Topic: possible samba and firewall module bug or is it install error?

JensJacobsen

Background:
I have two installs of EBOX.
1. Using the EBOX CD, upgraded to latest versions of EBOX modules from the EBOX repo.
2. Using Hardy server, upgraded and then upgraded to latest versions of EBOX modules from the EBOX repo.
Both are running under VMware WS (for now); the machines have equal configuration with 2 virtual ethernet cards.

Nags and Bugs:
1. Whenever I log in using the web interface I get the message "Save Changes"
- I Save and get the message:
"eBox detected that some files which need to be overwritten have been modified by you.
Do you wish to overwrite these files?"

" Module: samba
File: /etc/ldap.conf
Comment: To let NSS know how to access LDAP accounts "

I wing the green V and save, and everything is good until the next boot -> same again.
How do I remove this or the offending module that modifies ldap.conf?

2. Firewall issue:
I configure one LAN card as external, DHCP configured,
and one LAN card as internal, static configured.

HOWEVER:
The management interface and ssh are only available on the internal interface if the firewall has rules that enable ssh and ebox administration on the external interface. I have tried to flip the "external" checkbox for both interfaces a number of times but always the same (rules must be enabled on the external if for it to work and internal if rules have no effect). Tested a number of times with reboots etc. However samba is supposed to only work on internal interfaces and it works just fine. This problem also exists before any updates, straight out of the EBOX install CD. Is it me that does not understand the Internal / external definition or is it a VMware related problem or is it an install issue?

I hope someone can help me with this...

Regards
Jens



javi

Re: possible samba and firewall module bug or is it install error?
« Reply #1 on: July 06, 2008, 09:16:51 pm »
Quote
The management interface and ssh are only available on the internal interface if the firewall has rules that enable ssh and ebox administration on the external interface. I have tried to flip the "external" checkbox for both interfaces a number of times but always the same (rules must be enabled on the external if for it to work and internal if rules have no effect). Tested a number of times with reboots etc. However samba is supposed to only work on internal interfaces and it works just fine. This problem also exists before any updates, straight out of the EBOX install CD. Is it me that does not understand the Internal / external definition or is it a VMware related problem or is it an install issue?

This is really weird. Could you please post the relevant firewall rules here? Section + rule

JensJacobsen

Re: possible samba and firewall module bug or is it install error?
« Reply #2 on: July 07, 2008, 10:01:41 am »
Hi Javi

Thanks for taking an interest in this issue.

I have the following config:

eth0: dhcp (DHCP server set so it will always hand out 192.168.1.21 to the EBOX server) (marked external)
eth1: static 192.168.1.120 (NOT marked external = internal)

Firewall rules:

1. Filtering rules from internal networks to eBox
(This is completely standard except for I have moved up the "ssh" and "eBox administration" rules)

ACCEPT    Any    ssh                    --
ACCEPT    Any    eBox administration    --
ACCEPT    Any    http                   --
ACCEPT    Any    ipp                    --
ACCEPT    Any    samba                  --
ACCEPT    Any    ntp                    --
ACCEPT    Any    Mail system            --
DENY      Any    ldap                   --
ACCEPT    Any    dns                    --
ACCEPT    Any    dhcp                   --
ACCEPT    Any    tftp                   --

2. No rules for "Filtering rules for internal networks"

3. Filtering rules for traffic coming out of eBox:
ACCEPT       Any   HTTP software       rule to allow apt updates

4. Filtering rules from external networks to eBox
(2 rules added).
ACCEPT    Any    eBox administration    --
ACCEPT    Any    ssh                    --
DENY      Any    Mail system            --

5. no rules for "Filtering rules from external networks to internal networks"

In point 4 I have added the two rules for eBox administration and ssh.
And here is the issue: 192.168.1.120 is the internal interface, in order to access eBox on this interface I have to add the 2 rules under point 4 for the external networks....
On the 192.168.1.120 interface the samba server is available sometimes and all the time if an access rule gets added on the external interface (4) for samba access it is available all the time (!).
However digging into the problems: once a "good" config is entered for ebox then redefining the internal interface to 192.168.3.120 makes everything work as expected, I'm quite baffled by this but it could be a bug related to first configure vs reconfigure (reconfigure works but initial configure does not work 100%).

It also looks like the other problem (save changes hanging) went away after about 3 reboots...

Regards
Jens
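
An added example, not part of the thread: a check over the configuration posted in Reply #2, where the external and internal interfaces both have 192.168.1.x addresses. The /24 masks, the sample client address and the function names are assumptions, and the thread itself does not establish a cause.

```python
import ipaddress
from itertools import combinations

# Constructed from the configuration posted in Reply #2. The /24 prefix
# lengths are an assumption: the thread does not state the netmasks.
POSTED = {
    "eth0": {"addr": "192.168.1.21/24", "external": True},
    "eth1": {"addr": "192.168.1.120/24", "external": False},
}
# Same setup after the internal interface was moved to 192.168.3.120.
RECONFIGURED = {
    "eth0": {"addr": "192.168.1.21/24", "external": True},
    "eth1": {"addr": "192.168.3.120/24", "external": False},
}


def zone_overlaps(interfaces):
    """Return (external_if, internal_if, shared_network) for every pair of
    interfaces in different zones whose subnets overlap."""
    findings = []
    for (name_a, a), (name_b, b) in combinations(sorted(interfaces.items()), 2):
        if a["external"] == b["external"]:
            continue  # same zone, nothing to disambiguate
        net_a = ipaddress.ip_interface(a["addr"]).network
        net_b = ipaddress.ip_interface(b["addr"]).network
        if net_a.overlaps(net_b):
            ext, internal = (name_a, name_b) if a["external"] else (name_b, name_a)
            # The more specific of the two networks is the shared range.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            findings.append((ext, internal, str(shared)))
    return findings


def interfaces_reaching(interfaces, peer):
    """List interfaces whose directly connected subnet contains `peer`.
    More than one name means the peer's address alone does not tell
    which interface, and so which rule section, its traffic will hit."""
    peer_ip = ipaddress.ip_address(peer)
    return sorted(
        name for name, cfg in interfaces.items()
        if peer_ip in ipaddress.ip_interface(cfg["addr"]).network
    )


if __name__ == "__main__":
    print("posted:      ", zone_overlaps(POSTED))
    print("reconfigured:", zone_overlaps(RECONFIGURED))
    # 192.168.1.50 is a constructed client address on the shared range.
    print("client paths:", interfaces_reaching(POSTED, "192.168.1.50"))
```
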


javi

Re: possible samba and firewall module bug or is it install error?
« Reply #3 on: July 07, 2008, 01:03:32 pm »
Hi Jens,

Thanks a lot for a very detailed description.

The thing about samba listening on the external interfaces is a great hint. Samba will only listen on internal interfaces, so, as you said, eBox wasn't aware of the change in the first place.

I'll try to reproduce the issue.

May I ask you if you always restarted the services using the web interface, or did you start them from the console?
Another thing, did you modify any of the samba configuration files manually?


Thanks again!!!