John R. Graham
2024-Oct-12 15:15 UTC
[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
On 10/12/24 05:15, Kees van Vloten via samba wrote:
>
> On 12-10-2024 02:25, John R. Graham via samba wrote:
>> ...as recommended on the Samba Wiki here:
>> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#I_have_to_Use_Different_Names_to_Resolve_Host_Names_Internally_and_Externally
>>
>> I'm trying to use the "clever trick" to make a certain internal
>> server resolve to the name I'm forced to use to resolve it
>> externally. I successfully created the new zone (fictionalizing the
>> names for inclusion here):
>>
>> ~ # samba-tool dns zonecreate "dc1" "myserver.example.com" -U administrator
>> Zone myserver.example.com created successfully
>>
>> ...but I get a runtime error when I try to create the CNAME record in
>> the zone "...leaving the name of the record blank." Here's what I did:
>>
>> ~ # samba-tool dns add "dc1" "myserver.example.com" "" CNAME "myserver.samdom.example.com" -U Administrator
>> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/__init__.py", line 279, in _run
>>     return self.run(*args, **kwargs)
>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 1186, in run
>>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 119, in f
>>     return attr(*args)
>>            ^^^^^^^^^^^
>> Have I misinterpreted the instructions and done it wrong? Thanks in
>> advance for the help.
>
> I have a similar need, but I create an A record at zone level with:
>
> samba-tool dns add localhost myserver.example.com myserver.example.com A 10.2.3.4 -U Administrator
>
> The trick is to specify zone-name and record-name with the same value.
> I have not tried to create a CNAME but given the syntax above that
> should be:
>
> samba-tool dns add localhost myserver.example.com myserver.example.com CNAME myserver.samdom.example.com -U Administrator
>
> If it turns out that it does not work with a CNAME record, I would
> guess an A record also solves the issue.
>
> - Kees.
>
Hi, Kees.

Thank you; that worked perfectly! The CNAME variant, I mean. As an aside, although described as a "trick" in the wiki, it doesn't seem to be a particularly dirty or onerous one. After all, the overwhelming majority of a typical organization's machines _will not_ need to be externally accessible.

A question for you (and perhaps Rowland). Would creating a zone of just "example.com" _without_ the "samdom" subdomain and then creating DNS records with the individual machine names not work for some structural reason? For example:

~ # samba-tool dns zonecreate localhost "example.com" -U administrator
~ # samba-tool dns add localhost example.com myserver CNAME myserver.samdom.example.com -U administrator
~ # samba-tool dns add localhost example.com myotherserver CNAME myotherserver.samdom.example.com -U administrator

This would have the advantage that a single dummy zone would be able to contain aliases for _all_ externally visible machines. (I haven't tried this yet; it just occurred to me...and struck me as being "tidier".)

I still don't completely get the gestalt of the strong recommendation of having a subdomain, even for smaller organizations, unless it's just a best practice designed to future proof an organization which might become more complex and hierarchical over time.

Thanks again for the help.

- John
Rowland Penny
2024-Oct-12 16:24 UTC
[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
On Sat, 12 Oct 2024 11:15:03 -0400
"John R. Graham via samba" <samba at lists.samba.org> wrote:
>
> On 10/12/24 05:15, Kees van Vloten via samba wrote:
> >
> > On 12-10-2024 02:25, John R. Graham via samba wrote:
> >> ...as recommended on the Samba Wiki here:
> >> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#I_have_to_Use_Different_Names_to_Resolve_Host_Names_Internally_and_Externally
> >>
> >> I'm trying to use the "clever trick" to make a certain internal
> >> server resolve to the name I'm forced to use to resolve it
> >> externally. I successfully created the new zone (fictionalizing
> >> the names for inclusion here):
> >>
> >> ~ # samba-tool dns zonecreate "dc1" "myserver.example.com" -U administrator
> >> Zone myserver.example.com created successfully
> >>
> >> ...but I get a runtime error when I try to create the CNAME record
> >> in the zone "...leaving the name of the record blank." Here's what
> >> I did:
> >>
> >> ~ # samba-tool dns add "dc1" "myserver.example.com" "" CNAME "myserver.samdom.example.com" -U Administrator
> >> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
> >>   File "/usr/lib/python3.12/site-packages/samba/netcmd/__init__.py", line 279, in _run
> >>     return self.run(*args, **kwargs)
> >>            ^^^^^^^^^^^^^^^^^^^^^^^^^
> >>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 1186, in run
> >>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
> >>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 119, in f
> >>     return attr(*args)
> >>            ^^^^^^^^^^^
> >> Have I misinterpreted the instructions and done it wrong? Thanks
> >> in advance for the help.
> >
> > I have a similar need, but I create an A record at zone level with:
> >
> > samba-tool dns add localhost myserver.example.com myserver.example.com A 10.2.3.4 -U Administrator
> >
> > The trick is to specify zone-name and record-name with the same
> > value. I have not tried to create a CNAME but given the syntax
> > above that should be:
> >
> > samba-tool dns add localhost myserver.example.com myserver.example.com CNAME myserver.samdom.example.com -U Administrator
> >
> > If it turns out that it does not work with a CNAME record, I would
> > guess an A record also solves the issue.
> >
> > - Kees.
> >
> Hi, Kees.
>
> Thank you; that worked perfectly! The CNAME variant, I mean. As an
> aside, although described as a "trick" in the wiki, it doesn't seem
> to be a particularly dirty or onerous one. After all, the
> overwhelming majority of a typical organization's machines _will not_
> need to be externally accessible.
>
> A question for you (and perhaps Rowland). Would creating a zone of
> just "example.com" _without_ the "samdom" subdomain and then
> creating DNS records with the individual machine names not work for
> some structural reason? For example:
>
> ~ # samba-tool dns zonecreate localhost "example.com" -U administrator
> ~ # samba-tool dns add localhost example.com myserver CNAME myserver.samdom.example.com -U administrator
> ~ # samba-tool dns add localhost example.com myotherserver CNAME myotherserver.samdom.example.com -U administrator
>
> This would have the advantage that a single dummy zone would be able
> to contain aliases for _all_ externally visible machines. (I haven't
> tried this yet; it just occurred to me...and struck me as being
> "tidier".)
>
> I still don't completely get the gestalt of the strong recommendation
> of having a subdomain, even for smaller organizations, unless it's
> just a best practice designed to future proof an organization which
> might become more complex and hierarchical over time.
>
> Thanks again for the help.
>
> - John
>

One of the reasons for using a subdomain is to stop the problem you are now having. The AD dns server has to be authoritative for the AD dns domain and forwards anything unknown to an external dns server. It is also recommended that the AD dns server is not contactable from outside the AD domain.

Rowland
Kees van Vloten
2024-Oct-12 17:33 UTC
[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
On 12-10-2024 17:15, John R. Graham via samba wrote:
>
> On 10/12/24 05:15, Kees van Vloten via samba wrote:
>>
>> On 12-10-2024 02:25, John R. Graham via samba wrote:
>>> ...as recommended on the Samba Wiki here:
>>> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#I_have_to_Use_Different_Names_to_Resolve_Host_Names_Internally_and_Externally
>>>
>>> I'm trying to use the "clever trick" to make a certain internal
>>> server resolve to the name I'm forced to use to resolve it
>>> externally. I successfully created the new zone (fictionalizing the
>>> names for inclusion here):
>>>
>>> ~ # samba-tool dns zonecreate "dc1" "myserver.example.com" -U administrator
>>> Zone myserver.example.com created successfully
>>>
>>> ...but I get a runtime error when I try to create the CNAME record
>>> in the zone "...leaving the name of the record blank." Here's what I
>>> did:
>>>
>>> ~ # samba-tool dns add "dc1" "myserver.example.com" "" CNAME "myserver.samdom.example.com" -U Administrator
>>> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/__init__.py", line 279, in _run
>>>     return self.run(*args, **kwargs)
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 1186, in run
>>>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 119, in f
>>>     return attr(*args)
>>>            ^^^^^^^^^^^
>>> Have I misinterpreted the instructions and done it wrong? Thanks in
>>> advance for the help.
>>
>> I have a similar need, but I create an A record at zone level with:
>>
>> samba-tool dns add localhost myserver.example.com myserver.example.com A 10.2.3.4 -U Administrator
>>
>> The trick is to specify zone-name and record-name with the same value.
>> I have not tried to create a CNAME but given the syntax above that
>> should be:
>>
>> samba-tool dns add localhost myserver.example.com myserver.example.com CNAME myserver.samdom.example.com -U Administrator
>>
>> If it turns out that it does not work with a CNAME record, I would
>> guess an A record also solves the issue.
>>
>> - Kees.
>>
> Hi, Kees.
>
> Thank you; that worked perfectly! The CNAME variant, I mean. As an
> aside, although described as a "trick" in the wiki, it doesn't seem to
> be a particularly dirty or onerous one. After all, the overwhelming
> majority of a typical organization's machines _will not_ need to be
> externally accessible.
>
> A question for you (and perhaps Rowland). Would creating a zone of
> just "example.com" _without_ the "samdom" subdomain and then creating
> DNS records with the individual machine names not work for some
> structural reason? For example:
>
> ~ # samba-tool dns zonecreate localhost "example.com" -U administrator
> ~ # samba-tool dns add localhost example.com myserver CNAME myserver.samdom.example.com -U administrator
> ~ # samba-tool dns add localhost example.com myotherserver CNAME myotherserver.samdom.example.com -U administrator
>

Your internal machine will do DNS queries at your DC first. So indeed this will provide a different DNS view for internal machines, and they will never resolve to any of the externally known *.example.com domains. It is totally valid to do something like this; bind9 even provides the concept of dns-views, a. o. for this reason. I am using it to provide different (internal) IPs for the externally known domain-name of my environment. With this, mobile devices which sometimes connect over internet and sometimes over the LAN / wifi can use the same DNS-name to connect to services (e.g. email) but they resolve differently depending on their location.

Do note that you have to set the TTL pretty low so that they won't use a cached result after changing location from internal to external or vice-versa. In order to allow samba-tool to set a TTL on a DNS record I have made a small patch. I can share it if that has any value for you.

- Kees.

> This would have the advantage that a single dummy zone would be able
> to contain aliases for _all_ externally visible machines. (I haven't
> tried this yet; it just occurred to me...and struck me as being
> "tidier".)
>
> I still don't completely get the gestalt of the strong recommendation
> of having a subdomain, even for smaller organizations, unless it's
> just a best practice designed to future proof an organization which
> might become more complex and hierarchical over time.
>
> Thanks again for the help.
>
> - John
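An added example, not code from the thread or from Samba: a small Python model of the resolution behaviour Rowland and Kees describe (the DC answers authoritatively for the zones it hosts and forwards everything else), used to compare Kees' per-host dummy zone with the single example.com zone John asks about. Zone contents, hostnames and addresses are constructed sample values.

```python
# Added example, not code from the thread: a minimal model of how an AD DC's
# DNS answers a query. It is authoritative for the zones it hosts (longest
# suffix match) and forwards anything else, which is Rowland's point above.
# All zone data, hostnames and addresses are constructed sample values.
from typing import Optional, Tuple

def find_zone(name: str, zones: dict) -> Optional[str]:
    """Return the hosted zone that is the longest suffix of name, or None."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None

def resolve(name: str, zones: dict, forwarder: dict) -> Tuple[str, Optional[str]]:
    """Authoritative data if the name is in a hosted zone, NXDOMAIN if the zone
    is hosted but the name is not, otherwise whatever the forwarder returns."""
    name = name.lower().rstrip(".")
    zone = find_zone(name, zones)
    if zone is None:
        return "forwarded", forwarder.get(name)
    # Owner name relative to the zone; the apex is "@", which is what the
    # "zone-name and record-name with the same value" samba-tool form targets.
    rel = name[: len(name) - len(zone)].rstrip(".") or "@"
    rec = zones[zone].get(rel)
    return ("authoritative", rec) if rec else ("nxdomain", None)

def lookup(name: str, zones: dict, forwarder: dict) -> Tuple[str, Optional[str]]:
    """resolve() plus one CNAME hop, so an alias ends at the internal address."""
    status, rec = resolve(name, zones, forwarder)
    if rec and rec.startswith("CNAME "):
        return resolve(rec.split(" ", 1)[1], zones, forwarder)
    return status, rec

# The AD domain zone the DC always hosts (constructed).
AD_ZONE = {"samdom.example.com": {"dc1": "A 10.2.3.1", "myserver": "A 10.2.3.4"}}
# What the external forwarder knows about the public domain (constructed).
PUBLIC = {"myserver.example.com": "A 203.0.113.10", "www.example.com": "A 203.0.113.20"}
# Kees' layout: one dummy zone per externally known host, record at the apex.
PER_HOST = {**AD_ZONE, "myserver.example.com": {"@": "CNAME myserver.samdom.example.com"}}
# John's proposed layout: one zone for the whole public domain, a record per host.
WHOLE_DOMAIN = {**AD_ZONE, "example.com": {"myserver": "CNAME myserver.samdom.example.com"}}

if __name__ == "__main__":
    for host in ("myserver.example.com", "www.example.com"):
        print(host, "per-host:", lookup(host, PER_HOST, PUBLIC),
              "whole-domain:", lookup(host, WHOLE_DOMAIN, PUBLIC))
```

With the single example.com zone, any public name that is not explicitly aliased (www.example.com here) becomes NXDOMAIN for internal clients instead of being forwarded, which is the behaviour behind Kees' remark that they "will never resolve to any of the externally known *.example.com domains".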