Bug 33637

Summary: wrong owner sid for samba4 dns object if object was created by the connector -> ddns update fails
Product: UCS
Reporter: Felix Botner <botner>
Component: S4 Connector
Assignee: Connector maintainers <connector-maintainers>
Status: RESOLVED WONTFIX
Severity: normal
Priority: P5
CC: gohmann, requate
Version: UNSTABLE
Target Milestone: ---
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=34910

Description Felix Botner univentionstaff 2013-12-03 12:34:10 CET
Windows ddns update fails if the dns object was created in UCS and synchronized by the connector.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
"DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
nTSecurityDescriptor --show-binary|grep owner_sid
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-512

The samba4 dns object has S-1-5-21-2258647891-1754753931-3671923481-512 as owner; because of that, the Windows client is no longer allowed to modify this object.

(1) in Windows
 -> ipconfig /registerdns

(2) syslog on the UCS Server
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': prerequisites are OK
Dec  3 12:32:01 pmaster named[30805]: samba_dlz: disallowing update of signer=win7pro\$\@PERF.TEST name=win7pro.perf.test type=AAAA error=insufficient access rights
Dec  3 12:32:01 pmaster named[30805]: client 10.200.7.60#58199: updating zone 'perf.test/NONE': update failed: rejected by secure update (REFUSED)

If I delete the object in samba4, the ddns update works and the object has the owner_sid of the computer account.

-> ldbsearch -H /var/lib/samba/private/sam.ldb -b \
"DC=WIN7PRO,DC=perf.test,CN=MicrosoftDNS,CN=System,DC=perf,DC=test" \
nTSecurityDescriptor --show-binary|grep owner_sid
        owner_sid                : *
            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-1114
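
Added example (not from the bug report or from UCS/Samba code): an audit script that parses the owner_sid lines of the ldbsearch output shown above and flags dnsNode records whose owner is not the SID of the matching computer account, which is the condition under which samba_dlz refuses the host's secure dynamic update. The node-to-computer-SID mapping and the second node (WS02) are constructed sample data.

```python
"""Audit DNS node ownership from ldbsearch --show-binary output (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Well-known group RIDs that show a record was created by an admin or sync
# account rather than by the host itself (RID 512 = Domain Admins).
WELL_KNOWN_GROUP_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}

# Matches the second owner_sid line of the dump; the first one only shows '*'.
OWNER_SID_RE = re.compile(r"^\s*owner_sid\s*:\s*(S-1-5-[0-9-]+)\s*$", re.MULTILINE)


def parse_owner_sid(ldbsearch_output: str) -> Optional[str]:
    """Return the owner SID printed by ldbsearch, or None if there is none."""
    match = OWNER_SID_RE.search(ldbsearch_output)
    return match.group(1) if match else None


def audit_dns_nodes(outputs: Dict[str, str],
                    computer_sids: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (node, owner_sid, reason) for each node not owned by its own host."""
    findings = []
    for node, output in outputs.items():
        owner = parse_owner_sid(output)
        expected = computer_sids.get(node)
        if owner is None:
            findings.append((node, "", "no owner_sid in ldbsearch output"))
        elif expected is not None and owner != expected:
            rid = int(owner.rsplit("-", 1)[1])
            group = WELL_KNOWN_GROUP_RIDS.get(rid)
            reason = (f"owned by {group} (RID {rid}), secure update will be refused"
                      if group else "owner differs from the computer account")
            findings.append((node, owner, reason))
    return findings


# Constructed sample data: WIN7PRO mirrors the failing dump in the report.
SAMPLE_OUTPUTS = {
    "WIN7PRO": "        owner_sid                : *\n"
               "            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-512\n",
    "WS02": "        owner_sid                : *\n"
            "            owner_sid                : S-1-5-21-2258647891-1754753931-3671923481-1115\n",
}
SAMPLE_COMPUTER_SIDS = {
    "WIN7PRO": "S-1-5-21-2258647891-1754753931-3671923481-1114",
    "WS02": "S-1-5-21-2258647891-1754753931-3671923481-1115",
}

if __name__ == "__main__":
    for node, owner, reason in audit_dns_nodes(SAMPLE_OUTPUTS, SAMPLE_COMPUTER_SIDS):
        print(f"{node}: {owner or '-'}: {reason}")
```
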
Comment 1 Stefan Gohmann univentionstaff 2013-12-30 10:06:52 CET
I think the current behavior is OK.
Comment 2 Arvid Requate univentionstaff 2014-05-19 19:05:13 CEST
Just for future reference:

Yes, this is regular documented behaviour for what Microsoft refers to as "secure dynamic updates". See:

* http://technet.microsoft.com/en-us/library/cc959308.aspx#EAAA
* http://technet.microsoft.com/en-us/library/cc961412.aspx#EAAA

We might want to check / utilize the special behaviour of the DNSUpdateProxy group in Samba. If Samba supports this, we might want to put the sync user into that group to keep him from taking ownership of the records.
Comment 3 Arvid Requate univentionstaff 2015-10-12 19:06:25 CEST
See Ticket#2015100821000533 for a collection of more details.