Peter Ross
2014-Aug-05 08:36 UTC
[Samba] DNS problem when adding new record using samba-tool
Hi all,

I am setting up a new AD server with Samba 4.1.11 from the FreeBSD ports.

I struggle with the internal DNS. I add a new CNAME record but it does not show up properly.

I gave the AD domain a new DNS domain (domain.fda) and the server the name samba4.domain.fda.

I am using the internal DNS, and a forwarder to a bind server in the same network.

After the AD provision I have this here (/etc/resolv.conf pointing to itself on 192.168.50.216):

# host -v samba4.domain.fda.
Trying "samba4.domain.fda"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10796
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;samba4.domain.fda.            IN      A

;; ANSWER SECTION:
samba4.domain.fda.      900     IN      A       192.168.50.216

Received 51 bytes from 192.168.50.216#53 in 0 ms
Trying "samba4.domain.fda"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54131
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;samba4.domain.fda.            IN      AAAA

Received 35 bytes from 192.168.50.216#53 in 0 ms
Trying "samba4.domain.fda"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20043
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;samba4.domain.fda.            IN      MX

Received 35 bytes from 192.168.50.216#53 in 0 ms

Good.

Adding a CNAME:

# samba-tool dns add samba4 domain.fda proxy CNAME proxy.vv.fda. -U Administrator
Password for [DOMAIN\Administrator]:
Record added successfully

Looks good.

proxy.vv.fda resolves, see:

# host proxy.vv.fda.
proxy.vv.fda is an alias for squid.vv.fda.
squid.vv.fda has address 192.168.50.222

But:

# host -v proxy.domain.fda.
Trying "proxy.domain.fda"
Trying "proxy.domain.fda.domain.fda"
Host proxy.domain.fda not found: 3(NXDOMAIN)
Received 45 bytes from 192.168.50.216#53 in 0 ms

Not good.
But it works if I query samba using the samba-tool:

# samba-tool dns query samba4 domain.fda proxy CNAME -U Administrator
Password for [DOMAIN\Administrator]:
  Name=, Records=1, Children=0
    CNAME: proxy.vv.fda. (flags=f0, serial=2, ttl=900)

Why isn't it showing up in "normal DNS"?

Below the zonelist for samba4 if needed.

Thanks for any help
Peter

# samba-tool dns zonelist samba4 -U Administrator
Password for [DOMAIN\Administrator]:
  2 zone(s) found

  pszZoneName                 : domain.fda
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_DOMAIN_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : DomainDnsZones.domain.fda

  pszZoneName                 : _msdcs.domain.fda
  Flags                       : DNS_RPC_ZONE_DSINTEGRATED DNS_RPC_ZONE_UPDATE_SECURE
  ZoneType                    : DNS_ZONE_TYPE_PRIMARY
  Version                     : 50
  dwDpFlags                   : DNS_DP_AUTOCREATED DNS_DP_FOREST_DEFAULT DNS_DP_ENLISTED
  pszDpFqdn                   : ForestDnsZones.domain.fda
Peter Ross
2014-Aug-06 04:15 UTC
[Samba] DNS problem when adding new record using samba-tool
Hi,

to follow up.. I found an older e-mail which suggests CNAMEs are broken under samba4. Still true?

https://lists.samba.org/archive/samba-technical/2013-January/090240.html

Here my case - which (for me) suggests samba4 is not properly working as a DNS server:

When I do a "host proxy.domain.fda", the traffic is:

14:08:27.473227 IP samba4.vv.fda.50057 > samba4.vv.fda.domain: 54908+ A? proxy.domain.fda.domain.fda. (45)
14:08:27.473395 IP samba4.vv.fda.domain > samba4.vv.fda.50057: 54908 NXDomain- 0/0/0 (45)

even when the CNAME can be solved ("host -t CNAME proxy.domain.fda"):

14:09:46.162952 IP samba4.vv.fda.52435 > samba4.vv.fda.domain: 40243+ CNAME? proxy.domain.fda. (34)
14:09:46.163344 IP samba4.vv.fda.domain > samba4.vv.fda.52435: 40243* 1/0/0 CNAME proxy.vv.fda. (57)

proxy.vv.fda resolves on the forwarder and is a CNAME itself. So what is the traffic that goes there ("host proxy.domain.fda")?

14:11:22.520133 IP samba4.vv.fda.28484 > bind.domain: 39432+ [1au] A? proxy.vv.fda. (41)
14:11:22.520222 IP bind.domain > samba4.vv.fda.28484: 39432* 2/2/3 CNAME squid.vv.fda., A 192.168.50.222 (152)

So, this DNS server (bind 9.10) sends the CNAME back, and the A record this one is pointing to.

If I am not mistaken, it means CNAME is broken in Samba4. Can someone confirm this?

Thanks
Peter
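As an added illustration (not from the thread and not Samba's code), a small Python model of the RFC 1034 lookup rules, loaded with zone data constructed to mirror the names and addresses in both posts above. It shows what a resolver must hand back for an A query on proxy.domain.fda (the CNAME chain plus the final A record), that a name which exists without the queried type gets NOERROR with an empty answer (as the AAAA and MX queries did), and that NXDOMAIN is correct only for a name that does not exist at all, such as the search-list name proxy.domain.fda.domain.fda seen in the tcpdump.

```python
# Added example (not from the thread or Samba): RFC 1034 CNAME handling
# over constructed zone data that mirrors the thread's names and addresses.
from typing import Dict, List, Optional, Tuple

RR = Tuple[str, str, str]  # (owner, type, rdata)
# domain.fda is Samba's own zone; vv.fda lives on the BIND forwarder.
ZONES: Dict[str, Dict[str, Dict[str, List[str]]]] = {
    "domain.fda.": {
        "samba4.domain.fda.": {"A": ["192.168.50.216"]},
        "proxy.domain.fda.": {"CNAME": ["proxy.vv.fda."]},
    },
    "vv.fda.": {
        "proxy.vv.fda.": {"CNAME": ["squid.vv.fda."]},
        "squid.vv.fda.": {"A": ["192.168.50.222"]},
    },
}

def find_zone(qname: str) -> Optional[str]:
    """Longest-suffix match on whole labels: the zone that owns qname."""
    best = None
    for zone in ZONES:
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best

def resolve(qname: str, qtype: str, max_chain: int = 8) -> Tuple[str, List[RR]]:
    """Return (rcode, answer section), chasing CNAMEs as a resolver with RD must.
    NXDOMAIN only when the name does not exist at all; a name that exists but
    has no RR of qtype gets NOERROR with an empty answer (NODATA), which is
    what the AAAA and MX queries in the thread returned.
    """
    answer: List[RR] = []
    for _ in range(max_chain):
        zone = find_zone(qname)
        if zone is None:
            return "REFUSED", answer  # outside every zone we know
        rrsets = ZONES[zone].get(qname)
        if rrsets is None:
            return "NXDOMAIN", answer
        if qtype in rrsets:
            answer += [(qname, qtype, rdata) for rdata in rrsets[qtype]]
            return "NOERROR", answer
        if "CNAME" in rrsets:  # alias: keep the CNAME RR, restart at target
            answer.append((qname, "CNAME", rrsets["CNAME"][0]))
            qname = rrsets["CNAME"][0]
            continue
        return "NOERROR", answer  # NODATA
    return "SERVFAIL", answer  # CNAME loop or chain too long
```

The rcode split matters when reading captures like the ones above: NXDOMAIN tells a client the whole name is absent, so a stub resolver moves on to its search list, whereas a NODATA answer stops it.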