Univention Bugzilla – Bug 31311
S4 connector breaks CNAME DNS records by always appending a missing dot
Last modified: 2017-06-15 17:57:48 CEST
In UCS a number of DNS entries are semantically wrong, as they represent complete DNS entries, not relative ones, but do not end with a dot, e.g. domains are univention.example.com instead of univention.example.com. . If you now add a formally correct alias, such as proxy.univention.example.com., the DNS alias is not synced into Samba 4. Therefore UCS should either require, and in the case of system setup create, formally correct DNS entries, or ignore trailing dots. The current state only creates confusion.
Also occurred in Ticket#2013041821001047
I'm not completely sure what you mean. Can you give an example? This works for me:

root@master511:~# eval $(ucr shell)
root@master511:~# udm dns/alias create --superordinate zoneName=$domainname,cn=dns,$ldap_base --set name=proxy --set cname=$hostname.$domainname
Object created: relativeDomainName=proxy,zoneName=deadlock51.local,cn=dns,dc=deadlock51,dc=local
root@master511:~# ucr get dns/backend
samba4
root@master511:~# host proxy
proxy.deadlock51.local is an alias for master511.deadlock51.local.
master511.deadlock51.local has address 10.201.51.1
root@master511:~# udm dns/alias create --superordinate zoneName=$domainname,cn=dns,$ldap_base --set name=proxy2 --set cname=$hostname.${domainname}.
Object created: relativeDomainName=proxy2,zoneName=deadlock51.local,cn=dns,dc=deadlock51,dc=local
root@master511:~# host proxy2
proxy2.deadlock51.local is an alias for master511.deadlock51.local.
master511.deadlock51.local has address 10.201.51.1
root@master511:~#
(In reply to comment #2) The master was created with either master.test.example.com or master.test.example.com. In both cases this creates the DNS domain test.example.com, whereas formally correct would be the domain test.example.com. (with the trailing dot). If you now add proxy.test.example.com. it will not be synced to S4. BIND with LDAP will work correctly. host and dig have error handling which allows them to resolve both proxy.test.example.com. and proxy.test.example.com as long as the DNS server provides either answer.
1. Zones are always absolute in BIND; the "zone" statement even MUST NOT have the trailing dot '.'.

2. univention-s4-connector seems to re-write the CNAME records by adding a trailing dot (if it does not exist) and breaks them:

eval "$(ucr shell hostname domainname ldap/base)"
zone=$(udm dns/forward_zone list|sed -ne 's/^DN: //p;T;q')
udm dns/alias create --superordinate "$zone" --set name=a --set cname="$hostname"
udm dns/alias create --superordinate "$zone" --set name=b --set cname="$hostname.$domainname"
udm dns/alias create --superordinate "$zone" --set name=c --set cname="$hostname.$domainname."

univention-ldapsearch -LLLo ldif-wrap=no -b "zoneName=$domainname,cn=dns,$ldap_base" '(cNAMERecord=*)' cNAMERecord relativeDomainName
# OK
dn: relativeDomainName=a,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: a
cNAMERecord: $hostname

dn: relativeDomainName=b,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: b
cNAMERecord: $hostname.$domainname

dn: relativeDomainName=c,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: c
cNAMERecord: $hostname.$domainname.

# dns/backend=ldap:
dig +short @localhost -p 7777 a.$domainname. cname # OK: $hostname.$domainname.
dig +short @localhost -p 7777 b.$domainname. cname # EXPECTED-FAIL: $hostname.$domainname.$domainname.
dig +short @localhost -p 7777 c.$domainname. cname # OK: $hostname.$domainname.

univention-install univention-samba4 univention-s4-connector
univention-run-join-scripts

# dns/backend=samba4:
dig +short @localhost a.$domainname. cname # FAIL: $hostname.
dig +short @localhost b.$domainname. cname # FAIL: $hostname.$domainname.
dig +short @localhost c.$domainname. cname # OK: $hostname.$domainname.

univention-ldapsearch -LLLo ldif-wrap=no -b "zoneName=$domainname,cn=dns,$ldap_base" '(cNAMERecord=*)' cNAMERecord relativeDomainName
# FAIL
dn: relativeDomainName=a,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: a
cNAMERecord: $hostname.
...
dn: relativeDomainName=b,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: b
cNAMERecord: $hostname.$domainname.
...
dn: relativeDomainName=c,zoneName=$domainname,cn=dns,$ldap_base
relativeDomainName: c
cNAMERecord: $hostname.$domainname.

univention-s4search --cross-ncs --show-binary '(objectClass=dnsNode)'
dn: DC=a,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
name: a
dc: a
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
...
cname : $hostname
...
dn: DC=b,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
name: b
dc: b
dnsRecord: NDR: struct dnsp_DnssrvRpcRecord
...
cname : $hostname.$domainname
...
dn: DC=c,DC=$domainname,CN=MicrosoftDNS,DC=DomainDnsZones,$ldap_base
name: c
dc: c
...
cname : $hostname.$domainname
Created attachment 8782: cname.patch
OK, please apply the patch for the next update. If it is more to do, please remove the target milestone.
Package rebuilt in ucs_4.2-0 with patch. Advisory: univention-s4-connector.yaml
Please check the following test case:

root@master421:~# /usr/share/ucs-test/52_s4connector/175sync_create_dns_alias -f
Creating dns/forward_zone object with /usr/sbin/udm-test dns/forward_zone create --set nameserver=master421.deadlock42.intranet --set zone=5yugso90to.aexpbufyed
Creating dns/alias object with /usr/sbin/udm-test dns/alias create --superordinate zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet --set cname=lpwbsjjqwb --set name=kbkgorc5qg
Testing Ldap object : alias Success
Waiting 30 seconds for sync...
Dig Output :
; <<>> DiG 9.9.5-9+deb8u6A~4.2.0.201702281603-Debian <<>> kbkgorc5qg.5yugso90to.aexpbufyed CNAME +noall +answer
;; global options: +cmd
kbkgorc5qg.5yugso90to.aexpbufyed. 900 IN CNAME lpwbsjjqwb.
OK: DNS synced after 0 seconds
Testing Ldap object : alias Failed
Verification of Ldap object failed: DN: relativeDomainName=kbkgorc5qg,zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet cNAMERecord: ['lpwbsjjqwb'], missing: 'lpwbsjjqwb.'
Cleanup after exception: <type 'exceptions.SystemExit'> 1
Performing UCSTestUDM cleanup...
UCSTestUDM cleanup done
Warning: Failed to remove 'dns/alias' object 'relativeDomainName=kbkgorc5qg,zoneName=5yugso90to.aexpbufyed,dc=deadlock42,dc=intranet'
Starting 1 ucs-test at 2017-05-04 00:25:26 to /dev/null
s4connector ucs2con sync of DNS CNAME record........................................................................................................... Test failed
root@master421:~#
OK, test adjusted.
Hmm, I am confused. If I create an alias FQDN. in UCS, the S4 connector now modifies this to FQDN (without the dot). But the tooltip in UMC says: "The name this alias points to. The FQDN must end with a dot." So I did exactly what I have been told, but end up with a relative name.
Arvid changed it to "append dot if there is a dot in the cname record".
In Samba there is never a dot at the end of the cname. Even if I use the Windows DNS Manager and select a host from the dialog or just type FQDNDOT, the internal record is FQDN, not FQDNDOT, although upon reopening, the DNS Manager dialog shows FQDNDOT. So if we do not append a dot, all cname records become relative in UCS. That is no good. So better we append a dot if the record has a dot (we assume the record is absolute in this case).

OK - s4-connector appends DOT to cname record if there is a DOT in the cname record (s4 -> ucs)
OK - univention-s4-connector.yaml
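As an added illustration of the rule above and of the three aliases a, b and c from comment #8 (example code written for this page, not the S4 connector's own code; host and zone labels are constructed), the targets are round-tripped through the old always-append behaviour and the final append-if-dotted rule, then read the way BIND reads zone data:

```python
# Example code for this bug page, not the S4 connector's own code.
# Host and zone labels are constructed sample values.

def bind_absolute(target: str, zone: str) -> str:
    """BIND reads a CNAME target without a trailing dot as relative to the
    zone origin; only a trailing dot makes it absolute."""
    if target.endswith("."):
        return target
    return f"{target}.{zone}."


def old_s4_to_ucs(cname: str) -> str:
    """Behaviour reported in comment #8: a trailing dot is always appended."""
    return cname if cname.endswith(".") else cname + "."


def fixed_s4_to_ucs(cname: str) -> str:
    """Final rule: Samba stores no trailing dot, so a target containing a dot
    is assumed absolute and gets one appended; a single label stays relative."""
    if cname.endswith(".") or "." not in cname:
        return cname
    return cname + "."


def sync_and_resolve(cname: str, zone: str, convert) -> str:
    """Round trip UCS -> Samba -> UCS: Samba drops the trailing dot, convert()
    maps the value back into UCS LDAP, and BIND (dns/backend=ldap) then
    interprets the stored value."""
    samba_value = cname.rstrip(".")
    return bind_absolute(convert(samba_value), zone)


ZONE = "example.test"       # constructed, stands in for $domainname
HOST = "master"             # constructed, stands in for $hostname
CASES = {                   # the aliases a, b, c from comment #8
    "a": HOST,                  # single label, relative target
    "b": f"{HOST}.{ZONE}",      # FQDN without dot: relative to BIND
    "c": f"{HOST}.{ZONE}.",     # formally correct absolute target
}

if __name__ == "__main__":
    for name, target in CASES.items():
        print(name, target,
              "old ->", sync_and_resolve(target, ZONE, old_s4_to_ucs),
              "fixed ->", sync_and_resolve(target, ZONE, fixed_s4_to_ucs))
```

With the old behaviour alias a ends up pointing at the root-level name master., which is the FAIL from comment #8; with the final rule all three aliases resolve to master.example.test.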
<http://errata.software-univention.de/ucs/4.2/44.html>