Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: Vertel on November 09, 2012, 01:34:16 am

Title: [Solved] Windows File Sharing over VPN unreliable
Post by: Vertel on November 09, 2012, 01:34:16 am
I'm servicing a client who has their network arranged across three locations, with a Windows 2008 R2 Enterprise server acting as domain controller and file server at location 1, with client machines in all three locations. The remote locations are connected in to location 1 with Zentyal-to-Zentyal VPN boxes, and everything is working correctly as far as domain communications goes, except for file sharing.

The file sharing itself is working; network drives are being mapped, you can see, access, all the good stuff. But at seemingly random intermittent moments remote locations appear to lose the ability to see the Windows 2008 server, despite pings, etc. all going through correctly at the very same moment. The problem always resolves itself in a few seconds, but one of the remote locations has some network share files constantly open and being worked on, and this network disruption completely knocks them offline and can damage their working files. When this happens, the server usually gets Windows Error ID 2012, but I've exhausted all the options searching for that error gives me. I have narrowed the problem to the VPN link, as the client machines at location 1 have absolutely no problem with extended access to file shares. I'm just not sure where to go from here, as the VPN link seems to remain up when these outages happen.

Any ideas?
Title: Re: Windows File Sharing over VPN unreliable
Post by: nicolasdiogo on November 09, 2012, 04:44:57 pm
i have used the VPN module without the Windows Controller - and it has worked great for transferring files.
3-4 GB files transfer with no corruption or drop in communication.

regards,
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on April 05, 2013, 09:41:44 am
Any new info about this topic?

Were you able to solve this, nicolasdiogo?

Thank you!
Title: Re: Windows File Sharing over VPN unreliable
Post by: nicolasdiogo on April 05, 2013, 04:09:31 pm
i can not find this problem

if you are able to provide details on how you encounter this problem i will look into it.

regards,
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 01, 2013, 07:31:56 pm
I'm having the same problem. It seems that, in my case, the clients are disconnected when some other client accesses a file in the file system. But they don't disconnect from the lan (they still can ping the server, use the IM server or access the webpages that are only accessible in the LAN). They just don't seem to find the files, or are denied permission to them, or takes so long to open the file that it times out.

Any idea on what it can be? Or at least if I should blame the network, the operating system, the permissions system, open vpn software or Zentyal itself?
Title: Re: Windows File Sharing over VPN unreliable
Post by: nicolasdiogo on May 01, 2013, 09:55:17 pm
hi were you able to verify the logs on the Zentyal server?
if the files are locked - i would presume that samba would write to a log to flag any problem.

could you time when this error occurs and have a look at samba log?

i do not have resources to test this config with Win2008AD.

Title: Re: Windows File Sharing over VPN unreliable
Post by: christian on May 01, 2013, 10:11:17 pm
something linked to this ?

(extract from Zentyal documentation)
Quote
Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.
[3]   For additional information about file sharing go to section File sharing and authentication service
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 01, 2013, 10:43:56 pm
As far as I can remember (today is a holiday here) I don't have the file sharing module enabled. Still, as I mentioned, users are able to access the shared folders, as long as no other user accesses any other file. Anyway, I'll enable the module first thing tomorrow morning.

Just in case it could give any hint, I had Zentyal 2.2 VPN working great (file sharing was enabled and configured as a domain client, but I wasn't able to configure Zentyal 3.0.17 as a domain client when I tried).

Thanks for your clues, I'll post a follow up.
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 02, 2013, 09:53:54 am
Ok, samba enabled, still the same problems.

One thing I noticed, my in-LAN users can ping the file server by its name, while the ones connected through the VPN can't. Is that something normal or may have to do with the issue?

Edit: I can ping the FQDN of the file server, but not its short version.
Title: Re: Windows File Sharing over VPN unreliable
Post by: christian on May 02, 2013, 10:02:52 am
The answer is within Zentyal documentation:
Quote
You now have access to the data server from both remote clients. If you want to use the local Zentyal DNS service through the private network, you need to configure these clients to use Zentyal as name server. Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address. Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.

Too bad, I didn't paste it in my previous post as I thought it was clear enough  :-[

Technically speaking, VPN can, if I understand correctly, push DNS related info but I suppose it has some limitation like need to run client as administrator?
Anyway, this option is not implemented by Zentyal.
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 02, 2013, 11:39:56 am
My fault, I focused on the file sharing bit and didn't see that DNS part. Sorry and thanks for your time.

Quote
Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast of traffic from the Samba server.

I have enabled file sharing (with the most basic configuration) (see attached file). That should be enough, I think?

My VPN clients connect from another LAN. I can see in the VPN widget that they are not using the default VPN port, but are assigned a (seemingly) random one. May that have anything to do with the issue? Is there anything I have to do (open ports in the firewall, or configure them somewhere) to make them work?

I'd like to remind anyone reading this that the clients can connect and use the files, so I had already discarded the firewall or closed ports as the cause of the problem. And that no change has been made in the clients, just moved from zentyal 2.2 to 3.

Title: Re: Windows File Sharing over VPN unreliable
Post by: Sam Graf on May 02, 2013, 02:04:54 pm
Quote
My VPN clients connect from another LAN. I can see in the VPN widget that they are not using the default VPN port, but are assigned a (seemingly) random one. May that have anything to do with the issue? Is there anything I have to do (open ports in the firewall, or configure them somewhere) to make them work?

I don't think so.

Quote
I'd like to remind anyone reading this that the clients can connect and use the files, so I had already discarded the firewall or closed ports as the cause of the problem. And that no change has been made in the clients, just moved from zentyal 2.2 to 3.

So the number of VPN servers is unchanged from the 2.2 setup? And the client bundles were not replaced because ... ? I'm just curious about that (I don't know for a fact that there is a problem here) since Zentyal 2.2 and Zentyal 3.0 are built on different Ubuntu LTS releases; my instinct would have been to update the clients as well.
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 02, 2013, 02:25:55 pm
I wrote that the clients are still the same as before, meaning that no new software has been added, nor changes have been made to their firewalls, etc. Yes, the client bundles were replaced (many times, in fact, since I have been testing all kind of things to make it work). Also the client program was reinstalled (not sure if in all the clients, but in most of them).

Zentyal OpenVPN log indicated that there were TLS handshake errors every now and then, but can't relate them to the failures.

I turned up the verbosity of Zentyal OpenVPN logs to 6, but now there are hundreds of occurrences per second, and I couldn't find any error.
Title: Re: Windows File Sharing over VPN unreliable
Post by: nicolasdiogo on May 02, 2013, 02:31:39 pm
it seems that there are problems with Zentyal that are using internal/local LDAP as well as those using WINDOWS AD.

i will spin up a system and check this (without WINAD).

to be certain - everybody is using and having problems with Zentyal 3?

Quote
Otherwise, it will not be possible to access services by the hosts in the LAN by name, but only by IP address.
that means your clients connected through VPN do not use the Zentyal in their dns lookup.

Title: Re: Windows File Sharing over VPN unreliable
Post by: christian on May 02, 2013, 02:31:57 pm
I don't understand why you enable file sharing on Zentyal if you do not intend to share anything  :o
The only potential added value could be, assuming this is configured this way, use of Zentyal as WINS server. This aside, I don't understand what it brings.

I also don't understand how VPN clients could use port that is not assigned. Very strange to me.

When you create client bundle, you're supposed to include client certificate that is signed by Zentyal CA.
Depending on how you moved from 2.2 to 3.0, this may just break VPN service (I never ran Zentyal migration script but assume that it keeps CA and issued certificates)

What perhaps deserves some clarification in your initial explanation is this
 
Quote
The file sharing itself is working; network drives are being mapped, you can see, access, all the good stuff. But at seemingly random intermittent moments remote locations appear to lose the ability to see the Windows 2008 server, despite pings, etc. all going through correctly at the very same moment. The problem always resolves itself in a few seconds, but one of the remote locations has some network share files constantly open and being worked on, and this network disruption completely knocks them offline and can damage their working files

what do you mean with "to see"? If you confirm server can still be reached (e.g. ping), then I would suggest that you look at some potential error or conflict with master browser election process.
Title: Re: Windows File Sharing over VPN unreliable
Post by: Sam Graf on May 02, 2013, 02:39:20 pm
Quote
I wrote that the clients are still the same as before, meaning that no new software has been added, nor changes have been made to their firewalls, etc. Yes, the client bundles were replaced (many times, in fact, since I have been testing all kind of things to make it work). Also the client program was reinstalled (not sure if in all the clients, but in most of them).

Thank you, much clearer than "no change has been made in the clients, just moved from zentyal 2.2 to 3," which I read literally as change only to the server.

Quote
to be certain - everybody is using and having problems with Zentyal 3?

I had no problems with Zentyal 3 in a test environment where clients were not joining a domain, but that was local only. I'm not aware of Zentyal 3 problems specific to VPN connections.
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on May 02, 2013, 04:04:06 pm
My Zentyal 2.2 was set up as a client of my Windows 2003 AD. I haven't set up this Zentyal 3 as a client (because it throws an error about Windows forest functional level that I have to investigate deeper). May this "outside the domain" setup of Zentyal be causing the problem? If so, is it normal that clients can access the files, and use them, sometimes for a long time, but they randomly disconnect? (with error messages like "you don't have permissions to access this file" or "the net machine you are trying to access doesn't exist any more" - sorry, translating the error messages I get, because I couldn't find the original English equivalent).

Thank you all for your comments, I'm really lost when it comes to networks, and would never be able to fix it without your help.


Title: Re: Windows File Sharing over VPN unreliable
Post by: christian on May 02, 2013, 04:56:09 pm
"the net machine you are trying to access doesn't exist any more"

Sorry to push again but this really looks like master browser related error. Just give a look closer  ;)
Title: Re: Windows File Sharing over VPN unreliable
Post by: akhasis on June 04, 2013, 09:44:22 pm
Thank you for the hint, christian.

I didn't want to reply till I had solved the problem, because it really seems that it is a Master Browser issue here. But no luck yet.

I have spent all this time reading about Master Browser, but still don't know what to try. So I'll post here in case you can help me again.

This is how my network works:
Most of the machines in the headquarters of the company are inside a domain. They are all connected via lan, and there are a few windows XP and a lot of Windows 7 (a few home and the rest professional - of course, only the professional ones are inside the domain). Then, the main server is a Windows 2003, and there are a couple of other servers, a Linux web server, outside the domain, and the Zentyal server, inside the domain, which has the file sharing module enabled, among others.

Then there are other offices that connect to our lan via (zentyal) VPN. These are the ones that are having problems sharing data. Some Windows XP, some Windows 7, all out of the domain.

At first, I thought the problem was due to the mix of computers belonging to the domain with others outside of the domain and in different workgroups. I also read that having a network with machines running windows 7 can mess up your samba shares because they all fight to be the master browser. But again, the computers in my LAN can access shares properly, no matter what operating system they are using or whether they are inside the domain.

Just for testing purposes, I made one of the computers (windows 7, belongs to the domain) inside the LAN connect via VPN. As soon as it connects through the VPN, it starts getting the same errors as the other ones in the offices outside the LAN.

I don't know what else to try. Any ideas?
Title: Solved (for me): Windows File Sharing over VPN unreliable
Post by: akhasis on August 13, 2013, 08:34:28 am
Ok, in my case it finally didn't have to do with any of the things I was investigating (domain issues, win7 mixed with win xp in the domain, master browser misconfiguration, etc...), but a much simpler reason.

I found out, by running net session in the file server to which the machines had to connect, that the IP address of all of them was the one of my Zentyal VPN server. That is, when a client connected, it adopted that IP address. When a new one connected, it adopted that very same address, throwing the first client out.

Once I knew what the problem was, it was very easy to solve: I just had to disable the NAT option and everything went smooth.

The thing is, that was one of the first things I tried and it didn't work at first, so I had to spend months trying other solutions. If you are in the same situation, if possible, create the VPN server from scratch and issue new certificates for every client.

I don't know if Vertel, the creator of the thread, has already fixed his problem with the VPN. Either if he has or he is not interested in it any more, I think this thread should be marked as solved, in case other people come here looking for a solution for a similar problem.
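
The check described in the post above (reading `net session` on the file server and noticing that every VPN client shows the VPN server's address), as an added example that is not part of the original thread: it parses saved `net session` output and reports each source address that carries sessions for more than one user. It assumes English-language column headers; the sample rows, user names and the address 10.0.0.1 for the Zentyal VPN server are constructed.

```python
from collections import defaultdict

ROW_FMT = "{:<23}{:<21}{:<18}{:>5} {}"  # column layout of English `net session` output

def build_sample():
    """Constructed sample output; addresses and user names are made up."""
    rows = [
        (r"\\10.0.0.1", "anna", "", 3, "00:00:12"),
        (r"\\10.0.0.1", "bruno", "", 1, "00:04:51"),
        (r"\\10.0.0.1", "carla", "", 0, "00:10:02"),
        (r"\\10.0.0.57", "dave", "", 2, "00:01:30"),
    ]
    head = ROW_FMT.format("Computer", "User name", "Client Type", "Opens", "Idle time")
    body = [ROW_FMT.format(*row) for row in rows]
    return "\n".join([head, "", "-" * 79, *body, "The command completed successfully."])

def parse_sessions(text):
    """Return (source address, user) pairs, slicing columns at the header offsets."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Computer"))
    user_col, type_col = header.index("User name"), header.index("Client Type")
    return [
        (line[:user_col].strip().lstrip("\\"), line[user_col:type_col].strip())
        for line in lines if line.startswith("\\\\")
    ]

def diagnose(text, vpn_server_addr):
    """Report every source address that carries sessions for more than one user."""
    users_by_addr = defaultdict(set)
    for addr, user in parse_sessions(text):
        users_by_addr[addr].add(user or "(no user)")
    return {
        addr: {"users": sorted(users), "is_vpn_server": addr == vpn_server_addr}
        for addr, users in users_by_addr.items() if len(users) > 1
    }

if __name__ == "__main__":
    # 10.0.0.1 is an assumed address for the Zentyal VPN server.
    for addr, info in diagnose(build_sample(), "10.0.0.1").items():
        print(addr, info)
```

A terminal server or other multi-user host can also show several users from one address, so the result matters when the flagged address is the VPN server's own.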
Title: Re: [Solved] Windows File Sharing over VPN unreliable
Post by: Escorpiom on August 14, 2013, 06:38:17 pm
I've marked this as solved, perhaps the OP can confirm this in time.

Cheers.