Bug #13237

ERROR_ACCESS_DENIED when deleting DNS A record (dns_dnscmd plugin)

Added by Dmitry Sakun about 1 year ago. Updated 6 months ago.

Status: Closed
Priority: Normal
Assigned To: Alex Fisher
Category: DNS
Target version: -
Difficulty: trivial
Bugzilla link:
Found in release: 1.10.0
Pull request: https://github.com/theforeman/smart-proxy/pull/410
Story points: -
Velocity based estimate: -
Release: 1.14.0
Release relationship: Auto

Description

Record creation works just fine, but when you try to delete the host, you get access denied and an HTTP 404 back from the smart proxy.

dnscmd.exe DC.example.com /RecordDelete example.com record.example.com. A /f

Command failed: ERROR_ACCESS_DENIED 5 0x5

It looks like it's necessary to include RRData (e.g. the IP address in this case) when deleting an A record.

Syntax: dnscmd ServerName /recorddelete ZoneName NodeName RRType RRData [/f]

Quick hint to fix it:
\modules\dns_dnscmd\dns_dnscmd_main.rb
38c38
< cmd = "/RecordDelete #{zone} #{fqdn}. A /f"
---

cmd = "/RecordDelete #{zone} #{fqdn}. A #{ip} /f"
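Review bot: `#{ip}` is not available at this point in `dns_dnscmd_main.rb`: as comment #1 below points out, the smart-proxy DNS delete API only receives the fqdn, so there is no IP address to interpolate into `/RecordDelete #{zone} #{fqdn}. A #{ip} /f` and the one-line change cannot work as written. Enumerate the node's records first (`/EnumRecords`) and issue one `/RecordDelete` per returned record with its own RRData instead, which is what the merged fix does; note the commit message's caveat that supplying the RRData for an A record may also remove a matching PTR on the same server. Minor: the second side of the hunk has lost its `>` marker, so the patch does not apply as pasted.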

The DNS service is running on W2k12R2.

Associated revisions

Revision 67c1cc83
Added by Alex Fisher 6 months ago

fixes #13237 - Use RRData option when deleting DNS records

To be able to delete dns records with `dnscmd` without specifying
the `RRData` option, the account needs `Full Control` privileges on the
zone.

`Full Control` allows the account to do much more besides
adding/removing records and this represents a security risk.

Instead of trying to delete all records with a single dnscmd, use
`dnscmd /EnumRecords` and then delete each record individually. In most
cases, I'd expect `/EnumRecords` to only return a single record anyway
(but I have tested it with many).

There is one side-effect of specifying the IP address when deleting an A
record. If the matching PTR also exists on the same DNS server, I
believe it gets automatically deleted too. This hasn't caused any
issues in testing.

Signed-off-by: Alexander Fisher <>
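The enumerate-then-delete approach this commit message describes, written out as an added example in the style of the smart-proxy dnscmd module; it is not the project's own code and not taken from the pull request. Assumed, not from the ticket: the shape of `/EnumRecords` output the parser expects (an owner column, an optional `[Aging:...]` marker, TTL, type, RRData), the `DnscmdRecordRemover` class name, and the `runner` callable that stands in for executing dnscmd.exe; the sample output is constructed.

```ruby
# Added example (not smart-proxy code): enumerate a node's records with
# `dnscmd /EnumRecords`, then delete each one with its RRData so that the
# service account does not need Full Control on the zone.
#
# Assumed, not from the ticket: the /EnumRecords output shape parsed below,
# the DnscmdRecordRemover class name and the `runner` callable.
class DnscmdRecordRemover
  # One record line of /EnumRecords output (assumed shape), for example
  #   "@ 3600 A\t10.0.0.1"                       first record of the node
  #   "\t3600 A\t10.0.0.2"                       further records, owner blank
  #   "\t[Aging:3614129] 1200 AAAA\t2001:db8::1" dynamically registered record
  # Captures: 1 = TTL, 2 = record type, 3 = RRData.
  RECORD_LINE = /\A\S*\s+(?:\[Aging:\d+\]\s+)?(\d+)\s+([A-Z]+)\s+(\S+)\z/

  def initialize(server, runner)
    @server = server # e.g. "DC.example.com"
    @runner = runner # callable taking the dnscmd argument string, returning its output
  end

  # RRData values of every record of `type`, skipping the header and footer
  # lines ("Returned records:", "Command completed successfully.").
  def parse_rrdata(output, type)
    output.each_line.map do |line|
      m = RECORD_LINE.match(line.rstrip)
      m && m[2] == type ? m[3] : nil
    end.compact
  end

  # One /RecordDelete per record, each carrying the RRData the bug report
  # shows is required. The trailing dot keeps dnscmd from appending the zone.
  def delete_commands(zone, fqdn, type, output)
    parse_rrdata(output, type).map do |rrdata|
      "/RecordDelete #{zone} #{fqdn}. #{type} #{rrdata} /f"
    end
  end

  # Remove every record of `type` at `fqdn`; returns the delete commands run.
  # Caveat from the commit message: deleting an A record by RRData may also
  # remove a matching PTR hosted on the same server.
  def remove(zone, fqdn, type = "A")
    output = @runner.call("/EnumRecords #{zone} #{fqdn}. /Type #{type}")
    delete_commands(zone, fqdn, type, output).each { |cmd| @runner.call(cmd) }
  end

  # The full command line that would be executed for an argument string.
  def command_line(args)
    "dnscmd.exe #{@server} #{args}"
  end
end

# Constructed sample (not captured from a real server): two A records and one
# AAAA record on the same node.
SAMPLE_ENUM_OUTPUT = [
  "Returned records:",
  "@ 3600 A\t10.0.0.1",
  "\t3600 A\t10.0.0.2",
  "\t[Aging:3614129] 1200 AAAA\t2001:db8::1",
  "",
  "Command completed successfully."
].join("\n") + "\n"

if __FILE__ == $PROGRAM_NAME
  log = []
  fake_runner = lambda do |args|
    log << args
    args.start_with?("/EnumRecords") ? SAMPLE_ENUM_OUTPUT : "Command completed successfully.\n"
  end
  remover = DnscmdRecordRemover.new("DC.example.com", fake_runner)
  remover.remove("example.com", "record.example.com").each do |cmd|
    puts remover.command_line(cmd)
  end
end
```

Each delete command names the exact record, so the account only needs permission to add and remove records on the node rather than Full Control on the zone; a node with no records of the requested type yields no delete commands at all, which is what the smart proxy should report as "not found" rather than an access error.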

History

#1 Updated by Alex Fisher 11 months ago

I've hit this too.

I don't think the fix is quite as trivial as suggested though.
From what I can see, the foreman smart-proxy API for deleting DNS A records doesn't support the IP address being sent as well as the fqdn.
https://github.com/theforeman/smart-proxy/blob/develop/modules/dns/dns_api.rb#L43

I don't think it should be too hard to use dnscmd /EnumRecords to build a list (most likely of 1) of the specific entries that need to be deleted though. I'll try hacking on a patch...

Meanwhile, does anybody know why the current solution isn't working for some of us? All dnscmd documentation I've come across certainly suggests that specifying the RRData field is optional.

#2 Updated by The Foreman Bot 11 months ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/smart-proxy/pull/410 added

#3 Updated by Dmitri Dolguikh 11 months ago

Would be helpful to see the contents of event log when this error is reported...

#4 Updated by Alex Fisher 9 months ago

It's been a while, but I've finally been able to get some time with a domain admin to investigate this further. Even after much fiddling we weren't able to get anything useful logged, but we did discover the following...

The only way to delete records (without specifying the RRData option) was to (temporarily) give the service account user 'Full Control' privileges on the zone. No other combination of privileges worked (including ticking everything other than 'Full Control'). This might be acceptable to some, but I won't be allowed to run with the account configured this way (e.g. it can delete the whole zone in a single click). Some organisations might be prepared to grant the user these elevated privileges, but I imagine many won't.

#5 Updated by Alex Fisher 6 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Dominic Cleal 6 months ago

  • Assigned To set to Alex Fisher
  • Release set to 1.14.0
