Bug 14632 - samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname
Summary: samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ)
Version: 4.11.6
Hardware: All All
Importance: P5 normal with 5 votes
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-02-04 23:58 UTC by Bo Kersey
Modified: 2022-09-28 14:48 UTC
Description Bo Kersey 2021-02-04 23:58:35 UTC
Note: the added account here is dns-ad01.SAMDOM.EXAMPLE.COM, not dns-ad01

root@ad01:/var/lib/samba/bind-dns# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SAMDOM.EXAMPLE.COM.zone
/usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
Adding dns-ad01.SAMDOM.EXAMPLE.COM account
BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf manually.
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Then update the bind config to add dlz, and restart bind9.

Test with samba_dnsupdate:
root@ad01:/var/lib/samba/bind-dns# samba_dnsupdate --all-names
dns_tkey_gssnegotiate: TKEY is unacceptable 
dns_tkey_gssnegotiate: TKEY is unacceptable 

So, I think that the user with an FQDN instead of just the hostname is wrong, so I edit sam.ldb


Then edit the resulting record:
ldbedit CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
and make the following changes:

-description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
-sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
-servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com

+description: DNS Service Account for ad01
+sAMAccountName: dns-ad01
+servicePrincipalName: DNS/ad01.samdom.example.com

And now samba_dnsupdate works....
root@ad01:~# samba_dnsupdate --all-names

Why is samba_upgradedns using a fully qualified domain name instead of just the hostname when it creates the DNS account?

The workaround above is not permanent of course because I think some changes are required in secrets.ldb so that things can get renewed....

hostname appears to return the correct values on the server...
root@ad01:~# hostname
root@ad01:~# hostname -s
root@ad01:~# hostname -f
Comment 1 Rainer Meier 2022-09-28 08:41:19 UTC
I lost some hours on the same issue. My BIND9_DLZ backend was unable to update DNS records, with "Dns tkey negotiategss: TKEY is unacceptable" errors on "samba_dnsupdate" and on update requests from clients.

I did follow the instructions in <https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable> and re-created the complete BIND9_DLZ configuration as well as removing the dns-user before re-enabling the BIND9_DLZ backend. I was sure there was something wrong with the keytab for BIND9 to access AD. However, the keytab was properly created each time I ran "samba_upgradedns --dns-backend=BIND9_DLZ".

After a while I have noticed the user created was called "dns-host.DOMAIN.tld" instead of "dns-host" as it should.

Well, I did not expect this to matter if the user used by BIND9_DLZ was the "dns-host.DOMAIN.tld" user too.

It turned out BIND9_DLZ will still use "dns-host" and therefore fails to authenticate.

I also found a workaround for the issue. I updated the samba provision python module. On my system I had to edit "/usr/lib/python3.10/site-packages/samba/provision/__init__.py".

Line 2460 reads as follows:
names.hostname = str(res4[0]["dNSHostName"]).replace("." + names.dnsdomain, "")

However, the replace will not work, as dNSHostName contains the hostname with uppercase letters (host.DOMAIN.tld) while names.dnsdomain has been converted to lowercase just a few lines above. I decided to update the line to be case-insensitive (converting all to lowercase) as follows:

names.hostname = str(res4[0]["dNSHostName"]).lower().replace("." + names.dnsdomain, "")

After this I ran another "samba_upgradedns --dns-backend=BIND9_DLZ" and it created the "dns-host" user. However, I still need to find the bug that causes this user not to be properly added to the DnsAdmins group, so I fixed this manually. After this my BIND9_DLZ was working fine.
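The following is an added example, not Samba's code: it reproduces the case-sensitive replace() described in Comment 1 beside the lowercased workaround, adds a stricter suffix-only variant, and derives the account attributes seen in this report's ldbedit diff. The attribute template (dns-<host>, DNS/<host>.<domain>) is assumed from the report, not taken from Samba's provisioning LDIF.

```python
# Added example (not Samba's own code). Input is constructed to match this
# report: mixed-case dNSHostName, lowercased dnsdomain.

def short_hostname_buggy(dns_host_name: str, dnsdomain: str) -> str:
    """Mirrors the original provision line: a case-sensitive replace()."""
    return dns_host_name.replace("." + dnsdomain, "")


def short_hostname_fixed(dns_host_name: str, dnsdomain: str) -> str:
    """Comment 1's workaround: lowercase first, then replace()."""
    return dns_host_name.lower().replace("." + dnsdomain, "")


def short_hostname_strict(dns_host_name: str, dnsdomain: str) -> str:
    """Stricter variant added here: strip the domain only when it is the
    trailing suffix (case-insensitive, trailing dot tolerated); otherwise
    fall back to the first label, like `hostname -s`."""
    suffix = "." + dnsdomain.lower().rstrip(".")
    name = dns_host_name.lower().rstrip(".")
    if name.endswith(suffix):
        return name[: -len(suffix)]
    return name.split(".", 1)[0]


def dns_account_attrs(hostname: str, dnsdomain: str) -> dict:
    """Attribute values for the DNS service account, shaped like the
    ldbedit diff in this report (assumed template)."""
    dnsname = "%s.%s" % (hostname, dnsdomain)
    return {
        "sAMAccountName": "dns-" + hostname,
        "servicePrincipalName": "DNS/" + dnsname,
        "description": "DNS Service Account for " + hostname,
    }


if __name__ == "__main__":
    dns_host_name = "ad01.SAMDOM.EXAMPLE.COM"   # constructed, as in the report
    dnsdomain = "samdom.example.com"            # already lowercased by provision
    for fn in (short_hostname_buggy, short_hostname_fixed, short_hostname_strict):
        attrs = dns_account_attrs(fn(dns_host_name, dnsdomain), dnsdomain)
        print(fn.__name__, attrs["sAMAccountName"], attrs["servicePrincipalName"])
```

The buggy variant yields sAMAccountName dns-ad01.SAMDOM.EXAMPLE.COM and SPN DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com, exactly the values the reporter had to edit out; the other two yield dns-ad01 and DNS/ad01.samdom.example.com.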
Comment 2 Rainer Meier 2022-09-28 08:57:09 UTC
In fact I could not find any code which adds the user to the DnsAdmins group. The samba_upgradedns tool creates the group (DnsAdmins as well as DnsUpdateProxy) if it does not exist, and it creates the user in line 589:

            setup_add_ldif(ldbs.sam, setup_path("provision_dns_add_samba.ldif"), {
                    "DNSDOMAIN": dnsdomain,
                    "DOMAINDN": domaindn,
                    "DNSPASS_B64": b64encode(dnspass.encode('utf-16-le')).decode('utf8'),
                    "HOSTNAME" : hostname,
                    "DNSNAME" : dnsname }
                    )

But I can't see how it adds it to the appropriate group.

So currently I am left with re-adding the "dns-host" user to DnsAdmins group manually after creation.
Comment 3 Rainer Meier 2022-09-28 14:48:02 UTC
Correction, the line index in my report was wrong. The offending line is at line 258.
The code to add the user to the "DnsAdmins" groups seems to be missing as confirmed: