Messages - jcanfield

Pages: 1 ... 4 5 [6]
76
Installation and Upgrades / Re: eBox .11.2 PDC part looks broken
« on: January 04, 2008, 07:14:34 pm »
Javi fixed this....

http://people.warp.es/~javi/ebox-usersandgroups_0.11.3_all.deb

1) install the .deb (dpkg -i ebox-usersandgroups_0.11.3_all.deb)
2) /etc/init.d/ebox apache restart

This won't replace existing duplicates, but will prevent it from happening again.





77
Installation and Upgrades / Re: eBox .11.2 PDC part looks broken
« on: January 04, 2008, 03:15:15 pm »
Well, we know the PDC won't update the uidNumber if you join another samba machine to the domain. Perhaps those having the issue have also tried to add a samba domain member. I actually haven't added any windows machines to my domain here, so I don't actually have the issue duplicated either.


78
Installation and Upgrades / Re: eBox .11.2 PDC part looks broken
« on: January 04, 2008, 02:42:17 am »
I am also having the same issue.. I did the slapcat|grep and it turns out that I do have duplicate UID numbers.. now what should I do?

I thought that might be the case.  The fix is simple, but it requires some changes to your LDAP tree.  The simplest way to do this is with an LDAP admin tool like phpldapadmin. I've become so spoiled with ldap tools, I've forgotten much of the command line syntax...forgive me! :)

Here's some phpldapadmin instructions:

1) Install phpldapadmin on a client computer.

2) Edit two lines in the config.php (Assuming ebox ip is 192.168.1.1)
Code: [Select]
/* Examples:
   'ldap.example.com',
   'ldaps://ldap.example.com/',
   'ldapi://%2fusr%local%2fvar%2frun%2fldapi'
           (Unix socket at /usr/local/var/run/ldap) */
$ldapservers->SetValue($i,'server','host','192.168.1.1');

/* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
   auto-detect it for you. */
$ldapservers->SetValue($i,'server','base',array('dc=ebox'));

3) Open phpldapadmin in browser and authenticate to ebox server using admindn (cn=admin,dc=ebox).  [See attachment screenshot]

4)  Browse to Computers->YOUR_COMPUTER->change the uidNumber to something higher...to be safe change it to 2100.

If I spend about ten minutes I can whip out the ldap command line if need be.

regards,


Jim









79
Installation and Upgrades / Re: eBox .11.2 PDC part looks broken
« on: January 03, 2008, 04:23:51 pm »
I think this stems from a uidNumber bug I have noticed in the latest version.  Chances are you have duplicate uidNumbers for the Machine account.  I'm just guessing at this point, but I plan on spending some time on it this weekend.  Should be pretty straightforward samba stuff.

Go ahead and do a "slapcat|grep uidNumber" and see if you have any duplicates.  If you do...that might be an indication.

Jim
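
The duplicate check suggested in the post above (`slapcat|grep uidNumber`), extended so that it names the entries sharing a number. This is an added example, not part of the original post; the function names and the sample LDIF are constructed for illustration.

```shell
#!/bin/sh
# Added example: list LDAP entries whose uidNumber is claimed by more than one DN.
# Input is LDIF on stdin (the format slapcat writes); output is "uidNumber<TAB>dn".
find_duplicate_uidnumbers() {
    awk '
        # LDIF folds long lines: a continuation line starts with one space.
        /^ /    { if (cur == "dn") dn = dn substr($0, 2); next }
        /^dn: / { dn = substr($0, 5); cur = "dn"; next }
        /^$/    { dn = ""; cur = ""; next }          # blank line ends an entry
        /^uidNumber: / {
            cur = ""
            uid = substr($0, 12)
            count[uid]++
            owners[uid] = owners[uid] uid "\t" dn "\n"
            next
        }
        { cur = "" }
        END {
            for (uid in count)
                if (count[uid] > 1) printf "%s", owners[uid]
        }
    ' | LC_ALL=C sort -n
}

# Constructed sample data: a user and a machine account sharing uidNumber 2001.
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=Users,dc=ebox
uid: alice
uidNumber: 2001

dn: uid=desktop-pc$,ou=Computers,
 dc=ebox
uid: desktop-pc$
uidNumber: 2001

dn: uid=bob,ou=Users,dc=ebox
uid: bob
uidNumber: 2002
EOF
}

# Usage on the server (as root):  slapcat | find_duplicate_uidnumbers
# Offline demo with the sample:   sample_ldif | find_duplicate_uidnumbers
```

An empty result means no uidNumber is shared; any line printed identifies an entry that needs a new, unused number.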

80
Installation and Upgrades / Re: Add-On: FreeRadius request.
« on: December 31, 2007, 06:08:05 pm »
Fantastic.  I'll see what I can do with it.  I'm afraid my perl skills are minimal, but it looks like the hard parts are done.  I'm slowly beginning to understand how all this ties together.  What is the best way to get help when I need it? 

81
If you think about it, everything necessary is already there (certificates, working config, etc.), so it should be merely a matter of adding a bunch of lines to slapd.conf and a checkbox or 2 to the webinterface.

Right?

Correct.  There would be a few other things to change like making sure TLS is enabled in the ldap config, but once it's set up and working, everything would be pretty standard.

I'm really excited about this project.  I've dreamed about having all this in a "quality" web interface for years.       

82
Installation and Upgrades / Add-On: FreeRadius request.
« on: December 28, 2007, 10:02:33 pm »
FreeRadius reconfigured to the LDAP backend would be great.  This will allow radius authentication to the user database as well as allow for more advanced EBOX features such as 802.1x authentication.

http://vuksan.com/linux/dot1x/802-1x-LDAP.html

 

83
Thanks for the nice write-up, I wasn't aware that ebox made its LDAP directory available to the network.

Welcome!  I'm assuming the ebox team has not yet addressed many of the security issues associated with ldap at this point, but they have a great foundation to build on.  Perhaps I will write an ebox "hardening" HOWTO soon.

I have had a few small issues with the config above that you should be aware of.

1) If you are doing ldap auth on an ubuntu machine, make sure you have bind_policy=soft in your ldap.conf or your machine will lock on boot.

2) There is also an issue with uidNumber assignment when joining a machine to the domain via samba.  I have an e-mail in on the devel mailing list to address this one.

3) User home directories are created in /home/samba/users/[username], so if pam creates home directories from skel...they are built with that path.  Nothing wrong with this, but I find it mildly irritating.  There is one advantage though - This way you know what users are domain users on a local machine.  Effectively, the same as user.domainname on a windows profile.

84
I don't see much documentation on this, so I thought I would write a quick HOWTO to join a linux box (ubuntu in this case) to an ebox samba domain. This is intended to be a rough draft, please feel free to add to it, perhaps we can find a more appropriate place like the wiki soon.

SERVER (EBOX):

1.  Create a user with admin rights (Ex: admin)....remember the password! :)
2.  Enable Samba as PDC
3.   Gather the following info:

      Base dn:  dc=ebox
      Admin dn: cn=admin,dc=ebox
      Admin Pass: ebox2611130574  (This may vary...verify in /etc/ldap/slapd.conf)
      Domain Name:  EBOX (Whatever you set it  to when you setup Samba as PDC)
      Ebox Server IP/hostname:  192.168.1.1  (If you setup dns a hostname.domain would be better but an IP will work)

Client (DESKTOP-PC):

1.  Install samba, ldap, etc...see ubuntu instructions: 
     https://help.ubuntu.com/community/LDAPClientAuthentication

2.  copy your old smb.conf to a safe place
Code: [Select]
cp /etc/samba/smb.conf{,.orig}
3.  Edit smb.conf.  Erase everything and add the following:

Code: [Select]
[global]
        unix charset = LOCALE
        workgroup = EBOX
        security = DOMAIN
        log level = 1
        syslog = 0
        log file = /var/log/samba/%m
        max log size = 50
        smb ports = 137 138 139 445
        name resolve order = wins bcast hosts
        printcap name = CUPS
        wins server = 192.168.1.1
        ldap admin dn = cn=admin,dc=ebox
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Users
        ldap suffix = dc=ebox
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://192.168.1.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind trusted domains only = Yes
        printing = cups
        print command =
        lpq command = %p
        lprm command =

4. Test your new config.
Code: [Select]
#testparm
...you should see
Code: [Select]
Loaded services file OK.
Server role: ROLE_DOMAIN_MEMBER

5.  Restart Samba.
Code: [Select]
/etc/init.d/samba restart

6.  Join the domain
Code: [Select]
net join -U admin
Password:  [admin password]
You should then see.
Code: [Select]
Joined domain EBOX

7.  That's it...welcome to the EBOX domain!

 

85
Installation and Upgrades / Re: Ebox installation in XEN
« on: December 18, 2007, 03:06:55 am »
I attempted this a while back.  It's not impossible, but you have to consider a lot of moving parts when working with multiple interfaces in XEN.  If you are ambitious, you might want to start with a XEN router config and build from there.  After researching the matter I personally decided it was way too much work.

Best of Luck.

Jim

86
Installation and Upgrades / Big thanks!!
« on: December 18, 2007, 12:26:53 am »
I just wanted to take a moment and let the Warp guys know how much I appreciate your work.  Adding this forum will be a great help to many I'm sure.  I've been watching e-box evolve for quite some time...it's fantastic!  I'll try to do my part and help here on the forums.

Thanks again,

Jim
