samba - Aug 2016 - missing dns records? _ldaps._tcp ?

Hai, 

 

Im wondering, im missing the  _ldaps._tcp. INTERNAL.DOMAIN.TLD entries in my
dns.

Now, before the updates ( badlock ) etc. this wasnt notice i think. 

But now since im setting up that everything is doing ldaps i noticed this in my
squid setup

 

( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem ) 

 

My question is...   did someone resently setup a new AD DC domain and if so does
the _ldaps exits? 

 

My squid group helper reported .. 

support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with
res_search

support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD

 

so im checking here before im creating a bug report. 

 

 

Greetz, 

 

Louis

 

On Wed, 24 Aug 2016 17:00:43 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> Hai, 
> 
>  
> 
> Im wondering, im missing the  _ldaps._tcp. INTERNAL.DOMAIN.TLD
> entries in my dns. 
> 
> Now, before the updates ( badlock ) etc. this wasnt notice i think. 
> 
> But now since im setting up that everything is doing ldaps i noticed
> this in my squid setup
> 
>  
> 
> ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl
> problem ) 
> 
>  
> 
> My question is...   did someone resently setup a new AD DC domain and
> if so does the _ldaps exits?  
> 
>  
> 
> My squid group helper reported .. 
> 
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12|
> kerberos_ldap_group: ERROR: Error while resolving service record
> _ldaps._tcp.INTERNAL.DOMAIN.TLD with res_search
> 
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12|
> kerberos_ldap_group: ERROR: res_search: Unknown service record:
> _ldaps._tcp.INTERNAL.DOMAIN.TLD 
> 
>  
> 
> so im checking here before im creating a bug report. 
I don't have this record, I also checked a DC I created for
other testing purposes and it doesn't exist there either.

Does windows create this record ?
Or is it a Squid problem ?

Rowland

Am 24.08.2016 um 17:00 schrieb L.P.H. van Belle via
samba:
> Hai,
>
>   
>
> Im wondering, im missing the  _ldaps._tcp. INTERNAL.DOMAIN.TLD entries in
my dns.
>
> Now, before the updates ( badlock ) etc. this wasnt notice i think.
>
> But now since im setting up that everything is doing ldaps i noticed this
in my squid setup
>
>   
>
> ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem
)
>
>   
>
> My question is...   did someone resently setup a new AD DC domain and if so
does the _ldaps exits?
>
>   
>
> My squid group helper reported ..
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with
res_search
>
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD
>
>   
>
> so im checking here before im creating a bug report.
>
>   
>
>   
>
> Greetz,
>
>   
>
> Louis
>
>   
>
On my 4.4.5 debian jessie test environment there also are no _ldaps 
records. I use bind there and the template 
/var/lib/samba/private/dns_update_list also lacks these entries!

achim~

On 8/24/2016 11:00 AM, L.P.H. van Belle via samba wrote:
> Hai,
>
>   
>
> Im wondering, im missing the  _ldaps._tcp. INTERNAL.DOMAIN.TLD entries in
my dns.
>
> Now, before the updates ( badlock ) etc. this wasnt notice i think.
>
> But now since im setting up that everything is doing ldaps i noticed this
in my squid setup
>
>   
>
> ( squid mailing subject : [squid-users] ext_kerberos_ldap_group_acl problem
)
>
>   
>
> My question is...   did someone resently setup a new AD DC domain and if so
does the _ldaps exits?
>
>   
>
> My squid group helper reported ..
>
> support_resolv.cc(289): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: Error while resolving service record _ldaps._tcp.INTERNAL.DOMAIN.TLD with
res_search
>
> support_resolv.cc(71): pid=6902 :2016/08/24 16:10:12| kerberos_ldap_group:
ERROR: res_search: Unknown service record: _ldaps._tcp.INTERNAL.DOMAIN.TLD
>
>   
>
> so im checking here before im creating a bug report.
>
>   
>
>   
>
> Greetz,
>
>   
>
> Louis
>
>   
>
I know you asked recently but I do have them from a long ago provisioned 
DC as reference.


-- 
-James

On Wed, 24 Aug 2016 11:56:06 -0400
lingpanda101--- via samba <samba at lists.samba.org> wrote:
> 
> I know you asked recently but I do have them from a long ago
> provisioned DC as reference.
> 
> 
If you have them, I think you may be the only one who does ;-)

A bit of searching doesn't turn up anything about _ldaps records, just
_ldap.

Rowland

Ok thank you guys for you input.

 

 

So we need tot add something here :  

cat /var/lib/samba/private/dns_update_list | grep ldap

${IF_RWDC}SRV          _ldap._tcp.${DNSDOMAIN}                              
${HOSTNAME} 389

${IF_RWDC}SRV          _ldap._tcp.dc._msdcs.${DNSDOMAIN}                    
${HOSTNAME} 389

${IF_RWDC}SRV          _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} 
${HOSTNAME} 389

${IF_DC}SRV            _ldap._tcp.${SITE}._sites.${DNSDOMAIN}               
${HOSTNAME} 389

${IF_DC}SRV            _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN}     
${HOSTNAME} 389

${IF_PDC}SRV           _ldap._tcp.pdc._msdcs.${DNSDOMAIN}                   
${HOSTNAME} 389

${IF_RWGC}SRV          _ldap._tcp.gc._msdcs.${DNSFOREST}                    
${HOSTNAME} 3268

${IF_GC}SRV            _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST}     
${HOSTNAME} 3268

${IF_RWDNS_DOMAIN}SRV  _ldap._tcp.DomainDnsZones.${DNSDOMAIN}               
${HOSTNAME} 389

${IF_DNS_DOMAIN}SRV    _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN}
${HOSTNAME} 389

${IF_RWDNS_FOREST}SRV  _ldap._tcp.ForestDnsZones.${DNSFOREST}               
${HOSTNAME} 389

${IF_DNS_FOREST}SRV    _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST}
${HOSTNAME} 389

 

 

Ive added the SRV records now as followed, and my squid groups not repond better
:-) great.

Use these commands, handy for others.. 

samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone 636 0
100'

samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone 636 0
100'

 

now i do believe, that this needs by default in the samba installs, if ssl/tls
is enabled by default.

 

 

Greetz, 

 

Louis

 

 

 

 

 
> -----Oorspronkelijk bericht-----
> Van: samba [mailto:samba-bounces at lists.samba.org] Namens Rowland Penny
via
> samba
> Verzonden: woensdag 24 augustus 2016 18:10
> Aan: samba at lists.samba.org
> Onderwerp: Re: [Samba] missing dns records? _ldaps._tcp ?
> 
> On Wed, 24 Aug 2016 11:56:06 -0400
> lingpanda101--- via samba <samba at lists.samba.org> wrote:
> 
> >
> > I know you asked recently but I do have them from a long ago
> > provisioned DC as reference.
> >
> >
> 
> If you have them, I think you may be the only one who does ;-)
> 
> A bit of searching doesn't turn up anything about _ldaps records, just
> _ldap.
> 
> Rowland
> 
> 
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba