Topics - astana

1
I'm wondering if there is a way with the GUI (I'm running 3.2) to add wildcards to the "Auth and Cache Exemptions" for explicit proxy, to handle all subdomains without entering them all.

I know this boils down to the squid3 ACLs, which should support wildcards, but for example I can't add:

.google.com as the GUI refuses to add the exception.

If the GUI doesn't support a wildcard, does someone know where I can poke around in the validation code for the HTTP Proxy general tab, or is just editing the script that generates the squid3.conf easier?

I'd love some feedback on this!

2
I'm trying to set up the Apache server on my 3.2 install of Zentyal to work with the Kerberos SSO (I want to be able to display different pages on the local webserver for different user groups).

The apache webserver is on the same machine as the proxy/samba4 domain etc.
The proxy and domain all work correctly with authentication and authorisation.

I've installed the apache2 Kerberos auth module, and configured the private zone to use Kerberos.
Now when accessing the zone from a Windows PC it requests username/pw. On giving these it successfully authenticates the user.

The problem is it shouldn't pop up the request as it should be doing it through automatically.

I assume the problem is with the keytab for Apache. I haven't been able to create one, so I've basically pointed it to the same one as squid.

When using kadmin I get the following error
Code:
kadmin: kadm5_init_with_password: No KDC found for realm EXAMPLE_REALM.ORG

A couple of questions: If I pass in a username/password, whose username and password do I supply?

I'm also assuming I need to create correctly a principal for apache and add it to the list of keytabs.

Any help on getting this last step working would be much appreciated!


3
I'm seeing some users' files are not being deleted when they log off their account on the domain.

For example user A will delete files from their desktop, log off, then log on again and the files will have reappeared!

I was informed of this and started to investigate. I looked at their ACLs on their .V2 folder thinking that that might be a problem. One user was missing the default ACL. I then took an unused profile (that does delete files correctly on logoff) and removed all the ACLs. Result was that it continued to work.

I scanned both syslog and samba logs to see if I could see anything, but nothing is presented at log off in those logs.

Now, not only is this the beta 3.1 I'm running, but these profiles were migrated from another server that had hardware problems so I'm guessing the problem could be linked to either of those 2 possibilities.

Another theory I'm having is the size of the profiles. Large profiles are 'timing' out on the log off. I still need to test that theory.

I'd love some pointers as to where I could look into this from an academic point of view. I'm wanting to move over to folder redirection as my user base can't understand that multi-gigabyte roaming profiles don't make for fast logins :o

4
I'm looking at a method to change a user's First and Last Name through a script, similar to

http://trac.zentyal.org/wiki/Documentation/Community/HowTo/ImportUsersInBulk

Something like:
Code:
$user=EBox::UsersAndGroups::User->get($username);
$user->givenname=$newgivenname;
$user->surname=$newsurname;
EBox::UsersAndGroups::User->set($user);

I've not seen these API entries when briefly scanning the code, do they exist?

5
I'd love some feedback with this as well!

I'm trying to integrate SchoolTool with LDAP. I'm running SchoolTool on a separate server (learning lessons about putting too many services on one server) and LDAP fails. When SchoolTool is installed on the zentyal server it works fine, but uses ldapi:// instead of ldap:// but that is only usable on the same machine.

URL looks like this: ldapi://%2fvar%2frun%2fslapd%2fldapi
And replace it with ldap://192.168.1.X:389 or 390
And copy all the other details over, SchoolTool fails. As it only does basic auth as far as I can tell this might explain why.

However if I run LdapAdmin.exe I can connect just fine on port 389 with basic auth, so I'm really confused now.

I'm also seeing failure with ampache ldap authorisation, I should be able to debug that one slightly more easily than SchoolTool.

I'd love to use the ldap for external services without having to bundle everything onto the same server :(

This is running 3.1, but had exactly the same experience on 3.0.

/mod edit by robb: Topic split off from http://forum.zentyal.org/index.php/topic,14113.0.html

6
Installation and Upgrades / Max number of users in proxy filter groups?
« on: February 15, 2013, 06:50:16 am »
I'm using Zentyal 3 server as an AD and proxy/filtering (non transparent proxy) in a school environment.
I've set up different profiles for the different groups in the school (students/teachers/admin/IT) which was working perfectly with only a few users added.
However once all the students were added and the domain was rolled out to the entire school I found some students were denied all access to the internet.
As a temporary measure I changed the filtering to route all users through the student filter.

All users were verified as being in the correct group.
I am assuming that there were too many users in a group and the user list was being truncated (all student users are identified with the same preceding letters and a number ID), thus some users not appearing to be in a group and therefore not being allowed access.

So far I've not managed to find in the documentation any reference to maximum numbers, and I am not sure if Zentyal generates the ACL the users in a group, or if squid understands the groups.

I'd be interested if anyone else has seen something similar or can enlighten me about this.

When I'm next at work I'm going to create sub groups for the students (10 or so students in each group) as a workaround. This isn't ideal as each group will need the same web sites white/black listed.

I don't have exact numbers of students, but it's around 100ish.

Thanks for any replies.

7
Running Zentyal Server 3.0.10 acting as a primary domain.
I'm trying to set up a replica domain on a Mac OS X Server for redundancy purposes.
I'm getting an error that the master password is wrong when trying to connect to the domain on the mac.
I'm using the password that appears on the LDAP Page, and I've also tried the slave password, but neither is working. Not knowing much about the mac I don't have any error logs to attach.
Both machines are on the same net range.
The next part is maybe where the problem is as I'm not sure if it is set up correctly. I believe the master controller needs to know about the slave through DNS.
I've added the macserver as a host name in the domain of the master server.
If anyone has any pointers as where to look next it would be much appreciated!

And so many thanks for Zentyal, it works so well, so easily!
