

Messages - murz

1
And in /usr/share/perl5/EBox/Samba/SecurityPrincipal.pm I have found another place:

Code:
# Method: lastUid
#
#       Returns the last uid used.
#
# Parameters:
#
#       system - boolean: if true, it returns the last uid for system users,
#                         otherwise the last uid for normal users
#       
# Returns:
#
#       string - last uid
#
sub lastUid
{
    my ($class, $system) = @_;

    my $lastUid = -1;
    my $sambaModule = EBox::Global->modInstance('samba');
    foreach my $user (@{$sambaModule->users($system)}) {
        my $uid = $user->get('uidNumber');
        if ($system) {
            last if ($uid >= MINUID);
        } else {
            next if ($uid < MINUID);
        }
        if ($uid > $lastUid) {
            $lastUid = $uid;
        }
    }
       
    my $ret;
    if ($system) {
        $ret = ($lastUid < SYSMINUID ? SYSMINUID : $lastUid);
    } else {
        $ret = ($lastUid < MINUID ? MINUID : $lastUid);
    }
    return $ret;
}

where 65534 is hard-coded!

So after creating the Guest user on a default Zentyal install, all other users got guest uid+1!

Seems this is a regression bug, so I created an issue here: https://github.com/zentyal/zentyal/issues/1938

2
I have found in file /usr/share/perl5/EBox/Samba/User.pm the code that generates the new user id:
Code:
# Method: lastUid
#
#       Returns the last uid used.
#
# Parameters:
#
#       system - boolean: if true, it returns the last uid for system users,
#                         otherwise the last uid for normal users
#       
# Returns:
#
#       string - last uid
#
sub lastUid
{
    my ($class, $system) = @_;

    my $lastUid = -1;
    my $sambaModule = EBox::Global->modInstance('samba');
    foreach my $user (@{$sambaModule->users($system)}) {
        my $uid = $user->get('uidNumber');
        if ($system) {
            last if ($uid >= MINUID);
        } else {
            next if ($uid < MINUID);
        }
        if ($uid > $lastUid) {
            $lastUid = $uid;
        }
    }
       
    my $ret;
    if ($system) {
        $ret = ($lastUid < SYSMINUID ? SYSMINUID : $lastUid);
    } else {
        $ret = ($lastUid < MINUID ? MINUID : $lastUid);
    }
    return $ret;
}

So yes, it seems it looks up the current system's maximum user id (which is 65534 on all default Ubuntu setups) and increases it.

What is the easiest way to add a configurable range for LDAP user ids - hardcode it in this function in the file?
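To make the allocation behaviour discussed in the two posts above concrete, here is an added Python model (not Zentyal's code) of the quoted lastUid() logic beside a range-aware allocator that ignores out-of-range uids such as a Guest account at 65534. The MINUID/SYSMINUID values and the uid lists are assumed stand-ins, not taken from Zentyal.

```python
# Added example (not Zentyal's code): a Python model of the quoted lastUid()
# beside a range-aware allocator. MINUID/SYSMINUID values are assumed stand-ins
# for the Perl constants; the uid lists used below are constructed.
MINUID = 2000      # assumed: first uid for normal users
SYSMINUID = 1900   # assumed: first uid for system users


def last_uid(uids, system=False):
    """Port of the Perl lastUid(). `uids` must be sorted ascending, which the
    Perl loop's `last if ($uid >= MINUID)` for system users relies on."""
    last = -1
    for uid in uids:
        if system:
            if uid >= MINUID:
                break          # past the system range, stop scanning
        elif uid < MINUID:
            continue           # skip system uids when allocating normal users
        if uid > last:
            last = uid
    floor = SYSMINUID if system else MINUID
    return floor if last < floor else last


def next_uid_page_logic(uids):
    """What the quoted code effectively allocates: highest uid >= MINUID plus one.
    A single high uid (e.g. Guest at 65534) drags every later allocation above it."""
    return last_uid(uids) + 1


def next_uid_in_range(uids, lo, hi):
    """Range-aware alternative: only uids inside [lo, hi] influence the result,
    so an outlier like 65534 is ignored and each server can own its own range."""
    in_range = [u for u in uids if lo <= u <= hi]
    candidate = max(in_range) + 1 if in_range else lo
    if candidate > hi:
        raise ValueError(f"uid range {lo}-{hi} exhausted")
    return candidate


if __name__ == "__main__":
    # constructed: two normal users, then a Guest account that received uid 65534
    users = [2000, 2001, 65534]
    print("page logic      :", next_uid_page_logic(users))          # 65535
    print("range 2000-2999 :", next_uid_in_range(users, 2000, 2999))  # 2002
```

Giving each Zentyal server a disjoint [lo, hi] window (for example 2000-2999 on one and 3000-3999 on another) is what keeps numeric ids from colliding when the same users are seen from several servers.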

3
It seems this is because Zentyal (or Samba?) looks up the max uid, sees the nobody user's id 65534 (which is the default in Ubuntu https://wiki.ubuntu.com/nobody ) and increases this number?

So is there any way to manually set the starting number for new LDAP user ids?

4
The main problem is that SSSD shows "Can't contact LDAP server" after a successful connection; here is the verbose output:
Code:
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_id_op_connect_done] (0x4000): caching successful connection after 1 notifies
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [be_run_unconditional_online_cb] (0x4000): List of unconditional online callbacks is empty, nothing to do.
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [be_run_online_cb] (0x0080): Going online. Running callbacks.
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:42 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_ldap_connect_callback_add] (0x1000): New LDAP connection to [ldap://org.mycompany.com/CN=Configuration,DC=org,DC=mycompany,DC=com] with fd [22].
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_rebind_proc] (0x1000): Successfully bind to [ldap://org.mycompany.com/CN=Configuration,DC=org,DC=mycompany,DC=com].
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://org.mycompany.com/CN=Configuration,DC=org,DC=mycompany,DC=com
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://org.mycompany.com/DC=DomainDnsZones,DC=org,DC=mycompany,DC=com
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_REFERENCE]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_get_generic_ext_add_references] (0x1000): Additional References: ldap://org.mycompany.com/DC=ForestDnsZones,DC=org,DC=mycompany,DC=com
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: end of ldap_result list
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [be_ptask_online_cb] (0x0400): Back end is online
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [be_ptask_enable] (0x0080): Task [SUDO Smart Refresh]: already enabled
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_process_result] (0x0040): ldap_result error: [Can't contact LDAP server]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_handle_release] (0x2000): Trace: sh[0x55f6cc49c710], connected[1], ops[0x55f6cc4f7ad0], ldap[0x55f6cc4eebf0], destructor_lock[0], release_memory[0]
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Thu Jan  9 22:20:43 2020) [sssd[be[ORG.DIGITERRA.PRO]]] [sdap_op_destructor] (0x1000): Abandoning operation 3

5
Can anybody describe why the default groups "Domain Admins" and "Schema Admins" in Zentyal are created in the "Users" section (organizational unit) of the domain structure, instead of "Groups"?

And where should new custom groups (eg "Designers") be created - in the "Users" section like the default groups, or in a separate "Groups" section?

6
When I change the NetBIOS domain name in Zentyal settings, I see the warning:
Code:
Changing the domain name will cause to reprovision the samba database. The users and groups will be imported from Zentyal LDAP, but you will have to rejoin all computers to the new domain.
Ok, users and groups will be imported, continuing... And after the operation finishes, I see an empty list of users! All users are deleted!!
Why does this happen? And how can I restore the users after changing the NetBIOS domain name?

7
On a Zentyal 6.1 setup, created Zentyal users get user ids starting from 65534 (Guest) and increasing (user2 is 65535, user3 is 65536, etc).

Where can I configure the starting id number to change this to a lower (2000+) value, and to make the user id range differ from other Zentyal servers?

8
Can anybody provide a fresh working SSSD configuration example that works with the current Zentyal 6.1 server via LDAP login and password, without generating a host Kerberos ticket?

I have found https://wiki.zentyal.org/wiki/SSSD but it seems too old, because it does not work on a default Zentyal setup.
It worked for me on Zentyal 4.x and Ubuntu 14.04, but does not work on new Zentyal 6.x and Ubuntu 18.04 clients.

Also I have found https://wiki.zentyal.org/wiki/Authenticating_Linux_client_against_Samba but it works via generating a Kerberos ticket for each host, which is too expensive.

Does anybody have a fresh sssd.conf that works well with a direct connection to Zentyal 6.x LDAP, without generating a Kerberos ticket?

9
I have a server hosted in a virtual cloud, and it has an internal IP address on its network interface (eg 10.130.0.2).

All traffic is bridged to an external IP (eg 84.201.151.2) via the virtual private cloud.

And I can't understand how I can bind the Zentyal AD server to the external IP instead of the internal one.

If I put the external IP 84.201.151.2 into the DNS zone together with the internal one, all works, but external AD clients sometimes receive the internal IP address (10.130.0.2) and see connection errors.

If I remove 10.130.0.2 from DNS, I can't restart Samba, with the error:
Code:
Samba can't be provisioned if no IP addresses are set for domain org.digiterra.pro.
So what is the right solution for binding a Zentyal Active Directory domain to an external IP address that does not match the current network interface IP address?

10
I want to suggest that you integrate the [matrix] instant messaging server in Zentyal, as a replacement for eJabberd, or in addition to it.

[matrix] is an open-source federated ecosystem with all the rich functionality of WhatsApp, Slack, Skype and other modern systems. So this is the next large step after XMPP technology. More info can be read here: https://matrix.org/docs/guides/faq.html#what-is-matrix

As a comparison with XMPP, here is a detailed description of why Matrix is better: https://matrix.org/docs/guides/faq.html#what-is-the-difference-between-matrix-and-xmpp

The Matrix Synapse server can be easily integrated into any LDAP or AD system via the integrated Synapse LDAP Auth Provider module or via the extended mxisd third-party module.

11
I confirm this warning - moving from SSSD to winbind will break unix numeric user ids between multiple Zentyal servers! SSSD is a more elegant solution than winbind. If you want to set winbind as default - please keep SSSD as optional.
Or maybe you can describe the advantages of winbind over sssd?

12
Installation and Upgrades / Re: Zentyal 4.1 jabber/xmpp
« on: September 01, 2016, 09:28:52 am »
Here is an example of a config file for ejabberd 16.03-1~bpo8+1:
Code:
ldap_servers:
  - "example.com"

ldap_rootdn: "administrator@example.com"

ldap_password: "superpassword"

ldap_base: "dc=example,dc=com"

ldap_uids:
  - "sAMAccountName"

ldap_filter: "(objectClass=userJabberAccount)"

  mod_shared_roster_ldap:
    ldap_rfilter: "(&(objectCategory=Group)(objectClass=posixAccount))"
    ldap_groupattr: "sAMAccountName"
    ldap_groupdesc: ""
    ldap_gfilter: "(&(objectClass=posixAccount)(memberOf=CN=%g,CN=Groups,DC=example,DC=com))"
    ldap_memberattr: "sAMAccountName"
    ldap_ufilter: "(&(objectClass=userJabberAccount)(sAMAccountName=%u))"
    ldap_useruid: "sAMAccountName"
    ldap_userdesc: "displayName"

  mod_vcard_ldap:
    ldap_uids: {"sAMAccountName": "%u"}
    matches: infinity
    ldap_vcard_map:
      "NICKNAME": {"%s": ["displayName"]}
      "FN": {"%s": ["displayName"]}
      "EMAIL": {"%s": ["mail"]}
      "GIVEN": {"%s": ["givenName"]}
      "MIDDLE": {"%s": ["initials"]}
      "FAMILY": {"%s": ["sn"]}
      "ORGNAME": {"%s": ["company"]}
      "ORGUNIT": {"%s": ["department"]}
      "TITLE": {"%s": ["title"]}
      "TEL": {"%s": ["telephoneNumber"]}
    ldap_search_fields:
      "User": "%u"
      "Full Name":  "displayName"
      "Email": "mail"
    ldap_search_reported:
      "Full Name": "FN"
      "Nickname": "NICKNAME"
      "Email": "EMAIL"

13
Installation and Upgrades / Re: Zentyal 4.1 jabber/xmpp
« on: September 01, 2016, 07:51:10 am »
murz, were you able to fork out the module? If so, is it available for public use? I am looking for email / collab / chat and Zentyal fits some of those and the jabber part was the only thing missing.
At first I tried to fork the module, but saw that Zentyal uses too old a version of ejabberd, with custom patches. So I chose a better way - configure a separate fresh ejabberd server to work with the Zentyal LDAP user database. Now all works well, except for one problem: I can't port Zentyal user groups to the ejabberd roster.

14
Installation and Upgrades / Re: Logs and Cyrillic
« on: October 08, 2015, 10:17:45 am »
Got the same problem on Zentyal 4.1 and Samba:
Quote
    2015/10/08 10:51:21 ERROR> Samba.pm:1045 EBox::Samba::_postServiceHook - Error setting security descriptor on file caramba/exchange/РазобÑаÑÑ Ð±Ð¾ÑвÑ/share/ÐÐ»Ñ ÐаÑи 14 ÑевÑалÑ/55182123_cupid01_as.jpg: Failed to open: NT_STATUS_ACCESS_DENIED at /usr/share/perl5/EBox/Samba.pm line 1043, <GEN0> line 940.
Mogidin, did you fix your problem or find any workaround?

15
Installation and Upgrades / Re: Cyrillic names and samba4
« on: October 08, 2015, 10:15:36 am »
EGO, did you solve this issue? I also have problems with cyrillic (russian) letters when working with Zentyal 4.1 and Samba, but not in group names, in file names:
Quote
2015/10/08 10:51:21 ERROR> Samba.pm:1045 EBox::Samba::_postServiceHook - Error setting security descriptor on file caramba/exchange/РазобÑаÑÑ Ð±Ð¾ÑвÑ/share/ÐÐ»Ñ ÐаÑи 14 ÑевÑалÑ/55182123_cupid01_as.jpg: Failed to open: NT_STATUS_ACCESS_DENIED at /usr/share/perl5/EBox/Samba.pm line 1043, <GEN0> line 940.
Seems that Samba accepts the wrong encoding of non-Latin symbols.
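The garbled path in the log line quoted in the two posts above is the pattern produced when UTF-8 bytes are interpreted as Latin-1 and written out again. The following added Python helpers (not Zentyal's or Samba's code) flag such names in a log line and recover the original; the file name and log line they use are constructed, and the regex only assumes the "Error setting security descriptor on file ...: Failed to open" wording shown in the quote.

```python
# Added example (not Zentyal's or Samba's code): detect and undo one round of
# UTF-8-read-as-Latin-1 mojibake in file names extracted from Samba.pm log lines.
# The file name and the log line used below are constructed, not from the post.
import re


def mojibake_from_utf8(text: str) -> str:
    """Reproduce the defect: the UTF-8 bytes of `text` interpreted as Latin-1."""
    return text.encode("utf-8").decode("latin-1")


def looks_like_mojibake(s: str) -> bool:
    """True if every character fits in Latin-1 and those bytes form valid,
    non-ASCII UTF-8: i.e. a UTF-8 string that was mis-decoded exactly once."""
    try:
        decoded = s.encode("latin-1").decode("utf-8")
    except UnicodeError:
        return False
    return any(ord(c) > 127 for c in decoded)


def recover_utf8(s: str) -> str:
    """Undo one round of Latin-1 mis-decoding; return `s` unchanged otherwise."""
    return s.encode("latin-1").decode("utf-8") if looks_like_mojibake(s) else s


# Matches the wording of the quoted Samba.pm error; the path is everything between
# "on file " and the ": Failed to open" that follows it.
LOG_RE = re.compile(r"Error setting security descriptor on file (?P<path>.+?): Failed to open")


def recover_paths(log_lines):
    """Return the real (decoded) file name for each security-descriptor error line."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            out.append(recover_utf8(m.group("path")))
    return out


if __name__ == "__main__":
    name = "share/Разобрать/photo.jpg"   # constructed Cyrillic file name
    line = ("2015/10/08 10:51:21 ERROR> Samba.pm:1045 EBox::Samba::_postServiceHook - "
            f"Error setting security descriptor on file {mojibake_from_utf8(name)}: "
            "Failed to open: NT_STATUS_ACCESS_DENIED")
    print(recover_paths([line]))
```

A name that already contains characters outside Latin-1 is left untouched, so running the recovery over a mixed log does not damage lines that were logged correctly.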
