Kees van Vloten
2024-Oct-12 17:33 UTC
[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
On 12-10-2024 17:15, John R. Graham via samba wrote:
>
> On 10/12/24 05:15, Kees van Vloten via samba wrote:
>>
>> On 12-10-2024 02:25, John R. Graham via samba wrote:
>>> ...as recommended on the Samba Wiki here:
>>> https://wiki.samba.org/index.php/Active_Directory_Naming_FAQ#I_have_to_Use_Different_Names_to_Resolve_Host_Names_Internally_and_Externally
>>>
>>> I'm trying to use the "clever trick" to make a certain internal server resolve to the name I'm forced to use to resolve it externally. I successfully created the new zone (fictionalizing the names for inclusion here):
>>>
>>> ~ # samba-tool dns zonecreate "dc1" "myserver.example.com" -U administrator
>>> Zone myserver.example.com created successfully
>>>
>>> ...but I get a runtime error when I try to create the CNAME record in the zone "...leaving the name of the record blank." Here's what I did:
>>>
>>> ~ # samba-tool dns add "dc1" "myserver.example.com" "" CNAME "myserver.samdom.example.com" -U Administrator
>>> ERROR(runtime): uncaught exception - (1383, 'WERR_INTERNAL_DB_ERROR')
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/__init__.py", line 279, in _run
>>>     return self.run(*args, **kwargs)
>>>            ^^^^^^^^^^^^^^^^^^^^^^^^^
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 1186, in run
>>>     dns_conn.DnssrvUpdateRecord2(dnsserver.DNS_CLIENT_VERSION_LONGHORN,
>>>   File "/usr/lib/python3.12/site-packages/samba/netcmd/dns.py", line 119, in f
>>>     return attr(*args)
>>>            ^^^^^^^^^^^
>>> Have I misinterpreted the instructions and done it wrong? Thanks in advance for the help.
>>
>> I have a similar need, but I create an A record at zone level with:
>>
>> samba-tool dns add localhost myserver.example.com myserver.example.com A 10.2.3.4 -U Administrator
>>
>> The trick is to specify zone-name and record-name with the same value.
>> I have not tried to create a CNAME but given the syntax above that should be:
>>
>> samba-tool dns add localhost myserver.example.com myserver.example.com CNAME myserver.samdom.example.com -U Administrator
>>
>> If it turns out that it does not work with a CNAME record, I would guess an A record also solves the issue.
>>
>> - Kees.
>>
> Hi, Kees.
>
> Thank you; that worked perfectly! The CNAME variant, I mean. As an aside, although described as a "trick" in the wiki, it doesn't seem to be a particularly dirty or onerous one. After all, the overwhelming majority of a typical organization's machines _will not_ need to be externally accessible.
>
> A question for you (and perhaps Rowland). Would creating a zone of just "example.com" _without_ the "samdom" subdomain and then creating DNS records with the individual machine names not work for some structural reason? For example:
>
> ~ # samba-tool dns zonecreate localhost "example.com" -U administrator
> ~ # samba-tool dns add localhost example.com myserver CNAME myserver.samdom.example.com -U administrator
> ~ # samba-tool dns add localhost example.com myotherserver CNAME myotherserver.samdom.example.com -U administrator

Your internal machine will do DNS queries at your DC first. So indeed this will provide a different DNS view for internal machines, and they will never resolve to any of the externally known *.example.com domains.

It is totally valid to do something like this; bind9 even provides the concept of dns-views, a.o. for this reason.

I am using it to provide different (internal) IPs for the externally known domain-name of my environment. With this, mobile devices which sometimes connect over the internet and sometimes over the LAN / wifi can use the same DNS-name to connect to services (e.g. email), but they resolve differently depending on their location.

Do note that you have to set the TTL pretty low so that they won't use a cached result after changing location from internal to external or vice-versa. In order to allow samba-tool to set a TTL on a DNS record I have made a small patch. I can share it if that has any value for you.

- Kees.

> This would have the advantage that a single dummy zone would be able to contain aliases for _all_ externally visible machines. (I haven't tried this yet; it just occurred to me...and struck me as being "tidier".)
>
> I still don't completely get the gestalt of the strong recommendation of having a subdomain, even for smaller organizations, unless it's just a best practice designed to future proof an organization which might become more complex and hierarchical over time.
>
> Thanks again for the help.
>
> - John
John R. Graham
2024-Oct-14 14:09 UTC
[Samba] AD/DNS: Cannot Create a CNAME record with a blank name...
On 10/12/24 13:33, Kees van Vloten via samba wrote:
>
> On 12-10-2024 17:15, John R. Graham via samba wrote:
>>
>> ...
>>
>> A question for you (and perhaps Rowland). Would creating a zone of just "example.com" _without_ the "samdom" subdomain and then creating DNS records with the individual machine names not work for some structural reason? For example:
>>
>> ~ # samba-tool dns zonecreate localhost "example.com" -U administrator
>> ~ # samba-tool dns add localhost example.com myserver CNAME myserver.samdom.example.com -U administrator
>> ~ # samba-tool dns add localhost example.com myotherserver CNAME myotherserver.samdom.example.com -U administrator
>>
> Your internal machine will do DNS queries at your DC first. So indeed this will provide a different DNS view for internal machines, and they will never resolve to any of the externally known *.example.com domains.
>
> It is totally valid to do something like this; bind9 even provides the concept of dns-views, a.o. for this reason.
>
> I am using it to provide different (internal) IPs for the externally known domain-name of my environment. With this, mobile devices which sometimes connect over the internet and sometimes over the LAN / wifi can use the same DNS-name to connect to services (e.g. email), but they resolve differently depending on their location.
>
> Do note that you have to set the TTL pretty low so that they won't use a cached result after changing location from internal to external or vice-versa. In order to allow samba-tool to set a TTL on a DNS record I have made a small patch. I can share it if that has any value for you.
>
> - Kees.
>
>> This would have the advantage that a single dummy zone would be able to contain aliases for _all_ externally visible machines. (I haven't tried this yet; it just occurred to me...and struck me as being "tidier".)
>>
>> ...
>>

It turns out that the scheme that I asked about above *doesn't* do what I hoped it might.

Creating an "example.com" zone and then a CNAME record that maps between the external name and the internal one for my server does indeed work, but the existence of the "example.com" zone also blocks resolution of the names of all the externally hosted machines that have URLs that end in "example.com". (Just as one example, my mail server is externally hosted.) This is probably just Samba behaving as designed, namely that it's designed to be authoritative for the zones that it manages.

So this leads me to *another* question. If my surmise is correct, would it be considered a worthwhile feature to add an attribute to a zone record so that a zone could be declared--I'm not exactly sure what the term should be--selectively authoritative? The behavior being, if a DNS record exists in the zone, then use it; otherwise, forward the request to upstream DNS and then use that result?

The reason I think this might be a reasonable and worthwhile feature is because the wiki describes a "trick" that has apparently already ceased to function *once*. It's good for me that an alternative embodiment of the trick is still available, but it also might one day cease to work. Relying on documented features and behavior is always preferred.
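A small resolver model, added here and not part of the thread or of Samba, that reproduces the behaviour both messages describe: a name covered by a zone the DC holds is answered from that zone (NXDOMAIN if the zone has no such record), and only names outside every held zone reach the forwarder. The zone and record names are the thread's fictionalized ones; the public addresses and the `selective` flag (modelling the "selectively authoritative" behaviour John asks about) are constructed for illustration.

```python
"""Why a one-name zone works but an 'example.com' zone shadows mail.example.com."""

# Constructed stand-in for the external DNS view the forwarder would return.
EXTERNAL_VIEW = {
    "myserver.example.com": "203.0.113.10",  # public address (constructed)
    "mail.example.com": "203.0.113.25",      # externally hosted mail (constructed)
}

NXDOMAIN = "NXDOMAIN"


def matching_zone(name, zones):
    """Return the most specific zone that covers `name`, or None."""
    best = None
    for zone in zones:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    return best


def resolve(name, zones, forwarder=EXTERNAL_VIEW, selective=False):
    """Resolve the way the DC does: authoritative zones first, forwarder otherwise.

    With selective=False (Samba's behaviour as observed in the thread) a covered
    name with no record is NXDOMAIN.  selective=True is the hypothetical
    'selectively authoritative' zone: no record -> fall through to the forwarder.
    """
    zone = matching_zone(name, zones)
    if zone is not None:
        answer = zones[zone].get(name)
        if answer is not None:
            return answer
        if not selective:
            return NXDOMAIN  # authoritative zone, no record: name is shadowed
    return forwarder.get(name, NXDOMAIN)


# Wiki trick as used in the thread: a one-name zone with the record at its apex.
APEX_ZONE = {
    "myserver.example.com": {"myserver.example.com": "CNAME myserver.samdom.example.com"},
}

# The parent-domain variant John tried: one zone holding aliases for every host.
PARENT_ZONE = {
    "example.com": {"myserver.example.com": "CNAME myserver.samdom.example.com"},
}
```

The apex zone leaves `mail.example.com` to the forwarder; the parent zone captures every `*.example.com` query, which is exactly the breakage the second message reports.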