Messages - jgould

1
Directory and Authentication / Change IP address of domain controllers/DNS
« on: February 12, 2021, 04:14:58 am »
I have a project right now that is going to require me to change the 2 zentyal domain controller/DNS servers to different IP addresses in a new subnet. I have 2 DC/DNS servers and have them rsync (+unison I believe) between them.

With Zentyal, it seems that only changing the IP of the server is trivial and done right in the GUI. However, something makes me think this doesn't consider the case of running the AD DC/DNS (samba and bind9).

Samba has these instructions
https://wiki.samba.org/index.php/Changing_the_IP_Address_of_a_Samba_AD_DC

Which are considerably more involved. Demote the DC, make sure it's cleaned up, then add it back after.

What should I do?

2
Installation and Upgrades / samba memory leak update
« on: November 22, 2019, 05:47:30 pm »
Current Zentyal release shows it's using Samba 4.7.6
There is a bad memory leak that was fixed upstream in 4.7.7
Please upgrade the module!

https://bugs.launchpad.net/ubuntu/+source/samba/+bug/1814532

Thanks

3
Other modules / Re: Zentyal 5.1 DNS Replication OR bind9 zone transfers
« on: November 22, 2019, 04:08:42 pm »
I haven't seen this behavior from 5 through current 6 release. DNS updates from domain join clients show on both DNS servers. Adding a record to either DNS server and they show up on the other. Set DNS settings on my windows client to either DNS server and name resolution works the same.

The only issue I've had is that I have "conditional forwarders" and some "trusted networks" that I needed to add to bind9. To do that I edited the mas files (to survive reboots). But I guess because those fall outside the "samba" AD scope they aren't replicated between servers. I don't have many of them so I just manually add them to both.

4
Installation and Upgrades / Re: VPN Client cannot resolv external urls
« on: November 21, 2019, 09:11:14 pm »
I found the cause of the problem, but I cannot find a way to solve it reliably.

BIND9 is configured to "allow-recursion" and "allow-query-cache" only from trusted clients, but the VPN is not in the acl:

Code: [Select]
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
};
....

Adding the VPN network solves the DNS resolution problem:

Code: [Select]
/etc/bind/named.conf.local
acl "trusted" {
    localhost;
    localnets;
    172.20.20.0/24;
};
....

Problem now: It only keeps this setting if I manually restart bind9 via "service bind9 restart". Restarting it from the GUI or changing the DNS configuration will overwrite this setting.

How can I set it permanently? Is this a bug?

Came across this and wanted to provide for others.

You want to edit /usr/share/zentyal/stubs/dns/named.conf.local.mas and find section acl "trusted" and add in your networks to sustain reboots.

Code: [Select]
/usr/share/zentyal/stubs/dns/named.conf.local.mas

acl "trusted" {
% foreach my $intnet (@intnets) {
    <% $intnet %>;
% }
    172.20.20.0/24;
    localhost;
    localnets;
};


There might be a method to add this via the DNS GUI tools. I don't know. I've had to do similar tweaks for DNS forwarding to other domains.

5
Sorry for the multiple posts but I figure I should get all the information I can into this thread for others to benefit from.

If you don't have access to a Windows PC to join to the domain and install RSAT, you can accomplish all of this through the CLI.

Check if Account Flags has an "L" in it meaning the account is locked;
Code: [Select]
pdbedit -Lvu username
Unlock the account if necessary;
Code: [Select]
pdbedit -c='[]' --user=username
Set the user account to never expire;
Code: [Select]
samba-tool user setexpiry username --noexpiry
Check members of DnsAdmins group;
Code: [Select]
samba-tool group listmembers "DnsAdmins"
Add user to DnsAdmins group;
Code: [Select]
samba-tool group addmembers DnsAdmins username
I didn't do it this way but those SHOULD work.
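The three CLI checks from the post above (lock flag, password expiry, DnsAdmins membership) can be run as one audit over the captured command output. This is an added example, not part of the original post; the sample output is constructed, and it assumes the pdbedit flag letters `L` (locked) and `X` (password does not expire).

```sh
#!/bin/sh
# Added example: audit the Zentyal DNS service account from CLI output.

# Constructed sample of `pdbedit -Lvu dns-vdc01` (relevant lines only).
SAMPLE_PDBEDIT='Unix username:        dns-vdc01
Account Flags:        [UL         ]
Domain:               INTERNAL'

# Constructed sample of `samba-tool group listmembers "DnsAdmins"`.
SAMPLE_MEMBERS='Administrator
jdoe'

# account_flags TEXT: print the letters inside the Account Flags brackets.
account_flags() {
    printf '%s\n' "$1" |
        sed -n 's/^Account Flags:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
        tr -d ' '
}

# audit_dns_account PDBEDIT_TEXT MEMBERS_TEXT USER
# Prints one finding per line; prints nothing when all checks pass.
audit_dns_account() {
    flags=$(account_flags "$1")
    case $flags in
        '')  echo "no-flags: Account Flags line not found" ;;
        *L*) echo "locked: L flag is set" ;;
    esac
    case $flags in
        ''|*X*) ;;   # nothing to report, or password set to never expire
        *) echo "password-can-expire: X flag is not set" ;;
    esac
    # AD account names are case-insensitive, so match whole lines with -i.
    printf '%s\n' "$2" | grep -Fxiq -- "$3" ||
        echo "not-in-dnsadmins: $3 is not listed"
}

# Live use on the domain controller (as root):
#   audit_dns_account "$(pdbedit -Lvu dns-vdc01)" \
#       "$(samba-tool group listmembers DnsAdmins)" dns-vdc01

# Demo on the constructed samples: reports all three findings.
audit_dns_account "$SAMPLE_PDBEDIT" "$SAMPLE_MEMBERS" dns-vdc01
```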

6
Here is why it matters. Using the DNS Manager of Windows RSAT you can check the security permissions on the various parts of DNS;

DNS server (vdc01 in my case)


Forward Lookup Zone for your Domain


All DNS records (kerberos record as example)


As you can see, all records list the AD Group DnsAdmins. So it stands to reason that if the dns user account needs to update DNS records it will need to be a part of the DnsAdmins group (the dns user account doesn't have permissions otherwise).

When you restart the DNS module (through the web GUI or CLI) it updates some of the DNS records by running;
Code: [Select]
nsupdate -g -t 10 /var/lib/zentyal/tmp/[somerandomfile]
but it can't if the dns user doesn't have those necessary permissions. Same goes for changing any of the settings in the DNS module (like adding a record). I should also note that using the Windows RSAT DNS tool I was still able to add records and change settings. I suspect because I was connected as a "Domain Admin" which DID have permissions while the Web GUI runs under the dns-vdc01 user account on the localhost (127.0.0.1).

The domain joined PC's are able to update their own DNS records because, if you look in their security properties, you will find that the PC has permissions to update its OWN DNS records only.

PS: I'm almost 100% certain that the dns user account should be set to "password never expires" but even in the current Zentyal download this setting is not checked. Which means that the password will eventually expire and will stop working.

7
ivan.m

The Active Directory Users and Computers tool is provided through Windows RSAT (Remote Server Administration Tools), which you will find referenced as the simplest way to manage a Samba 4 Active Directory.

Simply search google for Windows RSAT for whatever windows OS you can get (Windows 7, 8, 10) or if you have a Windows Server you can add these through adding Roles.

Once you have them installed you must have the Windows machine added to the domain or it won't be able to access the Samba4/Zentyal server to manage it.

Once you have that set up you can launch the Active Directory Users and Computers (and others like DNS, Group Policy Management, etc) provided by RSAT and manage your domain. The whole collection of tools is in "Administrative Tools" in Windows (just search for it).



And here you will see my dns-vdc01 user (vdc01 being the name of my server) and DnsAdmin Group in my Active Directory under the "Users" folder.



And here you will see the dns-vdc01 user account properties where I've added the account to the DnsAdmins group.




8
SOOOO, I managed to get mine working now!

All I had to do was solve the initial "Error output: Password has expired" error as I described earlier;
  • Using AD User and Computers, open properties for dns-[servername]
  • Go to "Account" tab
  • Check "Unlock account" & "Password never expires"
  • Apply and OK

Which got me to where most of you were with the Error output: update failed: REFUSED error.

Then, I had to add the dns-[servername] user to the DNSAdmins Group;
  • Using AD User and Computers, open properties for dns-[servername]
  • Go to "Member Of" tab
  • Click "Add..."
  • Type "DnsAdmins" & click "Check Names"
  • Click OK
  • Click Apply & Ok

Pretty standard steps for anyone familiar with AD.

Anyway, after adding the user account to the DnsAdmins group the DNS module restarts through the GUI without any errors and everything looks to be working as it should.

I found this issue by comparing to a freshly installed and untouched Zentyal 5 installation that was working. I did NOT remove the user from this group. The user WAS a member of Domain Users which obviously doesn't have enough permissions. DnsAdmins is what is granted permissions (through windows security tab) when I was looking in the RSAT DNS tool for the domain.

Also, I should note that even in Zentyal 5 the dns-[servername] user account password is not set to never expire, but as I saw in my initial error it sure looks like it did expire at some point.

I have a sneaking suspicion this is also why when I followed the Samba Wiki I linked above to completely delete the dns.keytab file, dns-[servername] user, and recreate everything using samba_upgradedns --dns-backend=BIND9_DLZ it STILL wasn't working. Because the user account wasn't added to the DnsAdmins group (I can't verify that at this point though, but highly likely).

9
Good Morning!,
I've found this link searching for the same error, and I've solved it by doing these few steps:

Code: [Select]
sudo cp /var/lib/samba/private/dns.keytab /var/lib/samba/private/dns.keytab.old
sudo rm /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=DNS/server.domain.local /var/lib/samba/private/dns.keytab
sudo samba-tool domain exportkeytab --principal=dns-ZENTYAL@DOMAIN.LOCAL /var/lib/samba/private/dns.keytab
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-ZENTYAL

If you still get errors with the last command, review the Zentyal DNS user name

Cheers!

This seemed promising but didn't work for me, and I know I had the right user and the right information in the keytab file.

One thing to note is that this approach does not generate a dns.keytab file exactly like the original. It doesn't include the aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96 enctypes. See HERE. There is discussion on this in the samba mailing list I was reading. I couldn't get the solutions to add them to work for me but I didn't spend a ton of time on it as you can regenerate the dns.keytab and user by deleting everything and running samba_upgradedns --dns-backend=BIND9_DLZ as mentioned in my above post.

Example of what I mean;

New keytab file generated with your steps;
Code: [Select]
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
/var/lib/samba/private/dns.keytab:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14

Old keytab that you are replacing;
Code: [Select]
root@zentyal:~$ sudo ktutil -v -k /var/lib/samba/private/dns.keytab.old list
/var/lib/samba/private/dns.keytab.old:

Vno  Type                     Principal                      Date        Aliases
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
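The difference between the two listings above can be checked mechanically rather than by eye. The following is an added example, not part of the original post: it diffs two `ktutil ... list` outputs and reports principals left with no AES key. The embedded samples are copied from the listings in the post; the function names are hypothetical.

```sh
#!/bin/sh
# Added example: compare two `ktutil -v -k <keytab> list` listings.

# Old keytab listing, as shown in the post.
SAMPLE_OLD='Vno  Type                     Principal                      Date
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14
  1  aes128-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes128-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14
  1  aes256-cts-hmac-sha1-96  DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  aes256-cts-hmac-sha1-96  dns-zentyal@TEST.LAN           2017-06-14'

# Regenerated keytab listing, as shown in the post.
SAMPLE_NEW='Vno  Type                     Principal                      Date
  1  des-cbc-crc              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-crc              dns-zentyal@TEST.LAN           2017-06-14
  1  des-cbc-md5              DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  des-cbc-md5              dns-zentyal@TEST.LAN           2017-06-14
  1  arcfour-hmac-md5         DNS/zentyal.test.lan@TEST.LAN  2017-06-14
  1  arcfour-hmac-md5         dns-zentyal@TEST.LAN           2017-06-14'

# keytab_entries TEXT: print "principal enctype" per key row, sorted.
# Key rows are the ones whose first column is a numeric Vno.
keytab_entries() {
    printf '%s\n' "$1" |
        awk '$1 ~ /^[0-9]+$/ && NF >= 3 { print $3, $2 }' |
        LC_ALL=C sort -u
}

# missing_entries OLD_TEXT NEW_TEXT: entries in OLD that NEW no longer has.
missing_entries() {
    old=$(mktemp); new=$(mktemp)
    keytab_entries "$1" > "$old"
    keytab_entries "$2" > "$new"
    LC_ALL=C comm -23 "$old" "$new"
    rm -f "$old" "$new"
}

# principals_without_aes TEXT: principals that hold no aes* key at all,
# i.e. only DES and RC4 (arcfour) keys remain for them.
principals_without_aes() {
    keytab_entries "$1" | awk '
        { seen[$1] = 1; if ($2 ~ /^aes/) aes[$1] = 1 }
        END { for (p in seen) if (!(p in aes)) print p }' |
        LC_ALL=C sort
}

# Live use:
#   missing_entries "$(ktutil -v -k dns.keytab.old list)" \
#                   "$(ktutil -v -k dns.keytab list)"

# Demo on the listings from the post: prints the four lost AES entries.
missing_entries "$SAMPLE_OLD" "$SAMPLE_NEW"
```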

10
I'm going to post something I had put in a different thread.

I've gone through many Zentyal version upgrades on this server and am having the DNS issue.

My initial error message was
Code: [Select]
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .

What I found was that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
Code: [Select]
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputed
These two attributes had values set that made it sure seem like the password HAD expired. This user account (that is automatically generated during install) also doesn't have the "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password so it didn't need to be changed.

This seemed to remove the Error output: Password has expired error, but now started to show the problem that other members here are having.

Code: [Select]
2017/06/14 00:15:38 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 00:15:39 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 00:15:41 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2
2017/06/14 00:15:41 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
2017/06/14 00:15:41 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED

Command output: .
Exit value: 2

I've tried multiple ways to resolve this error using recommendations here and the Samba wiki, but nothing has really worked and I STILL end up with the REFUSED error or the other error mentioned.

Code: [Select]
2017/06/14 01:55:23 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/14 01:55:24 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/14 01:55:25 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at /usr/share/perl5/EBox/Sudo.pm line 240
EBox::Sudo::_rootError('/usr/bin/sudo -p sudo: /var/lib/zentyal/tmp/Ym0eh3Z4y8.cmd 2> /var/lib/zentyal/tmp/stderr', 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8', 256, 'ARRAY(0x8ae78a0)', 'ARRAY(0x435f558)') called at /usr/share/perl5/EBox/Sudo.pm line 210
EBox::Sudo::_root(1, 'nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/Sudo.pm line 153
EBox::Sudo::root('nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8') called at /usr/share/perl5/EBox/DNS.pm line 923
EBox::DNS::_postServiceHook('EBox::DNS=HASH(0x8997970)', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 941
EBox::Module::Service::_regenConfig('EBox::DNS=HASH(0x8997970)', 'restart', 1, 'restartModules', 1) called at /usr/share/perl5/EBox/Module/Service.pm line 960
eval {...} at /usr/share/perl5/EBox/Module/Service.pm line 959
EBox::Module::Service::restartService('EBox::DNS=HASH(0x8997970)', 'restartModules', 1) called at /usr/share/perl5/EBox/Util/Init.pm line 121
eval {...} at /usr/share/perl5/EBox/Util/Init.pm line 119
EBox::Util::Init::moduleAction('dns', 'restartService', 'start') called at /usr/share/perl5/EBox/Util/Init.pm line 87
EBox::Util::Init::start at /usr/bin/zs line 35
main::main at /usr/bin/zs line 82
2017/06/14 01:55:25 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1
2017/06/14 01:55:25 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

Command output: .
Exit value: 1 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable

I even followed THESE INSTRUCTIONS on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ to reprovision the user account and dns.keytab file from scratch. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs where nsupdate fails to run). The logs seem to show that all my Windows PC's are still able to securely update DNS records though.


I will say that a fresh install of Zentyal isn't giving me this issue NOW, but who knows if it will after a certain amount of time. I'd also say that removing and reinstalling the DNS module also appeared to solve the issue for me. However that is REALLY NOT IDEAL. If you have to remove the DNS module you also have to remove the Domain Controller and File Sharing module. That means you'd remove all your domain joined computers, users, GPO, and so on. So the only other option I can think of right now would be a transfer of FSMO roles to a new Samba4 server.
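The three failure signatures in the logs above can be pulled out of a Zentyal log automatically and paired with the check the posts on this page associate with each. This is an added example, not part of the original post: the sample is an excerpt of the log lines quoted above, and the function name and hint wording are this example's own.

```sh
#!/bin/sh
# Added example: triage kinit/nsupdate failures in Zentyal DNS module logs.

# Excerpt of the log lines quoted in the post.
SAMPLE_LOG='2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
2017/06/14 00:15:41 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED
2017/06/14 00:15:41 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/tfjTLFN6aF failed.
Error output: update failed: REFUSED
2017/06/14 01:55:25 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/Q_yEAuXop8 failed.
Error output: dns_tkey_negotiategss: TKEY is unacceptable'

# classify_dns_errors LOG_TEXT
# Pairs each failed "root command kinit|nsupdate" line with the
# "Error output:" line that follows it and prints, per distinct pair:
#   count|tool|error|hint
classify_dns_errors() {
    printf '%s\n' "$1" | awk '
        /root command kinit /    { tool = "kinit" }
        /root command nsupdate / { tool = "nsupdate" }
        /^Error output: / && tool != "" {
            n[tool "|" substr($0, 15)]++   # text after "Error output: "
            tool = ""
        }
        END {
            for (k in n) {
                split(k, f, "|")
                hint = "unclassified"
                if (f[2] == "Password has expired")
                    hint = "check expiry and lock state of the dns-<server> account"
                else if (f[2] == "update failed: REFUSED")
                    hint = "check that the dns-<server> account is in DnsAdmins"
                else if (f[2] ~ /TKEY is unacceptable/)
                    hint = "GSS-TSIG negotiation failed; no specific fix given in the posts"
                print n[k] "|" k "|" hint
            }
        }' | LC_ALL=C sort -t "|" -k2
}

# Live use: classify_dns_errors "$(cat /path/to/zentyal.log)"
# (the log path is a placeholder; the post does not name the file)

# Demo on the excerpt above.
classify_dns_errors "$SAMPLE_LOG"
```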

11
News and Announcements / Re: Hasta la vista, Trac
« on: June 14, 2017, 03:46:56 pm »
Why does it feel like Zentyal is abandoned? Threads get no response on the forums, bugs go unanswered, and now I try to login to the tracker and get this;


12
Other modules / Re: kinit error
« on: June 14, 2017, 03:40:04 pm »
Seems like this is pretty widespread.
https://forum.zentyal.org/index.php?topic=30747.0
https://forum.zentyal.org/index.php/topic,30864.0.html

I did some testing and figured out a few things.

For my initial error, "Error output: Password has expired", I found that the user account (dns-[servername]) in AD Users and Computers didn't show as being locked or anything. HOWEVER, by going into the Attribute Editor (make sure everything is selected in Filter) I found two attributes.
Code: [Select]
msDS-User-Account-Control-Computed
msDS-UserPasswordExpiryTimeComputed
These two attributes had values set that made it sure seem like the password HAD expired. This user account (that is automatically generated during install) also doesn't have the "Password never expires" set under Account -> Account options. So to test out a theory I checked the "Password never expires" and "Unlock account" options. I knew from experience that this enables the account using the original password so it didn't need to be changed.

This seemed to remove the Error output: Password has expired error, but now started to show the problem that other members are having. That being;
Code: [Select]
Exit value: 2 at root command nsupdate -g -t 10 /var/lib/zentyal/tmp/[randomfile] failed.
Error output: update failed: REFUSED

And any attempt I make to resolve this error using recommendations here in the linked threads or following the Samba wiki results in either STILL getting the REFUSED error or;
Code: [Select]
Error output: dns_tkey_negotiategss: TKEY is unacceptable
I even went as far as to follow THESE INSTRUCTIONS on the Samba Wiki where you completely delete the dns.keytab file, delete the dns-[servername] user, switch the DNS backend to Samba and then back to Bind (due to a glitch in samba not recreating the dns-[servername] user), and finally run samba_upgradedns --dns-backend=BIND9_DLZ. It still failed.

This results in the DNS module not being able to reload itself and the local machine (127.0.0.1) failing DNS updates (or at least it seems that way when the DNS module reload occurs where nsupdate fails to run). The logs seem to show that all my Windows PC's are still able to securely update DNS records though.

13
Other modules / Re: kinit error
« on: June 13, 2017, 06:22:36 pm »
I'm getting this same error(s). The domain's "Administrator" account is set to never expire. Same with my domain admin account.

I noticed that the dns-[hostname] user account that is created when zentyal installed doesn't have the password set to never expire. I have no idea what the password was set to for this account though and I would expect zentyal to configure the account CORRECTLY without intervention from the user.

I've also just noticed that krbtgt account is "Disabled" and I'm not sure why exactly that would be the case. I know I didn't do it though.

Anyone have a clue?

This is on a Zentyal server that has been upgraded through multiple versions. I actually just started up a fresh Zentyal 5 install with a Win10 PC as a client and the DNS module restarted without error. So sounds like either an issue caused through upgrades or time (and potentially an expiring password).

Code: [Select]
2017/06/13 12:10:25 INFO> Service.pm:958 EBox::Module::Service::restartService - Restarting service for module: dns
2017/06/13 12:10:27 INFO> DNS.pm:91 EBox::DNS::appArmorProfiles - Setting DNS apparmor profile
2017/06/13 12:10:32 ERROR> Sudo.pm:240 EBox::Sudo::_rootError - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> Service.pm:962 EBox::Module::Service::restartService - Error restarting service: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1
2017/06/13 12:10:32 ERROR> Service.pm:964 EBox::Module::Service::restartService - root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
2017/06/13 12:10:32 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command kinit -k -t /var/lib/samba/private/dns.keytab dns-vdc01 failed.
Error output: Password has expired
 dns-vdc01@INTERNAL.DOMAIN.COM's Password:

Command output: .
Exit value: 1

14
Other modules / Re: Disable Root DNS lookups
« on: May 31, 2017, 09:12:16 pm »
In my setup client requests are first made against the bind DNS server that is provided by Zentyal. If the lookup fails because it isn't specified in the local DNS it uses the forwarders (ISP DNS, Google DNS, OpenDNS, etc).

Seeing as Zentyal uses the Bind9_DLZ backend it is configured essentially as described HERE in the Samba Wiki. There you will find a section describing how to "Downloading the DNS Root Servers List" and a section of the basic configuration that denotes how to include that downloaded root dns server list.

Now, on Zentyal, bind and its configurations are located at /etc/bind. There is a file called db.root, which is equivalent to named.root in the samba example, and contains the root servers list. That file is referenced in the main bind configuration file named.conf. It looks like this;

Code: [Select]
include "/etc/bind/named.conf.options";
include "/etc/bind/keys";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

With all that in mind, I would postulate that if you were to edit the stubs file for bind you could exclude the root servers. Edit file
Code: [Select]
/usr/share/zentyal/stubs/dns/named.conf.mas
and delete the section
Code: [Select]
// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

I can't say if that will work or give you the desired result. I honestly am not sure what you are even trying to accomplish. There also could be a better way to handle what you want that I'm not aware of. However I figured I'd give you an idea of what I'd try based on what you were asking. (PS: if what you were trying to do was to create an isolated "closed" network I'd think you would just provide a LAN interface without any WAN interface...but I probably don't understand what you are trying to do).

15
Other modules / Re: Where is CUPS/Printer in 5.0
« on: May 31, 2017, 08:44:08 pm »
FYI, when I upgraded to 5.0 the Printer module was removed from Zentyal. However CUPS remained installed and the printers still existed along with the config files. Only issue was that the include for printer.conf was removed from the samba config. You can add it back by editing the mas file (/usr/share/zentyal/stubs/samba/smb.conf.mas).

I don't remember if I had an issue or not because I had already altered the smb.conf.mas file before so that all printers were automatically shared.

Without the GUI you might find setting permissions a bit trickier. Those settings in the GUI were, I believe, for restricting access to who could add the printer through the samba share. You can do that manually through the samba config. Or restrict at the CUPS level. The CUPS web interface at https://hostname:631 still exists.

Personally, I didn't want to rely on Zentyal to keep CUPS current or to potentially cause issues for me with printers so I spun up a separate Ubuntu server, added it to the domain, and installed CUPS.
