[PATCH] Use samba-tool to add DNS entries with samba_dnsupdate

Andrew Bartlett abartlet at samba.org
Tue Aug 11 04:40:58 UTC 2015


On Mon, 2015-03-16 at 11:17 +1300, Andrew Bartlett wrote:
> On Sat, 2015-03-14 at 10:33 +0100, Stefan (metze) Metzmacher wrote:
> > Am 14.03.2015 um 10:19 schrieb Andrew Bartlett:
> > > On Sat, 2015-03-14 at 10:07 +0100, Stefan (metze) Metzmacher wrote:
> > > > Hi Andrew,
> > > > 
> > > > > > > Why did you not add NS records to the dns_update_list?  Are we unable to
> > > > > > > add those with dynamic DNS updates for some reason?  (If so, I'll make a
> > > > > > > special case to force these to samba-tool). 
> > > > > > 
> > > > > > Yes, this is not allowed via dns updates against Windows.
> > > > > > 
> > > > > > I'd propose the following syntax:
> > > > > > 
> > > > > > RPC ${ZONE} ${TYPE} ${NAME} ${TARGET}
> > > > > > 
> > > > > > SERVER = NS server of ZONE
> > > > > > => samba-tool dns add ${SERVER} ${ZONE} ${NAME}. ${TYPE} ${TARGET}
> > > > > > 
> > > > > > ${IF_RWDNS_DOMAIN}RPC ${DNSDOMAIN} NS ${DNSDOMAIN} ${HOSTNAME}
> > > > > > => samba-tool dns add ${SERVER} ${DNSDOMAIN} ${DNSDOMAIN}. NS ${HOSTNAME}
> > > > > > ${IF_RWDNS_FOREST}RPC _msdcs.${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
> > > > > > => samba-tool dns add ${SERVER} _msdcs.${DNSFOREST} _msdcs.${DNSFOREST}. NS ${HOSTNAME}
> > > > > > ${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
> > > > > > => samba-tool dns add ${SERVER} ${DNSFOREST} _msdcs.${DNSFOREST}. NS ${HOSTNAME}
> > > > > > 
> > > > > > See
> > > > > > https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c57c578539e65ce4fa9c4bc2c61b08ad9900a40a
> > > > > 
> > > > > Why not just make NS records go via the RPC layer, leaving the rest of
> > > > > the syntax as-is?
> > > > 
> > > > Also note that we require _msdcs.${DNSFOREST} to be updated twice.
> > > > Once in the _msdcs.${DNSFOREST} zone and in the ${DNSFOREST} (see above).
> > > 
> > > OK, the glue records.
> > > 
> > > > This is not possible with the current syntax.
> > > > 
> > > > So it's basically just "RPC ${ZONE} " in front of what we have.
> > > > 
> > > > > How does the RPC prefix help, given I already have the transformation
> > > > > between the different command-line syntaxes for the fallback case?
> > > > 
> > > > I think there're also other name types which require RPC to be used
> > > > and currently the dns_update_list file is flexible enough to be extended
> > > > by the admin. E.g. it's possible to add MX records, which would likely
> > > > require RPC too.
> > > 
> > > What is special about MX records?
> > 
> > It's just an example. But as far as I remember Windows rejects more
> > than just NS updates via DNS. But I just tested that MX records work
> > over DNS.
> 
> Something doesn't make sense about the above.  First, for the subdomain
> case we can't encode in the dns_update_list file the parent zone, as our
> zone and the parent zone may not be directly parent/child of each other.
> 
> Also, I think Windows does try and use NS updates.  We see this when you
> create a new domain, as it reaches out to try and update its parent
> zone.  I'm pretty sure that isn't over RPC, but I'll have to get a
> trace.
> 
> I've tried to encode the rules in a dns_update_list file, and
> modifications to samba_dnsupdate, but I'm getting nowhere fast.  
> 
> Do you think we can at least start with the modifications I proposed?
> These make a big difference for samba-only sites, which are the vast
> majority of our use cases, and the case that we currently very poorly
> support when they change the IP of their only DC.

Metze,

Can you look at my current samba_dnsupdate branch?  I would like to see
this merged into master as soon as I have tests for it.  It may not be
perfect, but it is a massive improvement on the current state, and
combined with your dns_update_cache work allows the name and IP of a
Samba AD DC to be changed and for us to still recover into a working
state.

This will in turn help a lot of our administrators who currently have a
lot of trouble in this situation.

(The tests are pending the resolv_wrapper and socket_wrapper work I'm
sorting out with Andreas).

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba




-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba_dnsupdate.patch
Type: text/x-patch
Size: 35283 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20150811/e01f1e65/samba_dnsupdate.bin>
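The thread proposes a "RPC ${ZONE} ${TYPE} ${NAME} ${TARGET}" prefix in dns_update_list for records (such as NS) that Windows refuses over dynamic DNS updates, to be turned into "samba-tool dns add ${SERVER} ${ZONE} ${NAME}. ${TYPE} ${TARGET}" instead. The following is an added example that is not part of the thread, the attached patch or Samba itself: a small expander that reads a dns_update_list-style text, honours the ${IF_...} conditional prefixes, substitutes the variables, and splits entries into dynamic-DNS updates and samba-tool argv lists. The sample file, the variable values, the set of conditional flags, the choice of server and the exact conditional semantics are constructed assumptions; the only thing taken from real Samba is the argument order of samba-tool dns add.

```python
"""Expand a dns_update_list-style file, including the proposed
"RPC ${ZONE}" prefix, into dynamic-DNS updates and samba-tool commands.

Added example for the samba-technical thread; not Samba code.  The file
format details, sample values and flag names below are assumptions."""
import re
import shlex
from typing import Dict, List, Set, Tuple

# Constructed sample in the format discussed in the thread.  The ${IF_...}
# prefixes and the "RPC ${ZONE}" form are the proposed syntax (assumption).
SAMPLE_UPDATE_LIST = """\
# plain dynamic-DNS update entries (existing syntax)
A ${HOSTNAME} ${IP}
A ${DNSDOMAIN} ${IP}
# entries that must go via RPC (samba-tool): Windows does not accept
# NS records through dynamic DNS updates
${IF_RWDNS_DOMAIN}RPC ${DNSDOMAIN} NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC _msdcs.${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
"""

# Constructed values for a child domain DC (assumption, not real hosts).
SAMPLE_ENV = {
    "HOSTNAME": "dc1.child.example.internal",
    "DNSDOMAIN": "child.example.internal",
    "DNSFOREST": "example.internal",
    "IP": "10.0.0.5",
}

VAR_RE = re.compile(r"\$\{([A-Z_]+)\}")
COND_RE = re.compile(r"^\$\{(IF_[A-Z_]+)\}")

Update = Tuple[str, str, str]          # (type, name, target)


def substitute(text: str, env: Dict[str, str]) -> str:
    """Replace every ${NAME} with env[NAME]; an unknown name is an error
    rather than being passed through to DNS as a literal."""
    def repl(m: "re.Match") -> str:
        name = m.group(1)
        if name not in env:
            raise KeyError("undefined variable %s" % name)
        return env[name]
    return VAR_RE.sub(repl, text)


def expand_update_list(text: str, env: Dict[str, str], flags: Set[str],
                       server: str) -> Tuple[List[Update], List[List[str]]]:
    """Return (dns_updates, rpc_commands).

    dns_updates: (type, name, target) tuples for the dynamic-DNS path.
    rpc_commands: argv lists for "samba-tool dns add", one per RPC entry.
    `server` is the DNS server to send the RPC to (the thread says the NS
    server of the zone; choosing it is left to the caller here).
    """
    dns_updates: List[Update] = []
    rpc_commands: List[List[str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            if cond.group(1) not in flags:
                continue              # conditional not set: skip entry
            line = line[cond.end():]
        fields = substitute(line, env).split()
        if fields[0] == "RPC":
            if len(fields) != 5:
                raise ValueError("malformed RPC entry: %r" % raw)
            _, zone, rtype, name, target = fields
            # samba-tool dns add <server> <zone> <name> <type> <data>;
            # the trailing dot makes <name> absolute within the zone.
            rpc_commands.append(["samba-tool", "dns", "add", server,
                                 zone, name + ".", rtype, target])
        else:
            if len(fields) != 3:
                raise ValueError("malformed entry: %r" % raw)
            rtype, name, target = fields
            dns_updates.append((rtype, name, target))
    return dns_updates, rpc_commands


def to_shell(argv: List[str]) -> str:
    """Render an argv list as a safely quoted shell command line."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    flags = {"IF_RWDNS_DOMAIN", "IF_RWDNS_FOREST"}
    updates, cmds = expand_update_list(SAMPLE_UPDATE_LIST, SAMPLE_ENV,
                                       flags, SAMPLE_ENV["HOSTNAME"])
    for u in updates:
        print("dynamic update:", u)
    for c in cmds:
        print(to_shell(c))
```

With both flags set, the three NS entries become three samba-tool commands, and the _msdcs NS record shows up twice, once in the _msdcs.${DNSFOREST} zone and once as glue in the ${DNSFOREST} zone, which is the "updated twice" point raised in the thread. Dropping IF_RWDNS_FOREST from the flag set leaves only the domain NS entry.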