[Samba] Authentication to Secondary Domain Controller initially fails when PDC is offline

Rowland penny rpenny at samba.org
Fri Dec 11 11:07:08 UTC 2015

On 11/12/15 10:29, mathias dufresne wrote:
> Hi Ole,
> Using the internal DNS, samba_dnsupdate does not work correctly, at least not
> every time.
> Someone modified the samba_dnsupdate tool by commenting out this line:
> os.unlink(tmpfile)
> which should be line 413.
> Doing that, he was able to get the files generated by samba_dnsupdate and use
> them as the argument of the nsupdate command (without the -g switch and with "allow dns
> updates = nonsecure" in smb.conf).
> I was not able to make that process work here, but I did not try hard. As
> this process was sent directly to me, I share it.
> The process I use to generate all DNS records is to run samba_dnsupdate
> --all-names --verbose and send the output of that command to the attached awk
> script.
> The awk script gets the information for each record from samba_dnsupdate and
> launches samba-tool to create the DNS record. This script is not clever: it tries
> to create every mentioned DNS record, generating warnings when the record already
> exists.
> You will have to modify this awk script, as the BEGIN section contains fake
> information related to the AD domain:
>    ad_zone = "YOUR.DOMAIN.TLD"
>    msdcs_zone = "_msdcs." ad_zone
>    dns_server = "YOUR-DC"
> }
> You must change "YOUR.DOMAIN.TLD" and "YOUR-DC" to match your domain
> configuration.
> The awk script uses Kerberos authentication when running samba-tool, so you
> will need to generate a Kerberos ticket for some AD admin beforehand:
> 1°) kinit administrator
> 2°) samba_dnsupdate | awk -f dnsupdate.awk
> As it is not an issue to try to create an entry which already exists, you can
> run that script on each DC to ensure that all entries are correctly
> created on all DCs.
> Best regards,
> mathias dufresne

There is a flaw with your script!

This mailing list strips attachments, so you are going to have to paste 
it into your post. :-)
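Since the awk script itself was stripped by the list, here is an added example that does the job the quoted message describes: parse the output of `samba_dnsupdate --all-names --verbose`, work out which zone (the AD zone or its `_msdcs` subzone) each record belongs to, and issue one `samba-tool dns add` per record, tolerating "record already exists" errors so it can be run on every DC. It is not the script from the thread and not Samba's own code. It assumes the verbose output prints one line per record of the form `Calling nsupdate for <TYPE> <name> <data...> (add)` (as the `dnsobj` string form in samba_dnsupdate is printed), that `samba-tool dns add <server> <zone> <name> <type> <data> -k yes` uses the ticket from `kinit`, and that the AD defaults of priority 0 and weight 100 are acceptable for SRV records; the zone names, server name and the sample output are placeholders and constructed data.

```python
#!/usr/bin/env python3
"""Replay records from `samba_dnsupdate --all-names --verbose` via samba-tool dns add.

Added example, not the awk script from the thread and not part of Samba.
Assumptions (check against the samba_dnsupdate shipped with your version):
  * verbose output prints one line per record it would push, in the form
        Calling nsupdate for <TYPE> <name> <data...> (add)
    with TYPE in A, AAAA, CNAME, NS, SRV;
  * `samba-tool dns add <server> <zone> <name> <type> <data> -k yes` creates
    the record over RPC using the Kerberos ticket obtained with kinit.
"""
import re
import subprocess
import sys

# Placeholders, like the BEGIN section of the awk script: change to your domain.
AD_ZONE = "your.domain.tld"
MSDCS_ZONE = "_msdcs." + AD_ZONE
DNS_SERVER = "your-dc"

LINE_RE = re.compile(
    r"^Calling nsupdate for (?P<type>A|AAAA|CNAME|NS|SRV) "
    r"(?P<name>\S+) (?P<data>.+?) \((?P<op>add|delete)\)\s*$"
)

# Constructed sample of verbose output, used when nothing is piped on stdin.
SAMPLE_OUTPUT = [
    "Looking for DNS entry A dc1.your.domain.tld 192.0.2.10 as dc1.your.domain.tld.",
    "Calling nsupdate for A dc1.your.domain.tld 192.0.2.10 (add)",
    "Calling nsupdate for SRV _ldap._tcp.dc._msdcs.your.domain.tld dc1.your.domain.tld 389 (add)",
    "Calling nsupdate for CNAME 6a1c2e3f-0000-4000-8000-000000000001._msdcs.your.domain.tld dc1.your.domain.tld (add)",
    "Calling nsupdate for NS _msdcs.your.domain.tld dc1.your.domain.tld (add)",
    "Calling nsupdate for A dc1.your.domain.tld 192.0.2.10 (delete)",
]


def split_zone(fqdn, zones):
    """Return (zone, name relative to that zone) for an FQDN.

    The longest matching zone wins, so _msdcs records land in the _msdcs zone
    instead of becoming deep names in the parent zone; a name equal to the
    zone itself is the apex, which samba-tool spells as "@".
    """
    name = fqdn.rstrip(".").lower()
    for zone in sorted(zones, key=len, reverse=True):
        z = zone.rstrip(".").lower()
        if name == z:
            return zone, "@"
        if name.endswith("." + z):
            return zone, name[: -len(z) - 1]
    raise ValueError("%s is not under any managed zone" % fqdn)


def record_data(rtype, data):
    """Translate samba_dnsupdate's data fields into samba-tool's <data> argument."""
    fields = data.split()
    if rtype in ("A", "AAAA"):
        return fields[0]                       # the address
    if rtype in ("CNAME", "NS"):
        return fields[0].rstrip(".")           # the target host
    if rtype == "SRV":
        # samba-tool expects "target port priority weight"; samba_dnsupdate only
        # prints target and port, so the AD defaults (priority 0, weight 100) are assumed.
        return "%s %s 0 100" % (fields[0].rstrip("."), fields[1])
    raise ValueError("unsupported record type %s" % rtype)


def build_commands(lines, zones=(AD_ZONE, MSDCS_ZONE), server=DNS_SERVER):
    """Parse verbose lines and return one samba-tool argv per record to add."""
    cmds = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("op") != "add":
            continue                           # not a record line, or a delete
        zone, rel = split_zone(m.group("name"), zones)
        cmds.append(["samba-tool", "dns", "add", server, zone, rel,
                     m.group("type"), record_data(m.group("type"), m.group("data")),
                     "-k", "yes"])
    return cmds


def main(argv):
    lines = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read().splitlines()
    for cmd in build_commands(lines):
        if "--run" not in argv:
            print(" ".join(cmd))               # dry run: show what would be created
            continue
        # An existing record makes samba-tool exit non-zero; that is the expected
        # warning when the script is re-run on every DC, so report and continue.
        result = subprocess.run(cmd, capture_output=True, text=True)
        if result.returncode != 0:
            print("warning: %s: %s" % (" ".join(cmd[4:8]), result.stderr.strip()),
                  file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `kinit administrator && samba_dnsupdate --all-names --verbose | python3 dnsreplay.py` to see the commands it would issue, and add `--run` to actually create the records; without stdin it prints the commands for the constructed sample, which is a cheap way to confirm the zone splitting before touching a DC.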


More information about the samba mailing list