Don Kuenz
2019-Mar-17 20:44 UTC
[Samba] Accidental samba_dnsupdate success after NT_STATUS_CONNECTION_REFUSED

Greetings,

The process to join a new samba 4.6 DC to an existing samba 4.1 DC repeatedly caused:

    samba_dnsupdate --verbose --all-names

to fail on the new DC with:

    Failed to connect host x.x.x.x on port 49152 - NT_STATUS_CONNECTION_REFUSED

Noted: both samba versions are obsolete and will be updated post haste.

Regardless, samba_dnsupdate was accidentally invoked on the new DC while the samba service on the existing DC just happened to be down and the name service (bind) was up. bind accepted all new AD DNS records and added them without error.

The domain join process was successfully completed and the domain continues to seamlessly function under stress tests where only one DC is available. It all appears to work.

My question pertains to the accidental discovery that the original DC no longer failed with an NT_STATUS_CONNECTION_REFUSED when the samba service on it was in a stopped state. Maybe it just doesn't matter? Are there any hidden repercussions?

Thank you, 73,

--
Don Kuenz KB7RPU

There was a young lady named Bright
Whose speed was far faster than light;
She set out one day
In a relative way
And returned on the previous night.

Rowland Penny
2019-Mar-17 21:36 UTC
[Samba] Accidental samba_dnsupdate success after NT_STATUS_CONNECTION_REFUSED

On 17 Mar 2019 20:44:12 UTC Don Kuenz via samba <samba at lists.samba.org> wrote:

> Greetings,
>
> The process to join a new samba 4.6 DC to an existing samba 4.1 DC
> repeatedly caused:
>
> samba_dnsupdate --verbose --all-names
>
> to fail on the new DC with:
>
> Failed to connect host x.x.x.x on port 49152 -
> NT_STATUS_CONNECTION_REFUSED
>
> Noted: both samba versions are obsolete and will be updated post
> haste.
>
> Regardless, samba_dnsupdate was accidentally invoked on the new DC
> while the samba service on the existing DC just happened to be down
> and the name service (bind) was up. bind accepted all new AD DNS
> records and added them without error.
> The domain join process was successfully completed and the domain
> continues to seamlessly function under stress tests where only one DC
> is available. It all appears to work.
> My question pertains to the accidental discovery that the original
> DC no longer failed with an NT_STATUS_CONNECTION_REFUSED when the
> samba service on it was in a stopped state. Maybe it just doesn't
> matter? Are there any hidden repercussions?
>
> Thank you, 73,
>

I have this theory, which I never seem to get the chance to look into ;-)

When samba_dnsupdate runs, it gets a kerberos ticket as a DC, but not as the DC that requires updating. This is the problem in my opinion.

When the other DC was down, the only DC available was the one that required updating, so the ticket obtained is the correct one and it works.

Rowland