Recent Posts

1
Thanks for creating the post showing how to set up letsencrypt etc. However, I am a Linux noob and a Zentyal noob, and I think many people would appreciate a little more detail on the instructions provided; at least I would.

My installation is the community edition Zentyal 7.0.4. It's running great: I have a Windows 10 machine joined to the 'domain' and email via SOGo works. However, I cannot get my head around the way certificates are installed/set up in Zentyal.

My background is in IT support, and whilst I don't fully grasp every facet of SSL certificate implementation, I have installed certificates on a variety of platforms (mainly Windows Server, Exchange, IIS etc.), using wildcard certs, and find the process reasonably simple. Linux/Zentyal however seems a black art. For every iteration of Linux, and for all the different services running that might want to use a certificate (Apache, nginx etc.), it seems like a never-ending process of config file changes. Enough of the thicko moaning....

The thing is, and I know it's my lack of knowledge, I cannot tell from the (I'm sure excellent) instructions in the forum here and in Zentyal's own documents how to configure services to use a letsencrypt SSL certificate. I can install letsencrypt, add the repo etc., as per the documentation, but for example, the following command from the manual:

> certbot --apache -m abraham@zentyal-domain.com

...clearly the 'abraham@zentyal-domain.com' needs to change; if I want to set up the certificate for the SOGo webmail service, what should this be?

The documentation instructions seem to be completely different from those posted here too (https://forum.zentyal.org/index.php/topic,32351.msg112718.html#msg112718), with the final notes in the official documentation reading:

"When the certificate has been correctly issued and stored on your Zentyal Server, the next step is to configure the services to use this certificate. Below you can find some of the most common paths used to establish the certificate:"

But what are you supposed to do in those paths to establish the certificates? It's a little confusing! I'm used to just opening a GUI control, choosing the installed certificate and confirming its use in that 'service'.

I think I understand that the process pulls down a certificate, stores it in maybe /etc/certs (but I don't really know), and then you are supposed to make numerous config changes to make use of the certificates - but I'm lost!

Also, from the web admin, I really don't understand the process; it doesn't seem to have any options to, say, select 'webmail' as the service and choose the certificate for that service. It kinda looks like you can create certificates signed by the server (so not CA-approved by clients) and assign them, but 'Editing certificate' does not mean 'applying', so I really don't understand what this GUI feature is actually doing (again, me being thick), and the documentation really doesn't explain - it's almost like you need to know what it's doing to understand what the documentation is telling you!

Apologies if this all sounds like a moan - I'm just frustrated, and really I do this for a job (although very much a jack of all, master of none), but Linux/Zentyal just seems so difficult to get my head round. Will there ever be a certmgr-equivalent tool that devs can utilise to simplify the install and usage of certificates for people like me?

Anyway, I guess I'm asking for someone to produce a video or document with step-by-step instructions, with explanations of what the commands do (simple) and what elements are to be tailored for an individual's setup (back to my question: why does the certbot apache command above require what looks like an email address when you are trying to apply SSL to a host/domain?).

I'm pretty sure I'll be high maintenance with the responses, me being so dim - but if anyone who has the time could respond, maybe we could email/PM to get me on the right track, or perhaps, if you want the fame and er um 'fortune', post a YouTube video of the whole process of applying a free Let's Encrypt cert on Zentyal 7 for the admin console and SOGo webmail etc. That would be awesome, and frankly you would become a legend on these forums (according to me anyway).

Thank you for making it to the end of this post!

2
Good day.

I just installed Zentyal 7.0 on a VirtualBox VM, created a domain and connected a PC to it. I also installed RSAT to manage the server. Everything looks fine, but when I stumbled upon Group Policy Management, I noticed that the default domain policy and default domain controller policy are missing.

Is this normal? Is it okay that these defaults are missing? Should I manually add these defaults?

I also tried installing Windows Server 2019 on a VM, and there these default policies are present.

Thanks in advance.
3
Hello,

I installed the commercial version of Zentyal. I've got an issue with the firewall. The log shows that some of the packets coming from the inside network to the internet through the Zentyal gateway are blocked by the Zentyal firewall, but my configuration is set to allow everything!
It's a home (or lab) network and my network is quite simple. The box from my Internet provider is linked to eth1 of the Zentyal server (the eth1 addresses are 192.168.9.x; the router from the Internet provider does not allow bridge mode, thus I put the Zentyal server in the DMZ), then eth0 is connected to my home network (the eth0 addresses are 192.168.1.x). I have another interface, eth2, which is a copy of eth1 in order to inspect the traffic with the Zentyal IPS. The Zentyal server is a VM hosted by the free Windows Hyper-V 2016. I've got at least two other VMs, which are the OpenVPN Linux TurnKey and another Windows media server for Plex.
The HTTP proxy is also enabled on the Zentyal server. Does anyone have an idea why this traffic is blocked, even though everything seems to be working on the laptops or PCs where the firewall is blocking the traffic?!

Link to a screen copy and the configuration file:
https://it-cm.ch/mycloud/index.php/s/VvgEMfDAKiarKSv

Extract of the configuration file:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
preinput   all  --  anywhere             anywhere
idrop      all  --  anywhere             anywhere             state INVALID
iaccept    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
inospoof   all  --  anywhere             anywhere
iexternalmodules  all  --  anywhere             anywhere
iexternal  all  --  anywhere             anywhere
inoexternal  all  --  anywhere             anywhere
imodules   all  --  anywhere             anywhere
iglobal    all  --  anywhere             anywhere
iaccept    icmp !f  anywhere             anywhere             icmp echo-request state NEW
iaccept    icmp !f  anywhere             anywhere             icmp echo-reply state NEW
iaccept    icmp !f  anywhere             anywhere             icmp destination-unreachable state NEW
iaccept    icmp !f  anywhere             anywhere             icmp source-quench state NEW
iaccept    icmp !f  anywhere             anywhere             icmp time-exceeded state NEW
iaccept    icmp !f  anywhere             anywhere             icmp parameter-problem state NEW
idrop      all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
preforward  all  --  anywhere             anywhere
fdrop      all  --  anywhere             anywhere             state INVALID
faccept    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
fnospoof   all  --  anywhere             anywhere
fredirects  all  --  anywhere             anywhere
fmodules   all  --  anywhere             anywhere
ffwdrules  all  --  anywhere             anywhere
fnoexternal  all  --  anywhere             anywhere
fdns       all  --  anywhere             anywhere
fglobal    all  --  anywhere             anywhere
faccept    icmp !f  anywhere             anywhere             icmp echo-request state NEW
faccept    icmp !f  anywhere             anywhere             icmp echo-reply state NEW
faccept    icmp !f  anywhere             anywhere             icmp destination-unreachable state NEW
faccept    icmp !f  anywhere             anywhere             icmp source-quench state NEW
faccept    icmp !f  anywhere             anywhere             icmp time-exceeded state NEW
faccept    icmp !f  anywhere             anywhere             icmp parameter-problem state NEW
fdrop      all  --  anywhere             anywhere

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
preoutput  all  --  anywhere             anywhere
odrop      all  --  anywhere             anywhere             state INVALID
oaccept    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ointernal  all  --  anywhere             anywhere
omodules   all  --  anywhere             anywhere
oglobal    all  --  anywhere             anywhere
oaccept    icmp !f  anywhere             anywhere             icmp echo-request state NEW
oaccept    icmp !f  anywhere             anywhere             icmp echo-reply state NEW
oaccept    icmp !f  anywhere             anywhere             icmp destination-unreachable state NEW
oaccept    icmp !f  anywhere             anywhere             icmp source-quench state NEW
oaccept    icmp !f  anywhere             anywhere             icmp time-exceeded state NEW
oaccept    icmp !f  anywhere             anywhere             icmp parameter-problem state NEW
odrop      all  --  anywhere             anywhere

Chain drop (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall drop "
DROP       all  --  anywhere             anywhere

Chain faccept (12 references)
target     prot opt source               destination
NFQUEUE    all  --  anywhere             anywhere             NFQUEUE num 0
NFQUEUE    all  --  anywhere             anywhere             NFQUEUE num 0
ACCEPT     all  --  anywhere             anywhere

Chain fdns (1 references)
target     prot opt source               destination

Chain fdrop (8 references)
target     prot opt source               destination
drop       all  --  anywhere             anywhere

Chain ffwdrules (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain fglobal (1 references)
target     prot opt source               destination
faccept    all  --  anywhere             anywhere

Chain fmodules (1 references)
target     prot opt source               destination

Chain fnoexternal (1 references)
target     prot opt source               destination
fdrop      all  --  anywhere             anywhere             state NEW

Chain fnospoof (1 references)
target     prot opt source               destination
fnospoofmodules  all  --  anywhere             anywhere
fdrop      all  --  192.168.1.0/24       anywhere
fdrop      all  --  192.168.9.0/24       anywhere
fdrop      all  --  192.168.3.0/24       anywhere
fdrop      all  --  192.168.99.0/24      anywhere

Chain fnospoofmodules (1 references)
target     prot opt source               destination

Chain fredirects (1 references)
target     prot opt source               destination
faccept    tcp  --  anywhere             192.168.1.124        state NEW tcp dpt:https
faccept    tcp  --  anywhere             192.168.1.66         state NEW tcp dpt:32400
faccept    udp  --  anywhere             192.168.1.124        state NEW udp dpt:openvpn

Chain ftoexternalonly (0 references)
target     prot opt source               destination
faccept    all  --  anywhere             anywhere
fdrop      all  --  anywhere             anywhere

Chain iaccept (54 references)
target     prot opt source               destination
NFQUEUE    all  --  anywhere             anywhere             NFQUEUE num 0
NFQUEUE    all  --  anywhere             anywhere             NFQUEUE num 0
ACCEPT     all  --  anywhere             anywhere

Chain idrop (7 references)
target     prot opt source               destination
drop       all  --  anywhere             anywhere

Chain iexternal (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
iaccept    tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:submission state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:https state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:http state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:32400 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpts:32410:32414 state NEW

Chain iexternalmodules (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain iglobal (1 references)
target     prot opt source               destination
iaccept    tcp  --  anywhere             anywhere             tcp dpt:5223 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:imaps state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:submission state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:https state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:http state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:smtp state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:ntp state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:32400 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpts:32410:32414 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:35622 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:35623 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:35621 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpts:55413:55415 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:35623 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:zabbix-agent state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:zabbix-agent state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:zabbix-trapper state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:zabbix-trapper state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:kerberos state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:kerberos state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:loc-srv state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:netbios-ns state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:netbios-dgm state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:netbios-ssn state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:ldap state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:ldap state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:kpasswd state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:kpasswd state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:ldaps state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:3268 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:3269 state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpts:49152:65535 state NEW
iaccept    udp  --  anywhere             anywhere             udp dpt:domain state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:domain state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:ssh state NEW
iaccept    tcp  --  anywhere             anywhere             tcp dpt:8450 state NEW

Chain imodules (1 references)
target     prot opt source               destination
iaccept    tcp  --  anywhere             anywhere             state NEW tcp dpt:3128
iaccept    tcp  --  anywhere             anywhere             state NEW tcp dpt:3128
DROP       tcp  --  anywhere             anywhere             state NEW tcp dpt:3129

Chain inoexternal (1 references)
target     prot opt source               destination
idrop      all  --  anywhere             anywhere             state NEW

Chain inointernal (0 references)
target     prot opt source               destination

Chain inospoof (1 references)
target     prot opt source               destination
inospoofmodules  all  --  anywhere             anywhere
idrop      all  --  192.168.1.0/24       anywhere
idrop      all  --  192.168.9.0/24       anywhere
idrop      all  --  192.168.3.0/24       anywhere
idrop      all  --  192.168.99.0/24      anywhere

Chain inospoofmodules (1 references)
target     prot opt source               destination

Chain log (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall log "
RETURN     all  --  anywhere             anywhere

Chain oaccept (13 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain odrop (2 references)
target     prot opt source               destination
drop       all  --  anywhere             anywhere

Chain oglobal (1 references)
target     prot opt source               destination
oaccept    all  --  anywhere             anywhere             state NEW

Chain ointernal (1 references)
target     prot opt source               destination

Chain omodules (1 references)
target     prot opt source               destination
oaccept    tcp  --  anywhere             anywhere             tcp dpt:http
oaccept    udp  --  anywhere             anywhere             udp dpt:domain
oaccept    tcp  --  anywhere             anywhere             tcp dpt:domain
oaccept    tcp  --  anywhere             anywhere             state NEW tcp dpt:http
oaccept    tcp  --  anywhere             anywhere             state NEW tcp dpt:https

Chain preforward (1 references)
target     prot opt source               destination

Chain preinput (1 references)
target     prot opt source               destination

Chain preoutput (1 references)
target     prot opt source               destination
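Added example, not the poster's or Zentyal's code: a Python parser for the `iptables -L` listing above that walks FORWARD as a packet matching no conditional rule would, and lists every rule whose target ends in DROP together with the match that gates it. It assumes only the listing format shown; SAMPLE is a constructed excerpt of that dump.

```python
import re
# Added example, not Zentyal's or the poster's code. It parses the `iptables -L`
# format pasted above and lists every rule that can drop a forwarded packet.
CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")
# Constructed excerpt of the dump pasted above (blank lines between chains omitted).
SAMPLE = """Chain FORWARD (policy DROP)
target     prot opt source               destination
fdrop      all  --  anywhere             anywhere             state INVALID
faccept    all  --  anywhere             anywhere             state RELATED,ESTABLISHED
fnospoof   all  --  anywhere             anywhere
fnoexternal  all  --  anywhere             anywhere
fglobal    all  --  anywhere             anywhere
fdrop      all  --  anywhere             anywhere
Chain drop (3 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 50/min burst 10 LOG level debug prefix "zentyal-firewall drop "
DROP       all  --  anywhere             anywhere
Chain faccept (12 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
Chain fdrop (8 references)
target     prot opt source               destination
drop       all  --  anywhere             anywhere
Chain fglobal (1 references)
target     prot opt source               destination
faccept    all  --  anywhere             anywhere
Chain fnoexternal (1 references)
target     prot opt source               destination
fdrop      all  --  anywhere             anywhere             state NEW
Chain fnospoof (1 references)
target     prot opt source               destination
fdrop      all  --  192.168.1.0/24       anywhere"""


def parse_iptables_list(text):
    """Return {chain: (policy or None, [(target, proto, src, dst, extra), ...])}."""
    chains, cur = {}, None
    for line in text.splitlines():
        if m := CHAIN_RE.match(line):
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif cur and not line.startswith("target") and (m := RULE_RE.match(line.rstrip())):
            chains[cur][1].append(m.groups())
    return chains


def verdict_of(chains, target, seen=()):
    """Verdict `target` reaches through unconditional rules only, else None."""
    if target in ("ACCEPT", "DROP", "REJECT"):
        return target
    if target not in chains or target in seen:
        return None  # LOG, NFQUEUE, RETURN and unknown targets decide nothing
    for t, proto, src, dst, extra in chains[target][1]:
        if proto != "all" or src != "anywhere" or dst != "anywhere" or extra:
            continue  # conditional (or interface-bound: `-L` hides -i/-o), not decidable here
        if t == "RETURN":
            return None
        if v := verdict_of(chains, t, seen + (target,)):
            return v
    return chains[target][0]  # a built-in chain falls back to its policy


def drop_rules(chains, root, seen=None):
    """Rules reachable from `root` whose target ends in DROP, with the match gating each."""
    found, seen = [], seen or set()
    seen.add(root)
    for t, proto, src, dst, extra in chains[root][1]:
        if verdict_of(chains, t) == "DROP":
            cond = [x for x in (proto, src, dst, extra) if x not in ("all", "anywhere", "")]
            found.append((root, t, " ".join(cond) or "(unconditional)"))
        elif t in chains and t not in seen:  # descend only into chains that are not pure drops
            found += drop_rules(chains, t, seen)
    return found
```

On the sample, `verdict_of(chains, "FORWARD")` is ACCEPT (via fglobal, the "allow everything" rule), so a blocked packet must have hit one of the conditional drops listed by `drop_rules`: the INVALID-state rule, the anti-spoof rule in fnospoof or the NEW-state rule in fnoexternal, all of which funnel into the `drop` chain whose LOG rule writes the `zentyal-firewall drop` lines. Because plain `iptables -L` omits the `-i`/`-o` interface matches, a rule printed as `fdrop all -- anywhere anywhere state NEW` may really be limited to one interface; `iptables -L -v -n` or `iptables-save` shows the full rule.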
4
News and Announcements / Re: Upgrade from Zentyal 6.2 to 7.0 is now available
« Last post by erotavlas on June 15, 2021, 09:53:27 pm »
Hi,
I tried to upgrade one of my machines with Zentyal 6.2.9, but I get these log errors: https://pastebin.com/w26wUnwf.
I was able to fix the grub error, but I could not fix the other "reconfigure" ones. I tried both dpkg --configure -a and apt-get upgrade -f.
Any idea?

Before upgrading my production system, I tried again via several installations of Zentyal 6.2 on VirtualBox 6.1. However, I cannot solve my issue. I also tried to follow this: https://forum.zentyal.org/index.php?topic=34454.0.
  • original: without any further package or software. Only one time it worked without any error.
  • original+kernel hwe: same error.
  • original+apache+php: same error.

Could it be a problem with VirtualBox? Do you have any hint?

5
Other modules / Zentyal 7 DNS: QUERY REFUSED
« Last post by Leo Moss on June 15, 2021, 08:27:06 pm »
Hello,
After updating to Zentyal 7.0.4 we are getting "DNS: query refused" on VPN subnets.
We modified /usr/share/zentyal/stubs/dns/named.conf.local.mas and added the subnets, without luck.

Any ideas? :)
6
Zentyal 7.0 licensed server edition as a VM on VMware.

Users have been created.
A group for each company department has been created (Accounting, Marketing, Technology, etc.).
Users have been assigned to the appropriate groups.
The file sharing module is installed and file shares have been created for each company department, matching the groups listed above. The file shares are under the Zentyal home path.
Each group has been assigned to a file share with Read and Write permission.

Problem: Users are authenticating properly on the domain when they log into their Windows computers. When a user on a Windows client (desktop or laptop) on the domain attempts to create a network map to their department's file share, the Windows userid/password dialog appears when the share is opened.

The odd thing is, in Zentyal, if I assign a user directly to a file share rather than assigning the user's group to the file share, the user can, on their Windows desktop, create a network map to the file share without the Windows userid/password dialog, and connect to the share with the privileges I assign them in Zentyal file sharing, either Read or Read and Write.

On the Zentyal domain controller, some of the file shares are owned by root:adm, some by <domain>\Administrator:adm, and some by <domain>\Administrator:<domain>\<group>, like this:

drwxrwx---+   root:adm    4096  /home/zentyal/shares/accounting
drwxrwx---+   XYZ\Administrator:adm    4096  /home/zentyal/shares/marketing
drwxrwx---+   XYZ\Administrator:XYZ\marketing    4096  /home/zentyal/shares/technology

Accessing the share from the Windows client doesn't seem to differ based on the owner:group. It doesn't work when the user's group is assigned to the share, but works when the user is assigned to the share.

Lastly, of what I can think of that might be pertinent: if I run the "id <user>" command on the domain controller to see the groups per user, the groups per user match the groups to which the user is assigned in Zentyal.

Help greatly appreciated in advance.
7
Directory and Authentication / Re: BindSimple: Transport encryption required
« Last post by luiz Peterli on June 12, 2021, 02:58:55 pm »
I can change SAMBA4's behavior to allow non-TLS connections, and this caused my server to crash with this error. For that I open the SAMBA4 configuration file at /usr/local/samba/etc/samba/smb.conf and insert the line: ldap server require strong auth = no.

It's worth mentioning that in my case I use SAMBA4 directly on Ubuntu Server, and with this solution I managed to integrate NXFilter with my AD users and groups.

8
Directory and Authentication / Re: Samba permissions problem (ACL problem?)
« Last post by spott on June 12, 2021, 05:40:41 am »
I think now 6.2 or newer - but not 7.
9
Directory and Authentication / Re: Samba permissions problem (ACL problem?)
« Last post by dsjunges83 on June 12, 2021, 04:48:14 am »
So are you running version 6.1 or 7.0?
10
News and Announcements / Re: Upgrade from Zentyal 6.2 to 7.0 is now available
« Last post by erotavlas on June 11, 2021, 11:59:01 am »
Hi,
I tried to upgrade one of my machines with Zentyal 6.2.9, but I get these log errors: https://pastebin.com/w26wUnwf.
I was able to fix the grub error, but I could not fix the other "reconfigure" ones. I tried both dpkg --configure -a and apt-get upgrade -f.
Any idea?