
[Samba] missing dns records? _ldaps._tcp ?


L.P.H. van Belle via samba, Aug 24, 2016, 11:10:03 AM
Hai,

I'm wondering, I'm missing the _ldaps._tcp.INTERNAL.DOMAIN.TLD entries in my DNS.

Now, before the updates (badlock) etc. this wasn't noticed, I think.

But now, since I'm setting up everything to do LDAPS, I noticed this in my squid setup

(squid mailing subject: [squid-users] ext_kerberos_ldap_group_acl problem)

My question is... did someone recently set up a new AD DC domain, and if so, does the _ldaps exist?

My squid group helper reported:

support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with res_search
support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD

So I'm checking here before I'm creating a bug report.

Greetz,

Louis


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba

Rowland Penny via samba, Aug 24, 2016, 11:30:04 AM
On Wed, 24 Aug 2016 17:00:43 +0200
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> Hai,
>
> I'm wondering, I'm missing the _ldaps._tcp.INTERNAL.DOMAIN.TLD
> entries in my DNS.
>
> Now, before the updates (badlock) etc. this wasn't noticed, I think.
>
> But now, since I'm setting up everything to do LDAPS, I noticed
> this in my squid setup
>
> (squid mailing subject: [squid-users] ext_kerberos_ldap_group_acl
> problem)
>
> My question is... did someone recently set up a new AD DC domain, and
> if so, does the _ldaps exist?
>
> My squid group helper reported:
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12|
> kerberos_ldap_group: ERROR: Error while resolving service record
> _ldaps._tcp.INTERNAL.DOMAIN.TLD with res_search
>
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12|
> kerberos_ldap_group: ERROR: res_search: Unknown service record:
> _ldaps._tcp.INTERNAL.DOMAIN.TLD
>
> So I'm checking here before I'm creating a bug report.

I don't have this record, I also checked a DC I created for
other testing purposes and it doesn't exist there either.

Does Windows create this record?
Or is it a Squid problem?

Rowland

Achim Gottinger via samba, Aug 24, 2016, 11:50:02 AM


On 24.08.2016 at 17:00, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'm wondering, I'm missing the _ldaps._tcp.INTERNAL.DOMAIN.TLD entries in my DNS.
>
> Now, before the updates (badlock) etc. this wasn't noticed, I think.
>
> But now, since I'm setting up everything to do LDAPS, I noticed this in my squid setup
>
> (squid mailing subject: [squid-users] ext_kerberos_ldap_group_acl problem)
>
> My question is... did someone recently set up a new AD DC domain, and if so, does the _ldaps exist?
>
> My squid group helper reported:
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with res_search
>
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD
>
> So I'm checking here before I'm creating a bug report.
>
> Greetz,
>
> Louis
>
On my 4.4.5 Debian jessie test environment there are also no _ldaps
records. I use BIND there, and the template
/var/lib/samba/private/dns_update_list also lacks these entries!

achim~

lingpanda101--- via samba, Aug 24, 2016, 12:00:03 PM
On 8/24/2016 11:00 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
> I'm wondering, I'm missing the _ldaps._tcp.INTERNAL.DOMAIN.TLD entries in my DNS.
>
> Now, before the updates (badlock) etc. this wasn't noticed, I think.
>
> But now, since I'm setting up everything to do LDAPS, I noticed this in my squid setup
>
> (squid mailing subject: [squid-users] ext_kerberos_ldap_group_acl problem)
>
> My question is... did someone recently set up a new AD DC domain, and if so, does the _ldaps exist?
>
> My squid group helper reported:
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with res_search
>
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group: ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD
>
> So I'm checking here before I'm creating a bug report.
>
> Greetz,
>
> Louis
>

I know you asked recently, but I do have them from a long-ago provisioned
DC as reference.


--
-James

Rowland Penny via samba, Aug 24, 2016, 12:20:02 PM
On Wed, 24 Aug 2016 11:56:06 -0400
lingpanda101--- via samba <sa...@lists.samba.org> wrote:

>
> I know you asked recently but I do have them from a long ago
> provisioned DC as reference.
>
>

If you have them, I think you may be the only one who does ;-)

A bit of searching doesn't turn up anything about _ldaps records, just
_ldap.

Rowland

lingpanda101--- via samba, Aug 24, 2016, 12:30:04 PM
On 8/24/2016 12:10 PM, Rowland Penny via samba wrote:
> On Wed, 24 Aug 2016 11:56:06 -0400
> lingpanda101--- via samba <sa...@lists.samba.org> wrote:
>
>> I know you asked recently but I do have them from a long ago
>> provisioned DC as reference.
>>
>>
> If you have them, I think you may be the only one who does ;-)
>
> A bit of searching doesn't turn up anything about _ldaps records, just
> _ldap.
>
> Rowland
>
>
My domain was provisioned from 4.0. Here is my info.

root@pfdc1:~# samba -V
Version 4.4.5

root@pfdc1:~# uname -a
Linux pfdc1.domain.local 3.2.0-106-generic #147-Ubuntu SMP Tue Jun 28
21:27:24 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

Using Internal DNS. From Windows command line I typed


Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\james>nslookup
(root) ??? unknown type 41 ???
Default Server: UnKnown
Address: 172.16.232.29

> set type=all
> _ldap._tcp.dc._msdcs.domain.local
Server: UnKnown
Address: 172.16.232.29

_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = pfdc1.domain.local
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = soldc1.domain.local
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dundc1.domain.local
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = soldc2.domain.local
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = dundc2.domain.local
_ldap._tcp.dc._msdcs.domain.local SRV service location:
priority = 0
weight = 100
port = 389
svr hostname = pfdc2.domain.local
_msdcs.domain.local
primary name server = pfdc1.domain.local
responsible mail addr = hostmaster.domain.local
serial = 34
refresh = 900 (15 mins)
retry = 600 (10 mins)
expire = 86400 (1 day)
default TTL = 3600 (1 hour)
>



--
-James

lingpanda101--- via samba, Aug 24, 2016, 12:30:05 PM
I see my issue. I didn't see 'ldaps'. Sorry for the confusion.

L.P.H. van Belle via samba, Aug 25, 2016, 4:30:03 AM
OK, thank you guys for your input.

So we need to add something here:

cat /var/lib/samba/private/dns_update_list | grep ldap

${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                               ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                     ${HOSTNAME} 389
${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST}  ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}      ${HOSTNAME} 389
${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                    ${HOSTNAME} 389
${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                     ${HOSTNAME} 3268
${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}      ${HOSTNAME} 3268
${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}                ${HOSTNAME} 389
${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}                ${HOSTNAME} 389
${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

I've added the SRV records now as follows, and my squid groups now respond better :-) great.

Use these commands, handy for others..

samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone 636 0 100'
samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone 636 0 100'

Now I do believe that this is needed by default in the Samba installs, if SSL/TLS is enabled by default.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-...@lists.samba.org] On behalf of Rowland Penny via
> samba
> Sent: Wednesday 24 August 2016 18:10
> To: sa...@lists.samba.org
> Subject: Re: [Samba] missing dns records? _ldaps._tcp ?

mathias dufresne via samba, Aug 25, 2016, 4:40:03 AM
https://technet.microsoft.com/en-us/library/cc961719.aspx?f=255&MSPPError=-2147217396

No _ldaps in that link...

2016-08-25 10:22 GMT+02:00 L.P.H. van Belle via samba <sa...@lists.samba.org>:

Rowland Penny via samba, Aug 25, 2016, 5:00:02 AM
No, I think you need to fix squid or at the very least, ask squid where
they got _ldaps from, because it doesn't seem to exist on any AD DC.

L.P.H. van Belle via samba, Aug 25, 2016, 5:30:03 AM
>
> No, I think you need to fix squid or at the very least, ask squid where
> they got _ldaps from, because it doesn't seem to exist on any AD DC.
>
> Rowland

That's correct Rowland, found that also.. but.. I also did find:


_ldaps._tcp is not any standard
But that's what usually people do if they can't use startTLS.

And
StartTLS is always preferred over ldaps

and
https://tools.ietf.org/html/draft-hall-ldap-whois-01
7.4.5. SRV processing


The query models described in this document make use of DNS SRV
resource records whenever a new query process is started, as a way
to locate the LDAP servers associated with a DIT.

The procedure for constructing this SRV lookup is as follows:

a. Construct an SRV-specific label pair for the service type.
For LDAP queries, this will be "_ldap._tcp", while LDAPS
will use "_ldaps._tcp".

b. Append the SRV label pair to the left of the input domain
name. In the case of an LDAP query for "example.com", this
would result in an SRV-specific domain name of
"_ldap._tcp.example.com".

c. Issue a DNS query for the SRV resource records associated
with the domain name formed in step 7.4.5.b.

https://tools.ietf.org/html/rfc2782
no word about ssl/tls.. arg :-/

So, it's all optional, as I'm seeing here.

So if you prefer SSL over STARTTLS then it's an option to add
the SRV records, or if an application uses/prefers it.
Or default _ldap._tcp with the ldaps port and set a higher preference on the SRV record.

One I must make a note of for the squid group setup.

Thanks guys.

Greetz,

Louis
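Louis's samba-tool additions above and the SRV procedure he quotes from the draft both come down to the same client-side logic: build the `_ldap._tcp` / `_ldaps._tcp` owner name, query it, and order the targets. The following is an added example in Python (not Samba, squid or mailing-list code) that does exactly that over a constructed in-memory zone standing in for DNS: steps a and b of section 7.4.5 build the name, RFC 2782 priority and weight order the answer, a client that prefers LDAPS falls back to `_ldap._tcp` (the only label Samba's dns_update_list publishes) when the optional `_ldaps._tcp` records are absent, which is the case the squid helper failed on, and a small lint flags a record whose port contradicts its label. The zone contents, the host names dc1/dc2.internal.domain.tld and all function names are assumptions made for the example.

```python
"""Added example (not Samba, squid or list code): SRV-based LDAP location.

Implements steps a-c of section 7.4.5 of draft-hall-ldap-whois plus the
RFC 2782 priority/weight ordering. DNS is replaced by a constructed
in-memory zone so the example runs offline.
"""
import random
from typing import Dict, List, Tuple

# One SRV RR: (priority, weight, port, target), the RFC 2782 field order.
SrvRecord = Tuple[int, int, int, str]

# Constructed stand-in for the DNS zone. The _ldap._tcp records on 389 are
# what Samba's dns_update_list publishes; the _ldaps._tcp records on 636
# mirror the ones added with samba-tool in the thread (host names assumed).
CONSTRUCTED_ZONE: Dict[str, List[SrvRecord]] = {
    "_ldap._tcp.internal.domain.tld": [
        (0, 100, 389, "dc1.internal.domain.tld"),
        (0, 100, 389, "dc2.internal.domain.tld"),
    ],
    "_ldaps._tcp.internal.domain.tld": [
        (0, 100, 636, "dc1.internal.domain.tld"),
        (0, 100, 636, "dc2.internal.domain.tld"),
    ],
}

# The service label, not the port number, tells a client how to talk to the
# target: ldap:// (cleartext, optionally upgraded with StartTLS) or ldaps://
# (TLS from the first byte). STANDARD_PORTS is used by the lint below.
SERVICE_SCHEME = {"_ldap._tcp": "ldap", "_ldaps._tcp": "ldaps"}
STANDARD_PORTS = {"_ldap._tcp": {389, 3268}, "_ldaps._tcp": {636, 3269}}


def srv_name(service: str, domain: str) -> str:
    """Steps a and b: prepend the service label pair to the domain name."""
    if service not in SERVICE_SCHEME:
        raise ValueError(f"unsupported LDAP service label {service!r}")
    return f"{service}.{domain.strip('.')}".lower()


def order_rfc2782(records: List[SrvRecord], rng: random.Random) -> List[SrvRecord]:
    """Lowest priority first; within one priority, weighted random selection."""
    ordered: List[SrvRecord] = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            total = sum(r[1] for r in pool)
            pick = rng.randint(0, total)  # 0..total inclusive, as RFC 2782 describes
            running = 0
            for rec in pool:
                running += rec[1]
                if running >= pick:
                    ordered.append(rec)
                    pool.remove(rec)
                    break
    return ordered


def locate_ldap(domain: str, prefer_ldaps: bool,
                zone: Dict[str, List[SrvRecord]] = CONSTRUCTED_ZONE,
                seed: int = 0) -> List[str]:
    """Step c: look up the SRV name and return LDAP URLs in connection order.

    With prefer_ldaps the optional _ldaps._tcp label is tried first and
    _ldap._tcp (the only label AD and Samba publish by default) is the
    fallback, so a domain without _ldaps records still resolves instead of
    producing an "Unknown service record" failure.
    """
    rng = random.Random(seed)
    labels = ["_ldaps._tcp", "_ldap._tcp"] if prefer_ldaps else ["_ldap._tcp"]
    for service in labels:
        answer = zone.get(srv_name(service, domain), [])
        if answer:
            scheme = SERVICE_SCHEME[service]
            return [f"{scheme}://{target}:{port}"
                    for _, _, port, target in order_rfc2782(answer, rng)]
    return []


def mismatched_ports(zone: Dict[str, List[SrvRecord]]) -> List[Tuple[str, str, int]]:
    """Flag SRV records whose port contradicts the label, e.g. 636 under _ldap._tcp."""
    bad: List[Tuple[str, str, int]] = []
    for name, records in zone.items():
        service = ".".join(name.split(".")[:2])
        allowed = STANDARD_PORTS.get(service)
        if allowed is None:
            continue
        for _, _, port, target in records:
            if port not in allowed:
                bad.append((name, target, port))
    return bad


if __name__ == "__main__":
    print(locate_ldap("INTERNAL.DOMAIN.TLD", prefer_ldaps=True))
    print(locate_ldap("INTERNAL.DOMAIN.TLD", prefer_ldaps=False))
    print(mismatched_ports({"_ldap._tcp.x.example": [(0, 100, 636, "dc.x.example")]}))
```

The lint is the part worth keeping around: publishing an LDAPS port under `_ldap._tcp` would make clients open a cleartext session (or send StartTLS) to a port that only speaks TLS, so the label and the port have to agree.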

Rowland Penny via samba, Aug 25, 2016, 6:00:03 AM
On Thu, 25 Aug 2016 11:22:46 +0200
"L.P.H. van Belle via samba" <sa...@lists.samba.org> wrote:

> >
> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on any
> > AD DC.
> >
> > Rowland
>
> That's correct Rowland, found that also.. but.. I also did find:
>
>
> _ldaps._tcp is not any standard
> But that's what usually people do if they can't use startTLS.
>
> And
> StartTLS is always preferred over ldaps
>
> and
> https://tools.ietf.org/html/draft-hall-ldap-whois-01


Louis, that RFC expired 14 years ago and Microsoft still isn't using
_ldaps._tcp, I would go back to squid and point this out.

Rowland

Harry Jede via samba, Aug 27, 2016, 9:40:03 AM
On 15:14:06, Rowland Penny via samba wrote:
Google search:
site:technet.microsoft.com ldaps

and you will find:
http://social.technet.microsoft.com/wiki/contents/articles/2979.event-id-1220-ldap-over-ssl-ldaps.aspx

"If you install the AD CS role and specify the Setup Type as Enterprise
on a domain controller, all domain controllers in the forest will be
configured automatically to accept LDAP over SSL."


>
> Rowland


--

Regards
Harry Jede

Harry Jede via samba, Aug 27, 2016, 9:40:03 AM
On 15:21:56, L.P.H. van Belle via samba wrote:
Or if an admin or a company policy requests SSL.

> Or default _ldap._tcp with the ldaps port and set a higher preference
> on the SRV record.
To declare _ldap._tcp with an SSL port should not work. ldaps ports do
not accept plain text connections nor the start_tls command.

> One i must make a note of for the squid group setup.
>
> Thanks guys.
>
> Greetz,
>
> Louis


--

Regards
Harry Jede

Rowland Penny via samba, Aug 27, 2016, 10:00:03 AM
You still will not get any '_ldaps._tcp' objects in AD, using AD with
SSL wasn't the problem.