

Topics - Rafael Muylaert

1
Installation and Upgrades / Local Subnet prioritizing in DNS
« on: June 13, 2013, 03:05:14 pm »
I have my zentyal server configured to act as a central point for my 3 internal networks as a domain controller and gateway with load balancing for 2 internet connections. In order to achieve higher availability, I set up another server in parallel to the first one, and configured it as an additional domain controller and also as a router, as illustrated below:

Code:
                       192.168.0.1           192.168.0.2
                         _______              _______
                        |       |            |       |
                        | WAN 1 |            | WAN 2 |
                        |_______|            |_______|
       _____________________|____________________|______________________
      | 192.168.0.3          Network A (external)            192.168.0.4|
 _____|______                                                      _____|______
|            | 192.168.37.1  Network B (internal)  192.168.37.22  |            |
|            |----------------------------------------------------|            |
|            | 192.168.38.1  Network C (internal)  192.168.38.22  |            |
|  Server 1  |----------------------------------------------------|  Server 2  |
|            | 192.168.39.1  Network D (internal)  192.168.39.22  |            |
|            |----------------------------------------------------|            |
|____________|                                                    |____________|

My problem is that when I set it up as an additional DC, zentyal adds the records for the 3 network interfaces of server 2 to the DNS records of server 1. That would work just fine if I had only one internal network, but having 3 of them, when I try to resolve mydomain.lan from any of the internal networks, I receive the 6 IP addresses in an order that changes at random. In that way, when I try to ping mydomain.lan from the internal nets, many times it will try to ping the interface of server 2 that is in another net, and so it will fail, since server 1 is set as the default router.

Here is what I see from the client side:

Code:
C:\>nslookup mydomain.lan
Servidor:  seteh.mydomain.lan
Address:  192.168.37.1

Nome:    mydomain.lan
Addresses:  ::1
          192.168.38.1
          192.168.39.1
          192.168.39.22
          192.168.38.22
          192.168.37.22
          192.168.37.1


C:\>ipconfig /flushdns

Configuração de IP do Windows

Liberação do Cache do DNS Resolver bem-sucedida.

C:\>ping mydomain.lan

Disparando mydomain.lan [192.168.38.1] com 32 bytes de dados:
Resposta de 192.168.38.1: bytes=32 tempo<1ms TTL=64
Resposta de 192.168.38.1: bytes=32 tempo<1ms TTL=64
Resposta de 192.168.38.1: bytes=32 tempo<1ms TTL=64
Resposta de 192.168.38.1: bytes=32 tempo<1ms TTL=64

Estatísticas do Ping para 192.168.38.1:
    Pacotes: Enviados = 4, Recebidos = 4, Perdidos = 0 (0% de
             perda),
Aproximar um número redondo de vezes em milissegundos:
    Mínimo = 0ms, Máximo = 0ms, Média = 0ms

C:\>ipconfig /flushdns

Configuração de IP do Windows

Liberação do Cache do DNS Resolver bem-sucedida.

C:\>ping mydomain.lan

Disparando mydomain.lan [192.168.39.22] com 32 bytes de dados:
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.
Esgotado o tempo limite do pedido.

Estatísticas do Ping para 192.168.39.22:
    Pacotes: Enviados = 4, Recebidos = 0, Perdidos = 4 (100% de
             perda),

That resulted in the clients taking a very long time to authenticate during login, when trying to apply GPOs, and also when trying to run some program as administrator.

Windows automatically implements local network prioritizing, so that when resolving an address, the IP addresses that are in the same network as the client are always first in the list. With BIND, we have to set up the sortlist statement (http://www.net.cmu.edu/groups/netdev/docs/bind9/Bv9ARM.ch06.html#the_sortlist_statement) in the server configuration for it to behave like that.

Here is what I added to my config to make it work appropriately (I think it would be very easy for it to be implemented by default in zen., or maybe through a checkbox in the DHCP configs asking whether they should prioritize local networks or round-robin the addresses):

Code:
me@server1:~$ cat /etc/zentyal/stubs/dns/named.conf.options.mas
<%args>
  @forwarders
  $keytabPath => undef
</%args>
options {
    directory "/var/cache/bind";
    sortlist {
        {192.168.37/24; {192.168.37/24; };};
        {192.168.38/24; {192.168.38/24; };};
        {192.168.39/24; {192.168.39/24; };};
    };
    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below.  Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    //query-source address * port 53;
    //transfer-source * port 53;
    //notify-source * port 53;

% if ( @forwarders > 0 ) {
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    forward first;
    forwarders {
%   foreach my $forwarder (@forwarders) {
        <% $forwarder %>;
%   }
    };
% }

% if (defined $keytabPath) {
    tkey-gssapi-keytab "<% $keytabPath %>";
% }

    auth-nxdomain no;    # conform to RFC1035

    allow-query { any; };
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    allow-transfer { internal-local-nets; };
};

I think that the absence of this configuration would also be a problem on a single server that is configured to block communications across different LANs.

Also, it would be great to be able to set up 2 zentyal servers with a DHCP shared scope, so that a true redundant server can be set up.
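The sortlist behaviour described in this post, modelled as an added Python example (not code from the post or from Zentyal): the three sortlist entries and the seven nslookup answers are taken from the post, the client addresses are made up.

```python
# Added example (not from the forum post or from Zentyal): a Python model of
# how BIND's sortlist statement reorders the answers for mydomain.lan.
import ipaddress

# The three sortlist entries from the post's named.conf.options.mas, as
# (client match list, preferred address order list). BIND's short prefix
# form "192.168.37/24" is written out in full for the ipaddress module.
SORTLIST = [
    ("192.168.37.0/24", ["192.168.37.0/24"]),
    ("192.168.38.0/24", ["192.168.38.0/24"]),
    ("192.168.39.0/24", ["192.168.39.0/24"]),
]

# The seven answers shown by nslookup in the post (::1 plus one address per
# internal network on server 1 and server 2), in the order they came back.
ANSWERS = ["::1", "192.168.38.1", "192.168.39.1", "192.168.39.22",
           "192.168.38.22", "192.168.37.22", "192.168.37.1"]


def sortlist_order(client_ip, answers, sortlist=SORTLIST):
    """Return answers in the order BIND's sortlist would send them.

    The first sortlist entry whose match list contains the client applies;
    answers matching its ordered list come first, unmatched answers follow
    in their original order (sorted() is stable). No match: no sorting.
    """
    client = ipaddress.ip_address(client_ip)
    for match_net, order in sortlist:
        if client not in ipaddress.ip_network(match_net):
            continue
        nets = [ipaddress.ip_network(n) for n in order]

        def rank(addr):
            a = ipaddress.ip_address(addr)  # an IPv6 answer never matches an IPv4 net
            return next((i for i, n in enumerate(nets) if a in n), len(nets))

        return sorted(answers, key=rank)
    return list(answers)


def first_answer_is_local(client_ip, answers, sortlist=SORTLIST):
    """The check the post cares about: is the first address in the client's own /24?"""
    first = ipaddress.ip_address(sortlist_order(client_ip, answers, sortlist)[0])
    return first in ipaddress.ip_network(f"{client_ip}/24", strict=False)


if __name__ == "__main__":
    for client in ("192.168.37.50", "192.168.39.7", "10.0.0.5"):  # constructed clients
        print(client, "->", sortlist_order(client, ANSWERS)[0])
```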

2
Installation and Upgrades / Samba4 idmap
« on: January 10, 2013, 08:29:05 pm »
Hello!

I got myself quite a big problem with the file sharing module:
During the Christmas and New Year holidays I shut down my server, and when I returned I found out that the integrated ethernet broke in some way. After installing a new ethernet card, the workstations didn't recognize the server to authenticate domain users, and when I tried to remove them from the domain and add them again they wouldn't find the domain specified... So I read in a topic here in the forum that a guy removed the users and groups module and reinstalled it. That's what I did.

After that I could add the computers to the domain again, but I encountered another problem: some of the users had their UIDs mixed up with the SIDs, and also the groups are kind of crazy (when I log in as user alice and create a file, it is created with user bob as the owner, and that makes the workstations crazy because they cannot read back what they write in the logon folders).

So I had the idea to fix the UIDs in idmap.ldb... but that didn't change much of the problem for me. So I would like to know if there is another file that I can fiddle with to correct the UID / GID / SID associations.

Thanks a lot

3
Installation and Upgrades / zentyal.log gets a lot of garbage
« on: October 15, 2012, 04:27:56 pm »
I've been having some problems with my fresh installations of zentyal 3, and trying to diagnose what's wrong gets really hard because the file /var/log/zentyal/zentyal.log is getting a lot of garbage dumped into it, making it unreadable (the last one grew to 11GB in a couple of days!). Most of it is apparently some Perl script that gets dumped over and over. Here are the last 100 lines of my zentyal.log:

Code:
        </tr>

        <tr>
          <td>INTERNAL_IPS</td>
          <td class="code"><pre>()</pre></td>
        </tr>

        <tr>
          <td>STATIC_URL</td>
          <td class="code"><pre>&#39;/static/&#39;</pre></td>
        </tr>

        <tr>
          <td>EMAIL_PORT</td>
          <td class="code"><pre>25</pre></td>
        </tr>

        <tr>
          <td>SHORT_DATETIME_FORMAT</td>
          <td class="code"><pre>&#39;m/d/Y P&#39;</pre></td>
        </tr>

        <tr>
          <td>ABSOLUTE_URL_OVERRIDES</td>
          <td class="code"><pre>{}</pre></td>
        </tr>

        <tr>
          <td>DATABASE_OPTIONS</td>
          <td class="code"><pre>{}</pre></td>
        </tr>

        <tr>
          <td>CACHE_MIDDLEWARE_SECONDS</td>
          <td class="code"><pre>600</pre></td>
        </tr>

        <tr>
          <td>BANNED_IPS</td>
          <td class="code"><pre>()</pre></td>
        </tr>

        <tr>
          <td>ANONYMOUS_USER_ID</td>
          <td class="code"><pre>-1</pre></td>
        </tr>

        <tr>
          <td>DATETIME_INPUT_FORMATS</td>
          <td class="code"><pre>(&#39;%Y-%m-%d %H:%M:%S&#39;,
 &#39;%Y-%m-%d %H:%M&#39;,
 &#39;%Y-%m-%d&#39;,
 &#39;%m/%d/%Y %H:%M:%S&#39;,
 &#39;%m/%d/%Y %H:%M&#39;,
 &#39;%m/%d/%Y&#39;,
 &#39;%m/%d/%y %H:%M:%S&#39;,
 &#39;%m/%d/%y %H:%M&#39;,
 &#39;%m/%d/%y&#39;)</pre></td>
        </tr>

        <tr>
          <td>DATABASE_PASSWORD</td>
          <td class="code"><pre>&#39;********************&#39;</pre></td>
        </tr>

        <tr>
          <td>COMMENTS_MODERATORS_GROUP</td>
          <td class="code"><pre>None</pre></td>
        </tr>

        <tr>
          <td>PROFANITIES_LIST</td>
          <td class="code"><pre>&#39;********************&#39;</pre></td>
        </tr>

        <tr>
          <td>EMAIL_HOST_USER</td>
          <td class="code"><pre>&#39;&#39;</pre></td>
        </tr>

        <tr>
          <td>COMMENTS_BANNED_USERS_GROUP</td>
          <td class="code"><pre>None</pre></td>
        </tr>

    </tbody>
  </table>

</div>

  <div id="explanation">
    <p>
      You're seeing this error because you have <code>DEBUG = True</code> in your
      Django settings file. Change that to <code>False</code>, and Django will
      display a standard 500 page.
    </p>
  </div>

</body>
</html>

Is there a way to stop this behaviour? It is my 5th fresh install and it happens every time.

4
Installation and Upgrades / Domain name x Samba realm
« on: October 09, 2012, 07:55:33 pm »
Hello,

I've been trying the new zentyal, but I ran into a lot of problems installing it. I narrowed it down to a conflict between the DNS server and Samba. I wish there was a better explanation during installation about what names I should and shouldn't use for a samba realm, as I had to reinstall the whole thing once after typing the full domain name of the server (fix.mbmengenharia.com.br) as a realm, and now it seems that I also can't use the same root address (mbmengenharia.com.br) for both domain name and realm. Could someone throw me a bone and explain a bit where I should use each name? Also I think it would be a very good idea to explain this better in the installation screens.

5
Installation and Upgrades / pppoe failover
« on: March 21, 2012, 02:15:27 pm »
Hello,

I searched a lot and could not find a solution to my problem.

Is there a way to configure the failover in a way that when my pppoe connection stops responding, it tries to disconnect and dial again until it is successful?

6
Installation and Upgrades / Load Balancing makes VPN unstable
« on: July 21, 2011, 03:53:11 pm »
In the last months, I've been having a lot of problems with my VPN connections. They would get disconnected every 15 minutes or so, making my remote backup impossible. Also it was a drag to connect more than 2 users at a given time.
This last week one of my internet modems broke, and since then the connection hasn't dropped once, so I realized that the problem was with load balancing.
I'm guessing that the server switches the connection once in a while, forcing the clients to disconnect. I still want to be able to connect through both links, but in a way that one connection doesn't jump from one link to the other. Is that possible? I understand that if I set up a multigateway rule for VPN connections, I'll only be able to use one gateway for my VPNs. Is that a known issue?

7
I had a really hard time finding out what was the problem with my configuration when I tried to register an ATA as a VoIP extension.

I found out that the password for each user was the password I used when I created the user, not the password after the user has changed it through windows.

I'm not sure if this is a wanted behavior or not, but I guess it should be mentioned in the user manual.

8
Installation and Upgrades / Wan Failover - suggestions
« on: January 14, 2011, 07:35:13 pm »
I've enabled WAN failover for my 2 external interfaces, but it doesn't seem to be working... it always reports the first connection as down, even though it isn't.

I was checking the code in http://trac.zentyal.org/browser/trunk/client/network/src/EBox/Event/Watcher/Gateways.pm?rev=19535 to see if I could identify the problem, and I have a suggestion to improve it a little bit:

Instead of changing iptables rules on the fly for each test, it would be a lot easier to just use the built-in options of the programs that are used to test. It would be a lot cleaner to do it that way:

Ping to gateway: No need to change anything

Ping to host: using the -I option, it is possible to choose from which interface (or IP address) the packets will be sent. Something along the lines of:
Code:
# source the probe from the gateway's own address instead of rewriting iptables rules
my $src = $gw->valueByName('IP');
system("ping -c1 -W5 -I $src $host");
HTTP request: using the --interface option of curl, it is possible to choose from which interface (or IP address) the request will be sent, in the same way as the -I option in ping.

Name resolution: there is no option for an outbound IP or interface, but is this option really needed? The ping and wget commands, when given a host by its DNS name, will already resolve it. What's the point of having this as a separate option?

9
Installation and Upgrades / Can't disable VOIP as internal service
« on: January 10, 2011, 08:41:57 pm »
I can't get zentyal VoIP to work the way I want right now, so I placed one ATA inside the firewall to connect to a VoIP service, but the VoIP won't connect, apparently because VoIP is enabled in zentyal as an external service. I want to disable or delete it, but the line corresponding to it is grayed out and I cannot modify anything. Is there a way around this?

10
Installation and Upgrades / Log files growing huge
« on: January 07, 2011, 01:18:46 pm »
Around 2:00 PM yesterday, my server started to show a very high system load although it still maintained a low CPU usage. When I went to check /var/log/messages to see what could have happened at that time, I realized that the log file is quite big, filled with dumps from samba full_audit.

My server is being used for only one week, and it is already using 515MB for messages.log, 143 MB for syslog and another 515 MB for user.log.

Is this the normal behaviour? Do I need to clean my logs once a week so the server doesn't run out of space? Could the writing of the log files be the problem that is making my system load very high?

Is there a way to disable full audit for my shares?

11
Installation and Upgrades / Is there a change log?
« on: December 21, 2010, 02:25:55 pm »
On my dashboard I can see the following:
Core version    2.0.7 (2.0.11 available)

But I cannot find a changelog anywhere to know if I want to update now or wait a bit longer... Is there somewhere where I can see the closed bugs / new features in each minor release?
