Bug 14632 - samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname
Summary: samba_upgradedns adds dns account as dns-fqdn instead of dns-hostname
Status: NEW
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DNS plugin (BIND DLZ)
Version: 4.11.6
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Amitay Isaacs
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-02-04 23:58 UTC by Bo Kersey
Modified: 2021-02-04 23:58 UTC

Description Bo Kersey 2021-02-04 23:58:35 UTC
Note: the added account here is dns-ad01.SAMDOM.EXAMPLE.COM, not dns-ad01

root@ad01:/var/lib/samba/bind-dns# samba_upgradedns --dns-backend=BIND9_DLZ
Reading domain information
DNS accounts already exist
No zone file /var/lib/samba/bind-dns/dns/SAMDOM.EXAMPLE.COM.zone
/usr/sbin/samba_upgradedns:338: DeprecationWarning: The 'warn' method is deprecated, use 'warning' instead
  logger.warn("DNS records will be automatically created")
DNS records will be automatically created
DNS partitions already exist
Adding dns-ad01.SAMDOM.EXAMPLE.COM account
BIND version unknown, please modify /var/lib/samba/bind-dns/named.conf manually.
See /var/lib/samba/bind-dns/named.conf for an example configuration include file for BIND
and /var/lib/samba/bind-dns/named.txt for further documentation required for secure DNS updates
Finished upgrading DNS

Then update bind config to add dlz..  and restart bind9

test with samba_dnsupdate
root@ad01:/var/lib/samba/bind-dns# samba_dnsupdate --all-names
dns_tkey_gssnegotiate: TKEY is unacceptable 
dns_tkey_gssnegotiate: TKEY is unacceptable 

So, I think that the user with a fqdn instead of just hostname is wrong, so I edit sam.ldb


then edit the resulting record:
ldbedit CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
and make the following changes:

-description: DNS Service Account for ad01.SAMDOM.EXAMPLE.COM
-sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
-servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com

+description: DNS Service Account for ad01
+sAMAccountName: dns-ad01
+servicePrincipalName: DNS/ad01.samdom.example.com

and now samba_dnsupdate works....
root@ad01:~# samba_dnsupdate --all-names

Why is samba_upgradedns using a fully qualified domain name instead of just the hostname when it creates the DNS account?

The workaround above is not permanent of course because I think some changes are required in secrets.ldb so that things can get renewed....

hostname appears to return the correct values on the server...
root@ad01:~# hostname
root@ad01:~# hostname -s
root@ad01:~# hostname -f
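
Added example (not part of the report and not Samba code): a small check that compares a DNS service account record against the short-hostname form used in the reporter's edited record. The function names are hypothetical, the expected naming is an assumption taken from that edited record, and the two sample records are constructed from the values quoted above.

```python
# Added example, not Samba code. Assumption: the expected values follow the
# reporter's corrected record (dns-<short host>, DNS/<short host>.<realm>).

def short_host(name):
    """First DNS label, lower-cased: 'ad01.SAMDOM.EXAMPLE.COM' -> 'ad01'."""
    return name.split(".", 1)[0].lower()

def expected_dns_account(hostname, realm):
    host = short_host(hostname)
    return {
        "sAMAccountName": f"dns-{host}",
        "servicePrincipalName": f"DNS/{host}.{realm.lower()}",
    }

def parse_record(text):
    """Parse 'attr: value' lines (ldbsearch style) into a dict of lists.
    Base64 ('attr:: value') entries are not decoded."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        attrs.setdefault(key.strip(), []).append(value.strip())
    return attrs

def check_dns_account(text, hostname, realm):
    """Return (attribute, found values, expected value) for each mismatch."""
    attrs = parse_record(text)
    problems = []
    for attr, want in expected_dns_account(hostname, realm).items():
        found = attrs.get(attr, [])
        # AD compares both attributes case-insensitively.
        if not any(v.lower() == want.lower() for v in found):
            problems.append((attr, found, want))
    return problems

# Constructed sample records, using the values quoted in the report.
BROKEN = """dn: CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
sAMAccountName: dns-ad01.SAMDOM.EXAMPLE.COM
servicePrincipalName: DNS/ad01.SAMDOM.EXAMPLE.COM.samdom.example.com"""
FIXED = """dn: CN=dns-ad01,CN=Users,DC=SAMDOM,DC=EXAMPLE,DC=COM
sAMAccountName: dns-ad01
servicePrincipalName: DNS/ad01.samdom.example.com"""

if __name__ == "__main__":
    for p in check_dns_account(BROKEN, "ad01.SAMDOM.EXAMPLE.COM", "SAMDOM.EXAMPLE.COM"):
        print("mismatch:", p)
```

Passing the FQDN or the short name as hostname gives the same expected values, so the check can be fed whatever the host is configured with.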