Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
1
Installation and Upgrades / DNS leaks private addresses for domains
« on: March 10, 2013, 07:39:20 am »
Network
1. configure eth0 as external ppoe.
2. configure eth1 as internal: 10.0.0.1
3. witness eth0 having a public IP of something like : 203.222.111.001
DNS
1. install and enable dns module
2. dns > domains : [+Add New]
3. provide domain name (example.com), save changes
4. dns > domains > [example.com > Domain IP Addresses]
5. witness it having two IP addresses : 10.0.0.1 and 203.222.111.001
DNS Registrar
1. bind your zentyal dns server to ns1.example.com ns*.example.com
Android Phone
1. disable wifi connection to local network, enable mobile data (3g, etc)
2. install network tools
3. swipe to DNS Dig pane
4. query example.com
5. witness external client is given private address of server
$ host example.com
example.com has address 203.222.111.001
example.com has address 10.0.0.1
example.com has IPv6 address ::1
example.com mail is handled by 10 ns.example.com.
Expected Results:
Query results should only contain private address results for internal queries (via eth1 or localnet)
1. configure eth0 as external ppoe.
2. configure eth1 as internal: 10.0.0.1
3. witness eth0 having a public IP of something like : 203.222.111.001
DNS
1. install and enable dns module
2. dns > domains : [+Add New]
3. provide domain name (example.com), save changes
4. dns > domains > [example.com > Domain IP Addresses]
5. witness it having two IP addresses : 10.0.0.1 and 203.222.111.001
DNS Registrar
1. bind your zentyal dns server to ns1.example.com ns*.example.com
Android Phone
1. disable wifi connection to local network, enable mobile data (3g, etc)
2. install network tools
3. swipe to DNS Dig pane
4. query example.com
5. witness external client is given private address of server
$ host example.com
example.com has address 203.222.111.001
example.com has address 10.0.0.1
example.com has IPv6 address ::1
example.com mail is handled by 10 ns.example.com.
Expected Results:
Query results should only contain private address results for internal queries (via eth1 or localnet)
2
Installation and Upgrades / zentyal-zarafa uninstallable
« on: July 01, 2012, 08:32:52 am »Code: [Select]
$ cat /etc/apt/sources.list.d/zentyal-2_3-precise.list
deb http://ppa.launchpad.net/zentyal/2.3/ubuntu precise main
deb-src http://ppa.launchpad.net/zentyal/2.3/ubuntu precise main
Code: [Select]
$ sudo apt-cache show zentyal-zarafa
Package: zentyal-zarafa
Priority: optional
Section: web
Installed-Size: 208
Maintainer: José Antonio Calvo <jacalvo@zentyal.org>
Architecture: all
Version: 2.3
Replaces: ebox-zarafa (<< 2.0.100)
Depends: zentyal-core (>= 2.3), zentyal-core (<< 2.3.100), zentyal-mail, zentyal-webserver, zarafa, zarafa-webaccess, zarafa-webapp, aspell
Filename: pool/main/z/zentyal-zarafa/zentyal-zarafa_2.3_all.deb
Size: 30812
MD5sum: 892b9cade75efcb899ab2a0602078d05
SHA1: 7e7b21a2f31b484ff55b3c8390117fcfd7be803c
Description: Zentyal - Groupware (Zarafa)
Zentyal is a Linux small business server that can act as
a Gateway, Unified Threat Manager, Office Server, Infrastructure
Manager, Unified Communications Server or a combination of them. One
single, easy-to-use platform to manage all your network services.
.
This module adds Zarafa integration with Zentyal.
Code: [Select]
$ sudo apt-get install zentyal-zarafa
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
zentyal-zarafa : Depends: zarafa but it is not installable
Depends: zarafa-webaccess but it is not installable
Depends: zarafa-webapp but it is not installable
E: Unable to correct problems, you have held broken packages.
3
Installation and Upgrades / can't login to the admin interface
« on: June 30, 2012, 12:28:13 pm »
title says it all...
i CAN ssh to the machine
i CAN use sudo on the machine
so i am god on this machine.
I have purged zentyal and reinstalled it at least four hundred gazillion times....
and it still won't let me login with my sudo enabled password
i CAN ssh to the machine
i CAN use sudo on the machine
so i am god on this machine.
I have purged zentyal and reinstalled it at least four hundred gazillion times....
and it still won't let me login with my sudo enabled password
Code: [Select]
$ groups
administrator adm sudo admin
administrator@edge:~$ id
uid=1000(administrator) gid=1000(administrator) groups=1000(administrator),4(adm),27(sudo),145(admin)
administrator@edge:~$ sudo service zentyal restart
* Stopping Zentyal module: webmail [ OK ]
* Stopping Zentyal module: usercorner [ OK ]
* Stopping Zentyal module: squid [ OK ]
* Stopping Zentyal module: radius [ OK ]
* Stopping Zentyal module: mailfilter [ OK ]
* Stopping Zentyal module: mail [ OK ]
* Stopping Zentyal module: jabber [ OK ]
* Stopping Zentyal module: ftp [ OK ]
* Stopping Zentyal module: captiveportal [ OK ]
* Stopping Zentyal module: asterisk [ OK ]
* Stopping Zentyal module: webserver [ OK ]
* Stopping Zentyal module: virt [ OK ]
* Stopping Zentyal module: users [ OK ]
* Stopping Zentyal module: trafficshaping [ OK ]
* Stopping Zentyal module: pptp [ OK ]
* Stopping Zentyal module: openvpn [ OK ]
* Stopping Zentyal module: ntp [ OK ]
* Stopping Zentyal module: logs [ OK ]
* Stopping Zentyal module: ipsec [ OK ]
* Stopping Zentyal module: ids [ OK ]
* Stopping Zentyal module: events [ OK ]
* Stopping Zentyal module: ebackup [ OK ]
* Stopping Zentyal module: dns [ OK ]
* Stopping Zentyal module: dhcp [ OK ]
* Stopping Zentyal module: ca [ OK ]
* Stopping Zentyal module: audit [ OK ]
* Stopping Zentyal module: antivirus [ OK ]
* Stopping Zentyal module: firewall [ OK ]
* Stopping Zentyal module: network [ OK ]
* Stopping Zentyal module: apache [ OK ]
* Starting Zentyal module: network [ OK ]
* Starting Zentyal module: firewall [ OK ]
* Starting Zentyal module: antivirus [ OK ]
* Starting Zentyal module: audit [ OK ]
* Starting Zentyal module: ca [ OK ]
* Starting Zentyal module: dhcp [ OK ]
* Starting Zentyal module: dns [ OK ]
* Starting Zentyal module: ebackup [ OK ]
* Starting Zentyal module: events [ OK ]
* Starting Zentyal module: ids [ OK ]
* Starting Zentyal module: ipsec [ OK ]
* Starting Zentyal module: logs [ OK ]
* Starting Zentyal module: ntp [ OK ]
* Starting Zentyal module: openvpn [ OK ]
* Starting Zentyal module: pptp [ OK ]
* Starting Zentyal module: trafficshaping [ OK ]
* Starting Zentyal module: users [ OK ]
* Starting Zentyal module: virt [ OK ]
* Starting Zentyal module: webserver [ OK ]
* Starting Zentyal module: asterisk [ OK ]
* Starting Zentyal module: captiveportal [ OK ]
* Starting Zentyal module: ftp [ OK ]
* Starting Zentyal module: jabber [ OK ]
* Starting Zentyal module: mail [ OK ]
* Starting Zentyal module: mailfilter [ OK ]
* Starting Zentyal module: radius [ OK ]
* Starting Zentyal module: squid [ OK ]
* Starting Zentyal module: usercorner [ OK ]
* Starting Zentyal module: webmail [ OK ]
* Starting Zentyal module: apache [ OK ]
administrator@edge:~$ sudo tail /var/log/zentyal/zentyal.log -f
...
2012/06/30 19:57:48 WARN> Auth.pm:160 EBox::Auth::authen_cred - Failed login from: 10.0.0.10
4
Installation and Upgrades / 2.3, Samba4 & Radius
« on: March 18, 2012, 04:37:40 am »
Currently the radius configuration used by Zentyal 2.3 Community Beta is not compatible with Samba4.
The zentyal setup still assumes the following aspects about how user and group data is stored in the ldap database :
* users will have a objectClass of "posixAccount"
* users group membership will only be described in a separate ldap entry (and tree)
* groups are having a objectClass of "groupOfNames"
* that group objects are under a separate ldap tree : OU=Groups,blahblah
All of these assumptions are now wrong in Samba4.
Here is the reality:
A Group created by Zentyal 2.3 with Samba4
A User Created in Zentyal 2.3 with Samba4
I was forced to look into this since my wifi access is controlled by radius.
So when the recent update occured none of my users could authenticate anymore (since radius is configured to search with all the wrong parameters)
So far I have come up with this :
However while running :
I see two things :
1. some posixGroup stuff being added to the search (i can't find where to delete this extra search stuff)
2. radius expects to find passwords in the ldap user object.
The zentyal setup still assumes the following aspects about how user and group data is stored in the ldap database :
* users will have a objectClass of "posixAccount"
* users group membership will only be described in a separate ldap entry (and tree)
* groups are having a objectClass of "groupOfNames"
* that group objects are under a separate ldap tree : OU=Groups,blahblah
All of these assumptions are now wrong in Samba4.
Here is the reality:
A Group created by Zentyal 2.3 with Samba4
Code: [Select]
dn: CN=wifi,CN=Users,DC=zentyal,DC=domain
objectClass: group
objectClass: top
groupType: -2147483646
instanceType: 4
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=zentyal,DC=domain
cn: wifi
distinguishedName: CN=wifi,CN=Users,DC=zentyal,DC=domain
member: CN=Jane Doe,CN=Users,DC=zentyal,DC=domain
member: CN=John Doe,CN=Users,DC=zentyal,DC=domain
name: wifi
objectGUID:: Za9b4OfWRkKLAuU1/zPyrA==
objectSid:: AQUAAAAAAAUVAAAAllabmZd1SQdnd4y4UgQAAA==
sAMAccountName: wifi
sAMAccountType: 268435456
uSNChanged: 3660
uSNCreated: 3658
whenChanged: 20120317091826.0Z
whenCreated: 20120317091812.0Z
A User Created in Zentyal 2.3 with Samba4
Code: [Select]
dn: CN=John Doe,CN=Users,DC=zentyal,DC=domain
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: user
cn: John Doe
instanceType: 4
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=zentyal,DC=domain
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
countryCode: 0
displayName: John Doe
distinguishedName: CN=John Doe,CN=Users,DC=zentyal,DC=domain
givenName: John
lastLogoff: 0
lastLogon: 0
logonCount: 0
memberOf: CN=wifi,CN=Users,DC=zentyal,DC=domain
name: John Doe
objectGUID:: 3qBTtpvCeUWpyrkUYBg8uA==
objectSid:: AQUAAAAAAAUVAAAAllabmZd1SQdnd4y4UAQAAA==
primaryGroupID: 513
pwdLastSet: 129764595980000000
sAMAccountName: johndoe
sAMAccountType: 805306368
sn: Doe
userAccountControl: 640
userPrincipalName: johndoe@zentyal.domain
uSNChanged: 3661
uSNCreated: 3650
whenChanged: 20120317120638.0Z
whenCreated: 20120317090353.0Z
I was forced to look into this since my wifi access is controlled by radius.
So when the recent update occured none of my users could authenticate anymore (since radius is configured to search with all the wrong parameters)
So far I have come up with this :
Code: [Select]
/etc/freeradius/modules/ldapCode: [Select]
ldap {
server = "10.0.0.1"
identity = "CN=Administrator,CN=Users,DC=zentyal,DC=domain"
password = Zentyal1234
basedn = "dc=zentyal,dc=domain"
filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=wifi,CN=Users,DC=zentyal,DC=domain))"
ldap_connections_number = 5
timeout = 4
timelimit = 3
net_timeout = 1
tls {
start_tls = no
}
access_attr = "msNPAllowDialin"
dictionary_mapping = ${confdir}/ldap.attrmap
edir_account_policy_check = no
}
However while running :
Code: [Select]
sudo freeradius -xI see two things :
1. some posixGroup stuff being added to the search (i can't find where to delete this extra search stuff)
Code: [Select]
[files] expand: (|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn}))) -> (|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
2. radius expects to find passwords in the ldap user object.
Code: [Select]
WARNING: No "known good" password was found in LDAP. Are you sure that the user is configured correctly?
because these two things make the query fail i can't authenticat my users through radius for wifi access.5
Installation and Upgrades / 2.3, Samba4 & Apache Directory Studio
« on: March 18, 2012, 04:24:52 am »
So some of you may be trying to figure out how to connect to the new LDAP server which is internally controlled by Samba4.
Prepare Samba4 for Users and Groups
* Heading over to file sharing
* click "Change"
* Witness it's desire to save system changes without you having changed anything.
* Click the large red "Save Changes" button up the top.
$ sudo tail /var/log/syslog
You will see samba4 perform the provisioning steps, setting up the new kerberos domain, new ldap database, etc, etc.
Step Two
Connect with Apache Directory Studio
* Fire up Apache Directory Studio
* Create a new LDAP server connection with the following details:
* HOSTNAME will be the IP address of your Zentyal Server
* PORT will be : 389
* ENCRYPTION : Use StartTLS Extension
* Click "Check Network Parameter" >> should report succesful (you may need to accept self signed cert)
* Move to the Authentication Tab, fill in the following information:
* Bind DN or User : administrator@zentyal.domain
* Bind Password: Zentyal1234
* Click "Check Authentication", should report successful.
* Either finalise configuration with the OK button, or
* restrict the tree to by moving to the "Browsing Options" Tab
* Base DN: DC=zentyal,DC=domain
Quote
WarningStep One
If you've already barrelled ahead and created users and groups be prepared to loose them. It seems to my limited testing that Zentyal 2.3 Community Beta (as of writing this) creates users and groups in the old standalone ldap database and not in the Samba4 database. I could be wrong however it remains that i couldn't connect to either until i performed step one.
Prepare Samba4 for Users and Groups
* Heading over to file sharing
* click "Change"
* Witness it's desire to save system changes without you having changed anything.
* Click the large red "Save Changes" button up the top.
$ sudo tail /var/log/syslog
You will see samba4 perform the provisioning steps, setting up the new kerberos domain, new ldap database, etc, etc.
Step Two
Connect with Apache Directory Studio
* Fire up Apache Directory Studio
* Create a new LDAP server connection with the following details:
* HOSTNAME will be the IP address of your Zentyal Server
* PORT will be : 389
* ENCRYPTION : Use StartTLS Extension
* Click "Check Network Parameter" >> should report succesful (you may need to accept self signed cert)
* Move to the Authentication Tab, fill in the following information:
* Bind DN or User : administrator@zentyal.domain
* Bind Password: Zentyal1234
* Click "Check Authentication", should report successful.
* Either finalise configuration with the OK button, or
* restrict the tree to by moving to the "Browsing Options" Tab
* Base DN: DC=zentyal,DC=domain
6
Installation and Upgrades / Prevent users sending mail to certain external domains.
« on: February 01, 2012, 04:53:10 am »
We run zentyal server in a small business environment, where it provides most of the services zentyal can provide.
We also have several less than sensibly attentive employees that do not pay attention to whom they are sending emails (half of the time).
What I would like to do, is configure a mail filter rule in zentyal that prevents anyone from sending email to a certain domain (of which i have no control of ).
We also have several less than sensibly attentive employees that do not pay attention to whom they are sending emails (half of the time).
What I would like to do, is configure a mail filter rule in zentyal that prevents anyone from sending email to a certain domain (of which i have no control of ).
Pages: [1]