

Messages - Panzerfather

1
News and Announcements / Re: Zentyal 4.2 available!
« on: October 25, 2015, 06:34:36 am »
I created this post https://forum.zentyal.org/index.php/topic,25556.msg96628.html#msg96628 and I would like to know if this problem gets fixed in this release.

This seems not to be a Zentyal problem; authentication against a Zentyal AD works. You've got a post in the thread! ;)

@J. A. Calvo:
Keep up the work! ;D

Is Zentyal now using all Ubuntu gcc packages as base, or does it provide its own again like in 4.1? This is a crucial problem when trying to extend Zentyal with software like WebVirtMgr! ::)

2
Alias /test "/apachetest/"
<Directory /apachetest/>
    Options Indexes FollowSymLinks Includes ExecCGI MultiViews
    AllowOverride None
    AuthBasicProvider ldap
    AuthType Basic
    AuthName "DEI Internal Website"
    AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=Administrator,cn=Users,dc=deidomain,dc=lan"
    AuthLDAPBindPassword "password"
    Require valid-user
</Directory>

If you haven't fixed it by now, the answer to your problem should be simple: the AuthLDAPURL you are using is spelled wrong. Instead of

AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"

it should be [without the comma after your domain]

AuthLDAPURL "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"

Just like https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html tells you! ;D And if you are not running LDAP on the same server (and pointing to localhost), you should also use a secured connection via ldaps:// instead of ldap://! ;)

Until now, none of the methods described before works.

Does your domain really end in "local"? On a Windows AD server this wouldn't cause any problems, but on a Linux AD server that's a bad idea because of mDNS problems: http://wiki.ubuntuusers.de/samba_winbind#Die-TLD-der-Domain-ist-local-example-local. It would be better to use another ending like lan or intranet if you want to avoid these problems.

What is the output of the following (only available on Windows)? Don't forget to replace youradminusername: ::)
dsquery user -name youradminusername

The credentials in the picture only work when Zimbra can convert them to a UPN, but that's unlikely. Otherwise they would simply be wrong for LDAP authentication.

Which of these credential formats for your USER DN did you also try?

1. DN format
cn=myadmin,cn=Users,dc=zentyal,dc=local

2. DN format (short)
cn=myadmin,dc=zentyal,dc=local

3. UPN format
myadmin@zentyal.local

Can you also post your zimbra config?
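An added check for the AuthLDAPURL fix described above (example code, not from the thread or from Zentyal): it parses the URL in the layout mod_authnz_ldap documents and flags the empty RDN left by the trailing comma, as well as plaintext ldap:// to a server that is not localhost. The two URLs from the thread are embedded as constants; the function names are my own, and escaped DN separators are not handled.

```python
"""Check an Apache mod_authnz_ldap AuthLDAPURL before reloading httpd.

Layout per mod_authnz_ldap: scheme://host[:port]/basedn[?attribute[?scope[?filter]]].
Escaped DN separators (\\,) are not handled.
"""
from urllib.parse import urlsplit

# The two URLs quoted in the thread: the broken one and the corrected one.
WRONG_URL = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan,?sAMAccountName?sub?(objectClass=*)"
FIXED_URL = "ldap://192.168.2.12:389/cn=Users,dc=deidomain,dc=lan?sAMAccountName?sub?(objectClass=*)"
LOOPBACK = {"localhost", "127.0.0.1", "::1"}


def parse_auth_ldap_url(url):
    """Split an AuthLDAPURL into its parts, applying mod_authnz_ldap's defaults."""
    u = urlsplit(url)
    # urlsplit stops the path at the first '?', so the LDAP-specific
    # attribute?scope?filter trailer lands in .query and is split again here.
    attribute, scope, filt = (u.query.split("?", 2) + ["", ""])[:3]
    return {
        "scheme": u.scheme,
        "host": u.hostname or "",
        "port": u.port or (636 if u.scheme == "ldaps" else 389),
        "base_dn": u.path.lstrip("/"),
        "attribute": attribute or "uid",          # documented default
        "scope": scope or "sub",                  # documented default
        "filter": filt or "(objectClass=*)",      # documented default
    }


def check_auth_ldap_url(url):
    """Return a list of findings; an empty list means the URL looks sane."""
    p = parse_auth_ldap_url(url)
    findings = []
    if p["scheme"] not in ("ldap", "ldaps"):
        findings.append(f"unknown scheme {p['scheme']!r}")
    # Every RDN must read attr=value. A trailing comma leaves an empty RDN,
    # which is exactly the defect in the quoted configuration.
    for rdn in p["base_dn"].split(","):
        name, sep, value = rdn.partition("=")
        if not (name.strip() and sep and value.strip()):
            findings.append(f"malformed RDN {rdn!r} in base DN {p['base_dn']!r}")
    if p["scope"] not in ("one", "sub"):
        findings.append(f"unsupported scope {p['scope']!r} (use one or sub)")
    if p["scheme"] == "ldap" and p["host"] not in LOOPBACK:
        findings.append(f"plaintext ldap:// to {p['host']}: bind password and user "
                        "credentials cross the network unencrypted; use ldaps://")
    return findings
```

Running `check_auth_ldap_url(WRONG_URL)` reports both the empty RDN and the plaintext connection; the corrected URL only keeps the ldaps:// advice from the reply.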

3
The reason why it isn't working is really simple: tracking of wrong password attempts and account lockout wasn't implemented in Samba until version 4.2.0. So you have to wait until Zentyal updates Samba to version 4.2 or greater.

See the Samba release notes for further information:
https://www.samba.org/samba/history/samba-4.2.0.html

4
/etc/krb.conf

Is your Kerberos file /etc/krb.conf or /etc/krb5.conf? "krb5.conf" is the right spelling.

/etc/krb5.conf:

[logging]
    default = FILE:/var/log/krb5libs.log
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/krb5admind.log

[libdefaults]
    default_realm = HOPTO.ORG
    dns_lookup_realm = true
    dns_lookup_kdc = true

[realms]
    HOPTO.ORG = {
        kdc = xenon.hopto.org
        admin_server = xenon.hopto.org:749
        default_domain = hopto.org
    }

[domain_realm]
    hopto.org = HOPTO.ORG
    .hopto.org = HOPTO.ORG

[kdc]
    profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
    pam = {
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false
    }

/etc/samba/lmhosts is OK.

/etc/samba/smb.conf
[global]
    security = ads
    workgroup = YOURWORKGROUP
    realm = HOPTO.ORG
    encrypt passwords = yes
    #password server = xenon.hopto.org ; <-- For the initial setup it's sometimes needed to uncomment this line.
    idmap config *:backend = tdb
    idmap config *:range = 100001-110000
    winbind cache time = 10
    winbind enum users = yes
    winbind enum groups = yes
    winbind offline logon = yes
    winbind refresh tickets = yes
    template homedir = /home/%D/%U
    template shell = /bin/bash
    domain master = no
    local master = no
    preferred master = no
    dns proxy = no
    wins server = xenon.hopto.org
    wins proxy = no
    inherit acls = yes
    map acl inherit = yes
    acl group control = yes
    load printers = no
    os level = 0
    max protocol = SMB2

/etc/nsswitch.conf
passwd:       compat winbind
shadow:       compat
group:        compat winbind

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Please make sure that you replace the domain, workgroup and server with your own. Also make sure that your clocks are synchronized via an NTP server, and create a folder named after your domain under /home/ (e.g. /home/HOPTO).

5
Thanks for the info,

But I've tried to follow these guides with clean Centos boxes, and they are failing in the same way as before.

How do I debug schannel issues? What ports are in play, etc?

Ports should be OK; otherwise you couldn't reach the server at all, but you do, as the "NT_STATUS_ACCESS_DENIED" shows. Did you synchronize the time on ALL machines?

If this also fails, please post the following files:
/etc/krb5.conf
/etc/samba/lmhosts
/etc/samba/smb.conf
/etc/nsswitch.conf

6
When attempting to join the Centos box, the computer object gets created in AD Users and Computers, but there seems to be no trust relationship created.

The error I get is the following

# net join -U Administrator -S xxxxx.xxxxx.xxx
Enter Administrator's password:
libnet_join_ok: failed to get schannel session key from server xxxxx.xxxx.xxx for domain XXXXX. Error was NT_STATUS_ACCESS_DENIED
Failed to join domain: failed to verify domain membership after joining: Access denied
ADS join did not work, falling back to RPC...
Could not initialise lsa pipe
Enter Administrator's password:
net_rpc_join_ok: failed to get schannel session key from server xxxxx.xxxxx.xxx for domain XXXXX. Error was NT_STATUS_ACCESS_DENIED
Unable to join domain XXXXX.

The schannel problem says that there is a Kerberos problem setting up a secure channel, and it has nothing to do with Zentyal in this case. If you just ran the "net join" command without configuring Samba and Kerberos on that machine, it is bound to fail.

To easily set up AD authentication you can use authconfig-tui or authconfig-gui (at least in Fedora), where you can set up your options via a GUI. [http://funwithlinux.net/2013/10/join-centos-6-to-active-directory-domain/]

Or via command line. [https://digitalchild.info/active-directory-authentication-with-centos/]

7
Installation and Upgrades / Re: OpenChange and Evolution?
« on: August 05, 2014, 08:52:25 am »
Thanks again, but one of my questions was how do you import the certificate into the client. I read the documentation, and it says if you are trying to connect via HTTPS then you need to "import the certificate displayed in the image above", but it doesn't give you any hints how to do that. I did open the HTTPS port, but I figured the problem was not being able to import the certificate.

It depends on your Outlook version. Try this: http://support.microsoft.com/kb/823503 or just search for "outlook 2010"+"import certificate" on your favourite search engine.

Also, do you have any idea if getting davmail (http://davmail.sourceforge.net/) would work?

No, sorry. Never used it.

8
Installation and Upgrades / Re: OpenChange and Evolution?
« on: August 02, 2014, 02:35:42 pm »
Really? Nobody is using a Linux workstation and wants to use the spiffy new OpenChange server? I have been trying, and I have yet to be able to connect to the OpenChange server with anything: Evolution, Outlook, nothing. What a mess. Of course I am trying to connect from an "external" network. Has anybody got Outlook working with that at least? If so, can you share how you imported the certificate? The documentation kind of glosses over how to do that.

Running OpenChange with Evolution depends on your version and the plugin you try to use. The evolution-ews plugin can't connect to an OpenChange server until the Autodiscover service is implemented. This feature is planned for Zentyal 4.0, but even OpenChange doesn't have it directly integrated. The evolution-mapi plugin was dropped around Evolution 3.6/3.8, so it can't be used on newer distros.

For Outlook it also depends on your version: 2013 can't be connected either, but 2003/2007/2010 should work at least internally. RPC over HTTP, as used in Microsoft Outlook Anywhere, is also not supported right now.

To reach the MAPI proxy and connect your Outlook 2003/2007/2010 you have to open the HTTP/HTTPS ports on your external interface.

More details here:
https://wiki.zentyal.org/wiki/En/3.5/OpenChange_%28Microsoft%28R%29_Exchange_native_replacement%29#Configuring_the_Microsoft.C2.AE_Outlook_Client

9
News and Announcements / Re: Zentyal 4.0 Roadmap Published!
« on: August 02, 2014, 04:31:31 am »
First of all, about the dropped modules, as the roadmap announcement says: "Documentation will be provided on configuring some of these services with specific software and naturally, community members interested in maintaining any of these modules will be warmly welcome."

First of all, I am a bit disappointed that Zentyal is cut down this way, but I can understand the background behind it. For me it's cut down a little too widely in some points, and I want to explain why, the thoughts behind it in detail, and MAYBE a solution to get the best out of it. Maybe a synapse between free and paid modules for the community edition will lead a way out of this scenario (like in ClearOS).

Now to the points I thought of. I have no problem with the removal of:
- IPS module
- RADIUS module
- IPsec module
- Free Zentyal Account
- Webmail module (Roundcube)

For a maximally secured network setup, Firewall + IPS + RADIUS should always be outsourced to another (hardware / virtual) machine. There are enough (free/open source/paid) distributions like IPFire, pfSense, Smoothwall that can be used for this purpose and have the same or better functionality in these areas than Zentyal.
What I don't understand about removing these security modules is that the Squid module won't be removed as well, because running Squid on a system without an IPS can be very dangerous. All of the mentioned distros also support setting up a web proxy in an easy way (at least IPFire does). The VPN service could also be removed because it can be run on these distros.
The removal of the free Zentyal Account suggests that it is either not used or too expensive to provide. If it is the latter, then it could be converted into a paid module.
The Webmail module (Roundcube) won't be a great loss when it is replaced with SOGo webmail.

But I'm a bit concerned about the removal of:
- UPS module (NUT)
- Backup module (Duplicity)
- Monitor module

When people have to split up security and their mail + AD system because of the removal of the security modules, you must keep in mind that they need to handle at least two machines. So they have more work to stay updated and need to be informed if something is going wrong.
Therefore the Monitor module is the right thing and makes a real difference compared to other AD/Exchange servers which don't have this functionality; even Windows SBS and 2012 servers don't have such reporting functionality.
The UPS module (NUT) made it so easy to connect and set up a UPS. Nowadays it is essential to have such a module to avoid data loss and get a clean server shutdown before running out of power.
A backup module is also essential for the kind of environment Zentyal wants to play in. Administrators should have an easy way to back up and/or restore files when they need to, and therefore Duplicity is the best solution for now. Bacula is too complicated to be run in a small business environment because of its overly powerful interface and shell usage. It has no GUI interface at all, so your target audience won't be reached at all.
Correct me if I'm wrong, but which of the companies you support have their own Linux administrator? So all these 3 modules are essential for the audience you want to reach and where you have the niche you should focus on.

Now to my SOLUTION I thought of:

Why doesn't Zentyal integrate a "paid" module solution like the ClearOS foundation has?

As an example [because there are a lot more modules like these in ClearOS]:
For the ClearOS community edition there is a paid Zarafa module with Outlook integration which costs about 10 EUR and is supported by a freelancer, not by ClearOS directly.

Maybe that's a way Zentyal could also inspire the community to do more work and get a "little" payment back for the time and work they spend providing and supporting modules for Zentyal. I know that there is much work to do to integrate such a workflow, but I think this could be the way to get through without cutting down the potential Zentyal has too much.
From my point of view I wouldn't have a problem spending 5-10 EUR per module/year to have the UPS module (NUT), Backup module (Duplicity) and Monitor module back again. Directly from Zentyal or from someone in the community.

These are my thoughts about the future of the Zentyal development.
