I’m documenting something that wasn’t easy to uncover.<\/p>\n
TL;DR – if you want to create a CNAME in Samba to replace an existing DNS record, you must delete the A record first.<\/p>\n
I have an Active Directory domain running on Samba.\u00a0 I’ve had an underpowered file server, simply called ‘files’, for a while.\u00a0 I finally had a chance to upgrade it to some newer hardware with a rather large SSD.<\/p>\n
Since this, like all my home projects, is a side-project that takes several days to complete I chose to build the new server (‘concord’) and get it running while leaving ‘files’ in-place.<\/p>\n
I like to have servers named after their roles, because it makes things easy, but we have a lot more computers than formal roles in the house.\u00a0 We’ve finally settled on a naming convention: Windows names are places in Washington, Apple products are from California, and Linux products are from Massachusetts.\u00a0 (I am aware that Unix was birthed in New Jersey but… Ew.\u00a0 At least X came from MIT, that’s good enough for me.)<\/p>\n
I also have a number of dependencies on the name ‘files’ including, most crucially, my own brain.\u00a0 Muscle memory is hard to overcome (“ls \/net\/files\/… damn ^H\/net\/concord\/…”) and I don’t want to relearn a server name.<\/p>\n
That left me with three problems to solve: follow the naming standard, use a “taken” name for the server, and build said server while the needed name is still available on the network.<\/p>\n
The obvious answer is to use CNAMEs<\/a>.\u00a0 I planned to set up ‘files’ as an alias to ‘concord’.\u00a0 Similar practice would carry us forward through an indefinite number of role-swaps in the future.<\/p>\n After copying all of our data from ‘files’ to ‘concord’ I confidently shut ‘files’ down and added my CNAME.\u00a0 This is where things went wrong.<\/p>\n After shutting ‘files’ down, I started by creating the CNAME:<\/p>\n That’s all well and good.\u00a0 Let’s test it out from another computer:<\/p>\n Crap.\u00a0 That’s the correct canonical name, but the wrong IP address – it’s ‘files’ old IP address.<\/p>\n Some googling uncovered someone with a similar issue back in 2012<\/a>, but they “solved” it by creating static A records instead.\u00a0 That’s not a great solution, certainly not what I want.<\/p>\n I thought about it for a few minutes.\u00a0 I got a success message, but was the record actually created?\u00a0 How can I tell?\u00a0 What happens if I insert it again?<\/p>\n Well, it was inserted somewhere<\/em>, that much is clear.<\/p>\n What happens if I dig it?\u00a0 nslookup gave us a canonical address, but I want to see the actual DNS record.\u00a0 Maybe it contains a clue.<\/p>\n First, lets dig the CNAME:<\/p>\n I’ve bolded the line that shows the alias.\u00a0 That looks right.<\/p>\n But what about ‘files’?<\/p>\n Ah.\u00a0 That looks like a conflict.\u00a0 Both records exist, and one has primacy over the other.<\/p>\n ‘files’ was assigned an address via DHCP, I never gave it a static address, so I didn’t expect that I would need to delete anything.\u00a0 But if I think about it, I realized that Samba doesn’t know that ‘files’ isn’t coming back.\u00a0 (That makes me wonder what kind of graveyard DNS becomes, with friends’ phones and laptops popping in from time to time.)<\/p>\n So, can we delete the old A record, and what happens if we do?<\/p>\n We delete the address.\u00a0 It looks like it’s working:<\/p>\n Was that the problem all along?<\/p>\n That looks pretty good!<\/p>\n","protected":false},"excerpt":{"rendered":" I’m documenting something that wasn’t easy to uncover. TL;DR – if you want to create a CNAME in Samba to replace an existing DNS record, you must delete the A record first. Background I have an Active Directory domain running on Samba.\u00a0 I’ve had an underpowered file server, simply called ‘files’, for a while.\u00a0 I … Continue reading “CNAMEs in Samba”<\/span><\/a><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_crdt_document":"","wprm-recipe-roundup-name":"","wprm-recipe-roundup-description":"","advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[9],"tags":[534,568,151,567,83,566],"class_list":["post-2606","post","type-post","status-publish","format-standard","hentry","category-linux","tag-bind","tag-cname","tag-dad-needs-to-stop-bringing-work-home","tag-dns","tag-linux","tag-samba"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4o3FW-G2","jetpack-related-posts":[],"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2606"}],"version-history":[{"count":5,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2606\/revisions"}],"predecessor-version":[{"id":2611,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=\/wp\/v2\/posts\/2606\/revisions\/2611"}],"wp:attachment":[{"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.jonesling.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}The Problem<\/h1>\n
dc1 # samba-tool dns add 192.168.1.2 ad.jonesling.us files CNAME concord.ad.jonesling.us -U administrator\nPassword for [AD\\administrator]: ******\nRecord added successfully<\/pre>\n
natick $ nslookup\n> files\nServer: dc1\nAddress: 2001:470:1f07:583:44a:52ff:fe4a:8cee#53\n\nName: files.ad.jonesling.us\nAddress: 192.168.1.153\nfiles.ad.jonesling.us canonical name = concord.ad.jonesling.us.<\/pre>\n
dc1 # samba-tool dns add 192.168.1.2 ad.jonesling.us files CNAME concord.ad.jonesling.us -U administrator\nPassword for [AD\\administrator]: ******\n\nERROR(runtime): uncaught exception - (9711, 'WERR_DNS_ERROR_RECORD_ALREADY_EXISTS')\n File \"\/usr\/lib\/python3.7\/site-packages\/samba\/netcmd\/__init__.py\", line 186, in _run\n return self.run(*args, **kwargs)\n File \"\/usr\/lib\/python3.7\/site-packages\/samba\/netcmd\/dns.py\", line 945, in run\n raise e\n File \"\/usr\/lib\/python3.7\/site-packages\/samba\/netcmd\/dns.py\", line 941, in run\n 0, server, zone, name, add_rec_buf, None)<\/pre>\n
dc1 # dig @dc1 files.ad.jonesling.us IN CNAME\n\n; <<>> DiG 9.14.8 <<>> @dc1 files.ad.jonesling.us IN CNAME\n; (1 server found)\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10370\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: 7a0aa65a623d5d3bdbdc39075f2eff9d5b81dbd9ed05c9d0 (good)\n;; QUESTION SECTION:\n;files.ad.jonesling.us. IN CNAME\n\n;; ANSWER SECTION:\nfiles.ad.jonesling.us. 900 IN CNAME concord.ad.jonesling.us.<\/strong>\n\n;; Query time: 8 msec\n;; SERVER: 192.168.1.2#53(192.168.1.2)\n;; WHEN: Sat Aug 08 15:40:13 EDT 2020\n;; MSG SIZE rcvd: 100<\/pre>\n
dc1 # dig @dc1 files.ad.jonesling.us\n\n; <<>> DiG 9.14.8 <<>> @dc1 files.ad.jonesling.us\n; (1 server found)\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42296\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: 0352365b5c07ecdace1ebf3c5f2effa6da5d32bfe9002b32 (good)\n;; QUESTION SECTION:\n;files.ad.jonesling.us. IN A\n\n;; ANSWER SECTION:\nfiles.ad.jonesling.us. 3600 IN A 192.168.1.153<\/strong>\n\n;; Query time: 8 msec\n;; SERVER: 192.168.1.2#53(192.168.1.2)\n;; WHEN: Sat Aug 08 15:40:22 EDT 2020\n;; MSG SIZE rcvd: 94<\/pre>\n
The Solution<\/h1>\n
dc1 # samba-tool dns delete 192.168.1.2 ad.jonesling.us files A 192.168.1.153 -U administrator\nPassword for [AD\\administrator]:\nRecord deleted successfully<\/pre>\n
dc1 # dig @dc1 files.ad.jonesling.us\n\n; <<>> DiG 9.14.8 <<>> @dc1 files.ad.jonesling.us\n; (1 server found)\n;; global options: +cmd\n;; Got answer:\n;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 38286\n;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1\n\n;; OPT PSEUDOSECTION:\n; EDNS: version: 0, flags:; udp: 4096\n; COOKIE: 1610fb8ec07db8e3a43976ed5f2effdffeb142b30ca93848 (good)\n;; QUESTION SECTION:\n;files.ad.jonesling.us. IN A\n\n;; ANSWER SECTION:\nfiles.ad.jonesling.us. 900 IN CNAME concord.ad.jonesling.us.\nconcord.ad.jonesling.us. 3600 IN A 192.168.1.82<\/strong>\n\n;; Query time: 15 msec\n;; SERVER: 192.168.1.2#53(192.168.1.2)\n;; WHEN: Sat Aug 08 15:41:20 EDT 2020\n;; MSG SIZE rcvd: 116<\/pre>\n