samba 4 - 'domain admin' accounts behaving like normal users; inexplicable errors

Michael Wood esiotrot at
Sat Sep 18 16:49:15 MDT 2010

On 18 September 2010 22:24, Ben Hodgens <ben at> wrote:
> Thanks for the response, Matthias.
> On 09/11/2010 07:24 AM, Matthias Dieter Wallnöfer wrote:
>> Hi Ben,
>> Ben Hodgens wrote:
>>> Unfortunately, I'm not seeing anything in the samba.log file which
>>> might indicate the cause of this problem, one way or the other. (The
>>> only thing in there is relating to samba_dnsupdate, which I wouldn't
>>> expect to work - I'm using dnsmasq not bind; might this be the fault?).
>> You can ignore dnsupdate errors for the moment - they are not
>> essentially important.
>> But also with "dnsmasq" you make use of our provision-generated zone
>> files or create the entries requested by AD, I imagine?
> Here is what I'm using in my (dnsmasq) hosts file, which I duplicated from
> the zone files, more or less (not 100% sure it's perfectly congruent):
> gc._msdcs
> _gc._tcp
> _gc._tcp.Default-First-Site-Name._sites
> _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs
> _gc._tcp.gc._msdcs
> _ldap._tcp.gc._msdcs
> _ldap._tcp
> _ldap._tcp.dc._msdcs
> _kerberos._udp
> rc1

And if you, e.g., do:

$ host -t srv

Does it return something like this? has SRV record 0 100 389

Does dnsmasq handle SRV records?

According to their docs they do, but it looks like what you have is
not enough.  You have to put some stuff in dnsmasq.conf:

# Change the following lines if you want dnsmasq to serve SRV
# records.  These are useful if you want to serve ldap requests for
# Active Directory and other windows-originated DNS requests.
# See RFC 2782.
# You may add multiple srv-host lines.
# The fields are <name>,<target>,<port>,<priority>,<weight>
# If the domain part is missing from the name (so that it just has the
# service and protocol sections) then the domain given by the domain=
# config option is used. (Note that expand-hosts does not need to be
# set for this to work.)

# A SRV record sending LDAP for the domain to
# port 389,,389

# A SRV record sending LDAP for the domain to
# port 389 (using domain=)

# Two SRV records for LDAP, each with different priorities,,389,1,,389,2

# A SRV record indicating that there is no LDAP server for the domain

Michael Wood <esiotrot at>
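An added example, not code from this thread or from the Samba or dnsmasq projects: it builds dnsmasq srv-host= lines in the <name>,<target>,<port>,<priority>,<weight> form quoted above for the SRV names in Ben's list, and checks an existing dnsmasq.conf for names that are not served on the expected port. The domain example.com, the DC host dc1.example.com and the sample config are assumed placeholders; the Global Catalog port 3268 and Kerberos port 88 are standard AD ports not stated on this page.

```python
import re

DOMAIN = "example.com"            # assumed AD DNS domain (placeholder)
SITE = "Default-First-Site-Name"  # site name as it appears in the thread
DC = "dc1.example.com"            # assumed domain controller hostname (placeholder)

# SRV owner names from Ben's hosts-file list, relative to DOMAIN, with the port each
# service listens on: LDAP 389, Global Catalog 3268, Kerberos 88. (gc._msdcs itself
# is an A record for the GC host, not an SRV record, so it is left out.)
AD_SRV_RECORDS = [
    ("_ldap._tcp", 389),
    (f"_ldap._tcp.{SITE}._sites", 389),
    ("_ldap._tcp.dc._msdcs", 389),
    ("_ldap._tcp.gc._msdcs", 3268),
    (f"_ldap._tcp.{SITE}._sites.gc._msdcs", 3268),
    ("_gc._tcp", 3268),
    (f"_gc._tcp.{SITE}._sites", 3268),
    ("_kerberos._udp", 88),
]

def srv_host_lines(domain=DOMAIN, target=DC, priority=0, weight=100):
    """dnsmasq srv-host= directives, <name>,<target>,<port>,<priority>,<weight>."""
    return [f"srv-host={name}.{domain},{target},{port},{priority},{weight}"
            for name, port in AD_SRV_RECORDS]

# name, optional target, optional port; a line with no target means "no server".
SRV_RE = re.compile(r"^\s*srv-host=([^,\s]+)(?:,[^,]*)?(?:,(\d+))?")

def missing_srv_records(conf_text, domain=DOMAIN):
    """AD SRV names that conf_text does not serve on the expected port.
    A name without a domain suffix is taken to rely on domain=<domain>,
    as the quoted dnsmasq comment describes (simplified model of that rule)."""
    served = {}
    for line in conf_text.splitlines():
        m = SRV_RE.match(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if not name.endswith("." + domain.lower()):
            name = f"{name}.{domain.lower()}"
        served[name] = int(m.group(2) or 0)
    return [name for name, port in AD_SRV_RECORDS
            if served.get(f"{name}.{domain}".lower()) != port]

# Constructed sample config: only the plain LDAP record, in the short form.
SAMPLE_CONF = f"domain={DOMAIN}\nsrv-host=_ldap._tcp,{DC},389\n"
```

Running missing_srv_records(SAMPLE_CONF) reports the seven names a client would still fail to resolve, which is the kind of gap the "host -t srv" check above would reveal one record at a time.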

More information about the samba-technical mailing list