Topics - AlecM

1
Other modules / DHCP Leases file garbage?
« on: June 03, 2024, 12:11:58 pm »
Zentyal version 8.0.3.  We have been using Zentyal for many years.

We have recently started having issues with our DHCP causing loss of client device connectivity.  Client devices seem to be losing IP addresses for a period of time before re-establishing new ones.

We are a moderately small office and have just one range of DHCP IPs available (currently 10.0.0.59 - 10.0.0.254), the rest being reserved for servers, some Dev PCs and other network devices such as printers, switches, etc.

Looking at the content of our leases file (/var/lib/dhcp/dhcpd.leases), we see a mix of some very old expired leases (from November 2023), current leases (3rd June 2024) and some leases (current) with some sort of scripting for "on expiry" and "on release".

I don't know if the two script blocks are legitimate entries, since not all entries have this format.

Our leases file is also getting very long, with over eight TEN thousand lines (increased during the time of writing this post) of lease entries (lines bulked by the coded outputs as exemplified below), almost all of them dated for today.

Example of the scripting:

Code:
  on expiry {
    set ClientIP = binary-to-ascii (10, 8, ".", leased-address);
    log (debug, concat ("Expired: IP: ", ClientIP));
    execute ("/usr/share/zentyal-dhcp/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
  }
  on release {
    set ClientIP = binary-to-ascii (10, 8, ".", leased-address);
    set ClientDHCID =
      concat (
        concat (
          concat (
            concat (
              concat (
                concat (
                  concat (
                    concat (
                      concat (
                        concat (
                          suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 1, 1))), 2),
                          ":"),
                        suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 2, 1))), 2)),
                      ":"),
                    suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 3, 1))), 2)),
                  ":"),
                suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 4, 1))), 2)),
              ":"),
            suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 5, 1))), 2)),
          ":"),
        suffix (concat ("0", binary-to-ascii (16, 8, "", substring (hardware, 6, 1))), 2));
    log (debug, concat ("Release: IP: ", ClientIP));
    execute ("/usr/share/zentyal-dhcp/dhcp-dyndns.sh", "delete", ClientIP, ClientDHCID);
  }


Can anyone enlighten me as to whether we have a buggy DHCP service (if so, what should I do to remedy), and whether I should try deleting the old or oddly-formed lease entries from the file in an effort to resolve it?

(I have made a backup copy of the file already.)

Thanks in advance,
Alec

=============== UPDATE (4th June 24) ================
Applying some basic troubleshooting/elimination processes on our network devices, I turned off our new WiFi AP (an Ubiquiti U7 Pro) and the address loss/reclaiming seems to have stabilised.  Perhaps a bit early to tell after only a couple of hours, as we had seen things stabilise after the morning anyway - so tomorrow morning should provide the real test of whether that device had been doing something rogue on the LAN.  It had applied an update back on 9th May (to v. 7.0.47), and we think that date is around when we started seeing the connectivity issues, but not sure why it had become increasingly worse during the last couple of weeks.

Have ordered a pair of Netgear APs to test/replace the Ubiquiti stuff...
==============================================
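As an added illustration (not part of the post and not Zentyal's own code): dhcpd.leases is an append-only journal, so the same IP appears once per change until dhcpd next rewrites the file, and the `on expiry` / `on release` blocks are per-lease copies of event handlers that dhcpd stores inside each lease they apply to, here Zentyal's dynamic DNS hook. The Python script below parses such a file, keeps only the last record per IP, and reports how many records carry hooks and which addresses are currently active, expired or free. The sample file and the fixed evaluation time (`SAMPLE_NOW`) are constructed, and the hook bodies in the sample are shortened.

```python
"""Summarise an ISC dhcpd.leases file (the format Zentyal's DHCP module writes).
Every lease change appends a record; the file is only compacted periodically,
so the LAST record for a given IP is the current one."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample, not the poster's file: one old expired lease, then two
# records for the same IP from one day, the later one carrying the per-lease
# on-expiry / on-release handlers (bodies shortened) used for dynamic DNS.
SAMPLE_LEASES = """\
lease 10.0.0.77 {
  starts 2 2023/11/14 09:00:00;
  ends 2 2023/11/14 21:00:00;
  binding state free;
  hardware ethernet 00:11:22:aa:bb:cc;
}
lease 10.0.0.101 {
  starts 1 2024/06/03 08:00:00;
  ends 1 2024/06/03 08:30:00;
  binding state active;
  hardware ethernet 00:11:22:dd:ee:01;
}
lease 10.0.0.101 {
  starts 1 2024/06/03 08:20:00;
  ends 1 2024/06/03 20:20:00;
  binding state active;
  hardware ethernet 00:11:22:dd:ee:01;
  client-hostname "laptop-01";
  on expiry {
    set ClientIP = binary-to-ascii (10, 8, ".", leased-address);
    execute ("/usr/share/zentyal-dhcp/dhcp-dyndns.sh", "delete", ClientIP, "", "0");
  }
  on release {
    set ClientIP = binary-to-ascii (10, 8, ".", leased-address);
    execute ("/usr/share/zentyal-dhcp/dhcp-dyndns.sh", "delete", ClientIP, "");
  }
}
"""
# Constructed "current time" for evaluating the sample (lease times are UTC).
SAMPLE_NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')  # braces inside strings must not count

def _parse_time(line):
    """'ends 1 2024/06/03 20:20:00;' -> aware UTC datetime; 'ends never;' -> None."""
    parts = line.rstrip(";").split()
    if parts[1] == "never":
        return None
    return datetime.strptime(f"{parts[2]} {parts[3]}", "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_leases(text):
    """Return every lease record in file order as a dict (other blocks are skipped)."""
    records, current, depth = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if depth == 0:
            if line.startswith("lease ") and line.endswith("{"):
                current = {"ip": line.split()[1], "starts": None, "ends": None,
                           "state": None, "mac": None, "hostname": None, "hooks": []}
                depth = 1
            continue
        if depth == 1:  # statements directly inside the lease block
            if line.startswith("starts "):
                current["starts"] = _parse_time(line)
            elif line.startswith("ends "):
                current["ends"] = _parse_time(line)
            elif line.startswith("binding state "):
                current["state"] = line[len("binding state "):].rstrip(";")
            elif line.startswith("hardware ethernet "):
                current["mac"] = line.split()[2].rstrip(";").lower()
            elif line.startswith("client-hostname "):
                current["hostname"] = line.split(" ", 1)[1].rstrip(";").strip('"')
            elif line.startswith("on ") and line.endswith("{"):
                current["hooks"].append(line.split()[1])  # expiry / release / commit
        bare = QUOTED.sub('""', line)
        depth += bare.count("{") - bare.count("}")
        if depth == 0:
            records.append(current)
    return records

def summarise(records, now):
    """Collapse the journal to the latest record per IP and classify each address."""
    latest = {rec["ip"]: rec for rec in records}  # a later record replaces an earlier one
    summary = {"total_records": len(records), "unique_ips": len(latest),
               "records_with_hooks": sum(1 for r in records if r["hooks"]),
               "hook_names": dict(Counter(h for r in records for h in r["hooks"])),
               "active": [], "expired": [], "free": []}
    for ip, rec in sorted(latest.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if rec["state"] != "active":
            summary["free"].append(ip)
        elif rec["ends"] is not None and rec["ends"] < now:
            summary["expired"].append(ip)  # still marked active but past its end time
        else:
            summary["active"].append(ip)
    return summary

if __name__ == "__main__":
    print(summarise(parse_leases(SAMPLE_LEASES), SAMPLE_NOW))
```

Point `parse_leases` at the text of a backup copy of `/var/lib/dhcp/dhcpd.leases` and pass `datetime.now(timezone.utc)` as `now`; a large `total_records` against a small `unique_ips` means the journal simply has not been compacted yet, whereas a high count of `expired` addresses that are still in `binding state active` would point at the server not processing expiries.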

2
We have two Zentyal systems (PDC and BDC), both running 5.0.9.  On the web admin dashboard, under the "Software" status, we are seeing "1 component updates" (sic), but when we click on that status to view the Zentyal Components page, there is nothing listed under the "Update" list.  Screenshots 01 and 02 attached below.

Accessing the system via PuTTY, the post-login summary also indicates a package to update (image 03).

Running "apt-get upgrade" (after autoclean, autoremove and update), apt indicates 2 packages, one of which is zentyal-core (image 04).

Cancelling that upgrade, logging out and back in again, the summary still lists only 1 package to upgrade, even though apt is actually listing 2.

Is anyone else seeing this (or been through allowing the upgrade without problems)?

3
We have a Zentyal (Dev/community) v.5 system running as a BDC for an old Windows AD system.  The PDC is a rather ancient Windows 2003 SP2 system that had the 2008 R2 domain upgrade applied to it (I know, it really ought not to be still in use).

The Zentyal system was originally a 3.5 install, later upgraded to 4.2. The more recent upgrade to v5 totally borked it, so I had to fresh-build it (retaining server name and same modules installed).

Recently the old PDC Windows system has been failing to synch the AD data from the newer Zentyal BDC - this was flagged up when users changed their passwords successfully (apparently serviced by the Z-box), but then when accessing a share or service from the old PDC, their accounts would immediately get locked.  Using the MS resource tool to change the user password on the old server to match their new password resolved the connections for them.

I tried manually synchronising from the BDC Z-box to the PDC using the MS tool "Active Directory Sites and Services", as per the guide doc from Technet.  The synch errored out reporting that "The replication operation failed because of a schema mismatch between the servers involved."

I don't know if this is something caused by a Zentyal update, or really is simply the old Windows system just being old kak.

Either way, I had planned to use the Zentyal-provided Operations Master migration script "ad-migrate" to transfer the PDC role to the Zentyal system, so that I could start to decommission the old Windows server.  But this script fails, reporting back with the following "not found" messages:

Code:
./ad-migrate: 18: ./ad-migrate: use: not found
./ad-migrate: 19: ./ad-migrate: use: not found
./ad-migrate: 21: ./ad-migrate: use: not found
./ad-migrate: 22: ./ad-migrate: use: not found
./ad-migrate: 25: ./ad-migrate: use: not found
./ad-migrate: 27: ./ad-migrate: use: not found
./ad-migrate: 28: ./ad-migrate: use: not found
./ad-migrate: 29: ./ad-migrate: use: not found
./ad-migrate: 34: ./ad-migrate: Syntax error: Bad function name

Has anyone else encountered this issue?

I had wondered if (in lieu of the ad-migrate not working) I could change the Zentyal Domain setting from "Additional domain controller" to "Domain controller" (ie. standalone), then stop the old Windows AD service, but I really don't want to end up with no working DC at all!
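Added example, not from the post and not Zentyal's code: messages of the form `<script>: <n>: <script>: use: not found` followed by `Syntax error: Bad function name` are what /bin/sh (dash on Ubuntu) prints when it is asked to execute source that is not shell, and `use` is a Perl keyword rather than a command. The post does not say how the script was invoked or what its first line looks like, so the cause cannot be settled here; the Python checker below shows how to confirm it on a copy of the script: it counts the commands the shell could not find, checks whether they are Perl keywords, and inspects the script's shebang line. The script bodies are constructed stand-ins, not the real ad-migrate.

```python
"""Diagnose '<script>: N: <script>: use: not found' errors, the pattern /bin/sh
prints when it is handed Perl source ('use' is a Perl keyword, not a command)."""
import re
from collections import Counter

# Constructed to mirror the messages quoted in the post.
SAMPLE_ERRORS = """\
./ad-migrate: 18: ./ad-migrate: use: not found
./ad-migrate: 19: ./ad-migrate: use: not found
./ad-migrate: 21: ./ad-migrate: use: not found
./ad-migrate: 34: ./ad-migrate: Syntax error: Bad function name
"""
# Constructed stand-in script bodies (hypothetical, not the real ad-migrate):
# the same Perl text with a Perl shebang, with no shebang, and with a shell one.
PERL_BODY = 'use strict;\nuse warnings;\nmy $x = 1;\nsub main { print "ok\\n"; }\nmain();\n'
PERL_SHEBANG = "#!/usr/bin/perl\n" + PERL_BODY
NO_SHEBANG = PERL_BODY
SHELL_SHEBANG = "#!/bin/sh\n" + PERL_BODY

# dash and bash report a missing command as "<script>: <line>: <script>: <word>: not found"
NOT_FOUND = re.compile(r"^(?P<script>\S+): (?P<line>\d+): (?P=script): (?P<word>\S+): not found$")
# Perl keywords that are not shell builtins and are never installed as commands.
PERL_ONLY = {"use", "my", "our", "sub", "require", "package", "foreach", "elsif"}
SHELL_INTERPRETER = re.compile(r"(^|/|\s)(ba|da|k|z)?sh$")

def not_found_words(stderr_text):
    """Count the command names the shell reported as not found."""
    matches = (NOT_FOUND.match(ln) for ln in stderr_text.splitlines())
    return Counter(m.group("word") for m in matches if m)

def shebang_of(script_text):
    """Interpreter line without the leading '#!', or None when the file has none."""
    first = script_text.split("\n", 1)[0]
    return first[2:].strip() if first.startswith("#!") else None

def diagnose(stderr_text, script_text):
    """Combine the error output with the script header into a cause code."""
    words = not_found_words(stderr_text)
    shebang = shebang_of(script_text)
    perl_words = sorted(set(words) & PERL_ONLY)
    if not perl_words:
        cause = "not-perl"             # missing commands are not Perl keywords; look elsewhere
    elif shebang is None:
        cause = "no-shebang"           # exec fails, so the calling shell runs it as a sh script
    elif SHELL_INTERPRETER.search(shebang):
        cause = "shell-shebang"        # declares itself a shell script but holds Perl source
    elif "perl" in shebang:
        cause = "not-run-via-shebang"  # correct shebang bypassed, e.g. invoked as 'sh ./script'
    else:
        cause = "unknown-interpreter"
    return {"missing": dict(words), "perl_keywords": perl_words, "shebang": shebang, "cause": cause}

if __name__ == "__main__":
    for name, body in [("perl shebang", PERL_SHEBANG), ("no shebang", NO_SHEBANG), ("sh shebang", SHELL_SHEBANG)]:
        print(name, "->", diagnose(SAMPLE_ERRORS, body)["cause"])
```

To apply it to a real case, capture the script's stderr to a file, read the script itself into a string, and call `diagnose(stderr_text, script_text)`; the `cause` value tells you whether to fix the header, the invocation, or to look somewhere else entirely.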

4
Other modules / OpenVPN connections not supporting all protocols?
« on: May 15, 2017, 03:50:45 pm »
I've recently migrated my small set of users from an old Windows-hosted OpenVPN connection point (which was using bridged mode, via TAP) to a new Zentyal OpenVPN connection, but the new Zentyal-hosted version is giving us some issues.

We have the Zentyal server (version 5) installed as a Secondary Domain Controller within an existing Windows AD network.  It is behind a pfSense-based firewall - so the pfSense firewall is performing the public-WAN to private-LAN port-forwarding/NAT for specific ports.

Our new Zentyal-based VPN problem manifests as some network issues for the client machines (all Windows laptops).  The issues were first noticed in VoIP calls (using an internally-hosted VoIP server, 3CX), where the remote laptop is now getting one-way audio for certain types of call (consistent, see tested scenarios below).  A second observed issue has been network shares not always showing their content properly (content would suddenly disappear then reappear later).

The client computers are all using OpenVPN client 2.4.1 64-bit, running as a Service on system startup to enable the network Route table to be modified (as this requires admin privileges).

Test scenarios for the VoIP call problem:
  • Make a VoIP call from VPN client machine using software phone (3CXPhone) to another internal extension that is also using 3CXPhone - result when the dialled user picks up call is success.
  • Repeat step 1 - result when the dialled user cannot pick up is the call gets directed to Voicemail, but the person who is making the call cannot hear the automated Voicemail menu. (one-way audio).
  • Make a VoIP call from VPN client machine using software phone to an external number - result is the recipient/target will hear the caller, but the caller cannot hear the person they have dialled. (one-way audio).
  • Make calls from the softphone client from the LAN, not using the VPN - all calls work fully as expected.

I ran some Wireshark captures on the 3CX server to try and compare the successful calls with the one-way calls, but my knowledge of what to look for is not sufficient to really diagnose them properly.

The Zentyal system is running as a QEMU Virtual Machine configured with 6 virtual CPUs and 6GiB RAM on an Ubuntu 16.04 server host.  The Zentyal server is also providing SAMBA shares.

I had originally configured the Zentyal VPN using TUN-mode, but due to the issue I have since added a second config (on a different port) to test using the TAP-mode option.  Unfortunately, the TAP connection version exhibits the same problem.

Note that Remote Desktop Protocol through either tun or tap works very well - hence my topic subject of suspecting the issue relates to specific network protocols.

I cannot seem to find sufficient documentation on the Zentyal WIKI to describe all the option settings for the various modules managed in Zentyal, which is deeply frustrating.  There are guides, but I find that the description of the various settings (why/when to use them and conversely why/when not to) is not discussed thoroughly enough.

Some YouTube videos indicate adding network objects for the internal LAN, but don't configure the object - and this seems to be an unnecessary step anyway, as the OpenVPN module automatically adds the internal LAN (10.0.0.0/24) as an advertised network to the VPN server config.

I've wondered if the issue could be the DNS settings, as the Zentyal server is using forwarding to our pre-existing internal Windows DNS host.  It is not configured for transparent cache mode (again, documentation in the WIKI on this feels skimpy to me and doesn't fully describe the pros and cons of enabling transparent cache mode).

Has anyone else experienced this type of "partial" connectivity with the Zentyal implementation of OpenVPN?
