Bug 31311 - S4 connector breaks CNAME DNS records by always appending a missing dot
S4 connector breaks CNAME DNS records by always appending a missing dot
Product: UCS
Classification: Unclassified
Component: S4 Connector
UCS 4.2
Other Linux
: P1 normal (vote)
: UCS 4.2-0-errata
Assigned To: Arvid Requate
Felix Botner
Depends on:
  Show dependency treegraph
Reported: 2013-05-08 08:07 CEST by Kevin Dominik Korte
Modified: 2017-06-15 17:57 CEST (History)
4 users (show)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 4: Minor Usability: Impairs usability in secondary scenarios
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.091
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2013041821001047
Bug group (optional): Usability
Max CVSS v3 score:
requate: Patch_Available+

cname.patch (492 bytes, patch)
2017-04-19 12:47 CEST, Arvid Requate
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Kevin Dominik Korte univentionstaff 2013-05-08 08:07:00 CEST
In UCS a number of DNS entries are semantically wrong, as they represent complete DNS entries, not relative ones, but do not conclude with a dot in the end, e.g. domains are univention.example.com instead of univention.example.com.    .

If you now add a formally correct alias, such as proxy.univention.example.com. the DNS-Alias is not synced into Samba 4. Therefore either UCS should require, and in case of system Setup create, formally correct DNS entries or ignore tailing dots. The current state is only creating confusion.
Comment 1 Kevin Dominik Korte univentionstaff 2013-05-10 10:14:09 CEST
Auch an Ticket#2013041821001047 aufgetreten
Comment 2 Stefan Gohmann univentionstaff 2013-05-13 07:44:34 CEST
I'm not complete sure what you mean. Can you give an example?

This works for me:

root@master511:~# eval $(ucr shell)
root@master511:~# udm dns/alias create --superordinate zoneName=$domainname,cn=dns,$ldap_base --set name=proxy --set cname=$hostname.$domainname
Object created: relativeDomainName=proxy,zoneName=deadlock51.local,cn=dns,dc=deadlock51,dc=local
root@master511:~# ucr get dns/backend
root@master511:~# host proxy
proxy.deadlock51.local is an alias for master511.deadlock51.local.
master511.deadlock51.local has address
root@master511:~# udm dns/alias create --superordinate zoneName=$domainname,cn=dns,$ldap_base --set name=proxy2 --set cname=$hostname.${domainname}.
Object created: relativeDomainName=proxy2,zoneName=deadlock51.local,cn=dns,dc=deadlock51,dc=local
root@master511:~# host proxy2
proxy2.deadlock51.local is an alias for master511.deadlock51.local.
master511.deadlock51.local has address
Comment 3 Kevin Dominik Korte univentionstaff 2013-05-13 08:11:47 CEST
(In reply to comment #2)

The Master was created with either

In both cases this creates the DNS Domain

Formally correct would be the domain

If you now add
it will not be synced to S4. Bind with ldap will work correctly. Host and dig have error handling, which will allow them to resolve both proxy.test.example.com. and proxy.test.example.com as long as the DNS Server provides either answer
Comment 4 Philipp Hahn univentionstaff 2017-04-19 10:31:03 CEST
1. zones are always absolute in BIND; the "zone" statement even MUST NOT have the trailing dot '.'.
2. univention-s4-connector seems to re-write the CNAME records by adding a trailing dot (if it does not exist) and breaks them:

eval "$(ucr shell hostname domainname ldap/base)"
zone=$(udm dns/forward_zone list|sed -ne 's/^DN: //p;T;q')
udm dns/alias create --superordinate "$zone" --set name=a --set cname="$hostname"
udm dns/alias create --superordinate "$zone" --set name=b --set cname="$hostname.$domainname"
udm dns/alias create --superordinate "$zone" --set name=c --set cname="$hostname.$domainname."
univention-ldapsearch -LLLo ldif-wrap=no -b "zoneName=$domainname,cn=dns,$ldap_base" '(cNAMERecord=*)' cNAMERecord relativeDomainName  # OK
 dn: relativeDomainName=a,zoneName=$domainname,cn=dns,$ldap_base
 relativeDomainName: a
 cNAMERecord: $hostname

 dn: relativeDomainName=b,zoneName=$domainname,cn=dns,$ldap_base
 relativeDomainName: b
 cNAMERecord: $hostname.$domainname

 dn: relativeDomainName=c,zoneName=$domainame,cn=dns,$ldap_base
 relativeDomainName: c
 cNAMERecord: $hostname.$domainname.

# dns/backend=ldap:
dig +short @localhost -p 7777 a.$domainname. cname  # OK: $hostname.$domainname.
dig +short @localhost -p 7777 b.$domainname. cname  # EXPECTED-FAIL: $hostname.$domainname.$domainname.
dig +short @localhost -p 7777 c.$domainname. cname  # OK: $hostname.$domainname.

univention-install univention-samba4 univention-s4-connector

# dns/backend=samba4:
dig +short @localhost a.$domainname. cname  # FAIL: $hostname.
dig +short @localhost b.$domainname. cname  # FAIL: $hostname.$domainname.
dig +short @localhost c.$domainname. cname  # OK: $hostname.$domainname.
univention-ldapsearch -LLLo ldif-wrap=no -b "zoneName=$domainname,cn=dns,$ldap_base" '(cNAMERecord=*)' cNAMERecord relativeDomainName  # FAIL
 dn: relativeDomainName=a,zoneName=$domainname,cn=dns,$ldap_base
 relativeDomainName: a
 cNAMERecord: $hostname.
 dn: relativeDomainName=b,zoneName=$domainname,cn=dns,$ldap_base
 relativeDomainName: b
 cNAMERecord: $hostname.$domainname.
 dn: relativeDomainName=c,zoneName=$domainname,cn=dns,$ldap_base
 relativeDomainName: c
 cNAMERecord: $hostname.$domainname.

univention-s4search --cross-ncs --show-binary '(objectClass=dnsNode)'
 dn: DC=a,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
 name: a
 dc: a
 dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        cname                    : $hostname
 dn: DC=b,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
 name: b
 dc: b
 dnsRecord:     NDR: struct dnsp_DnssrvRpcRecord
        cname                    : $hostname.$domainname
 dn: DC=c,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
 name: c
 dc: c
        cname                    : $hostname.$domainname
Comment 5 Arvid Requate univentionstaff 2017-04-19 12:47:06 CEST
Created attachment 8782 [details]
Comment 6 Stefan Gohmann univentionstaff 2017-04-20 10:41:20 CEST
OK, please apply the patch for the next update. If it is more to do, please remove the target milestone.
Comment 7 Arvid Requate univentionstaff 2017-04-24 19:45:04 CEST
Packet rebuilt in ucs_4.2-0 with patch.

Advisory: univention-s4-connector.yaml
Comment 8 Stefan Gohmann univentionstaff 2017-05-06 19:30:00 CEST
Please check the following test case:

root@master421:~# /usr/share/ucs-test/52_s4connector/175sync_create_dns_alias -f
Creating dns/forward_zone object with /usr/sbin/udm-test dns/forward_zone create --set nameserver=master421.deadlock42.intranet --set zone=5yugso90to.aexpbufyed
Creating dns/alias object with /usr/sbin/udm-test dns/alias create --superordinate zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet --set cname=lpwbsjjqwb --set name=kbkgorc5qg
 Testing Ldap object : alias			 Success 
Waiting 30 seconds for sync...

Dig Output :

; <<>> DiG 9.9.5-9+deb8u6A~ <<>> kbkgorc5qg.5yugso90to.aexpbufyed CNAME +noall +answer
;; global options: +cmd
kbkgorc5qg.5yugso90to.aexpbufyed. 900 IN CNAME	lpwbsjjqwb.

OK: DNS synced after 0 seconds

 Testing Ldap object : alias			 Failed
Verification of Ldap object failed: DN: relativeDomainName=kbkgorc5qg,zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet
cNAMERecord: ['lpwbsjjqwb'], missing: 'lpwbsjjqwb.'
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
Warning: Failed to remove 'dns/alias' object 'relativeDomainName=kbkgorc5qg,zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet'
Starting 1 ucs-test at 2017-05-04 00:25:26 to /dev/null
s4connector ucs2con sync of DNS CNAME record........................................................................................................... Test failed
Comment 9 Arvid Requate univentionstaff 2017-06-01 18:57:08 CEST
Ok, test adjusted.
Comment 10 Felix Botner univentionstaff 2017-06-13 17:46:30 CEST
hmm, i am confused

if i create an alias FQDN. in UCS the s4 connectors now modifies this to FQDN (without DOT)

But the tooltip in UMC said:
   "Der Name, auf den dieser Alias verweist. Der FQDN muss mit 
    einem Punkt enden."

So i did exactly what i have been told, but end up with a relative name.
Comment 11 Felix Botner univentionstaff 2017-06-14 09:49:31 CEST
Arvid changed it to "append dot if there is a dot in the cname record".
Comment 12 Felix Botner univentionstaff 2017-06-14 10:13:06 CEST
In samba there is never a DOT at the end of the cname. Even if i use the windows DNS Manager and select a host from the dialog or just type FQDNDOT, the internal record is FQDN not FQDNDOT, although upon reopen the  DNS Manager dialog shows FQDNDOT.

So if we do not append a DOT, all cname records become relative in UCS. That is no good.

So better we append a DOT if the record has a DOT (we assume the record is absolute in this case).

OK - s4-connector appends DOT to cname record if there is a DOT
     in the cname record (s4 -> ucs)
OK - univention-s4-connector.yaml
Comment 13 Janek Walkenhorst univentionstaff 2017-06-15 17:57:48 CEST