14632 – samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname

Bug 14632 - samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname

Summary: samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname

Status:	NEW

Alias:	None

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DNS plugin (BIND DLZ) (show other bugs)
Version:	4.11.6
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Amitay Isaacs
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2021-02-04 23:58 UTC by Bo Kersey
Modified:	2021-02-04 23:58 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Bo Kersey 2021-02-04 23:58:35 UTC

Note: the added account here is dns-ad01.SAMDOM.EXAMPLE.COM, not dns-ad01

root@ad01:/var/lib/samba/bind-dns# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SAMDOM.EXAMPLE.COM.zone
/usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
Adding dns-ad01.SAMDOM.EXAMPLE.COM account
BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf manually.
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Then update bind config to add dlz..  and restart bind9

test with samba_dnsupdate
root@ad01:/var/lib/samba/bind-dns# samba_dnsupdate --all-names
dns_tkey_gssnegotiate: TKEY is unacceptable 
dns_tkey_gssnegotiate: TKEY is unacceptable 
...

So, I think that the user with a fqdn instead of just hostname is wrong, so I edit sam.ldb

root@ad01:~# ldbrename CN=dns-ad01.SAMDOM.EXAMPLE.COM,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM

then edit the resulting record:
ldbedit CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
and make the following changes:

-description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
-sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
-servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com

+description: DNS Service Account for ad01
+sAMAccountName: dns-ad01
+servicePrincipalName: DNS/ad01.samdom.example.com

and now samba_dnsupdate works....
root@ad01:~# samba_dnsupdate --all-names
root@ad01:~# 

Why is samba_upgradedns using a fully qualified domain name instead of just the hostname when it creates the DNS account?

The workaround above is not permanent of course because I think some changes are required in secrets.ldb so that things can get renewed....

hostname appears to return the correct values on the server...
root@ad01:~# hostname
ad01
root@ad01:~# hostname -s
ad01
root@ad01:~# hostname -f
ad01.samdom.example.com