Ah, that explains it.
I can only speak from the Samba point of view and with Bind9.18.28
running on Debian bookworm, BIND9_DLZ works as expected.
Back when Samba first had the capability of running as an AD DC, Bind9
had to be rebuilt to use dlz, you had to recompile with '--with-dlz'.
Around 2014, Bind stopped using this switch and built it in as a
default, so you no longer had to rebuild Bind9.
I suppose that I should point out that you could have set up a Samba AD
domain in a lot less time than you have spent already.
Rowland
On 23/09/2024 14:05, Jose Antonio Baduria Jr wrote:
Hi Rowland,
I found this on an ubuntu forum site
(https://askubuntu.com/questions/630875/how-to-install-bind9-with-dlz-ubuntu-server-14-04).
I verified it with Google Gemini. It is not supported out of the box. I've
spent a week trying to get bind9 to work with dlz but it seems to crash every
time I put in DLZ config on named.local.conf as it does not recognize the
configs. Only workaround is to compile bind with dlz. I don't plan to compile
it on my own as I need to be wary of any patching that can impact it.
Jose
-----Original Message-----
From: Rowland Penny <rpenny241...@gmail.com>
Sent: Monday, September 23, 2024 4:33 AM
To: lam-public@lists.sourceforge.net
Subject: Re: [Lam-public] LDAP DNS issue
Could I ask where Jose found the information that Ubuntu had dropped support
for DLZ ?
This worried me, I had heard nothing of this, so I did some checking, Samba
with Bind9 relies on DLZ.
I can find nothing that says Ubuntu (or Bind) have dropped DLZ, what I did find
was that Ubuntu have removed the bind-dyndb-ldap package as it appears to be
broken:
https://bugs.launchpad.net/ubuntu/+source/bind-dyndb-ldap/+bug/2078003
Rowland Penny
Samba team member
On 21/09/2024 20:15, Jose Antonio Baduria Jr via Lam-public wrote:
Hi,
I just found out that bind9 in ubuntu dropped support for DLZ. Could
be the same thing with redhat. It now uses dyndb. Would LDAP manager support
it? I tried power dns but I am facing the same issue. The documentation for
powerdns for LAM is very scant? How can I create a zone for powerdns? I can do
it with Bind DNS with New Zone.
Thanks,
Jose
-----Original Message-----
From: Roland Gruber <p...@rolandgruber.de>
Sent: Friday, September 20, 2024 1:35 PM
To: lam-public@lists.sourceforge.net
Subject: Re: [Lam-public] LDAP DNS issue
Hi Jose,
is nslookup contacting your server at all? You should see its IP address in the
output.
I suggest continuing the investigation on the Bind user mailing list, as this goes
more in the direction of configuring Bind itself. There you will find more experts
on this topic:
https://lists.isc.org/mailman/listinfo/bind-users
Best regards
Roland
On 20.09.24 at 14:43, Jose Antonio Baduria Jr via Lam-public wrote:
Hi,
I activated logging. I do see some slapd messages but when I do the
nslookup, I don't see any slapd logs. It is not communicating to ldap?
# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" "(olcLogLevel=*)"
SASL/EXTERNAL authentication started
SASL username:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (olcLogLevel=*)
# requesting: ALL
#
# config
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
-----Original Message-----
From: Roland Gruber <p...@rolandgruber.de>
Sent: Friday, September 20, 2024 1:38 AM
To: lam-public@lists.sourceforge.net
Subject: Re: [Lam-public] LDAP DNS issue
Hi Jose,
please activate logging on LDAP server side to see which queries are performed
on LDAP-side. Then you can check why they do not return results.
Log level (olcLogLevel in /etc/ldap/slapd.d/cn=config.ldif) for OpenLDAP should be e.g.
"stats".
Best regards
Roland
On 20.09.24 at 01:08, Jose Antonio Baduria Jr via Lam-public wrote:
Hi,
I have set up openldap as a dns server. I have set up an ldap backend
using bind9-dyndb-ldap. dig works but somehow nslookup fails.
I do see the following issue on the logs:
Sep 19 22:32:25 sdc-ops-openldap01 named[260087]: 0 master zones from LDAP instance 'ldap' loaded (0 zones defined, 0 inactive, 0 failed to load)
Sep 19 22:32:25 sdc-ops-openldap01 named[260087]: 0 master zones is suspicious number, please check access control instructions on LDAP server
root@sdc-ops-openldap01:/etc/bind# nslookup sdc-ops-for01.bd.internal
;; Got SERVFAIL reply from 10.32.183.11, trying next server
** server can't find sdc-ops-for01.bd.internal: NXDOMAIN

root@sdc-ops-openldap01:/etc/bind# dig @10.32.183.11 sdc-ops-for01

; <<>> DiG 9.18.28-0ubuntu0.22.04.1-Ubuntu <<>> @10.32.183.11 sdc-ops-for01
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 27733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
; COOKIE: 89af8b62d831e3d70100000066ecae50cc3e47461128b789 (good)
;; QUESTION SECTION:
;sdc-ops-for01.                 IN      A

;; Query time: 324 msec
;; SERVER: 10.32.183.11#53(10.32.183.11) (UDP)
;; WHEN: Thu Sep 19 23:05:52 UTC 2024
;; MSG SIZE  rcvd: 70
root@sdc-ops-openldap01:/etc/bind# ldapsearch -x -H ldap://10.32.183.11 -P 3 -LLL -b "dlzHostName=@,dlzZoneName=bd.internal,ou=dns,dc=bd,dc=internal" "(objectClass=dlzSOARecord)"
dn: dlzRecordID=1,dlzHostName=@,dlzZoneName=bd.internal,ou=dns,dc=bd,dc=internal
objectClass: top
objectClass: dlzSOARecord
dlzRecordID: 1
dlzHostName: @
dlzType: SOA
dlzSerial: 1
dlzRefresh: 2800
dlzRetry: 7200
dlzExpire: 604800
dlzMinimum: 86400
dlzAdminEmail: root.example.com.
dlzTTL: 1209600
dlzPrimaryNS: sdc-ops-openldap01.bd.internal.
/etc/bind/named.conf:

dyndb "ldap" "/usr/lib/bind/ldap.so" {
    uri "ldap://10.32.183.11";
    base "ou=dns,dc=bd,dc=internal";
    auth_method "simple";
    bind_dn "cn=admin,dc=bd,dc=internal";
    password "PASSWORD";
};
Not sure what the issue is. Any ideas?
Thanks,
Jose
_______________________________________________
Lam-public mailing list
Lam-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lam-public
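As an added illustration of Roland's advice to turn on slapd "stats" logging and read which queries the DNS server actually sends to LDAP: the script below is example code written for this page, not code from LAM, OpenLDAP, bind-dyndb-ldap or anyone in the thread. It correlates slapd stats lines per connection (who bound, what base and filter was searched, what result code and how many entries came back) and flags searches that errored or returned nothing, which is what the "0 master zones ... check access control instructions" message points at. The sample log lines are constructed; the host name, connection ids, timestamps and the `idnsZone` filter are assumptions, while the bind DN, search base and the `dlzSOARecord` search are the ones that appear in Jose's messages. Point `analyze()` at your real slapd log to see the real filter the plugin uses.

```python
"""Correlate OpenLDAP 'stats' log lines into per-connection search findings (example code)."""
import re
from collections import defaultdict

# Standard LDAP result codes worth naming when reading slapd logs.
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
            50: "insufficientAccessRights"}

# Constructed sample: three connections from the DNS server (10.32.183.11).
# conn=1000 binds as the dyndb bind_dn and gets zero entries, conn=1001 binds
# anonymously and is refused by an ACL, conn=1002 repeats the ldapsearch from
# the thread and finds the SOA record. Host, ids and times are made up.
SAMPLE_LOG = """\
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 fd=12 ACCEPT from IP=10.32.183.11:50212 (IP=0.0.0.0:389)
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 op=0 BIND dn="cn=admin,dc=bd,dc=internal" method=128
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 op=0 RESULT tag=97 err=0 text=
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 op=1 SRCH base="ou=dns,dc=bd,dc=internal" scope=2 deref=0 filter="(objectClass=idnsZone)"
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 op=1 SRCH attr=idnsName idnsZoneActive
Sep 20 14:40:01 sdc-ops-openldap01 slapd[1234]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 20 14:40:02 sdc-ops-openldap01 slapd[1234]: conn=1001 fd=13 ACCEPT from IP=10.32.183.11:50213 (IP=0.0.0.0:389)
Sep 20 14:40:02 sdc-ops-openldap01 slapd[1234]: conn=1001 op=0 BIND dn="" method=128
Sep 20 14:40:02 sdc-ops-openldap01 slapd[1234]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 20 14:40:02 sdc-ops-openldap01 slapd[1234]: conn=1001 op=1 SRCH base="ou=dns,dc=bd,dc=internal" scope=2 deref=0 filter="(objectClass=idnsZone)"
Sep 20 14:40:02 sdc-ops-openldap01 slapd[1234]: conn=1001 op=1 SEARCH RESULT tag=101 err=50 nentries=0 text=
Sep 20 14:40:03 sdc-ops-openldap01 slapd[1234]: conn=1002 fd=14 ACCEPT from IP=10.32.183.11:50214 (IP=0.0.0.0:389)
Sep 20 14:40:03 sdc-ops-openldap01 slapd[1234]: conn=1002 op=0 BIND dn="cn=admin,dc=bd,dc=internal" method=128
Sep 20 14:40:03 sdc-ops-openldap01 slapd[1234]: conn=1002 op=0 RESULT tag=97 err=0 text=
Sep 20 14:40:03 sdc-ops-openldap01 slapd[1234]: conn=1002 op=1 SRCH base="dlzHostName=@,dlzZoneName=bd.internal,ou=dns,dc=bd,dc=internal" scope=2 deref=0 filter="(objectClass=dlzSOARecord)"
Sep 20 14:40:03 sdc-ops-openldap01 slapd[1234]: conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

CONN_RE = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'deref=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'op=(?P<op>\d+) SEARCH RESULT tag=101 err=(?P<err>\d+) nentries=(?P<n>\d+)')


def verdict(err, nentries):
    """Turn a search result code and entry count into a one-line interpretation."""
    if err != 0:
        return "error: " + LDAP_ERR.get(err, f"ldap result code {err}")
    if nentries == 0:
        return ("empty: entries may exist but be invisible to this bind DN (ACL), "
                "or the base/filter do not match the schema stored in the tree")
    return "ok"


def analyze(log_text):
    """Return one finding per completed search: who searched, for what, and what came back."""
    bind_dn = defaultdict(lambda: "<anonymous>")   # conn -> DN of the last BIND
    searches = defaultdict(dict)                    # conn -> op -> (base, scope, filter)
    findings = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group("conn"), m.group("rest")
        if (b := BIND_RE.search(rest)):
            bind_dn[conn] = b.group("dn") or "<anonymous>"
        elif (s := SRCH_RE.search(rest)):
            searches[conn][s.group("op")] = (s.group("base"), int(s.group("scope")), s.group("filter"))
        elif (r := RESULT_RE.search(rest)):
            base, scope, flt = searches[conn].get(r.group("op"), ("?", -1, "?"))
            err, n = int(r.group("err")), int(r.group("n"))
            findings.append({"conn": conn, "bind_dn": bind_dn[conn], "base": base,
                             "scope": scope, "filter": flt, "err": err,
                             "nentries": n, "verdict": verdict(err, n)})
    return findings


def report(findings):
    """Human-readable lines, one per search, for reading alongside the named log."""
    return [f"conn={f['conn']} as {f['bind_dn']}: base={f['base']} filter={f['filter']} "
            f"-> err={f['err']} nentries={f['nentries']} [{f['verdict']}]" for f in findings]


if __name__ == "__main__":
    print("\n".join(report(analyze(SAMPLE_LOG))))
```

Reading the output next to the named log tells you which of the three things went wrong: the bind DN could not see the subtree (an error or an empty result for a base that ldapsearch as a more privileged user does return), the plugin searched a different base than the one you populated, or it asked for a different objectClass than the entries carry.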