Just checking if this is normal?
Booting Zentyal 3.5 is pretty fast as compared to previous versions.
But I've noticed that, once at the desktop and opening the admin page, it is not available.
Also during that time, there is no network connectivity, no Internet.
It takes several minutes before the admin interface becomes available, and everything starts to work.

Is this normal? Do others experience the same issue?


Looking at the bug tracker, I see that most previous Zentyal releases are no longer maintained.
The recommendation is "upgrade to a newer version".
I've just installed Zentyal 3.5, but Zentyal 4.0 will be released next month.
So the obvious question is: Will bugs in Zentyal 3.5 be fixed after Zentyal 4.0 is released?


The switch from Zentyal 2.2 to 3.5 is a big step forward and there are a lot of changes.
Biggest change is perhaps Samba 4, and I can't get the ACL's right.

I need to share the root of a drive so that the user with administrator role can change, delete, create whatever file in whatever folder.
On that same drive, there's a folder "scanned" that contains documents from a scanner.
Two users have access to that folder, one read and one read/write.
And of course, the admin user needs to have full access.

So I created the admin user, set "apply ACL's recursively" on the whole drive and that worked OK.
But then I created the other two users and applied the ACL at the "scanned" folder.
Saving changes - no errors reported (commented out the full audit again) but the folder is visible from Windows with the two users listed in permissions.
But the owner of "scanned" is still the admin user, so even if the other two have correct credentials, they would not be able to see the contents.
And that's what happens, when I share that folder as a network drive, giving the correct credentials Samba denies access.

Only modification done to smb.conf is commenting out "full audit" hoping to speed up the process of setting ACL.

Edit: This topic in Spanish describes exactly my issue with denied access on subfolders:

Before I go that route, let's try to get it right with Samba first. If all else fails, above link would be my last effort.



This weekend my raptor gave up, so I had to do a server rebuild.
I was using 2.2 but it is way too old now, so decided to use Zentyal 3.5.

First impressions: Much better overall, but it has some quirks. Especially the way Squid has been implemented.
Zentyal 3.5 has no forward proxy port configured in squid.conf, and this error spams the cache.log eternally.
Adding the port is necessary, even if you don't use forward proxy.   

Solves the constant error in cache.log. I don't know if this breaks something, because the port is referenced in the config file.

Another quirk is the not-completely disabled IPv6.
Squid tries to bind to IPv6 addresses (DNS) and this of course errors out.

Code: [Select]
commBind: Cannot bind socket FD 21 to [::1]: (99) Cannot assign requested address
commBind: Cannot bind socket FD 22 to [::1]: (99) Cannot assign requested address
ERROR: Failed to create helper child read FD: UDP[::1]
Accepting NAT intercepted HTTP Socket connections at local= remote=[::] FD 20 flags=41

This is a bit sloppy, I tried to put the ipv4 first directive in the config file, but it had no effect, the errors in cache.log remain.
Zentyal devs should really fix this.

For those that want to monitor the hit/miss rate, do not look at access.log but instead look at external-access.log.
Another weak point is the Samba 4 implementation.
I have 3 x 3 TB disks about 70% filled, there is a Zoneminder storage and a lot of other files.
When creating a share and defining ACL's, the saving process literally takes days.
This makes Samba as a file server completely useless.
At this point in time I've only been able to add one user because of this.

The good, but not Zentyal related:
Zoneminder latest build works fantastic. Now the wait is for storing events in mp4 format.


Got myself a vlan enabled switch, so let the fun get started :-)
Before borking yet another Zentyal install, I would like to ask the devs if routing between subnets and/or vlans is something that can be disabled?
I've read some topics on the forum (vhaulsk for example) and it is possible to isolate vlans by means of firewall rules.
But it would be much easier if routing between subnets/vlans can be disabled from the admin interface.

Don't know if my question makes sense, if it does please consider this a feature request.


Installation and Upgrades / [SOLVED]"Stuck" dhcp lease.
« on: March 10, 2014, 08:44:58 pm »
For some days, the DHCP widget on the Zentyal admin page is showing one, non existent DHCP lease.
Don't know why or how it happened, but I'd like to delete that.
Tried searching for the DHCP "lease" file, but could not find it.
In the syslog, for the last few days, no lease was given to that specific MAC address.

Tried restarting DHCP module and rebooting the whole server, but the non existent DHCP lease remains.
If someone knows how to get rid of the phantom dhcp lease, please elaborate.


After the most recent updates, I'm now getting a warning message on top of the admin interface:

Please note that the maximum number of users for Community is and you currently have xx

I'm sure this possible restriction has been implemented in the latest updates, but I'm puzzled: Why?
What is the maximum number of users in Zentyal community edition?
Is it necessary to limit an older version 2.2.11?

Needless to say that this could as well mean the end of my Zentyal server, as this is a non profit project.


After today's updated core and IPSec modules, the dashboard shows IPSec as stopped.
SSH into the server, tried to stop and start the service. This is the output:

Code: [Select]
root@myserver:~# service ipsec stop
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: stop ordered, but IPsec appears to be already stopped!
ipsec_setup: doing cleanup anyway...
ipsec_setup: ERROR: Module xfrm_user is in use

Starting IPSec:

Code: [Select]
root@myserver:~# service ipsec start
ipsec_setup: Starting Openswan IPsec U2.6.23/K2.6.32-50-server...

Service still shows as stopped on the dashboard.


Installation and Upgrades / not resolving.
« on: August 20, 2013, 07:22:42 pm »
I'm using the domain included in the community edition to remotely manage a Zentyal 3.0 server.
I've also set up Zoneminder that can be accessed at
But sometimes it seems that the domain can't be resolved, so the only way to get to the admin interface is by IP address.
I've tried using Google public DNS and also Zentyal internal DNS cache but sadly the domain won't resolve to IP.

Is this something on my side or could it be that something went south at Zentyal headquarters?


Ok this post is a report on my attempts to make load balancing work on Zentyal 2.2.7.
In short, it is not as straightforward as it looks, and I'll explain why.

Let's start with the first scenario, one static interface with public IP address, the other interface dynamic PPPoE using included pppd with a bridged adsl2+ modem.
Either the pppd implementation is in early alpha stage or incredibly buggy, well - when you have ONE interface it works but if you try to balance between
one static and another pppoe it's a no-go.
I found that every change to the static gateway also disconnected the PPPoE interface.
Likewise, adding, changing or removing rules also disconnects both interfaces.

The problem lies in the method how the PPPoE connection is ended. A non-clean termination causes a "hung" session at the provider's side, and to detect this can take a long time.
While testing, my PPPoE interface would come up only after 30 minutes or sometimes one hour.
That in turn results in Zentyal reporting firewall errors, because when saving changes, the PPPoE gateway is down.
So while PPPoE authentication worked before with only one interface, when doing load balancing I was forced to use my adsl2+ modem as a PPPoE client, and make it as transparent as possible. I'm not excited about double routing and getting all sorts of port issues.
The penalty of this method is latency, the poor adsl2+ modem has a lot more to cope with now.

Now having two static interfaces, the load balancing worked better. But then, another issue came up.
Load balancing breaks video conferencing, online games and my security cameras would go black after a while.
Obviously this has to do with traffic going out on the second interface while the remote client is still connected to the first from which the connection was initiated.
So this can be solved eventually, but it requires setting traffic rules for each and every application and service.
This is just not feasible because it takes a lot of work.

What does work? Interface metrics are OK. The weight of each interface can be adjusted and it gives the expected results.
Rules by themselves are also working. I could set rules for different traffic types like sending DNS out on one interface etc. all OK.
But what I wanted to achieve, the load balancing using two interfaces simultaneously, is not possible.

At this point, to make use of my second interface with the adsl2+ modem connected, I have the load balancing option disabled and set some rules
for specific traffic type to go out on that interface.
Bandwidth is only 512Kb (yes, in Colombia that's still considered high speed Internet) so my options are a bit limited.
Anyway, if others can share their views and/or experiences it would be nice.



So I did some reading on how to make Squid respond faster.
My Zentyal 2.2.7 server is running smooth, but I think it can be a bit better.
At this moment the whole installation sits on a WD raptor 10k harddisk. Squid cache is 10GB.
To obtain faster response times I would like to change the physical media and the way it is used.
These are some possible ideas.

- Put it all on SSD drive. Drawback is that it will wear out pretty soon.
- Leave Zentyal on the raptor 10k, add the 120GB SSD and use only for /var, lots of free space to do balanced writes and prolong SSD life
- Put in another 4GB of RAM and make a Linux ramdisk to use that as Squid cache-dir
- Use compact flash card for /var. Drawback that it can be damaged easily or pulled out of the system by someone
- Rob a bank and buy the SLC or eMLC based SSD that will last as a cache drive

And the software "tweaks" as you may call them:

- Use reiserFS for the cache dir as it performs better with small files (Ubuntu12 supports reiserFS I lazily assume)
- Use aufs for populating the cache dir instead of ufs
- Use more memory for Squid so less physical storage is used (that would need hacking into config files)
- Go adventurous and install Zentyal 3.0 to get Squid 3.x that is not single threaded as opposed to Squid 2.x

Well that sums it up, a lot of possible solutions.
I would love to hear some comments on this, what you think is best or how do you have it setup at your turf.
Little remark: No raid setup please, goal is to make something more energy efficient and getting rid of spinners is preferred.
The number of users lies anywhere between 40 and 60.


Last week I had a change of Internet providers.
Before I had an Adsl2+ connection and was using eth3 as the pppoe interface, with the adsl modem bridged.
Now eth3 has changed from pppoe to static, and the modem is no longer bridged but routed.

The problem is, according to the logs, pppd is still hammering to connect eth3 as a pppoe interface.
Now that eth3 is changed to static, pppd should no longer try to connect.
In fact, at this moment pppd is not needed at all, the adsl modem will be doing the authentication and as such, it is a pppoe client.   

On a side note, the pppoe implementation in Zentyal proved to be very problematic when doing load balancing and failover.
The combination of one static and one pppoe interface for load balancing and multi gateway rules is a no-go.
I'll start another topic about this to share my experiences.
Edit: All this applies to Zentyal 2.2.7.

Today's new bind9 updates do not yet work well together with the Zentyal users module, and this can cause problems.
Hold off on updating until the Zentyal team provides more information about this.


Just finished setting up a VPN server and tested it with some remote clients mapping shares. It works!
The procedure is not that hard to follow, I used the 3.0 official documentation to start and will only outline the steps I took and comment on some possible pitfalls.

Create the certificate for your remote clients. You will need one for each client that's going to log on.
Setup the VPN server and advertised networks as explained in the docs.
When downloading the client bundle, make sure the server name can be resolved, in my case this was not possible and I had to edit the .ovp file afterwards.
Do not include the installer, it's an old one. Better download OpenVPN 2.2.2 from the homepage (thanks Cardinal for his tip).

When using Windows Vista, 7 or 8 make sure to run the OpenVPN connection as admin, else it won't work.
Some may be alarmed by the title "public network" and the expected inability to browse it, don't worry - it will browse regardless.
I had to use IP addresses to map network shares but I knew that beforehand.

VPN client working on Windows 8, remote server is running Zentyal 3.0.6.


Installation and Upgrades / Issue with dynamic dns.
« on: November 18, 2012, 06:54:57 am »
To be able to manage my clients server remotely, the new dynamic dns option would be ideal.
If it only worked....
The setup consists of a cable modem, no router, connected to the external interface of the Zentyal server.
Eth0 gets a public IP address from the ISP and after setting up the firewall rules for administration, I can get to the server by IP address just fine.
I can enter the admin page and even the webserver is working (zoneminder is being served).

However, when I try to do this:


The browser returns a DNS error.
So logically, we check if the name resolves to IP address, and indeed it resolves to the public IP address of the zentyal server.
Why can't I access the server by its name?

This could be an issue later because the client needs a VPN setup between this shop and two other shops, if I'm not mistaken it will be easier with dynamic dns working.

