Univention Bugzilla – Bug 55047
AXFR denied with Samba/AD when allowed in BIND9 config
Last modified: 2024-03-04 11:00:04 CET
Reported in UCS help forum: https://help.univention.com/t/after-update-to-5-0-2-dns-server-wont-allow-zone-transfer/20227

Since upgrading to UCS 5.0-2 (possibly earlier), zone transfers are denied by the server. UCR is set to allow, all config files show allows, but AXFR is denied by UCS. Listening on all interfaces:

root@ucs1:~# netstat -ltup | grep domain
tcp        0      0 172.17.42.1:domain      0.0.0.0:*      LISTEN      15251/named
tcp        0      0 ucs1.domain.lan:domain  0.0.0.0:*      LISTEN      15251/named
tcp        0      0 ucs1.domain.lan:domain  0.0.0.0:*      LISTEN      15251/named
tcp        0      0 localhost:domain        0.0.0.0:*      LISTEN      15251/named
tcp6       0      0 [::]:domain             [::]:*         LISTEN      15251/named
udp        0      0 172.17.42.1:domain      0.0.0.0:*                  15251/named
udp        0      0 ucs1.domain.lan:domain  0.0.0.0:*                  15251/named
udp        0      0 ucs1.domain.lan:domain  0.0.0.0:*                  15251/named
udp        0      0 localhost:domain        0.0.0.0:*                  15251/named
udp6       0      0 [::]:domain             [::]:*                     15251/named
root@ucs1:~#

root@ucs1:~# ucr search dns/allow/transfer
dns/allow/transfer: any

Zone file shows transfer is allowed from any (/etc/bind/univention.conf.d/domain.lan):

zone "domain.lan" {
    type master;
    allow-transfer { any; };

root     15251  0.6  1.5 519924 95200 ?  Ssl  14:27  0:02 /usr/sbin/named -c /etc/bind/named.conf.samba4 -f -d 0

named config also allows transfer (/etc/bind/named.conf.samba4):

options {
    tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
    listen-on { any; };
    allow-query { any; };
    allow-recursion { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
    allow-query-cache { localhost; 10.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 192.168.0.0/16; fc00::/7; fe80::/10; localnets; };
    allow-transfer { any; };
    listen-on-v6 { any; };
};

All AXFR requests are denied.
root@ucs1:~# cat /var/log/syslog | grep transfer
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
root@m38:~# ucr get dns/backend
ldap
root@m38:~# dig @localhost "$(dnsdomainname)" axfr
…

root@m38:~# ucr get dns/backend
samba4
root@m38:~# dig @localhost $(dnsdomainname) axfr
; Transfer failed.
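As an added example (not from the bug report and not UCS or Samba code): a small Python check over the "zone transfer ... denied" lines that named writes to syslog, counting denied attempts per client and zone and splitting them into expected secondaries (which belong in the "dns zone transfer clients allow" list) and unexpected sources worth investigating. The sample log lines are constructed after the ones quoted above, and 10.0.40.0/24 is an assumed secondary network.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample, modelled on the syslog lines quoted in the report (not real data).
SAMPLE_SYSLOG = """\
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 02:59:58 ucs1 named[1059]: client @0x7f813011de30 10.0.40.92#38203 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:40:49 ucs1 named[1059]: client @0x7f813012c5c0 10.20.50.200#62888 (mydomain.lan): zone transfer 'mydomain.lan/IN' denied
Jul 27 03:41:02 ucs1 named[1059]: client @0x7f8130100f10 10.0.40.92#53947 (mydomain.lan): query: mydomain.lan IN SOA + (10.0.40.10)
"""

# Matches BIND9's denial message; the "@0x..." client handle is optional across versions.
DENIED_RE = re.compile(
    r"named\[\d+\]: client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]*)\): zone transfer '(?P<zone>[^']+)' denied"
)


def denied_transfers(log_text):
    """Return a Counter of (client_ip, zone) for every denied zone transfer in the log."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("zone"))] += 1
    return counts


def classify(counts, expected_secondaries):
    """Split denied clients into expected secondaries (a config gap on the server) and
    unexpected sources. expected_secondaries holds IPs or CIDR strings, i.e. the values
    you would put into the Samba 'dns zone transfer clients allow' parameter."""
    nets = [ip_network(s, strict=False) for s in expected_secondaries]
    expected, unexpected = {}, {}
    for (ip, zone), n in counts.items():
        addr = ip_address(ip)
        bucket = expected if any(addr in net for net in nets) else unexpected
        bucket[(ip, zone)] = n
    return expected, unexpected


if __name__ == "__main__":
    exp, unexp = classify(denied_transfers(SAMPLE_SYSLOG), ["10.0.40.0/24"])
    for (ip, zone), n in exp.items():
        print(f"expected secondary {ip} denied {n}x for {zone}: add it to the allow list")
    for (ip, zone), n in unexp.items():
        print(f"unexpected client {ip} attempted a transfer of {zone} {n}x: investigate")
```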
You are right in the point that the bind9 options controlling zone transfers are unfortunately ignored by the Samba dlz_bind9 plugin.

Additionally the behavior of the Samba dlz_bind9 plugin changed during the update from UCS 5.0-1 to 5.0-2:

https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#Bind_DLZ:_Added_the_ability_to_set_allow.2Fdeny_lists_for_zone_transfer_clients

The behavior can be adjusted by new Samba configuration parameters as "documented" in

https://gitlab.com/samba-team/samba/-/commit/0ec865d979540a63362a2014358c8bb27efc0081

This can be read more easily by looking at the output of "man smb.conf".

In UCS the parameters can be adjusted locally e.g. by putting lines like these into /etc/samba/local.conf:

===
[global]
dns zone transfer clients allow = <IPs or subnets>
dns zone transfer clients deny = <some IPs>
===

And then running:

ucr commit /etc/samba/smb.conf; /etc/init.d/samba restart
Ah, you need to restart bind9 instead of samba in this case.
(In reply to Arvid Requate from comment #2)
> You are right in the point that the bind9 options controlling zone transfers
> are unfortunately ignored by the Samba dlz_bind9 plugin.
>
> Additionally the behavior of the Samba dlz_bind9 plugin changed during the
> update from UCS 5.0-1 to 5.0-2:
>
> https://wiki.samba.org/index.php/Samba_4.15_Features_added/changed#Bind_DLZ:_Added_the_ability_to_set_allow.2Fdeny_lists_for_zone_transfer_clients
>
> The behavior can be adjusted by new Samba configuration parameters as
> "documented" in
>
> https://gitlab.com/samba-team/samba/-/commit/0ec865d979540a63362a2014358c8bb27efc0081
>
> This can be read more easily by looking at the output of "man smb.conf".
>
> In UCS the parameters can be adjusted locally e.g. by putting lines like these
> into /etc/samba/local.conf:
>
> ===
> [global]
> dns zone transfer clients allow = <IPs or subnets>
> dns zone transfer clients deny = <some IPs>
> ===
>
> And then running:
>
> ucr commit /etc/samba/smb.conf; /etc/init.d/samba restart

Thank you for this, the workaround resolved my issue.
(In reply to Arvid Requate from comment #2)
> In UCS the parameters can be adjusted locally e.g. by putting lines like these
> into /etc/samba/local.conf:

Arvid, using /etc/samba/local.conf did not work on my UCS because that file is not referenced (included) in smb.conf. Instead, I've set the global option via UCR:

ucr set 'samba/global/options/dns zone transfer clients allow'='1.2.3.4 5.6.7.8'

PS: Now I need to find out how to draft this in a file instead of in a command, because that would allow adding a documentation comment referencing this bug URL -- however, that exercise is not part of this bug :)
I have this issue in my test environment. All of a sudden, no zone transfer worked anymore. Using the UCR variable it worked again.
> Arvid, using /etc/samba/local.conf did not work on my UCS because that file is not referenced (included) in smb.conf.

This should do the trick:

ucr commit /etc/samba/smb.conf
*** Bug 53884 has been marked as a duplicate of this bug. ***