Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: OliverSteele on December 18, 2012, 05:16:00 pm

Title: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 18, 2012, 05:16:00 pm
We recently started having some configuration problems with our lab server running Ubuntu 10.04. The configuration got screwed up and the guy who set it up was no longer around to consult, so we just installed Zentyal 3.0. However, we had roughly 15-20 users each with their own rather important set of files in their home directories and we would like to just "re-attach" those user home folders to our current Zentyal setup instead of using the add users module to start over again. Is such a thing possible? Thanks.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: Escorpiom on December 19, 2012, 12:18:25 pm
Hi,

Well, it does not sound easy. Ubuntu users and users created on the Zentyal admin interface are something different.
If there are maximum 20 users, you can create them in Zentyal and copy the userdata back to the folders, providing you have a backup.
I've done it that way before when my server got borked.

Cheers.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 19, 2012, 10:51:16 pm
Won't I have problems with UIDs and GIDs? Unfortunately the user home directories are anywhere from 150Mb - 120+Gb of data, so going through and manually updating user ids and group ids is out of the question.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: Escorpiom on December 20, 2012, 01:40:29 am
Possibly yes, but isn't it possible to apply it to the whole volume?
A utility called "pysdm" should allow you to play with permissions. It will be rather generic, but you should be able to get your users' data back.
Otherwise, I understand that you prefer importing the data preserving the UID, I can't see how that could be done.
But perhaps someone with more experience can comment on this.

Cheers.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 20, 2012, 06:48:33 am
Is your move to Zentyal 3.0 mandatory?
I mean that such an option will add some difficulties to the "migration".

This said, UID & GID numbers are stored in LDAP. Thus you should be able to create accounts in LDAP keeping the UID & GID numbers you had with your previous version. What I don't perceive yet, because I never saw any documentation about this, is the potential impact due to the secondary LDAP server for Samba 4.
Again, this jump to Zentyal 3.0, if you are in a hurry, is not, from my standpoint, a good idea.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 22, 2012, 12:29:28 am
Well, what we really want to do is go from Ubuntu 10.04 to 12.04 Desktop, re-import the relevant user data from 10.04, and just use Zentyal for the firewall. If I'm using apt-get, do I need to download zentyal-core or can I just get zentyal-firewall? Thanks to both of you for your help, btw.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 22, 2012, 09:03:47 am
1 - I don't understand why your target is 12.04 desktop. Why not server as this is your firewall?
2 - you can install it from Zentyal ISO and select, instead of standard installation, the advanced one to install firewall only.
3 - I don't have all the dependencies in mind (especially with 3.0) but installing FW module will also install some other required modules
4 - if goal is really to run "FW only", Zentyal is perhaps slightly overkilling...
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: Escorpiom on December 22, 2012, 12:46:37 pm
I agree with Christian. If it concerns only the firewall there are other simpler options to consider.
Zentyal has so much more to offer, why don't you take a look at the other modules also?

Cheers.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 23, 2012, 11:04:16 pm
We prefer 12.04 Desktop because we have members of our group who likely will not become deeply familiar/comfortable with the command line, so the Unity interface is preferable to something command line only or the entire OS having the Zentyal overlay. Most of all, the old server that we're trying to re-create was Ubuntu Desktop 10.04 so we have the best reference of what the setup should look like from that. All of the modules that Zentyal configures are free-to-use modules that we very likely will be using on our own, but I have to be honest; I can't stand working from a GUI. I want to know exactly how things are set up and exactly what is going on on my computer so that I can just write up step-by-step instructions for setting the computer up if it fails again.

I'm sorry but I'm not so clear on the points you made, Christian:

1 - Ubuntu desktop vs. server can be made into the same thing, we just preferred to start with the familiar Unity interface and add/subtract programs as we needed.

2 - Can I just use "apt-get install zentyal-firewall" equally effectively?

3 - That should be fine

4 - I'm not sure what you mean. Are you asking if I'm only trying to set up a firewall? Or if my goal is only to use the firewall from Zentyal in addition to other freely available software that Zentyal uses as modules? The computer we're setting up is going to be a DHCP router, firewall, LDAP host, and probably a few other things I'm forgetting. I've tried fooling around with Zentyal for a couple of weeks, but there are too many areas I want to fine-tune that Zentyal does not allow for. Additionally, I'm pretty sure we're going to need to use DNSMasq since our ISP has three nameservers which doesn't leave room for localhost in /etc/resolv.conf, and creating a new user with adduser and just "re-attaching" their old home directories properly using usermod seems much safer than trying to edit the permissions of over 2.5 Tb of data. : /
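Added example, not part of the thread: one way to plan the "re-attach" approach discussed above is to read the passwd and group files from the old server's backup and emit `groupadd`/`useradd` commands that keep each UID and GID, flagging any number already taken on the new install. The account names and file contents are constructed sample data, and the function names are hypothetical.

```python
import shlex

# Constructed sample data: passwd/group files restored from the old server...
OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1002:1002:Carol:/home/carol:/bin/zsh
"""
OLD_GROUP = "root:x:0:\nalice:x:1000:\nbob:x:1001:\ncarol:x:1002:\n"
# ...and the fresh install, where the setup account already holds UID/GID 1000.
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
labadmin:x:1000:1000:Lab Admin:/home/labadmin:/bin/bash
"""
NEW_GROUP = "root:x:0:\nlabadmin:x:1000:\n"


def parse_passwd(text):
    """Return {name: (uid, gid, home, shell)} from passwd(5)-format text."""
    users = {}
    for line in text.splitlines():
        f = line.split(":")
        if len(f) == 7:
            users[f[0]] = (int(f[2]), int(f[3]), f[5], f[6])
    return users


def parse_group(text):
    """Return {gid: name} from group(5)-format text."""
    rows = (line.split(":") for line in text.splitlines())
    return {int(f[2]): f[0] for f in rows if len(f) == 4}


def plan_migration(old_pw, old_gr, new_pw, new_gr, min_uid=1000, max_uid=59999):
    """Return (commands, conflicts) for re-creating human accounts unchanged."""
    old_users, new_users = parse_passwd(old_pw), parse_passwd(new_pw)
    old_groups, new_groups = parse_group(old_gr), parse_group(new_gr)
    uid_owner = {v[0]: name for name, v in new_users.items()}
    commands, conflicts = [], []
    for name, (uid, gid, home, shell) in sorted(old_users.items()):
        if not min_uid <= uid <= max_uid:
            continue  # skip system accounts; the new OS manages those itself
        holder = uid_owner.get(uid)
        if holder is not None and holder != name:
            # Restored files owned by this UID would belong to `holder`.
            conflicts.append(f"UID {uid} wanted by {name} is held by {holder}")
            continue
        group = old_groups.get(gid, name)
        if new_groups.get(gid, group) != group:
            conflicts.append(f"GID {gid} wanted by {group} is held by {new_groups[gid]}")
            continue
        if holder == name:
            continue  # already present with the right UID
        if gid not in new_groups:
            commands.append(f"groupadd -g {gid} {shlex.quote(group)}")
            new_groups[gid] = group  # do not emit the same groupadd twice
        # -M keeps useradd from creating a home; the restored directory is reused.
        commands.append("useradd -u %d -g %d -M -d %s -s %s %s" % (
            uid, gid, shlex.quote(home), shlex.quote(shell), shlex.quote(name)))
    return commands, conflicts
```

The conflict list is the part to review before running anything: a UID that is already held on the new system would hand the restored files to the wrong account.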
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 24, 2012, 07:17:16 am
1 - If you want to use Desktop edition rather than Server, it's up to you  :)
Both work and if you are convinced difference is only GUI, then you're right, rather go for desktop edition. Differences in term of kernel settings are most likely not a concern for you.
2 - I thought you wanted to install, based on your first post, "firewall" only, reason why I said "this is perhaps overkilling". If you want to also install LDAP and DHCP and some other modules, then Zentyal makes more sense.

There is one point I would like to highlight: it looks like you want to know the very detail of everything and look at Zentyal from the "low" side. Why not, but keep in mind that Zentyal has been designed to be installed, configured and used through the GUI, installing modules rather than low-level components. I refer here to your DNSmasq comment. With Zentyal, you do not install DNSmasq but "DNS service", no matter what the DNS engine behind it is.
If, for some reason, you do need DNSmasq, I would suggest not to go for Zentyal but rather build your own solution, otherwise it can be quite complex to adapt to Zentyal. This aside, I don't understand your point with your ISP's DNS. Sorry  :-[

For what concerns user's home directories, I'm a bit confused too: is your point related to UID numbers and GUID numbers?

Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 25, 2012, 05:18:15 pm
Well with regards to your second paragraph, one of the issues we were running into was the fact that our ISP has three nameservers, and apparently all are required to resolve ISP domain names. Thus, we needed to have all three nameserver IPs listed first in resolv.conf. However, this meant (apparently -- I am still working to fully understand how DNS/resolv.conf works, so if I am misunderstanding something and you have the time and energy, any clarification would be immensely helpful) that the LAN domain name resolution failed since 127.0.0.1 and 127.0.1.1 were the fourth and fifth nameservers in resolv.conf and only the first three are read. So we apparently have to choose between resolving LAN domain names, and the domains of our ISP. Since our ISP is a university instead of something like Comcast or Verizon, several of the ISP domain names are important to be able to resolve. Oddly, the rest of the internet outside of our ISP remained resolvable by name. I still don't know how that one works. The point is, I wasn't aware of a method that Zentyal offers to have more than three DNS IPs. This is why I talk about needing DNSmasq.

Regarding your question about our user's home directories, yes my point was related to aligning the UID and GID numbers of the newly re-created users and their backed-up files.

Merry Christmas btw :)
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: Marcus on December 27, 2012, 02:38:10 pm
Hello OliverSteele,

Quote
we needed to have all three nameserver IPs listed first in resolv.conf

From the GUI
Zentyal >> Network >> DNS >> + Add New

You may add as many as you want (I just tried it and it worked for me).

From the Terminal
You may add more entries to it this way (and mitigate the conflict with Zentyal):
Code:
echo "nameserver 8.8.8.8" >> /etc/resolvconf/resolv.conf.d/extra
Simply replace the IP in the string and repeat for adding your extra IPs. You may not see those IPs in the Zentyal GUI. That would just be an aesthetic problem...

Best,

Marcus
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 27, 2012, 05:52:00 pm
Hi Marcus,

Thanks for the suggestion; unfortunately neither method worked.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 29, 2012, 07:13:25 am
Coming back on this topic:
I currently have 7 DNS entries, 127.0.0.1 being the first one (no entry for 127.0.1.1 BTW I don't see any added value with this as the whole 127/8 range is loopback) and I don't face any identified DNS problem.
I'm not 100% sure all DNS entries are used but so far, it works.

If you can show that some entries are not used, why don't you create ticket as this is an obvious bug?

BTW, 127.0.0.1 is, hopefully, the first entry in my list  ;)
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 30, 2012, 09:00:01 pm
I'm back again on this topic because, reading your post again, I decided to have a closer look at my own side.

Indeed, /etc/resolv.conf contained only 2 entries (not the 2 first ones from those configured in Zentyal, neither the 2 last ones but 2 IP matching DNS for one of my 2 ISPs).
127.0.0.1 was missing

Applying fake change in my Network/DNS configuration, it restored /etc/resolv.conf to something matching what Zentyal interface exposes.
So I suppose there is indeed something wrong somewhere  >:(
I'll try to investigate further and will put here what I find, if any.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: Escorpiom on December 31, 2012, 05:27:28 am
Christian, the only possible explanation would be that resolv.conf is being overwritten because one or more of your external interfaces is doing DHCP.
I have both external interfaces set as static and resolv.conf reflects exactly what has been set in the Zentyal interface.

Cheers.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 31, 2012, 08:30:08 am
You are perfectly right:  8) I realized exactly the same last night and indeed, for some reason, one external interface was left (changed?) to DHCP. No real impact in term of address as my router is configured with reserved IP for Zentyal MAC address but this changes resolv.conf content obviously.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: UdoB on December 31, 2012, 09:26:46 am
Hello OliverSteele,
Quote
we needed to have all three nameserver IPs listed first in resolv.conf

From the GUI
Zentyal >> Network >> DNS >> + Add New
You may add as many as you want (I just tried it and it worked for me).

My understanding of DNS is a little bit different: it is a hierarchical system. You can not add several independent name servers into resolv.conf which are responsible for different domains and expect to resolve all of the zones.

For a new query only ONE server is picked and asked to resolve the name. When this NS answers "no, that host you asked for has no ip address" the resolver will NOT ask the other nameservers.

The point is that all nameservers should know "Forwarders". When a NS does not know a host's name by itself it asks them. One of those upstream systems will reply either with the correct data or the query will result in "unknown host name".

To have more than one NS is recommended for redundancy - they must supply identical value. But the second/third... one will only get to be asked if the first one does not answer at all.

In other words: several NS entries will raise the reliability, they will NOT offer the sum of knowledge of all of them.

One solution is to tell BIND about those zones: if you must resolve several independent zones you need to configure your primary name server (BIND on Zentyal in this case) explicitly to ask specific primary NS, responsible for that specific zone. This is not magic, it works. But it is a completely different approach to solve that issue than having "simply" several nameserver-entries configured in resolv.conf. Keep in mind that you need to copy BIND's *.mas to /etc/zentyal/stubs to make it persistent. The "normal" Forwarders can/should be told to BIND via the Zentyal Webgui.

This BIND instance, running on 127.0.0.1 is the ONLY entry in /etc/resolv.conf then. 

Disclaimer: I did not modify Zentyal's BIND yet, so I am not sure if this all one needs to know.

Best regards
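Added example, not part of the thread: a simplified Python model of the lookup behaviour described in the post above, next to the single-local-server-with-forwarding alternative it recommends. The ISP server addresses (192.0.2.x), the name `mail.university.example` and all function names are assumptions made for illustration; only `electron.internal.local` and 192.168.0.1 come from the thread.

```python
MAXNS = 3  # glibc's stub resolver uses at most three "nameserver" lines

# Constructed resolv.conf: three ISP servers first, the local server fourth.
# 192.0.2.x and *.university.example are placeholders, not values from the thread.
RESOLV_CONF = """\
search internal.local
nameserver 192.0.2.1
nameserver 192.0.2.2
nameserver 192.0.2.3
nameserver 127.0.0.1
"""
ISP_ZONE = {"mail.university.example": "192.0.2.25"}
LOCAL_ZONE = {"electron.internal.local": "192.168.0.1"}
# What each server can answer; a value of None models a server that is down.
SERVERS = {"192.0.2.1": ISP_ZONE, "192.0.2.2": ISP_ZONE,
           "192.0.2.3": ISP_ZONE, "127.0.0.1": LOCAL_ZONE}


def nameservers(conf_text):
    """Return (used, ignored) nameserver addresses in file order."""
    found = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(parts[1])
    return found[:MAXNS], found[MAXNS:]


def stub_resolve(name, conf_text, servers):
    """Ask servers in order; the first one that replies decides the result."""
    trail = []
    for ip in nameservers(conf_text)[0]:
        zone = servers.get(ip)
        if zone is None:
            trail.append((ip, "timeout"))   # no reply: fall through to the next
            continue
        answer = zone.get(name, "NXDOMAIN")  # a definite "no" is still a reply
        trail.append((ip, answer))
        return (None if answer == "NXDOMAIN" else answer), trail
    return None, trail


def forwarding_resolve(name, local_zone, forward_zones, servers):
    """One local server: answer its own zone, forward other zones by suffix."""
    if name in local_zone:
        return local_zone[name]
    for suffix, upstream in forward_zones.items():
        if name == suffix or name.endswith("." + suffix):
            return (servers.get(upstream) or {}).get(name)
    return None
```

In the model, the LAN name fails through resolv.conf because the first ISP server answers "no" and the fourth entry is never read, while the forwarding setup resolves both names from a single 127.0.0.1 entry.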
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on December 31, 2012, 09:36:20 am
For a new query only ONE server is picked and asked to resolve the name. When this NS answers "no, that host you asked for has no ip address" the resolver will NOT ask the other nameservers.

The point is that all nameservers should know "Forwarders". When a NS does not know a host's name by itself it asks them. One of those upstream systems will reply either with the correct data or the query will result in "unknown host name".

To have more than one NS is recommended for redundancy - they must supply identical value. But the second/third... one will only get to be asked if the first one does not answer at all.

In other words: several NS entries will raise the reliability, they will NOT offer the sum of knowledge of all of them.

+1
Here I've configured 2 DNS entries for each ISP + another one in case (very unlikely) none from ISP answers but I do not expect different answer depending on which (external) DNS is requested.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on December 31, 2012, 11:14:30 pm
Does anyone know if there is a way to specify more than one search domain? I am of the understanding that more than one domain is allowed after the "search" option in resolv.conf.


Also, the following problem is perplexing me. If anyone has some idea about why this might happen, please tell:

Zentyal box has two network cards set up as such:

eth0: local network, static IP of 192.168.0.1, domain name of electron.internal.local
eth1: external network, static IP of 25.10.10.1, domain name of electron.defense.uk (names and IPs have been changed to protect the innocent)

Can ping both electron.internal.local and electron.defense.uk  *however*  "ping electron.internal.local" returns a response from the outward facing IP, i.e.

64 bytes from electron.internal.local (25.10.10.1):  .....

instead of

64 bytes from electron.internal.local (192.168.0.1): .....

Additionally, "ssh user1@electron.defense.uk" from an internal network computer works as expected, however "ssh user1@electron.internal.local" will prompt for the password, but then always respond "Permission denied, please try again." even though we're 100% sure we're typing the right password. The firewall is set to allow any connection from an internal computer to electron, so I wouldn't think that is the problem, but I don't know.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on January 01, 2013, 12:03:34 am
I should also note that "ssh user1@25.10.10.1" and "ssh user1@192.168.0.1" are both successful, which doesn't clarify things for me at all, but may be useful to someone more knowledgeable than I.
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: christian on January 01, 2013, 10:36:51 am
Regarding your SSH issue:

- be sure that nsswitch.conf contains "file dns"
- then be sure that /etc/hosts contains an entry for localhost matching 127.0.0.1 and also entry for your Zentyal server (quite often 127.0.1.1 fqdn host)
- last, look at resolv.conf => it should contain entry for 127.0.0.1 so that local (Zentyal) DNS is used to resolve local (internal) domain.

If everything is correct, you should be able to resolve electron.internal.local on Zentyal server itself.
Does this work?
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on January 01, 2013, 05:15:34 pm
Each of those details seems to be correct, yes. "ssh user1@electron.internal.local" from electron itself works correctly, just not from any of the client computers on the LAN. It kind of depends on what you mean by "resolve" electron.internal.local I think. When I execute "host electron.internal.local" from a LAN computer (or electron, actually), the response is:

electron.internal.local has address 192.168.0.1
electron.internal.local has address 25.10.10.1
electron.internal.local has IPv6 address ::1

When I execute "host electron.defense.uk" the response is simply:
electron.defense.uk has address 25.10.10.1
Title: Re: Migrating Ubuntu 10.04 Users to Zentyal 3.0
Post by: OliverSteele on January 01, 2013, 05:56:38 pm
A few more related details/questions. Sorry about the deluge:

Isn't it an error that "host electron.internal.local" on a client computer is showing the IPv6 address as ::1? That's loopback right? I did a little experiment and it seems to confirm my hypothesis:

- I ssh'd from electron to a LAN computer called dipole. That worked fine. I'm now on dipole as user "localuser".
- I deleted ~/.ssh/known_hosts.
- I typed "ssh localuser@electron.internal.local" **There is no user named localuser on electron!!!**
- One of the lines is "The authenticity of host 'electron.internal.local (::1)' can't be established."
- It prompts me for my password, so I type the password for dipole. It succeeds!

So for some odd reason, A) the LAN computers are suddenly using IPv6 by default when ssh-ing to electron, but B) electron is telling these LAN computers that its IPv6 address is really the loopback address which obviously points to the computer I'm currently working on. Madness. It should be noted that adding the -4 flag to ssh allows successful ssh-ing to electron from LAN computers using the local domain, i.e. "ssh -4 user1@electron.internal.local" works correctly.

Under the DNS tab, the only listed domain is internal.local, however the "domain IP addresses" has both 192.168.0.1 AND 25.10.10.1, and similarly when I click on "hostnames" electron shows up, but that has two IP addresses as well. Should there be a separate ".defense.uk" domain with the 25.x.x.x information?
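Added example, not part of the thread: a small Python check over `host` output that flags the two conditions reported in the posts above, a loopback address published for a server name and one name answering with both private and public addresses. The sample input is the output quoted in the thread; the function name and finding labels are hypothetical.

```python
import ipaddress
import re

# The three lines quoted in the thread for "host electron.internal.local".
HOST_OUTPUT = """\
electron.internal.local has address 192.168.0.1
electron.internal.local has address 25.10.10.1
electron.internal.local has IPv6 address ::1
"""
RECORD = re.compile(r"^(\S+) has (?:IPv6 )?address (\S+)$")


def audit_host_output(text):
    """Return [(name, addresses, finding)] for risky address records."""
    by_name = {}
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # not an address; ignore the line
        by_name.setdefault(m.group(1), []).append(addr)

    findings = []
    for name, addrs in by_name.items():
        for addr in addrs:
            # A loopback record sends every remote client back to itself.
            if addr.is_loopback:
                findings.append((name, str(addr), "loopback-published"))
        others = [a for a in addrs if not a.is_loopback]
        # Same name on private and public addresses: clients may pick either.
        if {a.is_private for a in others} == {True, False}:
            joined = ",".join(str(a) for a in others)
            findings.append((name, joined, "internal-and-external"))
    return findings
```

Run against a resolver's answers for each server name, a "loopback-published" finding identifies the record to remove from the zone, since any client following it ends up authenticating to its own SSH daemon.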