Messages - ckiendl

1
I haven't set up shared folders yet, so I can't tell what their default permissions are.

What you can do, however, is simply generate a few new ones for a dummy user and see what their owner and permissions on the hard drive are (e.g. through ls -ahl /home).

If they don't generate their own folders, the permissions are probably managed through Samba itself, not in the filesystem.

2
I have barely just installed Zentyal and don't run it yet, so I can't say much about the Zentyal side of things (I guess just remove the ACL wherever you applied it, so Zentyal doesn't reapply it).

If, however, you have a backup of the file system, you can look up the folder permissions in the backup and re-set them on the command line or through the GUI, if you have one.

If you don't have one, you'll have to do a bit of work. Through either the command line or GUI, start by setting ownership and permissions of only the /home folder to root:root and 755 (chown root:root /home and chmod 755 /home).
Then for the individual user folders, the scheme is always the same: /home/someuserfolder itself has permissions 700, the files below vary according to what the user did - 644 is default.
The folder and all files below are owned by the user and belong to the group "domain users" of your domain.

Run the following commands:
getent group | grep "domain users" - this will give you the name of your domain users group. It'll be in the format NETBIOSDOMAIN\domain users.
getent passwd | grep "/home/" - this will give you a list of people who (may) have folders below /home. You should see all the usernames of your domain in the format NETBIOSDOMAIN\username as well as the home folders assigned to them (the foldername ends before the next colon, e.g. out of /home/username:/bin/bash, /home/username is the folder).

For each user, run the following commands, switching out NetBIOS-domain and username as appropriate:
chown -R "NETBIOSDOMAIN\username":"NETBIOSDOMAIN\domain users" /home/username # this will recursively reassign /home/username and everything below to that user. If the previously output user list shows a different home folder than /home/username, alter that part appropriately.
chmod -R 644 /home/username # this sets the folder and everything below it to the default permissions of rw-r-r
chmod 700 /home/username # this corrects the permissions of the home folder itself to only be visible to the user

This is only the system side of things. I don't know what else Zentyal does on top of that. If any of those folders are mounted through a network, you will also have to check the Samba permissions.
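
Added example, not part of the original post: a recursive chmod 644 also strips the search (x) bit from every subfolder, so this sketch applies the post's 700/644 scheme with files and directories handled separately and then verifies the result. The function names list_homes, reset_home_modes and audit_home_modes are hypothetical, and 755 for subfolders is an assumption; ownership is still set with the chown command above.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; all function names are hypothetical.

# Read passwd-format lines (e.g. from `getent passwd`) on stdin and print
# "user<TAB>home" for every account whose home folder is below /home.
list_homes() {
    awk -F: 'index($6, "/home/") == 1 { print $1 "\t" $6 }'
}

# Apply the post's scheme to one home folder: 700 on the folder itself,
# 644 on files. Subfolders get 755 (assumption) so they stay traversable.
reset_home_modes() {
    local home_dir="$1"
    # Refuse symlinks and non-directories so a planted link is never followed.
    if [ -L "$home_dir" ] || [ ! -d "$home_dir" ]; then
        echo "skipping $home_dir: not a real directory" >&2
        return 1
    fi
    chmod 700 "$home_dir"
    # "\;" runs chmod on each directory before find descends into it, which
    # also repairs a tree whose subfolders were already set to 644.
    find -P "$home_dir" -mindepth 1 -type d -exec chmod 755 {} \;
    find -P "$home_dir" -type f -exec chmod 644 {} +
}

# Print every path that deviates from the scheme; return 1 if any was found.
audit_home_modes() {
    local home_dir="$1" bad
    bad=$(find -P "$home_dir" -maxdepth 0 ! -perm 700 -print
          find -P "$home_dir" -mindepth 1 \
               \( -type d ! -perm 755 -o -type f ! -perm 644 \) -print)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Typical use as root, after the chown step:
#   getent passwd | list_homes | while IFS="$(printf '\t')" read -r user home; do
#       reset_home_modes "$home" && audit_home_modes "$home"
#   done
```

Files the user had marked executable lose that bit under this scheme and have to be restored by hand.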

3
Directory and Authentication / Default Groups DN wrong?
« on: February 14, 2018, 06:00:16 pm »
The LDAP information page says
Quote
Default Groups DN
CN=Users,DC=mydomain,DC=tld
despite the fact that OU "Groups" exists.

Where can I change this to the appropriate (and existing) "CN=Groups"?

4
In case anyone looks this up later: I "solved" the dependency issue by allowing the system to uninstall software-properties-common and ubuntu-server.
The former is responsible for conveniences like add-apt-repository, the latter is a metapackage for a specific set of server-software.

I can only hope this doesn't lead to apt "helpfully" uninstalling core software because it deems it an "unused dependency". We'll see.

5
I have partially deciphered the dependency issue.

Due to the failure to document that for package installation, the universe repository is required (to fix dependencies like libhtml-mason-perl), I had to enable that on my own yesterday.
Since I essentially improvised that on the fly, I hadn't enabled universe for xenial-updates and the like.
Adding universe everywhere fixes most of the dependency issues for package installation.

There are still collisions with gnupg, libgnutls-openssl27 and libgnutls30 (Depends: libgnutls30 (= 3.4.10-4ubuntu1.4) but 3.5.6-4 is to be installed.)

6
First of all, let me say that it is DECIDEDLY RIDICULOUS that a project that has "contribute" in huge letters on its homepage has no discernible way of transmitting information to the community without registering first.
Neither Redmine nor these forums nor the wiki allow for unregistered posting.
That's a rather stupid obstacle for contribution.

In addition, if you must force registration, you could at least go for a less incompetently designed user interface - it is decidedly not obvious that the huge input field directly below the CAPTCHA doesn't actually belong to the CAPTCHA.
Putting both CAPTCHA and the security question next to each other with a bit of whitespace would be a much better choice, but even a single, empty line would drastically improve the chances of noticing the VERY IMPORTANT text between CAPTCHA and input box.

-----------------------------------------------------------------------------------------------------------------------------------------------------------

That being said:

Dear fellow tormented individual, if you have installed Zentyal from packages according to the Installation Guide, if you have followed the advice to add your user to the sudo group, and you still get the "password incorrect" error despite everything being in order, check the group ownership of /etc/shadow (ls -ahl /etc/shadow).

The user ebox must be in the shadow group and the shadow group must have read access to /etc/shadow.
If /etc/shadow has an ownership of root:root rather than root:shadow, you will not be able to login.

You can correct the situation with chgrp shadow /etc/shadow. Also make sure that group has read permissions on that file. Permissions should be rw-r-- (-rw-r----- in long form), or 640 numerically.

If this doesn't help either, you can touch /etc/pam_debug to get debug output for the authentication procedure (to wherever your system has debug logging configured).

Dear developers: To tell the user his password is wrong when really you can't read the password database is bad design.
You should check and ideally fix the readability of /etc/shadow during the installation, and at least complain about lacking permissions during runtime.
Sending users on a wild goose chase and answering every occurrence of "password incorrect" after installation with "add to sudo" and then silence helps no one.
Not to mention that the leap "password incorrect" -> "add to sudo" isn't particularly obvious either. There should be better reporting on that as well.


Symptoms/keywords of this issue for future people's searches:
password incorrect
fresh installation
packages
unix_chkpwd[]: check pass; user unknown
unix_chkpwd[]: password check failed for user ()
uwsgi: pam_unix(zentyal:auth): authentication failure; logname= uid=113 euid=113 tty= ruser= rhost=  user=

------------------------------------------------------------------------------------------------------------------------------------

And since I'm here anyway: In the next step I can choose packages to be installed.
I did so. What did I get?
Quote
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
zentyal-groupware : Depends: zentyal-mail but it is not going to be installed
Depends: zentyal-sogo but it is not going to be installed
For one: Why is that even possible? Why can the user even select an impossible scenario?
For two: How is that even possible? How are you calling the package manager to screw up something as anciently solid as apt's dependency installation?
Thirdly, why are there no further instructions? I can deal with this on my own, but a novice may have no idea how to solve this. Basically: What good is this information to someone who is not familiar with Linux package management?
And last but not least: Why is the OK button not working? Why am I stuck on a stupid error that shouldn't have occurred in the first place?
