[Samba] Do _kpasswd DNS entries determine server used for password changes

Andrew Bartlett abartlet at samba.org
Sun Mar 23 23:12:01 MDT 2014

On Thu, 2014-03-20 at 12:10 -0400, Thomas Schulz wrote:
> I am trying to do something apparently unsupported in trying to use
> Samba 4.1.6 as an additional Active Directory Domain Controller with
> a Windows Server 2000 controller. I find that inbound replication works
> but outbound replication does not. Also DNS replication is not supported
> (this was noted during provisioning). In an effort to get outbound
> replication working, I manually entered all of the DNS records into
> the Windows 2000 server. This did not fix the outbound replication.
> My worry now is that someone may change their password and that the
> change will go to the Samba 4.1.6 DC. If that happens, the change will
> not be replicated back to the Windows 2000 DC. If the _kpasswd DNS entries
> determine which servers can be used for password changes then I think that
> I could fix this problem by just removing the _kpasswd DNS entries. Does
> anyone know if that will be enough?

No, that is only used by very few clients.  You should work out why
replication isn't working, but understand that Windows 2000 isn't
something we test with at all (it is even hard to get - it isn't on MSDN
for example). 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
