Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: shahsx on November 04, 2013, 07:58:07 am
-
Hello All,
I have just set up a fresh install of Zentyal Server 3.2 and gone through the basic coniguration of setting it up as a DC. I have set it up on a VM on Xenserver with two interfaces, Internal and External. Both interfaces are connected to one switch.
One thing i notice is that the DNS server is picking up the internal and external server IP addresses which it shouldn't. This is the second time I have built this server because the same thing happend the first time.
Any ideas?
Thanks
-
Both interfaces are connected to one switch.
This just doesn't work unless some specific and complex set up based on VLANs.
Zentyal, when used with one external and one internal interfaces, is supposed to be deployed between external and internal side, meaning 2 different switches.
Any other implementation is going to fail or exhibit annoying side effects unless you really understand how to segregate networks using VLANs.
Feasible with servers in data-centre, much more complex when the inside side is made of clients.
-
Thanks Christian for the quick reply. I thought as the interfaces were defined as Internal and External the server would do the speration even though they were on the same switch. Guess not.
-
Unfortunately (or hopefully, I don't know), this is not the way it works.
Try to think at this in a different way: on this same switch, you do have other devices connected isn't it? (basically this is your LAN)
Why would Zentyal have any impact on these other devices if all are connected on same switch? Well, this requires to understand perhaps better what a basic switch is and is not but to make it short, your LAN is internal and you can connect as many Zentyal interfaces as you want to this LAN, all will be or are supposed to be internal.
External means physical external.
-
I rebuilt the server again with Zentyal 3.2 and once again configured an Internal and External interface. This time I only connected the Internal interface to the LAN swtich and have left the external interface disconnected. Everthing works fine as long as the external interface is "not set" as soon as I configure a Static IP on it but still leave it disconnected the external static IP shows up in the Internal DNS which is configured on Zentyal.
I am using a VM on Xenserver and have added two physical NIC's to the VM for the internal and external interfaces.
-
what are your IPs for internal and external addresses .
-
Internal - 10.216.16.1 /24
External -197.254.X.X /30
-
reading it again, I understand that you have 2 different concerns:
- one was related to the double connection (both internal and external) to same switch. I guess this one is solved.
- one is related to Zentyal DNS content: once your external interface is set, where is this IP registered in DNS? as domain IP or attached to host ? and can't you edit DNS content afterwards?
This "domain IP" concept is, although perhaps required by Microsoft (like) stuff, creating some misunderstanding because, as it works for whatever you type, it prevents admins to pay attention to DNS content like hosts (A record) and aliases (CNAME records).
As a result, when you connect to "mydomain" for whatever service (which doesn't make any sense), DNS replies with "domain IP" content that could be any of your interfaces. The right approach is supposed to be connection to host.domain or service.domain, well... fqdn. even host or service without domain extension is better as it will rely on "search domain" feature ;)
This said, Microsoft like services may need something different ::)
-
The internal IP (10.216.16.1) is set up in Zentyal DNS as the "Domain IP Addess" and under hostnames as the IP of DC Server.
The external IP is just set up in Network-> Interfaces.
When I do an nslookup "servername" from a client machine that's when I see both IP's against the DC server name.
-
The internal IP (10.216.16.1) is set up in Zentyal DNS as the "Domain IP Addess" and under hostnames as the IP of DC Server host.
The external IP is just set up in Network-> Interfaces.
When I do an nslookup "servername" from a client machine that's when I see both IP's against the DC server name.
If it generates any problem, can't you then go to DNS interface, select the "host" column, then edit IPs for this specific host, removing the one(s) you don't want (here I believe the external one).
Do you mean that such IP is added again if Zentyal reboots or services are restarted ? (I don't known as I don't run Zentyal 3.2)
-
Finally it works!!
There is a bug in the Zentyal 3.2 DNS module. Christian the external IP that i could see when I did the nslookup was not showing up in the host record so I couldn't delete it. But what I did find out is that every time I changed the WAN interface IP and saved the module the external IP was showing up when I did an nslookup. However after saving, if I went and restarted the DNS module from the Dashboard the external IP would not show up in the nslookup and it worked as it should.
Hey Christian I even got it working with both interface using one switch and no vlan's :P Thanks for all your help.
Update: Spoke too soon the external IP has comeback again but that could be because I am on one swtich. Will disconnect the external interface again and restart DNS and report back.
-
Hey Christian I even got it working with both interface using one switch and no vlan's :P Thanks for all your help.
This definitely doesn't work or at least it works for few services that do not expect Zentyal to filter communication or sessions.
e.g:
- you don't have any firewall
- HTTP proxy works only in explicit mode and requires filtering at default gateway level to be made mandatory
- VPN server will require specific settings too
but if you're happy with current settings, go ahead ;)
-
Christian I updated my last post. You were right about the single switch. :-X
-
Unfortunately the problem still persists. Restarting the DNS just cleared the cache so the external IP was not there for a while but it looks like it is dynamically adding it as it comes back after five minutes.
Any suggestions?
-
Any suggestions?
No suggestion but question as it was not clear previously:
where is this IP added ? at host level ? I yes, once external IP is configured, can't you modify host record in DNS to remove this IP ? Then restart DNS service (or even restart Zentyal) and check if your modification is kept. If not, open ticket ;)
-
The external IP is added through Network -> Interfaces. When i go to the Host Record in DNS it just shows the Internal IP of the server and not the external IP but when I do nslookup i can see both IP's coming up.
Like I said if i restart DNS the external IP does not show up for a while on nslookup but after about five minutes it's there again so it is being added dynamically.
I guess I will open a ticket and see what happens.
-
If IP is not added to DNS record, then it is not "dynamically" added.
I suspect there is something else wrong on your side.
-
ok more specifically the IP is dynamically added to DNS but it does not show up on the web interface.
-
ok more specifically the IP is dynamically added to DNS but it does not show up on the web interface.
do you have any dig output ?
-
Replying here so that we can share progress (or problem) with other users:
We have performed some test with shahsx.
Here is the issue he faces. Perhaps some 3.2 users can comment and help.
Server is running file sharing service.
- trying to resolve Zentyal server name returns 2 IPs: one for the internal interface, one for the external interface
- if you remove Zentyal host in DNS using Zentyal GUI, then another entry is automatically (and quickly) added, visible in GUI but without any IP.
- if you add an IP, everything looks OK but after few minutes (about 8 minutes) although thre is no change at GUI level, another record is added to DNS, visible using
dig axfr [yourdomain]
and if you resolve this server name, you get 2 IPs again, one for the internal, one for the external.
My question here:
- aside the strange nslookup behaviour, may this prevent Windows users to authenticate against Zentyal DC ?
We could have pushed further tests, e.g. disabling file sharing service but I'm already pretty convinced that such wrong behaviour is due to Samba handling one part of DNS content management on the behalf of Zentyal administrator.
Someone to confirm or to explain what's wrong ?
-
Hello,
Ok after a lot of effort from Christian (much appreciated) and Zentyal support we have finally got to the bottom of this. It turns out that this is not an issue at all but a new "design feature" of Zentyal 3.2.
There new strategy is that all services will listen on all interfaces ??? A reference to the code here:
https://github.com/Zentyal/zentyal/commit/9b5096ff647841d658c8e47a986b0ee67ce9249e
It has something to do with clients that only use one interface and allowing them to do more with the system....I am not really to sure.
Workaround:
There is a workaround to this where you can initialise the "sortlist" function in DNS through a hook so only internal addresses are returned. It goes a little something like this:
sudo mkdir /etc/zentyal/stubs/dns
sudo cp /usr/share/zentyal/stubs/dns/named.conf.options.mas
/etc/zentyal/stubs/dns
Conf key to enabled at /etc/zentyal/dns.conf
another workaround would be to use hooks to configure Samba to look at just the internal interfaces.
Thanks,
-
It looks like, in the meantime, Zentyal decided to enable this feature as a default one. Perhaps because we struggled to fix it :P
Anyway, I don't know if it has been pushed yet but it should soon and should also solve similar issue for other users.
-
I don't understand why you would need to use the stub file - if you can just change the dns.conf?
at least enabling sortlist is now mentioned in the documentation?
http://doc.zentyal.org/en/filesharing.html
(came here as my vpn connection broke dns...)
-
I don't understand why you would need to use the stub file - if you can just change the dns.conf?
because if you change dns.conf without using hook, your chage will be erased soon ;)
at least enabling sortlist is now mentioned in the documentation?
Sure but at the time we were discussing this, sortlist was not yet enabled by default 8)
-
Hello, this issue is causing me problems as well. Can somebody please give me a little more detail about what changes to make in the DNS related config files to work around the issue until a more permanent solution is in place?
James
-
I just realized that my issue is slightly different, so I am going to start a new topic.
James
-
Hi everyone,
even with sortlist = yes i have the same issue!
With nslookup I have either the internal and the external interface IP!
...H.E.L.P. PLEASE... =)
It's driving me nuts since my client PCs asking for samba's share, are quite often receiving the external IP (not the internal one) and so aren't able to open the share correctly.
Thank You in advance for any kind of help/hint/hand/else =D
Luca
-
I'm waking this old topic up.
I stumbled upon this problem too. The external IP address was picked up after a while when DNS server starts. The problem is actually a bug in Zentyal 4.2, but is easy to fix as all stubs are editable.
Samba thinks that it is enabled on the external interface, so you need to edit /usr/share/zentyal/stubs/samba/smb.conf.mas and set the interfaces manually there
interfaces = lo,eth0,eth1,eth1:virtual0
bind interfaces only = yes
I had to remove my external interface (eth0) and samba doesnt add the external IP to DNS anymore.
Restart zentyal samba after that and you are done. Only it might overwrite the stub after zentyal-samba updates. Other than that a nice fix that I found out.
I have latest 4.2 version of Zentyal.
Running Zentyal 3.0 on another machine and it sets the correct interfaces.