[Samba] DNS forwarding. WAS: disable automatic creation of computer accounts

Angel Bosch Mora abosch at imasmallorca.net
Fri Nov 5 12:14:19 UTC 2021

> We have an internal dns resolver, that is provided to our internal
> clients through the dhcp.
> This internal resolver uses external resolvers ( for
> everything,
> except for the samba zone ad.company.com. For everything in that
> specific zone, it talks to our samba DCs.

yeah, it's pretty similar to my own setup with powerdns.

just adding a line to pdns-resolver configuration makes the forward run:


my doubts were regarding initial DNS talk between Win machines and DNS because in the past I got some messages regarding SRV entries like _ldap._tcp.dc._msdcs.MYDOMAIN

by the way, what's de difference between _ldap._tcp.dc._msdcs.MYDOMAIN and _ldap._tcp.MYDOMAIN ?

and one last question/request: what's the logic behind requiring credentials for 'samba-tool dns' commands?

from administration point of view it's a lot more dangerous/insecure to add users and groups and that subcommand don't ask for any user/password.
so I don't get why that particular subset of actions require specific credentials.

best regards,

-- Institut Mallorqui d'Afers Socials. Aquest missatge, i si escau, qualsevol fitxer annex, es dirigeix exclusivament a la persona que n'es destinataria i pot contenir informacio confidencial. En cap cas no heu de copiar aquest missatge ni lliurar-lo a terceres persones sense permis expres de l'IMAS. Si no sou la persona destinataria que s'hi indica (o la responsable de lliurar-l'hi) us demanam que ho notifiqueu immediatament a l'adreca electronica de la persona remitent. Abans d'imprimir aquest missatge, pensau si es realment necessari.

More information about the samba mailing list