer clients allow = <IPs or subnets>
>     dns zone transfer clients deny = <some IPs>
> ===
> 
> And then running:
> 
> ucr commit /etc/samba/smb.conf; /etc/init.d/samba restart

Thank you for this, the workaround resolved my issue.
Comment 5 Sebastian Klamar 2023-03-30 06:20:13 CEST
(In reply to Arvid Requate from comment #2)
> In UCS the parameters can be adjusted locally, e.g. by putting lines like these
> into /etc/samba/local.conf:

Arvid, using /etc/samba/local.conf did not work on my UCS because that file is not referenced (included) in smb.conf. Instead, I've set the global option via UCR:

ucr set 'samba/global/options/dns zone transfer clients allow'='1.2.3.4 5.6.7.8'

PS: Now I need to find out how to draft this in a file instead of in a command, because that would allow adding a documentation comment referencing this bug URL -- however, that exercise is not part of this bug :)
Comment 6 Christina Scheinig univentionstaff 2023-07-20 15:27:10 CEST
I have this issue in my test environment. All of a sudden, no zone transfer worked anymore.
Using the UCRV it worked again.
Comment 7 Arvid Requate univentionstaff 2023-12-01 15:30:05 CET
> Arvid, using /etc/samba/local.conf did not work on my UCS because that file is not referenced (included) in smb.conf.

This should do the trick: ucr commit /etc/samba/smb.conf
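An added audit helper (not from the bug report or from Univention/Samba) for the workaround above: it parses the "zone transfer ... denied" lines that named writes to syslog, as quoted in the description, and checks each refused client against a proposed value for the Samba parameter "dns zone transfer clients allow" before that value is set via the UCR variable from comment 5. The sample log lines are constructed in the same format as the reporter's; IPs and subnets are assumed to be accepted in the allow list, as comment 2 states.

```python
"""Audit a proposed Samba 'dns zone transfer clients allow' value against
named's denied-transfer log lines (added example, not part of the bug)."""
import ipaddress
import re

# Constructed sample syslog lines in the format quoted in the bug description.
SAMPLE_SYSLOG = """\
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:41:02 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62890 (mydomain.lan): query: mydomain.lan IN SOA
"""

# Matches only the "zone transfer '<zone>/IN' denied" events, not ordinary queries.
DENIED_RE = re.compile(
    r"named\[\d+\]: client @0x[0-9a-f]+ (?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<zone>[^)]+)\): zone transfer '(?P<rrset>[^']+)' denied"
)


def denied_transfers(log_text):
    """Return (client_ip, zone) for every refused zone transfer in the log."""
    hits = []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            hits.append((m.group("ip"), m.group("zone")))
    return hits


def parse_allow_list(value):
    """Turn the space-separated allow value (IPs or subnets) into networks."""
    return [ipaddress.ip_network(item, strict=False) for item in value.split()]


def uncovered_clients(log_text, allow_value):
    """Refused clients that the proposed allow list would still not cover."""
    nets = parse_allow_list(allow_value)
    missing = []
    for ip, _zone in denied_transfers(log_text):
        addr = ipaddress.ip_address(ip)
        # 'in' is False for a mixed IPv4/IPv6 comparison, so versions are safe.
        if not any(addr in net for net in nets) and ip not in missing:
            missing.append(ip)
    return missing


def ucr_set_command(allow_value):
    """The UCR command from comment 5, filled with the audited allow value."""
    return ("ucr set 'samba/global/options/dns zone transfer clients allow'="
            "'%s'" % allow_value)


if __name__ == "__main__":
    print(uncovered_clients(SAMPLE_SYSLOG, "10.0.40.0/24"))
    print(ucr_set_command("10.0.40.0/24 10.20.50.200"))
```

Only clients that are explicitly expected to pull the zone (secondary DNS servers) belong in the allow list; a refused client that is not one of them is a log entry to investigate, not an address to add.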
Comment 8 Philipp Hahn univentionstaff 2024-03-04 11:00:04 CET
*** Bug 53884 has been marked as a duplicate of this bug. ***