[Samba] Antw: Re: bind9 dlopen/dlz problems [update]

Marcel Ritter Marcel.Ritter at rrze.uni-erlangen.de
Wed Feb 9 01:58:18 MST 2011

>>> Andrew Bartlett <abartlet at samba.org> schrieb am 2/8/2011 um 22:15
in Nachricht
<1297199717.28365.6.camel at obed>:
> On Mon, 2011-02-07 at 08:28 +0100, Marcel Ritter wrote:
> > Hi,
> > 
> > just a short update on this issue:
> > 
> > By using strace and having a look at the source code, I found the
> > reason for the named error:
> > 
> > Accessing samba database via ldapi requires the use of ildap.so
> > (samba ldb module, which is not located in "standard ldb modules
> > path"). Just setting LDB_MODULES_PATH to the directory containing
> > it makes named start:
> > 
> > export LDB_MODULES_PATH=/usr/lib/samba/ldb/
> > named -u named 
> > -> startup complete
> > 
> > So it wasn't my first suspect "ldap uri":
> >      ldapi:///var/lib/samba4/private/ldap_priv/ldapi  
> >      ldapi://%2Fvar%2Flib%2Fsamba4%2Fprivate%2Fldap_priv%2Fldapi 
> > 
> > This leaves me with the task to finally get some DNS entries into
> > samba database :-)
> The only way to get DNS entries in is by replicating an existing
> Microsoft DNS server.
> Anyway, the reason there isn't any documentation is that it's not
> finished.  We got it to the point where we were able to show that
> BIND9.8 when released would do what we want, when we are loaded with
> dlopen dlz plugin.  That was an important milestone, as it is more
> difficult to get a new BIND version to Samba4 users than an updated
> plugin. 
> From here, we need to come up with a secure read/write approach over
> LDAPI, with transactions of some kind, and tidy up some other
> Then we will publish some more docs on this.  But in the meantime,
> seem to have cracked the setup for the less secure, unsafe (no
> transactions) but works-for-a-demo mode of operation :-). 
> Andrew Bartlett
> -- 
> Andrew Bartlett                               
> Authentication Developer, Samba Team           http://samba.org 
> Samba Developer, Cisco Inc.

Hi Andrew,

thanks for giving an update on this issue.

I know it may be a little early (and insecure) to use this setup - but
I like the way it works anyway :-)

Just in case someone wanted to modify the provision tool, to create
the DNS entries in samba ldb database directly instead of creating
a named.conf - could you give some directions where to start?

(And yes, I know that Active Directory DNS data types are ugly binary
blobs, but I'll take that as a challenge :-)


More information about the samba mailing list