[PATCH] Use samba-tool to add DNS entries with samba_dnsupdate

Andrew Bartlett abartlet at samba.org
Sun Mar 15 16:17:41 MDT 2015


On Sat, 2015-03-14 at 10:33 +0100, Stefan (metze) Metzmacher wrote:
> Am 14.03.2015 um 10:19 schrieb Andrew Bartlett:
> > On Sat, 2015-03-14 at 10:07 +0100, Stefan (metze) Metzmacher wrote:
> >> Hi Andrew,
> >>
> >>>>> Why did you not add NS records to the dns_update_list?  Are we unable to
> >>>>> add those with dynamic DNS updates for some reason?  (If so, I'll make a
> >>>>> special case to force these to samba-tool). 
> >>>>
> >>>> Yes, this is not allowed via dns updates against Windows.
> >>>>
> >>>> I'd propose the following syntax:
> >>>>
> >>>> RPC ${ZONE} ${TYPE} ${NAME} ${TARGET}
> >>>>
> >>>> SERVER = NS server of ZONE
> >>>> => samba-tool dns add ${SERVER} ${ZONE} ${NAME}. ${TYPE} ${TARGET}
> >>>>
> >>>> ${IF_RWDNS_DOMAIN}RPC ${DNSDOMAIN} NS ${DNSDOMAIN} ${HOSTNAME}
> >>>> => samba-tool dns add ${SERVER} ${DNSDOMAIN} ${DNSDOMAIN}. NS ${HOSTNAME}
> >>>> ${IF_RWDNS_FOREST}RPC _msdcs.${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
> >>>> => samba-tool dns add ${SERVER} _msdcs.${DNSFOREST} _msdcs.${DNSFOREST}.
> >>>> NS ${HOSTNAME}
> >>>> ${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
> >>>> => samba-tool dns add ${SERVER} ${DNSFOREST} _msdcs.${DNSFOREST}. NS
> >>>> ${HOSTNAME}
> >>>>
> >>>> See
> >>>> https://git.samba.org/?p=metze/samba/wip.git;a=commitdiff;h=c57c578539e65ce4fa9c4bc2c61b08ad9900a40a
> >>>
> >>> Why not just make NS records go via the RPC layer, leaving the rest of
> >>> the syntax as-is?
> >>
> >> Also note that we require _msdcs.${DNSFOREST} to be updated twice.
> >> Once in the _msdcs.${DNSFOREST} zone and in the ${DNSFOREST} (see above).
> > 
> > OK, the glue records.
> > 
> >> This is not possible with the current syntax.
> >>
> >> So it's basically just "RPC ${ZONE} " in front of what we have.
> >>
> >>> How does the RPC prefix help, given I already have the transformation
> >>> between the different command-line syntaxes for the fallback case?
> >>
> >> I think there are also other name types which require RPC to be used,
> >> and currently the dns_update_list file is flexible enough to be extended
> >> by the admin. E.g. it's possible to add MX records, which would likely
> >> require RPC too.
> > 
> > What is special about MX records?
> 
> It's just an example. But as far as I remember Windows rejects more
> than just NS updates via DNS. But I just tested that MX records work
> over DNS.

Something doesn't make sense about the above.  First, for the subdomain
case we can't encode in the dns_update_list file the parent zone, as our
zone and the parent zone may not be directly parent/child of each other.

Also, I think Windows does try and use NS updates.  We see this when you
create a new domain, as it reaches out to try and update its parent
zone.  I'm pretty sure that isn't over RPC, but I'll have to get a
trace.

I've tried to encode the rules in a dns_update_list file, and
modifications to samba_dnsupdate, but I'm getting nowhere fast.  

Do you think we can at least start with the modifications I proposed?
These make a big difference for samba-only sites, which are the vast
majority of our use cases, and the case that we currently very poorly
support when they change the IP of their only DC.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
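The "RPC ${ZONE} ..." prefix that metze proposes above, and the mapping from it to "samba-tool dns add ${SERVER} ${ZONE} ${NAME}. ${TYPE} ${TARGET}", are easier to judge with a small translator in hand. The following is an added example written for this page, not code from Samba or from either author; it parses dns_update_list-style lines, routes "RPC" entries to a samba-tool argv and everything else to an nsupdate "update add" line, and shows the glue-record case where _msdcs.${DNSFOREST} must be added in two different zones. The substitution values, the zone-to-NS-server table, the "# " convention for a false ${IF_...} condition, the 900 second TTL and the "0 100" SRV priority/weight are all assumptions made for the example, not facts taken from the thread.

```python
"""Translate dns_update_list entries (existing syntax plus the proposed RPC
prefix) into samba-tool or nsupdate invocations.  Example code, not Samba's."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed substitution values for a hypothetical single DC (not from the thread).
SUB_VARS = {
    "DNSDOMAIN": "samdom.example",
    "DNSFOREST": "samdom.example",
    "HOSTNAME": "dc1.samdom.example",
    "IP": "192.0.2.10",
    # Assumed convention: "" keeps a conditional line, "# " comments it out.
    "IF_RWDNS_DOMAIN": "",
    "IF_RWDNS_FOREST": "",
}

# Constructed table standing in for "SERVER = NS server of ZONE".
ZONE_NS = {
    "samdom.example": "dc1.samdom.example",
    "_msdcs.samdom.example": "dc1.samdom.example",
}

# Constructed excerpt mixing the existing "TYPE NAME TARGET [PORT]" syntax
# with the proposed "RPC ZONE TYPE NAME TARGET" form from the thread.
SAMPLE_UPDATE_LIST = """
# constructed dns_update_list excerpt
A ${HOSTNAME} ${IP}
SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDNS_DOMAIN}RPC ${DNSDOMAIN} NS ${DNSDOMAIN} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC _msdcs.${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
${IF_RWDNS_FOREST}RPC ${DNSFOREST} NS _msdcs.${DNSFOREST} ${HOSTNAME}
""".strip().splitlines()


@dataclass(frozen=True)
class Update:
    via: str             # "RPC" (samba-tool) or "DNS" (dynamic update)
    zone: Optional[str]  # only present for RPC entries
    rtype: str
    name: str
    data: tuple          # target, plus the port for SRV entries


_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def substitute(line: str, env: dict) -> str:
    """Expand ${VAR}; an undefined variable is an error, never an empty string."""
    def repl(m):
        if m.group(1) not in env:
            raise KeyError(f"undefined dns_update_list variable {m.group(1)}")
        return env[m.group(1)]
    return _VAR.sub(repl, line)


def parse_line(line: str, env: dict) -> Optional[Update]:
    """Return an Update, or None for blank lines and (conditionally) commented ones."""
    text = substitute(line, env).strip()
    if not text or text.startswith("#"):
        return None
    fields = text.split()
    if fields[0] == "RPC":
        if len(fields) < 5:
            raise ValueError(f"RPC entry needs ZONE TYPE NAME TARGET: {text!r}")
        return Update("RPC", fields[1], fields[2], fields[3], tuple(fields[4:]))
    if len(fields) < 3:
        raise ValueError(f"entry needs TYPE NAME TARGET: {text!r}")
    return Update("DNS", None, fields[0], fields[1], tuple(fields[2:]))


def samba_tool_argv(u: Update, zone_ns: dict) -> list:
    """RPC entries become: samba-tool dns add SERVER ZONE NAME. TYPE TARGET"""
    if u.via != "RPC":
        raise ValueError("only RPC entries go through samba-tool")
    if u.zone not in zone_ns:
        raise LookupError(f"no NS server known for zone {u.zone}")
    return ["samba-tool", "dns", "add", zone_ns[u.zone], u.zone,
            u.name + ".", u.rtype, *u.data]


def nsupdate_line(u: Update, ttl: int = 900) -> str:
    """Dynamic-update entries become an nsupdate 'update add' line."""
    if u.rtype == "SRV":
        target, port = u.data  # dns_update_list order is target then port
        rdata = f"0 100 {port} {target}."  # assumed priority/weight
    else:
        rdata = " ".join(u.data)
    return f"update add {u.name}. {ttl} {u.rtype} {rdata}"


def plan(lines, env=SUB_VARS, zone_ns=ZONE_NS) -> list:
    """Return (via, command) pairs: argv lists for RPC, nsupdate text for DNS."""
    out = []
    for line in lines:
        u = parse_line(line, env)
        if u is None:
            continue
        if u.via == "RPC":
            out.append(("RPC", samba_tool_argv(u, zone_ns)))
        else:
            out.append(("DNS", nsupdate_line(u)))
    return out


if __name__ == "__main__":
    for via, cmd in plan(SAMPLE_UPDATE_LIST):
        print(via, cmd if isinstance(cmd, str) else " ".join(cmd))
```

Running it shows the two _msdcs NS lines landing in different zones (_msdcs.${DNSFOREST} and ${DNSFOREST}) while the A and SRV lines stay on the dynamic-update path; flipping IF_RWDNS_FOREST to "# " drops the forest NS entries, which is the behaviour a per-line conditional prefix gives that a single global switch could not.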


