Show Posts


Messages - vargax

1
Hi,

I just created a small script to automate part of the process... Just adjust the variables at the beginning of the script to match your environment.

Tested on a clean install of Ubuntu 14.04.2 desktop edition.

Code:
#!/bin/bash
# Adjust these variables to match your environment.
DOMAIN='INET'
REALM='INET.EXAMPLE.COM'
DOMAIN_ADMIN='administrator'
PASSWORD_SERVER='pdc.inet.example.com'

# Everything below edits system files, so refuse to run unprivileged.
if [ "$(id -u)" -ne 0 ]; then
    echo "Run this script as root." >&2
    exit 1
fi

clear
echo "---------------------------------------------"
echo "domain_join.sh v0.1-20150526.1153"
echo "SAMBA/Kerberos semi-automatic domain join script"
echo "IT - Activar Servicios y Almacenaje SAS"
echo "---------------------------------------------"

echo "Setting up directory service..."
# Remove the mDNS shortcut so that domain names are looked up through DNS.
sed -i 's& mdns4_minimal \[NOTFOUND=return\]&&g' /etc/nsswitch.conf
aptitude install winbind libpam-winbind libnss-winbind krb5-config
# Expand the stock "workgroup = WORKGROUP" line into the AD member settings.
sed -i "s&workgroup = WORKGROUP&\t workgroup = $DOMAIN \n\t password server = $PASSWORD_SERVER \n\t realm = $REALM \n\t security = ads \n\t idmap config * : range = 16777216-33554431 \n\t template homedir = /home/%U \n\t template shell = /bin/bash \n\t winbind use default domain = true \n\t winbind offline logon = true&g" /etc/samba/smb.conf
# Resolve domain users and groups through winbind.
sed -i 's&compat&compat winbind&g' /etc/nsswitch.conf
# Create home directories on first login, private to their owner.
echo "session optional        pam_mkhomedir.so skel=/etc/skel umask=077" >> /etc/pam.d/common-session

echo "  Joining client to domain..."
net ads join -U "$DOMAIN_ADMIN"

echo "  Setting up Lightdm..."
echo "[SeatDefaults]
greeter-hide-users=true
greeter-show-remote-login=false
greeter-show-manual-login=true" > /usr/share/lightdm/lightdm.conf.d/50-domain.conf
printf "Do you want to restrict guest login in this pc? (y/n) "
read continuar
if [ "$continuar" == "y" ]; then
    echo "allow-guest=false" >> /usr/share/lightdm/lightdm.conf.d/50-domain.conf
fi

echo "  Setting up sudoers..."
# Use a sudoers.d drop-in instead of inserting at a fixed line of /etc/sudoers:
# a bad edit there breaks sudo for everyone, and visudo -c validates the file first.
echo '%domain^admins ALL=(ALL) ALL' > /etc/sudoers.d/domain-admins
chmod 0440 /etc/sudoers.d/domain-admins
visudo -cf /etc/sudoers.d/domain-admins || rm -f /etc/sudoers.d/domain-admins

echo "Setting up clock sync..."
# Kerberos needs the clock close to the DC's; sync daily against the password server.
echo "ntpdate -u $PASSWORD_SERVER" > /etc/cron.daily/ntpdate
chmod +x /etc/cron.daily/ntpdate

CVC

2
Hi,

I'm facing the same issue after updating from 3.3 to 3.4 with the printers and ipsec services... I had removed both modules, purged and reinstalled CUPS and Openswan... no way...

I ended up making a cron script that checks the status of both modules and starts them if they are stopped... It is a pretty bad solution but it works until I have time to set up a clean installation, probably after the release of Zentyal 3.5

Code:
#!/bin/bash
# Zentyal modules to keep running; add others here if needed.
services=('printers' 'ipsec')

for service in "${services[@]}"; do
    # "service zentyal <module> status" reports RUNNING or STOPPED.
    status=$(service zentyal "$service" status)
    if [[ $status == *STOPPED* ]]; then
        service zentyal "$service" start
    fi
done

Just put it in /etc/cron.hourly and make it executable (chmod +x)...

3
Installation and Upgrades / Re: cups-remote-pending-held erro Ubuntu
« on: April 23, 2014, 09:16:09 pm »
Hi,

I was facing the same issue... I solved it by commenting out 'Require group lpadmin' and 'Satisfy any' in the first 'Limit' in cups.conf:

Code:
  <Limit Send-Document Send-URI Hold-Job Release-Job Restart-Job
         Purge-Jobs Set-Job-Attributes Create-Job-Subscription Renew-Subscription
         Cancel-Subscription Get-Notifications Reprocess-Job Cancel-Current-Job
         Suspend-Current-Job Resume-Job CUPS-Move-Job>
    Require user @OWNER
#    Require group lpadmin
    Order deny,allow
#    Satisfy any
  </Limit>

You can change this in the CUPS web interface -> Administration -> Edit configuration file.

I don't know what side effects this could have on Windows clients (I don't have any). My printer has Guest access enabled in the Zentyal CUPS interface.

4
Actually I found a better solution, making it work like in Zentyal 2.0...

You have to ssh to the server, then:

Code:
sudo su
nano /etc/zentyal/firewall.conf

Look for the last lines and uncomment them:

Code:
# Uncomment the following to show the from External to Internal section
show_ext_to_int_rules = yes

# Uncomment the following to show the Rules added by Zentyal services
show_service_rules = yes

Now in the firewall module you will find two new sections (you may need to reboot your server):
- From external to internal networks
- Zentyal services

In the External to Internal networks you can create rules to allow traffic between IPsec subnets:

Just create a new Network Object for your subnets:

And then create a new rule in External to Internal Networks allowing traffic from subnets to subnets:

You will note that now you can access hosts in the subnets but you cannot access the servers through their private IPs:

- Server A cannot access hosts in subnet B
- Server B cannot access hosts in subnet A
- Server A cannot access services in Server B through B's private IP
- Server B cannot access services in Server A through A's private IP

To solve this you have to edit /etc/ipsec.conf and add the proper leftsourceip and rightsourceip parameters to each connection:

Code:
# VPN: l222 (ipsec): 11.11.11.11 <=> 10.10.10.10
conn l222
        left=11.11.11.11
        right=10.10.10.10
        rekey=yes
        keyingtries=0
        leftsubnet=192.168.11.0/24
        # added: the local gateway's own LAN address, so its traffic enters the tunnel
        leftsourceip=192.168.11.1
        rightsubnet=192.168.10.0/24
        # added: the remote gateway's own LAN address
        rightsourceip=192.168.10.1
        pfs=yes
        auth=esp
        keyexchange=ike
        ike=3des-md5
        ikelifetime=28800s
        esp=3des-md5;modp1024
        keylife=3600s
        authby=secret
        auto=start

# VPN: hayuelo (ipsec): 11.11.11.11 <=> 9.9.9.9
conn hayuelo
        left=11.11.11.11
        right=9.9.9.9
        rekey=yes
        keyingtries=0
        leftsubnet=192.168.11.0/24
        # added: the local gateway's own LAN address
        leftsourceip=192.168.11.1
        rightsubnet=192.168.9.0/24
        # added: must be an address inside rightsubnet
        rightsourceip=192.168.9.1
        pfs=yes
        auth=esp
        keyexchange=ike
        ike=3des-md5
        ikelifetime=28800s
        esp=3des-md5;modp1024
        keylife=3600s
        authby=secret
        auto=start

After this you need to restart the ipsec service:

Code:
service ipsec restart

Unfortunately these changes are lost when you reboot the server or add a new IPsec connection... Right now my solution is to keep a copy of the ipsec.conf file and restore it after each reboot...

After adjusting ipsec.conf:

Code:
cp /etc/ipsec.conf /root/ipsec.conf
nano /etc/zentyal/hooks/ipsec.postservice

And put inside:

Code:
#!/bin/sh
# Zentyal rewrites /etc/ipsec.conf on reboot and on every IPsec change, so
# restore the hand-edited copy after Zentyal has (re)started the service.
service ipsec stop
cp /root/ipsec.conf /etc/ipsec.conf
service ipsec start

exit 0

Then set the correct mode:

Code:
# The template hooks are not executable, so set the mode on the new hook explicitly.
chmod +x /etc/zentyal/hooks/ipsec.postservice

Of course you have to adjust your backup file (/root/ipsec.conf) after each config change you make through the web interface.

This bug was reported here: https://tracker.zentyal.org/issues/48 and it persists in Zentyal 3.4

Sources:
http://serverfault.com/questions/503864/openswan-tunnel-up-but-works-only-in-one-direction
https://wiki.debian.org/HowTo/openswan
https://lists.openswan.org/pipermail/users/2005-December/007589.html
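As an added sanity check (not code from the post, Zentyal or Openswan), this Python snippet parses conn blocks laid out like the ipsec.conf above and reports a leftsourceip/rightsourceip that is missing or lies outside its subnet, plus the 3des/md5/modp1024 algorithms that config uses, which are deprecated today; the sample config is constructed, with a deliberate one-digit typo in its second conn.

```python
import ipaddress

# Constructed sample modelled on the post's ipsec.conf (not the poster's real file):
# the second conn lacks leftsourceip and its rightsourceip has a typo in octet 3.
SAMPLE_IPSEC_CONF = """\
conn l222
        leftsubnet=192.168.11.0/24
        leftsourceip=192.168.11.1 # added so the gateway uses a LAN address
        rightsubnet=192.168.10.0/24
        rightsourceip=192.168.10.1
        ike=3des-md5
        esp=3des-md5;modp1024

conn hayuelo
        leftsubnet=192.168.11.0/24
        rightsubnet=192.168.9.0/24
        rightsourceip=192.198.9.1
"""
WEAK_ALGOS = ("3des", "md5", "modp1024")  # in the post's config; avoid in new tunnels


def parse_conns(text):
    """Return {conn_name: {key: value}}; trailing '# ...' comments are dropped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def lint_conn(name, opts):
    """Findings for one conn: sourceip missing or outside its subnet, weak algorithms."""
    findings = []
    for side in ("left", "right"):
        subnet, sourceip = opts.get(side + "subnet"), opts.get(side + "sourceip")
        if subnet and not sourceip:
            findings.append(f"{name}: {side}subnet set but no {side}sourceip (gateway would use its public IP)")
        elif subnet and ipaddress.ip_address(sourceip) not in ipaddress.ip_network(subnet, strict=False):
            findings.append(f"{name}: {side}sourceip {sourceip} is not inside {side}subnet {subnet}")
    for key in ("ike", "esp"):
        weak = [a for a in WEAK_ALGOS if a in opts.get(key, "").lower()]
        if weak:
            findings.append(f"{name}: {key}={opts[key]} uses deprecated {'/'.join(weak)}")
    return findings
```

Run it against a copy of /etc/ipsec.conf before restarting the service, so a typo is caught before the tunnel silently comes up one-way.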

6
Hi,

After a lot of searching and debugging I could set up the IPsec LAN to LAN VPN in Zentyal 3.3. You have to create a Firewall postservice script in /etc/zentyal/hooks allowing incoming connections from the remote subnet:

Code:
cd /etc/zentyal/hooks
cp template.postservice firewall.postservice
# the templates are not executable; the hook must be
chmod +x firewall.postservice
nano firewall.postservice

At the end of the file, before exit 0, add "iptables -A ffwdrules -s <remote_subnet> -j ACCEPT", for example:

Code:
# Hook scripts need to be executable by root (note that examples are not).

# Accept forwarded traffic arriving from each remote IPsec subnet.
iptables -A ffwdrules -s 192.168.9.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.10.0/24 -j ACCEPT
iptables -A ffwdrules -s 192.168.12.0/24 -j ACCEPT

exit 0

In my case the local subnet is 192.168.11.0/24 and I have 3 remote subnets: 192.168.9.0/24 192.168.10.0/24 192.168.12.0/24, so I have 3 IPsec LAN to LAN tunnels.

References:
http://wiki.openwrt.org/doc/howto/netfilter
http://trac.zentyal.org/ticket/7881


