samba - Oct 2024 - AD/DNS: Cannot Create a CNAME record with a blank name...

On Fri, 11 Oct 2024 20:25:00 -0400
"John R. Graham via samba" <samba at lists.samba.org> wrote:
> ...as recommended on the Samba Wiki here: 
>
https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#I_have_to_Use_Different_Names_to_Resolve_Host_Names_Internally_and_Externally
> 
> I'm trying to use the "clever trick" to make a certain
internal
> server resolve to the name I'm forced to use to resolve it
> externally. I successfully created the new zone (fictionalizing the
> names for inclusion here):
> 
> ~ # samba-tool dns zonecreate "dc1"
"myserver.example.com" -U
> administrator Zone myserver.example.com created successfully
> 
> ...but I get a runtime error when I try to create the CNAME record in 
> the zone "...leaving the name of the record blank." Here's
what I did:
> 
> ~ # samba-tool dns add "dc1" "myserver.example.com"
"" CNAME
> "myserver.samdom.example.com"? -U Administrator
> ERROR(runtime): uncaught exception - (1383,
'WERR_INTERNAL_DB_ERROR')
>  ? File
"/usr/lib/python3.12/site-packages/samba/netcmd/__init__.py",
> line 279, in _run
>  ??? return self.run(*args, **kwargs)
>  ?????????? ^^^^^^^^^^^^^^^^^^^^^^^^^
>  ? File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py",
line
> 1186, in run
> dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
>  ? File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py",
line
> 119, in f
>  ??? return attr(*args)
>  ?????????? ^^^^^^^^^^^
> Have I misinterpreted the instructions and done it wrong? Thanks in 
> advance for the help.
> 
> - John
> 
You might just be the first to try this, I wasn't really aware of that
particular faq, but now I look at it, I wonder if it ever worked ?

I think your problem lies in that 'samba-tool dns add' requires 5
arguments:

'server' 'zone' 'name' 'rtype' 'data'

Because you are supplying 'name' as "", it is being treated as
if it
isn't there, so 'samba-tool' is seeing:

'server' 'zone' 'rtype' 'data'

Which is wrong. 
This may have worked with python2, but it doesn't appear to work with
python3 (I know, I tried and got the same error as you).

The thing is, your AD domain shouldn't be accessible externally, so
what is the 'certain internal server' you need to access ?

Rowland

On 10/12/24 03:50, Rowland Penny via samba wrote:
> ...
> The thing is, your AD domain shouldn't be accessible externally, so
> what is the 'certain internal server' you need to access ?
> ...
I would have though that this was an entirely natural state of affairs, 
specifically that carefully chosen machines which publish services to 
the Internet at large would also naturally be part of my organization 
and thus exist within the AD domain. What would be the "best practice"
structure? Some sort of DMZ? Resolved with my external domain registrar?

As a side note, the speed and quality of the answers I get on this list 
has made me feel obliged to set up a monthly donation, which I have now 
done. Thanks so much for what you do.

- John