Ok thank you guys for your input.

So we need to add something here:

cat /var/lib/samba/private/dns_update_list | grep ldap
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.${DOMAINGUID}.domains._msdcs.${DNSFOREST} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DC}SRV _ldap._tcp.${SITE}._sites.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_PDC}SRV _ldap._tcp.pdc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
${IF_GC}SRV _ldap._tcp.${SITE}._sites.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWDNS_DOMAIN}SRV _ldap._tcp.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
${IF_DNS_DOMAIN}SRV _ldap._tcp.${SITE}._sites.DomainDnsZones.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDNS_FOREST}SRV _ldap._tcp.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389
${IF_DNS_FOREST}SRV _ldap._tcp.${SITE}._sites.ForestDnsZones.${DNSFOREST} ${HOSTNAME} 389

I've added the SRV records now as follows, and my squid groups now respond better :-) great.

Use these commands, handy for others..

samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone 636 0 100'
samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone 636 0 100'

Now I do believe that this needs to be in the samba installs by default, if ssl/tls is enabled by default.

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of Rowland Penny via samba
> Sent: Wednesday 24 August 2016 18:10
> To: samba at lists.samba.org
> Subject: Re: [Samba] missing dns records? _ldaps._tcp ?
>
> On Wed, 24 Aug 2016 11:56:06 -0400
> lingpanda101--- via samba <samba at lists.samba.org> wrote:
>
> > I know you asked recently but I do have them from a long ago
> > provisioned DC as reference.
>
> If you have them, I think you may be the only one who does ;-)
>
> A bit of searching doesn't turn up anything about _ldaps records, just
> _ldap.
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
https://technet.microsoft.com/en-us/library/cc961719.aspx?f=255&MSPPError=-2147217396

No _ldaps in that link...

2016-08-25 10:22 GMT+02:00 L.P.H. van Belle via samba <samba at lists.samba.org>:
> Ok thank you guys for your input.
>
> So we need to add something here:
>
> cat /var/lib/samba/private/dns_update_list | grep ldap
> [...]
>
> I've added the SRV records now as follows, and my squid groups now respond
> better :-) great.
>
> Use these commands, handy for others..
>
> samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone 636 0 100'
> samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone 636 0 100'
>
> Now I do believe that this needs to be in the samba installs by default, if
> ssl/tls is enabled by default.
>
> Greetz,
>
> Louis
>
> [...]
On Thu, 25 Aug 2016 10:22:36 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> Ok thank you guys for your input.
>
> So we need to add something here:
>
> cat /var/lib/samba/private/dns_update_list | grep ldap
> [...]
>
> I've added the SRV records now as follows, and my squid groups now
> respond better :-) great.
>
> Use these commands, handy for others..
>
> samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone
> 636 0 100'
> samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone
> 636 0 100'
>
> Now I do believe that this needs to be in the samba installs by default,
> if ssl/tls is enabled by default.
>
> Greetz,
>
> Louis
>
> [...]

No, I think you need to fix squid or at the very least, ask squid where
they got _ldaps from, because it doesn't seem to exist on any AD DC.

Rowland
> No, I think you need to fix squid or at the very least, ask squid where
> they got _ldaps from, because it doesn't seem to exist on any AD DC.
>
> Rowland

That's correct Rowland, found that also.. but.. I also did find:

_ldaps._tcp is not any standard
But that's what usually people do if they can't use startTLS.

And
startTLS is preferred always before ldaps

and
https://tools.ietf.org/html/draft-hall-ldap-whois-01

  7.4.5. SRV processing

  The query models described in this document make use of DNS SRV
  resource records whenever a new query process is started, as a way
  to locate the LDAP servers associated with a DIT.

  The procedure for constructing this SRV lookup is as follows:

  a. Construct an SRV-specific label pair for the service type. For
     LDAP queries, this will be "_ldap._tcp", while LDAPS will use
     "_ldaps._tcp".

  b. Append the SRV label pair to the left of the input domain name.
     In the case of an LDAP query for "example.com", this would result
     in an SRV-specific domain name of "_ldap._tcp.example.com".

  c. Issue a DNS query for the SRV resource records associated with
     the domain name formed in step 7.4.5.b.

https://tools.ietf.org/html/rfc2782
no word about ssl/tls.. arg :-/

So, it's all optional, as I'm seeing here.

So if you prefer SSL over STARTTLS then it's an option to add the SRV
records, or if an application uses/prefers it.
Or default _ldap._tcp with the ldaps port and set higher preference on
the SRV record.

One I must make a note of for the squid group setup.

Thanks guys.

Greetz,

Louis
On Thu, 25 Aug 2016 11:22:46 +0200
"L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:

> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on any
> > AD DC.
> >
> > Rowland
>
> That's correct Rowland, found that also.. but.. I also did find:
>
> _ldaps._tcp is not any standard
> But that's what usually people do if they can't use startTLS.
>
> And
> startTLS is preferred always before ldaps
>
> and
> https://tools.ietf.org/html/draft-hall-ldap-whois-01

Louis, that RFC expired 14 years ago and Microsoft still isn't using
_ldaps._tcp, I would go back to squid and point this out.

Rowland
On 15:21:56 wrote L.P.H. van Belle via samba:
> > No, I think you need to fix squid or at the very least, ask squid
> > where they got _ldaps from, because it doesn't seem to exist on
> > any AD DC.
> >
> > Rowland
>
> That's correct Rowland, found that also.. but.. I also did find:
>
> _ldaps._tcp is not any standard
> But that's what usually people do if they can't use startTLS.
>
> And
> startTLS is preferred always before ldaps
>
> and
> https://tools.ietf.org/html/draft-hall-ldap-whois-01
> 7.4.5. SRV processing
> [...]
> https://tools.ietf.org/html/rfc2782
> no word about ssl/tls.. arg :-/
>
> So, it's all optional, as I'm seeing here.
>
> So if you prefer SSL over STARTTLS then it's an option to add
> the SRV records, or if an application uses/prefers it.

Or if an admin or a company policy request ssl.

> Or default _ldap._tcp with the ldaps port and set higher preference
> on the SRV record.

To declare _ldap._tcp with a ssl port should not work. ldaps ports do
not accept plain text connections nor the start_tls command.

> One I must make a note of for the squid group setup.
>
> Thanks guys.
>
> Greetz,
>
> Louis

--
Regards
Harry Jede
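Louis's samba-tool commands earlier in the thread and Harry's objection just above (a TLS-only port under _ldap._tcp) can both be checked mechanically. The following Python is an added example, not code from the thread or from Samba: it parses lines in the dns_update_list format quoted above, renders the matching samba-tool dns add command for each, and flags entries whose service name and port disagree. The domain, hostname and sample lines are constructed.

```python
import re
from string import Template

# Constructed sample in the dns_update_list format quoted in the thread (the
# real file is /var/lib/samba/private/dns_update_list); the last two lines
# are deliberately questionable so that audit() has something to flag.
SAMPLE_UPDATE_LIST = """\
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWDC}SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN} ${HOSTNAME} 389
${IF_RWGC}SRV _ldap._tcp.gc._msdcs.${DNSFOREST} ${HOSTNAME} 3268
${IF_RWDC}SRV _ldaps._tcp.${DNSDOMAIN} ${HOSTNAME} 636
${IF_RWDC}SRV _ldap._tcp.${DNSDOMAIN} ${HOSTNAME} 636
"""
# Constructed values for the placeholders samba fills in at update time.
VARS = {"DNSDOMAIN": "samdom.example.com", "DNSFOREST": "samdom.example.com",
        "HOSTNAME": "dc1.samdom.example.com"}

LINE_RE = re.compile(r"^\$\{(IF_\w+)\}SRV\s+(\S+)\s+(\S+)\s+(\d+)$")
TLS_ONLY_PORTS = {636, 3269}  # LDAPS and GC over SSL: no plaintext, no StartTLS

def parse_update_list(text, variables):
    """Return (condition, fqdn, target, port) tuples with ${VAR}s expanded."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # non-SRV lines (A/AAAA/CNAME) are not handled here
        cond, name, target, port = m.groups()
        records.append((cond, Template(name).safe_substitute(variables),
                        Template(target).safe_substitute(variables), int(port)))
    return records

def to_samba_tool(record, server, zone, priority=0, weight=100):
    """Render 'samba-tool dns add' as Louis did: data is 'target port priority weight'."""
    _, name, target, port = record
    if name.endswith("." + zone):
        name = name[: -(len(zone) + 1)]  # samba-tool takes the zone-relative name
    return (f"samba-tool dns add {server} {zone} {name} SRV "
            f"'{target} {port} {priority} {weight}'")

def audit(records):
    """Flag SRV entries an LDAP client will not handle the way the name implies."""
    findings = []
    for _, name, _, port in records:
        if name.startswith("_ldap._tcp.") and port in TLS_ONLY_PORTS:
            findings.append((name, port, "plaintext/StartTLS service name on a TLS-only port"))
        elif name.startswith("_ldaps._tcp."):
            findings.append((name, port, "not published by AD DCs; only some non-AD clients query it"))
    return findings
```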
On 15:14:06 wrote Rowland Penny via samba:
> On Thu, 25 Aug 2016 10:22:36 +0200
> "L.P.H. van Belle via samba" <samba at lists.samba.org> wrote:
> > Ok thank you guys for your input.
> > [...]
> > samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc1.dns_zone
> > 636 0 100'
> > samba-tool dns add DC1.fqdn dns_zone _ldaps._tcp SRV 'dc2.dns_zone
> > 636 0 100'
> >
> > Now I do believe that this needs to be in the samba installs by default,
> > if ssl/tls is enabled by default.
> > [...]
>
> No, I think you need to fix squid or at the very least, ask squid
> where they got _ldaps from, because it doesn't seem to exist on any
> AD DC.

Google search: site:technet.microsoft.com ldaps and you will find:
http://social.technet.microsoft.com/wiki/contents/articles/2979.event-id-1220-ldap-over-ssl-ldaps.aspx

"If you install the AD CS role and specify the Setup Type as Enterprise
on a domain controller, all domain controllers in the forest will be
configured automatically to accept LDAP over SSL."

> Rowland

--
Regards
Harry Jede