[Samba] Accidental samba_dnsupdate success after NT_STATUS_CONNECTION_REFUSED

L.P.H. van Belle belle at bazuin.nl
Mon Mar 18 09:08:22 UTC 2019

I'm betting here on an smb.conf that was not 4.6 compliant.

Port 49152 is not related, in my opinion.

Is there a firewall running?

The dynamic port range changed from a low range to high.



On 17 Mar 2019, at 22:36, Rowland Penny via samba <samba at lists.samba.org> wrote:
On 17 Mar 2019 20:44:12 UTC
Don Kuenz via samba <samba at lists.samba.org> wrote:


The process to join a new samba 4.6 DC to an existing samba 4.1 DC 
repeatedly caused:

samba_dnsupdate --verbose --all-names 

to fail on the new DC with:

Failed to connect host x.x.x.x on port 49152 -

Noted: both samba versions are obsolete and will be updated post

Regardless, samba_dnsupdate was accidentally invoked on the new DC
while the samba service on the existing DC just happened to be down
and the name service (bind) was up. bind accepted all new AD DNS
records and added them without error. 
The domain join process was successfully completed and the domain
continues to seamlessly function under stress tests where only one DC 
is available. It all appears to work.
My question pertains to the accidental discovery that the original
DC no longer failed with an NT_STATUS_CONNECTION_REFUSED when the
samba service on it was in a stopped state. Maybe it just doesn't 
matter? Are there any hidden repercussions?

Thank you, 73,

I have this theory, which I never seem to get the chance to look
into ;-)

When samba_dnsupdate runs, it gets a kerberos ticket as a DC, but not
as the DC that requires updating. This is the problem in my opinion.
When the other DC was down, the only DC available was the one that
required updating, so the ticket obtained is the correct one and it

