Web lists-archives.com

Re: [Samba] Accidental samba_dnsupdate success after NT_STATUS_CONNECTION_REFUSED




On 17 Mar 2019 20:44:12 UTC
Don Kuenz via samba <samba@xxxxxxxxxxxxxxx> wrote:

>  
> Greetings,
> 
> The process to join a new samba 4.6 DC to an existing samba 4.1 DC 
> repeatedly caused:
> 
>   samba_dnsupdate --verbose --all-names 
> 
> to fail on the new DC with:
> 
>   Failed to connect host x.x.x.x on port 49152 -
> NT_STATUS_CONNECTION_REFUSED
> 
> Noted: both samba versions are obsolete and will be updated post
> haste.
> 
> Regardless, samba_dnsupdate was accidentally invoked on the new DC
> while the samba service on the existing DC just happened to be down
> and the name service (bind) was up. bind accepted all new AD DNS
> records and added them without error. 
>     The domain join process was successfully completed and the domain
> continues to seamlessly function under stress tests where only one DC 
> is available. It all appears to work.
>     My question pertains to the accidental discovery that the original
> DC no longer failed with an NT_STATUS_CONNECTION_REFUSED when the
> samba service on it was in a stopped state. Maybe it just doesn't 
> matter? Are there any hidden repercussions?
> 
> Thank you, 73,
> 

I have this theory, which I never seem to get the chance to look
into ;-)

When samba_dnsupdate runs, it gets a kerberos ticket as a DC, but not
as the DC that requires updating. This is the problem in my opinion.
When the other DC was down, the only DC available was the one that
required updating, so the ticket obtained is the correct one and it
works.

Rowland

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba