Show Posts


Messages - browley

Pages: [1] 2
1
Installation and Upgrades / Re: Domain Controller - ".local" DNS domain
« on: September 26, 2012, 06:14:02 pm »
I had made an earlier post about this exact problem.  FarquahrWindsor is 100% correct in that offering a replacement to Active Directory and then saying ".local" alienates anyone with this previous setup, effectively alienating potential market share.  In other words, Zentyal Devs: this will cause you to lose money.  Seriously.  Honestly, conflicts with other services such as mDNS/Bonjour (which are p2p and should probably be blocked in an enterprise environment anyway, not to mention the noise they create on networks) are very much secondary to getting Active Directory up.  Now that I am not stuck with this "limitation" I am going to try and get Zentyal 3 up with my .local domain.  mphilippi, THANK YOU for finding the exception in the code.  I can confirm it works by commenting out the '.local' and that entire if statement.  With this I am going to do a fresh VM install and I will be reporting back on the success in this thread if anyone's curious: http://forum.zentyal.org/index.php/topic,12035.0.html.  Also, if this post sounds opinionated, it's because it is!  Thanks folks!

2
Checking back in before I head out of work.  Basically, at this point, the DNS from the Windows 2k3 server is failing to connect to the Zentyal box.  I've tried the Samba4 install with vanilla bind and remember it being a pain.  That said, with Zentyal in the mix, I have a feeling it will be a little bit more difficult setting both up to play nice.  Right now, I'd be referencing this step: http://wiki.samba.org/index.php/Samba4/HOWTO#Configure_.2Fetc.2Fresolv.conf

So, I have set up the bare minimum for DNS via the dashboard and now am trying to get the SRV records from above straightened out.  For example:

Code:
$ host -t SRV _ldap._tcp.zentyal.domain.lan
_ldap._tcp.zentyal.domain.lan has SRV record 0 100 389 zentyal.domain.lan.

EDIT:
I think I found the file that needs to update DNS: it's /usr/share/samba/setup/dns_update_list.  So basically, those entries need to be added dynamically to Zentyal's DNS in order for everything to be happy.  So, @Zentyal coders, how can we accomplish this?  In other words, can something be done where the bind.conf.mas startup file is modified to include these entries?  Could it be flushed every time a computer/user is added/modified?  This is starting to get a little too deep into the coding for me to know what to do.  Thanks in advance.


3
Adding my $.02 here.  I am in the beginning steps of getting it added just to prove it out.  Note: this was a fresh install and I never got around to enabling the samba module via the dashboard.  First step was to go into /etc/hosts and add both the existing 2003 DC and my IP for the Zentyal box:
Code:
192.168.101.11  win2k3.domain.lan w2k3
192.168.101.112  zentyal.domain.lan zentyal

I then also added the DNS entries in the Zentyal dashboard just in case.  I then ran the following:
Code:
/usr/bin/samba-tool domain join zentyal DC -Uadmin%password

Which reported a successful join.  I was actually shocked, especially since I did not put in the FQDN.  Anyway, it seemed all for naught, as "samba-tool drs showrepl" gives an error that it "Failed to connect host <ip> (<hostname>) on port 135..."  I read somewhere that samba needed to be restarted so I gave the machine a boot.  Upon boot, I checked "samba-tool drs showrepl" again, which was still throwing an error, like that it "fails to find CN=NTDS Settings".  A suggested fix, https://lists.samba.org/archive/samba-technical/2011-December/080880.html, had me run the following:
Code:
samba-tool dbcheck --fix
after which I totally started seeing my Windows 2k3 Active Directory objects.  W00t!  Right now when I run showrepl, I keep getting failures.  I'm going to look into it and see what I can find, just wanted to share that I made some progress.
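The SRV records post 2 is trying to get into Zentyal's DNS, and that the DC join in post 3 depends on, can be generated from the Samba dns_update_list template instead of being typed by hand.  The script below is an added example written for this thread, not code from the posts or from Zentyal/Samba: the template excerpt is constructed in the shape I recall /usr/share/samba/setup/dns_update_list having (record type, owner name, target host, optional port, with ${HOSTNAME} and ${DNSDOMAIN} placeholders), and the hostname, domain, IP and GUID values are placeholders taken from post 3.  Compare it against your own copy of the file before trusting the output.

```shell
#!/bin/sh
# Added example (not from the thread, Zentyal or Samba): expand a
# Samba-style dns_update_list into BIND zone records so they can be
# loaded into Zentyal's DNS by hand.  The template format handled here
# is my reading of /usr/share/samba/setup/dns_update_list; check yours.

# Assumed values for the thread's setup (constructed, from post 3).
HOSTNAME_FQDN="zentyal.domain.lan"
DNSDOMAIN="domain.lan"
HOSTIP="192.168.101.112"
DOMAINGUID="00000000-0000-0000-0000-000000000000"   # placeholder: use the real domain GUID
NTDSGUID="11111111-1111-1111-1111-111111111111"     # placeholder: use the real NTDS settings GUID

# Constructed excerpt in the dns_update_list shape (not the real file).
SAMPLE_UPDATE_LIST='# records samba_dnsupdate would register for this DC
A                       ${HOSTNAME}
A                       ${DNSDOMAIN}
SRV _ldap._tcp.${DNSDOMAIN}                         ${HOSTNAME} 389
SRV _ldap._tcp.dc._msdcs.${DNSDOMAIN}               ${HOSTNAME} 389
SRV _kerberos._tcp.${DNSDOMAIN}                     ${HOSTNAME} 88
SRV _kerberos._udp.${DNSDOMAIN}                     ${HOSTNAME} 88
SRV _kpasswd._tcp.${DNSDOMAIN}                      ${HOSTNAME} 464
CNAME ${NTDSGUID}._msdcs.${DNSDOMAIN}               ${HOSTNAME}'

# expand_dns_update_list: read template lines on stdin, print zone RRs.
# SRV records get priority 0 / weight 100, matching what "host -t SRV"
# showed in post 2.
expand_dns_update_list() {
    sed -e "s/[$]{HOSTNAME}/$HOSTNAME_FQDN/g" \
        -e "s/[$]{DNSDOMAIN}/$DNSDOMAIN/g" \
        -e "s/[$]{DOMAINGUID}/$DOMAINGUID/g" \
        -e "s/[$]{NTDSGUID}/$NTDSGUID/g" |
    awk -v ip="$HOSTIP" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == "A"     { printf "%s.\tIN\tA\t%s\n", $2, ip; next }
        $1 == "SRV"   { printf "%s.\tIN\tSRV\t0 100 %s %s.\n", $2, $4, $3; next }
        $1 == "CNAME" { printf "%s.\tIN\tCNAME\t%s.\n", $2, $3; next }
        { printf "; unhandled template line: %s\n", $0 }
    '
}

# count_srv_records: number of SRV RRs the sample expands to (sanity check).
count_srv_records() {
    printf '%s\n' "$SAMPLE_UPDATE_LIST" | expand_dns_update_list | grep -c 'IN[[:space:]]SRV'
}

printf '%s\n' "$SAMPLE_UPDATE_LIST" | expand_dns_update_list
```

Feed the real file through expand_dns_update_list instead of the sample, fill in the real domain and NTDS GUIDs, and load the resulting records into the zone through the Zentyal DNS module; afterwards the host -t SRV check from post 2 should answer for every name, not just _ldap._tcp.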

4
Installation and Upgrades / Re: Command line shutdown/power off
« on: September 25, 2012, 06:53:36 pm »
Try the shutdown command:

Code:
sudo shutdown -h now
You can also give it a time in minutes instead of "now" above.  This should bring down all the services "nicely".  Good luck!

5
Installation and Upgrades / Re: Unable to get quotas on shares working
« on: September 25, 2012, 05:18:11 pm »
Well, after searching a bit, I found this, http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch28_:_Managing_Disk_Usage_with_Quotas#Edit_The_User.27s_Quota_Information.  Which led me to this:

Code:
sudo edquota -u <my username>
So now I can connect to shares without the 100 MB limit issue.  Here's the real issue: I have user quotas disabled through the Zentyal Dashboard (I'm assuming Users and Groups -> User Template -> Default user quota: Disabled), so something is not being flipped, even after I've tried changing it on/off.

Also, to note, this is not a user share, so why would my user have a quota?  I would expect users to have quotas on their home shares, but not on a regular share.  Is the user quota supposed to be a global thing across all shares?  To me that doesn't really make sense from an admin standpoint.

Also, for kicks, I took a look to see if the share had Group Quotas set:

Code:
root@samba:/var/log# sudo edquota -g /home/samba/shares/<share>/
edquota: group /home/samba/shares/techops/ does not exist.

So, the next thing was to look at /etc/fstab according to the link:
Code:
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/samba-root /               ext4    errors=remount-ro,usrquota,grpquota,acl 0       1

Bingo, I see usrquota is enabled there.  So, I am debating here, but if I want to just disable quotas for everyone in one shot, should I just pull usrquota from the above?  Any guidance would be very much appreciated.

6
Seriously, bump up the verbosity of the logs.  Put verb 6 in both your client and server config.  6 is good for debugging.  9 is overkill but can be useful.  Basically, connect and throw a
Code:
tail -f
on the server side log and connect via Windows.  Wait till it disconnects on the client side, then look at the log immediately.  See if server/client report errors.  Then google or post in the OpenVPN forums.  Not trying to be brash with that suggestion, but let's put it this way: they answered my questions within 2 days after I spent almost a week doing google work trying to fix it myself.  Good luck.

7
I had this problem too.  My first recommendation would be to kick up the debug level on both sides; it should give you a better idea of what is going wrong.  That said, one of the confusing things about OpenVPN is that they have two Windows clients, the "paid" and the "free" client, and the TLS hashing method is different for each client.  Check out my post, https://forums.openvpn.net/topic10821.html, at the OpenVPN forums.  Hope that helps.
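Posts 6 and 7 both come down to reading the verb 6 server log for the handful of lines that explain why a client dropped.  Here is an added example of doing that mechanically (my code, not from the thread or from OpenVPN): the log lines are constructed to look like OpenVPN's standard TLS, certificate, auth-plugin and keepalive messages rather than taken from a real capture, and the field position used to pull out the peer address assumes that constructed "day month date time year peer message" layout.

```shell
#!/bin/sh
# Added example (not from the thread): pull the lines that usually explain
# a dropped OpenVPN client out of a verb 6 server log and label them.
# The log below is constructed to resemble OpenVPN's messages; it is not
# a real capture.
SAMPLE_OPENVPN_LOG='Tue Sep 25 17:58:01 2012 203.0.113.7:51234 TLS: Initial packet from [AF_INET]203.0.113.7:51234, sid=0a0b0c0d 01020304
Tue Sep 25 17:58:02 2012 203.0.113.7:51234 VERIFY ERROR: depth=0, error=certificate has expired: CN=laptop01
Tue Sep 25 17:58:02 2012 203.0.113.7:51234 TLS Error: TLS handshake failed
Tue Sep 25 17:59:10 2012 203.0.113.9:40001 PLUGIN_CALL: POST /usr/lib/openvpn/openvpn-auth-ldap.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
Tue Sep 25 17:59:10 2012 203.0.113.9:40001 TLS Auth Error: Auth Username/Password verification failed for peer
Tue Sep 25 18:03:40 2012 203.0.113.11:40777 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Tue Sep 25 18:05:00 2012 jdoe/203.0.113.12:40888 [jdoe] Inactivity timeout (--ping-restart), restarting'

# classify_line <line>: print a short cause label, or nothing for noise.
classify_line() {
    case "$1" in
        *"VERIFY ERROR"*)                               echo "cert-verify" ;;   # client cert rejected (expired, wrong CA, ...)
        *"TLS handshake failed"*)                       echo "tls-handshake" ;; # handshake reached the server but failed
        *"TLS key negotiation failed"*)                 echo "tls-no-reply" ;;  # nothing came back: firewall/NAT, wrong proto or port
        *"Auth Username/Password verification failed"*) echo "auth-plugin" ;;   # the LDAP plugin said no
        *"AUTH_FAILED"*)                                echo "auth-plugin" ;;
        *"Inactivity timeout"*)                         echo "keepalive" ;;     # tunnel was up, then went silent
        *) ;;
    esac
}

# triage_log <file>: print "<label> <peer> <line>" for every line that matters.
triage_log() {
    while IFS= read -r line; do
        label=$(classify_line "$line")
        [ -n "$label" ] || continue
        # peer (ip:port or user/ip:port) is the 6th whitespace field in this layout
        peer=$(printf '%s\n' "$line" | awk '{ print $6 }')
        printf '%s\t%s\t%s\n' "$label" "$peer" "$line"
    done < "$1"
}

TMP_LOG=$(mktemp); trap 'rm -f "$TMP_LOG"' EXIT
printf '%s\n' "$SAMPLE_OPENVPN_LOG" > "$TMP_LOG"
triage_log "$TMP_LOG"
```

Point triage_log at /var/log/openvpn.log (the log path from the server.conf further down the page) right after the Windows client disconnects; the label tells you which side to look at next, which is the question posts 6 and 7 are really asking.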

8
Installation and Upgrades / Unable to get quotas on shares working
« on: September 11, 2012, 08:37:35 pm »
Hi All,

I am having a bit of trouble with quotas.  Basically, I want to have shares without quotas to remove a NAS device that is used as a shared drive now.  That said, in the Zentyal dashboard, I have disabled user quotas through Users and Groups -> User templates.  I then go to add a share.  The permissions on the share work fine but the share itself still has a 100 MB quota.  Am I missing something?  Also, for those wondering, there is no place to set the quota under File and Sharing -> General Settings.  Wondering if it was a samba limitation, I tried the following:
Code:
$ sudo smbcquotas -L //127.0.0.1/<share>  -U <admin user>
Quotas are not enabled on this share.
Failed to open \$Extend\$Quota:$Q:$INDEX_ALLOCATION  NT_STATUS_ACCESS_DENIED.

Any ideas?  Just a note: my server is an AD-Sync'ed machine providing DNS and hopefully shares soon @ 2.2.7 core.  Thanks in advance.
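Both quota posts (this one and post 5) end up at the usrquota/grpquota mount options in /etc/fstab.  The script below is an added example (mine, not from the thread or from Zentyal) that reads an fstab, reports which quota options a given mount point carries, and prints the file with those options stripped; the sample fstab is constructed from the three lines quoted in post 5.

```shell
#!/bin/sh
# Added example (not from the thread): find and strip usrquota/grpquota
# mount options in an fstab.  Sample content constructed from post 5.
SAMPLE_FSTAB='# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    nodev,noexec,nosuid 0       0
/dev/mapper/samba-root /               ext4    errors=remount-ro,usrquota,grpquota,acl 0       1'

# quota_options <fstab-file> <mountpoint>: print the quota-related options
# (quota, usrquota, grpquota and the journaled *jquota= forms), one per line.
quota_options() {
    awk -v mp="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        $2 == mp {
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^((usr|grp)j?)?quota/) print opts[i]
        }' "$1"
}

# strip_quota_options <fstab-file> <mountpoint>: print the fstab with the
# quota options removed from that mount point; every other line is untouched.
strip_quota_options() {
    awk -v mp="$2" '
        !/^[[:space:]]*(#|$)/ && $2 == mp {
            n = split($4, opts, ","); out = ""
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^((usr|grp)j?)?quota/) continue
                out = (out == "") ? opts[i] : out "," opts[i]
            }
            $4 = (out == "") ? "defaults" : out   # never leave the field empty
        }
        { print }' "$1"
}

TMP_FSTAB=$(mktemp); trap 'rm -f "$TMP_FSTAB"' EXIT
printf '%s\n' "$SAMPLE_FSTAB" > "$TMP_FSTAB"
echo "quota options on /:"
quota_options "$TMP_FSTAB" /
echo "fstab with them removed:"
strip_quota_options "$TMP_FSTAB" /
```

Write the stripped output over /etc/fstab only after reading it, then run quotaoff -a and mount -o remount / (or reboot) so the running kernel matches the file.  Note that the root line is what governs everything under /home/samba/shares, and that edquota -g expects a group name rather than a directory, which is why the command in post 5 reported that the group did not exist.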

9
Installation and Upgrades / Re: Domain cannot end in .local
« on: August 29, 2012, 10:21:11 pm »
I can understand why; at least now, with services using mDNS, this may be the case and therefore Zentyal wouldn't allow it.  That said, there is the pain of setting up a new domain and migrating everyone's accounts, or even setting up a trust with a newly defined Zentyal PDC.  @Zentyal Devs, could you let me know if it would be possible to go into the code and remove this restriction?  I will deal with fires as they come up.  If it really isn't possible, does anyone have ideas for migrating users from the 2003 domain to the Zentyal domain?  Really, I am not worried about getting the accounts up on the new Zentyal PDC since I've already pulled them down via AD sync once; I am more worried about people losing their domain login profiles from the W2k3 server.  Thanks in advance.

10
Installation and Upgrades / Domain cannot end in .local
« on: August 29, 2012, 07:38:22 pm »
Hi Everyone,

Quick question: I have a W2k3 domain that ends in ".local".  Here's the issue: I've pulled all the AD accounts over and at some point want to turn off the AD machine and set Zentyal as a PDC.  However, it complains when I use the "domain.local":

Code:
Domain name cannot end in '.local'
Here's my question: is there any way to quickly bypass this or would I have to just set up a new domain and migrate all the users to that domain?  Thanks in advance for help/advice.

11
Installation and Upgrades / Re: Can not add users.
« on: August 29, 2012, 07:12:03 pm »
Just wanted to echo that I am having trouble with this as well.  Right now I am running the Zentyal box as an AD slave and cannot add/delete any user accounts.  I have enabled PAM for the user accounts imported from Microsoft AD but cannot do anything.  Oddly, when I try and modify a user, there is no password field.  I then go to save and am given a "password is empty." error message at the top.  Yet I can't see a password field?

Next up, when I try and add admin rights to my user I get the following:

Code:
Unknown error at EBox::UsersAndGroups::addUserToGroup modify/add: memberUid: value #0 already exists
which I assume means that I already have admin privileges/am added to the right admin group.  In terms of the users, one note: I was able to su to my username with my LDAP password with PAM enabled.  Any ideas?

12
Well, I was coming in to mark this solved but I decided to try and get Dynamic DNS working with a Zentyal Cloud account earlier this week.  WHAM, my OpenVPN setup was not having that.  I then went back, reset the custom stub to "all", edited my server.conf to use a tap1 interface, and changed the port to 1195 in my server.conf file from above.  In other words, instead of just using the OpenVPN server I hacked in there, I decided to use two instances as suggested by http://openvpn.net/index.php/open-source/faq/79-client/283-can-i-run-multiple-openvpn-tunnels-on-a-single-machine.html

But I couldn't get both the Zentyal client connection to the cloud to work on boot!  It was driving me nuts.  I tried modifying my startup script in all sorts of ways.  Changing things around, adding custom init scripts, etc.  Then, and I don't know what tipped me off to this, I realized I was turning my scripts on levels 3 4 5... and Zentyal was running at runlevel 2.  The hours wasted for that... grrrr.  Anywho, I got rid of my custom startup script and turned OpenVPN on for 2 3 4 and 5.  Guess what?  Unicorns and rainbows.  So now my Zentyal box starts up with both the cloud connection and as an OpenVPN server that ties into my LDAP which was yanked from AD and I can confirm Windows passwords work.  This is solved, thanks everyone.

13
I ended up writing another little init script that sleeps 2 minutes and calls the initial openvpn init script.  It looks like this:

Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          scriptname
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Delayed OpenVPN startup
# Description:       Enable service provided by daemon.
### END INIT INFO
# Only "start" should wait and launch OpenVPN; Default-Stop above makes init
# call this script with "stop" at shutdown, which must not sleep and start it.
case "$1" in
    start)
        sleep 2m
        /etc/init.d/openvpn start
        ;;
    *)
        exit 0
        ;;
esac

Which works just fine.  Also I'd thought I'd post my openvpn config for anyone interested in getting OpenVPN working with the internal Zentyal LDAP.  Here is my server.conf
Code:
port 1194
ca ca.crt
cert server.crt
key server.key
proto udp
dev tap0
# up/down hand the tap device to the br1 bridge (scripts further down)
up "/etc/init.d/bridge-up br1 tap0 1500"
down "/etc/init.d/bridge-down br1 tap0"
mode server
tls-server
# 1024-bit DH parameters are weak by current standards; generate a larger
# file (openssl dhparam -out dh2048.pem 2048) and point dh at it
dh dh1024.pem
ifconfig-pool-persist ipp.txt
# bridged clients get addresses from the .223-.248 slice of the LAN
server-bridge 192.168.1.63 255.255.255.0 192.168.1.223 192.168.1.248
push "dhcp-option DNS 192.168.1.17"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
comp-lzo
# drop root after startup; persist-key/persist-tun let restarts work unprivileged
user openvpn
group openvpn
persist-key
persist-tun
status openvpn-status.log
log         /var/log/openvpn.log
# verb 6 is debugging output; lower it once things work
verb 6
# clients authenticate with an LDAP username/password via the plugin ...
plugin /usr/lib/openvpn/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
# ... so no client certificate is required; clients still verify the server cert
client-cert-not-required

Here's the ldap.conf in "/etc/openvpn/auth/ldap.conf":
Code:
<LDAP>
        # plain LDAP on the loopback only; the bind password travels in clear,
        # so never point this at a remote server without TLSEnable yes
        URL             ldap://127.0.0.1:389
        BindDN          cn=ebox,dc=<fill in your base here from the ldap Zentyal settings>
        Password        <fill in your password from ldap Zentyal settings>
        Timeout         15
        TLSEnable       no
        FollowReferrals yes
        # the TLS settings below are unused while TLSEnable is no
        TLSCACertFile   /usr/local/etc/ssl/ca.pem
        TLSCACertDir    /etc/ssl/certs
        TLSCertFile     /usr/local/etc/ssl/client-cert.pem
        TLSKeyFile      /usr/local/etc/ssl/client-key.pem
</LDAP>

<Authorization>
        BaseDN          "ou=Users,dc=<Zentyal base again here>"
        #IMPORTANT, I added an "initials" attribute to determine whether a user has access or not
        #I set this via adding an attribute to the ldap user via phpLdapAdmin.  Users must have this attribute to connect
        #This is hacky but it works!
        # note: this only gates access if ordinary users cannot write their own
        # initials attribute; check the directory ACLs before relying on it
        SearchFilter    "(&(uid=%u)(initials=vpn))"
        # RequireGroup false means the <Group> block below is not enforced
        RequireGroup    false
        <Group>
                BaseDN          "ou=Groups,dc=<Zentyal base...>"
                SearchFilter    "(|(cn=developers)(cn=artists))"
                MemberAttribute uniqueMember
        </Group>
</Authorization>

Here's the bridge startup script:
Code:
#!/bin/sh
# bridge-up: attach the tap device OpenVPN just created to the bridge.
# Called from the "up" line as: bridge-up <bridge> <tap-dev> <mtu>
set -e
BR=$1
DEV=$2
MTU=${3:-1500}    # third argument from the up line, 1500 if omitted
/sbin/ip link set "$DEV" up promisc on mtu "$MTU"
/usr/sbin/brctl addif "$BR" "$DEV"

Here's the bridge down script:
Code:
#!/bin/sh
# bridge-down: detach the tap device from the bridge before OpenVPN removes it.
# Called from the "down" line as: bridge-down <bridge> <tap-dev>
BR=$1
DEV=$2
/sbin/ip link set "$DEV" down
/usr/sbin/brctl delif "$BR" "$DEV"

Some notes from above: I made a user, openvpn, that has no home dir or login to run.  I chown'ed the /etc/openvpn dir to this user.  Make sure to edit the Zentyal stub from the above post so that /etc/default/openvpn doesn't keep getting destroyed.  In order to run the start_openvpn delay script above, I called
Code:
sudo update-rc.d start_openvpn defaults
after making the script executable.

While I was having issues on startup, this was working well overall from a connectivity standpoint.  The real issue here is that I know Zentyal incorporates OpenVPN in a way and I feel like I'm stepping on its toes.  That said, @Zentyal devs, would it be possible to build this functionality directly into the Zentyal server?  All the pieces are there; they just need to be connected.  Really the only thing that would need to be fleshed out is my hack that uses the initials attribute to determine if someone has access or not.  I actually looked at it and there is a way to build a .schema file and include it in OpenLDAP so that you could have a VPN boolean, but after fighting to get OpenVPN working for the first time I was out of steam at that point.  Finally, if anyone has any suggestions for helping me clean anything up, please let me know.  Thanks in advance.

14
Thanks!  I edited the /usr/share/zentyal/stubs/openvpn/default-openvpn.mas to use my "server.conf" file but I still cannot get OpenVPN to go on start up.  Looking through the Zentyal logs, /var/log/messages, and openvpn.log I can find nothing that relates to the startup.  I rebooted and saw the OpenVPN startup process go through OK (hitting Esc on the Zentyal splash).  However, after boot, OpenVPN reports that it is not running.  I can then launch it no problem by starting the init script.  I used sysv-rc-conf to make sure OpenVPN was on runlevels 3, 4, and 5, but then I had a thought: does Zentyal use some sort of built-in start-up mechanism for OpenVPN?  If so, what's the best practice for starting it?

15
I'm having a bit of trouble getting OpenVPN up and working smoothly with the LDAP auth module.  The good news is that it DOES work (albeit a little hacky to get working). I have one minor issue: whenever I make changes to /etc/default/openvpn and change AUTOSTART="none" to AUTOSTART="server" (since my OpenVPN server conf file is named "server.conf" in /etc/openvpn) so that the server will autostart on boot, the file keeps getting smashed back to AUTOSTART="none" after at least 1 reboot.  Is there a Zentyal process that re-writes the file?  Other than that everything works fine.  I can post more details if anyone is curious.
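Posts 13 to 15 all hit the same thing: the hand-rolled OpenVPN server has to come up after the br1 bridge exists and after Zentyal has finished rewriting its own files, and the delayed-start script in post 13 handles that with a flat sleep 2m.  Below is an added alternative, my code rather than the thread author's script, that polls for the bridge with a bounded timeout instead: the bridge name br1 and the /etc/init.d/openvpn path come from the posts, while the sysfs check, the poll interval and the timeout are my assumptions.

```shell
#!/bin/sh
# Added example (not the thread author's script): replace the fixed
# "sleep 2m" in the delayed OpenVPN start script with a bounded poll, so
# OpenVPN starts as soon as the bridge it attaches to exists, and boot
# does not silently start it against a missing device if it never appears.
BRIDGE=br1            # from the server.conf "up" line in post 13
POLL_INTERVAL=2       # seconds between checks (my choice)
POLL_TIMEOUT=120      # give up after this long; the original waited a flat 2 minutes

# wait_for <timeout> <interval> <cmd...>: run cmd until it succeeds or the
# timeout expires.  Returns 0 once cmd succeeded, 1 on timeout.
wait_for() {
    _timeout=$1; _interval=$2; shift 2
    _waited=0
    while ! "$@" >/dev/null 2>&1; do
        if [ "$_waited" -ge "$_timeout" ]; then
            return 1
        fi
        sleep "$_interval"
        _waited=$((_waited + _interval))
    done
    return 0
}

# bridge_exists <name>: true once the kernel has the bridge (sysfs; no brctl needed).
bridge_exists() {
    [ -d "/sys/class/net/$1/bridge" ]
}

# delayed_openvpn_start: what the init script's "start" action would run.
delayed_openvpn_start() {
    if wait_for "$POLL_TIMEOUT" "$POLL_INTERVAL" bridge_exists "$BRIDGE"; then
        /etc/init.d/openvpn start
    else
        echo "bridge $BRIDGE did not appear within ${POLL_TIMEOUT}s; not starting openvpn" >&2
        return 1
    fi
}

# Act only when invoked as an init script with "start"; running or sourcing
# the file without arguments just defines the functions above.
case "${1:-}" in
    start) delayed_openvpn_start ;;
esac
```

Drop this in as the start action of the same LSB-headed script (registered with update-rc.d and Default-Start 2 3 4 5, since post 12 found Zentyal boots into runlevel 2) and OpenVPN starts a few seconds after the bridge exists rather than a fixed two minutes later; if the bridge never shows up the script fails with a message in the boot log instead of OpenVPN failing inside its up script.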
