[Samba] FW: DNS record info (samba-tool)

Günter Kukkukk linux at kukkukk.com
Tue Apr 8 20:01:48 MDT 2014


Am 08.04.2014 22:18, schrieb Stuart Naylor:
> Doh forgot to cc
> 
>  
>  
> -----Original message-----
>> From:Stuart Naylor <stuartiannaylor at thursbygarden.org>
>> Sent: Tuesday 8th April 2014 21:16
>> To: Günter Kukkukk <linux at kukkukk.com>
>> Subject: RE: [Samba] DNS record info (samba-tool)
>>
>> Brilliant, glad about that as zones pretty much done on set up and no worry about a restart.
>>
>> Great that adding records to a zone doesn't as restarting samba for that each time would be a bit strange in production.
>>
>> Gunter apols to ask you again but you do seem to be a wealth of information.
>>
>> With samba-tool and dns entries the only documented dns add is something like
>>
>>
>> samba-tool dns add SAMBA1.SAMBA4.LAN 1.168.192.in-addr.arpa 32 PTR SAMBA1.SAMBA4.LAN --username=administrator
>>
>> Am I confused as the cli presents this samba-tool dns add <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>>
>> So the above is server=SAMBA1.SAMBA4.LAN zone=1.168.192.in-addr.arpa name=32 PTR data=SAMBA1.SAMBA4.LAN
>>
>> To be honest it was just 'name' that threw me.
>>
>> root at samba1:~# samba-tool dns delete
>> Usage: samba-tool dns delete <server> <zone> <name> <A|AAAA|PTR|CNAME|NS|MX|SRV|TXT> <data>
>>
>> would be samba-tool dns delete SAMBA1.SAMBA4.LAN 1.168.192.in-addr.arpa 32 PTR SAMBA1.SAMBA4.LAN --username=administrator
>>
>> which it was.


Hi Stuart,

first of all let us have a look at "--username=administrator" aka "-Uadministrator"
which is needed with many samba-tool commands.

To avoid entering it over and over again, one can use
     kinit administrator at YOUR.REALM
and then enter the password *once*.

From now on the administrator and its password can be omitted with samba-tool commands.
AFAIR there is at least one exception from this rule when using
    samba-tool domain demote
Here the -Uadministrator had to be used, but I might be wrong here ....

>>
>> So you can have duplicate 'names' as long as the data points to the correct entry?

Now it starts to get a bit problematic.  :-(

Sure, you can add many A or AAAA records pointing to the same host. (a host can have many of them)
Same holds true for the reverse PTR records and others...

But - (atm) samba-tool also *allows* you to add records which are wrong, e.g. CNAME entries.
When you have a look at (I assume the ISC bind tools are installed):
   dig irc.freenode.org

...
;; ANSWER SECTION:
irc.freenode.org.       84      IN      CNAME   irc.freenode.net.
irc.freenode.net.       41      IN      CNAME   chat.freenode.net.
chat.freenode.net.      299     IN      A       193.219.128.49
chat.freenode.net.      299     IN      A       185.30.166.35
... and so on
A CNAME alias *must always* point to an already *existing* A/AAAA (or even CNAME) record!
In the above example a CNAME points to another CNAME, which then points to many A records.
Most docus note that this should be avoided due to performance - but it's valid.

Now back to samba-tool.
Here I add 2 CNAME records which point to *not existing* hostname records:
   samba-tool dns add li4771-131 addlz.kukkukk.com abcd.addlz.kukkukk.com CNAME notthere.addlz.kukkukk.com
   samba-tool dns add li4771-131 addlz.kukkukk.com xyz1.addlz.kukkukk.com CNAME wrong.addlz.kukkukk.com
Both commands add the CNAMEs without problem - but they are wrong and cannot be resolved by dns queries!

I guess, when trying the same with dyn. DNS updates, those CNAMEs will fail... because there the existence
of the resulting host will usually be checked as a "prerequisite" ...

A last hint:
The name "samba-tool" is nice - but a bit long.
So I added the following to ~/.bashrc
   alias st=samba-tool
(then use "source ~/.bashrc" to get it reloaded)
From now on one can use "st" instead of longer "samba-tool".  :-)
Note that the command "st" should not be in use already.

Cheers,  Günter

>>
>> Stuart
>>
>>  
>>  
>>  
>> -----Original message-----
>>> From:Günter Kukkukk <linux at kukkukk.com>
>>> Sent: Tuesday 8th April 2014 20:26
>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>
>>> Cc: samba at lists.samba.org
>>> Subject: Re: [Samba] DNS record info (samba-tool)
>>>
>>> Am 08.04.2014 20:31, schrieb Stuart Naylor:
>>>> Thanks Gunter,
>>>>
>>>> I am keeping to the internal, I am not a fan of bind in this scenario.
>>>>
>>>> Gunter so even though it lists that is just an RPC call but actually the working record needs a restart?
>>>>
>>>> I am trying to do a webmin module for Samba4 rather than use any RSAT tools.
>>>>
>>>> The DNS part is a little confusing :)
>>>>
>>>> Stuart 
>>>
>>> there are (at least) 2 ways to manipulate samba (windows) dns entries:
>>>   - using dce/rpc calls to modify the AD directory directly
>>>     (e.g. used by samba-tool, MS DNS Manager GUI, ...)
>>>   - using dynamic DNS
>>>     (e.g. ISC nsupdate, MS ipconfig /registerdns, ...)
>>>
>>> When samba starts, the internal dns server reads all currently defined
>>> zones (from ADS) - and the containing dns records - into its _own_ data structures.
>>>
>>> When a new zone is added, the dce/rpc tools will show it,
>>> but the internal dns must be restarted.
>>>
>>> When you then add new records to any now existing zone, the dns server
>>> will also track them. So no samba restart is needed.
>>>
>>> Cheers, Günter
>>>
>>>>
>>>>  
>>>>  
>>>> -----Original message-----
>>>>> From:Günter Kukkukk <linux at kukkukk.com>
>>>>> Sent: Tuesday 8th April 2014 19:15
>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>; Marc Muehlfeld <samba at marc-muehlfeld.de>; samba at lists.samba.org
>>>>> Subject: Re: [Samba] DNS record info (samba-tool)
>>>>>
>>>>> Am 08.04.2014 19:08, schrieb Stuart Naylor:
>>>>>> root at samba1:~# samba-tool dns query SAMBA1.SAMBA4.LAN 1.168.192.in-addr.arpa @ ALL --username=administrator       Password for [SAMBA4\administrator]:
>>>>>>   Name=, Records=2, Children=0
>>>>>>     SOA: serial=2, refresh=900, retry=600, expire=86400, minttl=3600, ns=samba1.samba4.lan., email=hostmaster.samba4.lan. (flags=600000f0, serial=2, ttl=3600)
>>>>>>     NS: samba1.samba4.lan. (flags=600000f0, serial=1, ttl=3600)
>>>>>>   Name=32, Records=1, Children=0
>>>>>>     PTR: SAMBA1.SAMBA4.LAN (flags=f0, serial=2, ttl=900)
>>>>>>
>>>>>>
>>>>>> @ ALL seems to do it.
>>>>>> trying to use samba-tool and not the RSAT tools.
>>>>>>
>>>>>> any more info anyone?
>>>>>>
>>>>>> Thanks
>>>>>>
>>>>>> Stuart
>>>>>>
>>>>>>
>>>>>>  
>>>>>>  
>>>>>> -----Original message-----
>>>>>>> From:Marc Muehlfeld <samba at marc-muehlfeld.de>
>>>>>>> Sent: Tuesday 8th April 2014 17:55
>>>>>>> To: Stuart Naylor <stuartiannaylor at thursbygarden.org>; samba at lists.samba.org
>>>>>>> Subject: Re: [Samba] DNS record info (samba-tool)
>>>>>>>
>>>>>>> Hello Stuart,
>>>>>>>
>>>>>>> Am 08.04.2014 18:08, schrieb Stuart Naylor:
>>>>>>>> But if I wanted to browse and delete a record how do I do it?
>>>>>>>
>>>>>>>
>>>>>>> Have you seen
>>>>>>> https://wiki.samba.org/index.php/DNS_Administration
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Regards,
>>>>>>> Marc
>>>>>>>
>>>>>
>>>>> Are you using the internal samba dns server?
>>>>> If so, you need to restart samba after adding a dns zone. The zone was
>>>>> added with rpc calls to the directory, but the dns server doesn't
>>>>> notice this atm .
>>>>> Note - also with the bind dlz module, sometimes wrong results have been seen
>>>>> after adding a zone. So one might also here need to restart bind/samba.
>>>>>
>>>>> Cheers, Günter
>>>>>
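Günter's observation that samba-tool happily adds CNAMEs whose targets do not exist suggests a simple audit. The following is an added example, not code from the thread or from the Samba project: it parses the output of `samba-tool dns query <server> <zone> @ ALL` (as quoted earlier in the thread) and lists every CNAME whose in-zone target has no A, AAAA or CNAME record. The sample output is constructed, and the exact record-line format is assumed from the PTR/NS lines shown in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `samba-tool dns query <server> <zone> @ ALL` output (format assumed
# from the lines quoted in the thread); the two dangling CNAMEs mirror Günter's examples.
SAMPLE_QUERY_OUTPUT = """\
  Name=, Records=1, Children=0
    NS: li4771-131.addlz.kukkukk.com. (flags=600000f0, serial=1, ttl=3600)
  Name=li4771-131, Records=1, Children=0
    A: 192.0.2.10 (flags=f0, serial=1, ttl=900)
  Name=www, Records=1, Children=0
    CNAME: li4771-131.addlz.kukkukk.com. (flags=f0, serial=3, ttl=900)
  Name=abcd, Records=1, Children=0
    CNAME: notthere.addlz.kukkukk.com. (flags=f0, serial=4, ttl=900)
  Name=xyz1, Records=1, Children=0
    CNAME: wrong.addlz.kukkukk.com. (flags=f0, serial=5, ttl=900)
"""

NAME_RE = re.compile(r"^\s*Name=(?P<name>[^,]*), Records=")
REC_RE = re.compile(r"^\s*(?P<type>[A-Z]+): (?P<data>.*?) \(flags=")


def parse_zone(output: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each owner name ('' for the zone apex) to its (type, data) records."""
    records: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in output.splitlines():
        m = NAME_RE.match(line)
        if m:
            current = m.group("name")  # relative owner name within the zone
            continue
        m = REC_RE.match(line)
        if m and current is not None:
            records.setdefault(current, []).append((m.group("type"), m.group("data")))
    return records


def dangling_cnames(output: str, zone: str) -> List[Tuple[str, str]]:
    """(alias, target) pairs whose in-zone target has no A/AAAA/CNAME record."""
    records = parse_zone(output)
    suffix = "." + zone.lower().rstrip(".") + "."
    broken = []
    for owner, recs in records.items():
        for rtype, data in recs:
            if rtype != "CNAME":
                continue
            target = data.lower().rstrip(".") + "."  # normalise to an absolute name
            if not target.endswith(suffix):
                continue  # target outside this zone: cannot be checked from this dump alone
            relative = target[: -len(suffix)]
            if not any(t in ("A", "AAAA", "CNAME") for t, _ in records.get(relative, [])):
                broken.append((owner, data))
    return broken
```

In practice the dump would come from `subprocess.run(["samba-tool", "dns", "query", server, zone, "@", "ALL"], capture_output=True, text=True).stdout` after a `kinit`, and a CNAME pointing at the zone apex itself is reported as out-of-zone by this simplified check.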