
Messages - Kamilion

Pages: [1] 2 3 4
1
Installation and Upgrades / Re: Mail Forwarding
« on: October 30, 2010, 03:34:41 am »
AHHA! I've been trying to figure out how to do something like this for a while. I resorted to hacking the mason templates and tinkering with postfix directly...

Now to back all that out and start learning SIEVE.

Once I've got the two scripts I need, I'll post them in the tips and tricks forum under my thread.
I need:
double-redirection (boss@domain -> bossname@domain -> bossname@gmail) (Like this guy)
Vacation autoresponder (Here's the example I found)

2
You can find all the information to download and configure it here:

http://trac.zentyal.org/wiki/Document/Documentation/EBoxActiveDirectorySync

As usual, your feedback will be really appreciated.

I note it says "Windows 2003" and "Windows 2008", but no specific mention of 2008R2.
Will it work? (or more to the point, how well has it been tested?)

3
Installation and Upgrades / Decapitation with NoMachine 3.4
« on: September 11, 2010, 12:54:09 am »
Fun with Headless Zentyal!

Code:
apt-get install python-software-properties
add-apt-repository ppa:freenx-team
apt-get update
apt-get install freenx-server

Then set up your nxclient like this:

4
Installation and Upgrades / Re: Zentyal and the Ubuntu SCSI "problem"
« on: September 07, 2010, 11:11:54 pm »
Sorry for being tardy in getting back to this.

After posting here I stumbled across Plop Boot Manager. This permits booting from USB drives on machines with no native USB boot support. I made a standard boot disk at the Ubuntu desktop using the Zentyal image, created a floppy boot disk using the Plop image, inserted both and started the machine. At the boot menu I selected USB, and off it went.

I'll report back if that doesn't work to installation finish, but just getting past the old "crash" spot in the install was a happy moment.

Hmm, I'll have to give PLOP a shot on my Dell Latitude D810 and see if it can find my USB U3-cdrom-partition after booting from the U3-flash-partition.

5
Installation and Upgrades / Re: Upgrade from ebox 1.5.1x to zentyal 2.0
« on: September 07, 2010, 11:08:03 pm »
Thanks a lot for pasting your log Kamilion.

I'm kind of new to Linux commands.

Even so, your log is the most straightforward I've seen here for upgrading.

I'm using an 1.4.6 eBox as a gateway installed on a PC, and would like to upgrade to Zentyal 2.0.

Will this procedure work for me?

Probably not. You'll most likely have problems with the ebox-usersandgroups module, the LDAP schema has changed pretty heavily to allow the new features of 2.0.

Fortunately, just about all of the other modules will upgrade fine.
Personally, however, I would highly suggest backing up your 1.4 installation, restoring it in a virtual machine, and then performing the upgrade on the VM until you get it right. Then either backup the VM and restore to the physical machine, or perform the upgrade in-situ when you're familiar enough.

Have a look at my message here if you'd like to backup and restore individual modules (Like OpenVPN certs, etc):
http://forum.zentyal.org/index.php?topic=2360.msg13418#msg13418

Note: That message was written in February during the 1.2 -> 1.4 upgrade cycle. Your mileage may vary.

6
Installation and Upgrades / Re: 1.5 to 2.0 is possible?
« on: September 03, 2010, 01:54:39 am »

7
Here you are:
http://files.sllabs.com/zentyal-2.0-i386.iso.torrent

Torrent Infohash: 08c46e72168c08b40234add822ed10ec335a2933
Number of Chunks: 921
Chunksize: 512KB

Webseed Source: http://files.sllabs.com/zentyal-2.0-i386.iso

Trackers:
http://tracker.openbittorrent.com:80/announce
udp://tracker.openbittorrent.com:80/announce
http://tracker.publicbt.com:80/announce
udp://tracker.publicbt.com:80/announce
http://tracker.mytorrenttracker.com:6099/announce
udp://tracker.mytorrenttracker.com:6099/announce

MD5s:
69b1068c82554e5b89c57dedb6b9121f  zentyal-2.0-i386.iso.torrent
dc2e5f4005b960b7baa99ccc98c88e01  zentyal-2.0-i386.iso

SHA1s:
32e553183ec433e7b3494efa5f9da247c6f9413c  zentyal-2.0-i386.iso.torrent
e06089471249fe7dfb73a5af30965cb782f1c6b8  zentyal-2.0-i386.iso


Webseed is enabled from my Rackspace instance, and I'm seeding from my 45mbit link.

Good luck, enjoy your Zentyal, and try not to lose your hands if they catch you with it. :)

8
Installation and Upgrades / Re: Bugs and Security Issues with 2.0rc
« on: September 01, 2010, 10:10:56 pm »
Another problem is with restarting or shutting down via the graphical interface in VBox.
It opens the window for what I want to do, but whatever I click, nothing happens apart from log off.
Reboot or shutdown is not working.

You need to
Code:
sudo apt-get install acpid
This will pull in the ACPI powerbutton scripts and let vbox shutdown the machine by faking a powerbutton event from the UI.

Most ubuntu-server installations need this additional package installed for powerbutton control as they generally do not want people in datacenters pushing buttons and killing off machines.

9
Installation and Upgrades / Upgrade from ebox 1.5.1x to zentyal 2.0
« on: September 01, 2010, 08:51:26 pm »
Well, everything went smoothly. Didn't even have to reboot, but I did a couple minutes later anyway.

I made sure I was at the latest 1.5 in the old PPA before upgrading.

Code:
root@hub:~# add-apt-repository ppa:zentyal/2.0
Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --primary-keyring /etc/apt/trusted.gpg --keyserver keyserver.ubuntu.com --recv 22D7149FCBC2389157BA52CF0E83F6EB10E239FF
gpg: requesting key 10E239FF from hkp server keyserver.ubuntu.com
gpg: key 10E239FF: public key "Launchpad Zentyal 2.0 series" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
root@hub:~# apt-get update
Hit http://ppa.launchpad.net lucid Release.gpg
Ign http://ppa.launchpad.net/ebox/1.5/ubuntu/ lucid/main Translation-en_US     
Get:1 http://ppa.launchpad.net lucid Release.gpg [307B]                       
Hit http://archive.ubuntu.com lucid Release.gpg                               
Hit http://us.archive.ubuntu.com lucid-proposed Release.gpg                   
Ign http://archive.ubuntu.com/ubuntu/ lucid/main Translation-en_US             
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-proposed/main Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-proposed/restricted Translation-en_US
Ign http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main Translation-en_US 
Hit http://ppa.launchpad.net lucid Release                                     
Ign http://archive.ubuntu.com/ubuntu/ lucid/restricted Translation-en_US       
Ign http://archive.ubuntu.com/ubuntu/ lucid/universe Translation-en_US         
Ign http://archive.ubuntu.com/ubuntu/ lucid/multiverse Translation-en_US       
Hit http://archive.ubuntu.com lucid-updates Release.gpg                       
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/main Translation-en_US     
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/restricted Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/universe Translation-en_US
Ign http://archive.ubuntu.com/ubuntu/ lucid-updates/multiverse Translation-en_US
Hit http://archive.ubuntu.com lucid Release                                   
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-proposed/universe Translation-en_US
Ign http://us.archive.ubuntu.com/ubuntu/ lucid-proposed/multiverse Translation-en_US
Hit http://us.archive.ubuntu.com lucid-proposed Release                       
Get:2 http://ppa.launchpad.net lucid Release [57.3kB]                         
Hit http://archive.ubuntu.com lucid-updates Release                           
Hit http://us.archive.ubuntu.com lucid-proposed/main Packages                 
Hit http://archive.ubuntu.com lucid/main Packages                             
Hit http://archive.ubuntu.com lucid/restricted Packages                       
Hit http://archive.ubuntu.com lucid/universe Packages                         
Hit http://archive.ubuntu.com lucid/multiverse Packages                       
Hit http://archive.ubuntu.com lucid/main Sources                               
Hit http://us.archive.ubuntu.com lucid-proposed/restricted Packages           
Hit http://us.archive.ubuntu.com lucid-proposed/universe Packages             
Hit http://us.archive.ubuntu.com lucid-proposed/multiverse Packages           
Hit http://us.archive.ubuntu.com lucid-proposed/main Sources                   
Hit http://us.archive.ubuntu.com lucid-proposed/restricted Sources             
Hit http://us.archive.ubuntu.com lucid-proposed/universe Sources               
Hit http://archive.ubuntu.com lucid/restricted Sources                         
Hit http://archive.ubuntu.com lucid/universe Sources                           
Hit http://archive.ubuntu.com lucid/multiverse Sources                         
Hit http://archive.ubuntu.com lucid-updates/main Packages                     
Hit http://archive.ubuntu.com lucid-updates/restricted Packages               
Hit http://archive.ubuntu.com lucid-updates/universe Packages                 
Hit http://archive.ubuntu.com lucid-updates/multiverse Packages               
Hit http://archive.ubuntu.com lucid-updates/main Sources                       
Hit http://us.archive.ubuntu.com lucid-proposed/multiverse Sources             
Hit http://archive.ubuntu.com lucid-updates/restricted Sources                 
Hit http://archive.ubuntu.com lucid-updates/universe Sources                   
Hit http://ppa.launchpad.net lucid/main Packages                               
Hit http://archive.ubuntu.com lucid-updates/multiverse Sources                 
Get:3 http://ppa.launchpad.net lucid/main Packages [17.9kB]                 
Hit http://security.ubuntu.com lucid-security Release.gpg                   
Ign http://security.ubuntu.com/ubuntu/ lucid-security/main Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/restricted Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/universe Translation-en_US
Ign http://security.ubuntu.com/ubuntu/ lucid-security/multiverse Translation-en_US
Hit http://security.ubuntu.com lucid-security Release
Hit http://security.ubuntu.com lucid-security/main Packages
Hit http://security.ubuntu.com lucid-security/restricted Packages
Hit http://security.ubuntu.com lucid-security/universe Packages
Hit http://security.ubuntu.com lucid-security/multiverse Packages
Hit http://security.ubuntu.com lucid-security/main Sources
Hit http://security.ubuntu.com lucid-security/restricted Sources
Hit http://security.ubuntu.com lucid-security/universe Sources
Hit http://security.ubuntu.com lucid-security/multiverse Sources
Fetched 75.4kB in 4s (17.2kB/s)
Reading package lists... Done
root@hub:~# apt-get dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
The following packages will be upgraded:
  ebox ebox-ca ebox-firewall ebox-ftp ebox-mail ebox-monitor ebox-network
  ebox-ntp ebox-objects ebox-openvpn ebox-services ebox-software
  ebox-usersandgroups ebox-webmail ebox-webserver libebox
16 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 3,935kB of archives.
After this operation, 262kB of additional disk space will be used.
Do you want to continue [Y/n]? y
Get:1 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-objects 2.0 [23.6kB]
Get:2 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-services 2.0 [24.6kB]
Get:3 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-network 2.0 [172kB]
Get:4 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-firewall 2.0 [73.4kB]
Get:5 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-ca 2.0 [114kB]
Get:6 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-webserver 2.0 [43.4kB]
Get:7 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-usersandgroups 2.0 [168kB]
Get:8 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-mail 2.0 [218kB]
Get:9 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-webmail 2.0 [38.5kB]
Get:10 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-ntp 2.0 [32.6kB]
Get:11 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-openvpn 2.0 [1,767kB]
Get:12 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-ftp 2.0 [16.9kB]
Get:13 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-monitor 2.0 [64.9kB]
Get:14 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox-software 2.0 [333kB]
Get:15 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main ebox 2.0 [646kB]
Get:16 http://ppa.launchpad.net/zentyal/2.0/ubuntu/ lucid/main libebox 2.0 [199kB]
Fetched 3,935kB in 2s (1,891kB/s)
Preconfiguring packages ...
(Reading database ... 30060 files and directories currently installed.)
Preparing to replace ebox-objects 1.5.1-0ubuntu1~ppa1~lucid1 (using .../ebox-objects_2.0_all.deb) ...
Unpacking replacement ebox-objects ...
Preparing to replace ebox-services 1.5.4-0ubuntu1~ppa1~lucid1 (using .../ebox-services_2.0_all.deb) ...
Unpacking replacement ebox-services ...
Preparing to replace ebox-network 1.5.8-0ubuntu1~ppa1~lucid1 (using .../ebox-network_2.0_all.deb) ...
Unpacking replacement ebox-network ...
Preparing to replace ebox-firewall 1.5.6-0ubuntu1~ppa1~lucid1 (using .../ebox-firewall_2.0_all.deb) ...
Unpacking replacement ebox-firewall ...
Preparing to replace ebox-ca 1.5.4-0ubuntu1~ppa1~lucid1 (using .../archives/ebox-ca_2.0_all.deb) ...
Unpacking replacement ebox-ca ...
Preparing to replace ebox-webserver 1.5.5-0ubuntu1~ppa1~lucid1 (using .../ebox-webserver_2.0_all.deb) ...
Unpacking replacement ebox-webserver ...
Preparing to replace ebox-usersandgroups 1.5.10-0ubuntu1~ppa1~lucid1 (using .../ebox-usersandgroups_2.0_all.deb) ...
Unpacking replacement ebox-usersandgroups ...
Preparing to replace ebox-mail 1.5.5-0ubuntu1~ppa1~lucid1 (using .../archives/ebox-mail_2.0_all.deb) ...
Unpacking replacement ebox-mail ...
Preparing to replace ebox-webmail 1.5.2-0ubuntu1~ppa1~lucid1 (using .../ebox-webmail_2.0_all.deb) ...
Unpacking replacement ebox-webmail ...
Preparing to replace ebox-ntp 1.5.2-0ubuntu1~ppa1~lucid1 (using .../archives/ebox-ntp_2.0_all.deb) ...
Unpacking replacement ebox-ntp ...
Preparing to replace ebox-openvpn 1.5.4-0ubuntu1~ppa1~lucid1 (using .../ebox-openvpn_2.0_all.deb) ...
Unpacking replacement ebox-openvpn ...
Preparing to replace ebox-ftp 1.5.2-0ubuntu1~ppa1~lucid1 (using .../archives/ebox-ftp_2.0_all.deb) ...
Unpacking replacement ebox-ftp ...
Preparing to replace ebox-monitor 1.5.6-0ubuntu1~ppa1~lucid1 (using .../ebox-monitor_2.0_all.deb) ...
Unpacking replacement ebox-monitor ...
Preparing to replace ebox-software 1.5.6-0ubuntu1~ppa1~lucid1 (using .../ebox-software_2.0_all.deb) ...
Unpacking replacement ebox-software ...
Preparing to replace ebox 1.5.14-0ubuntu1~ppa1~lucid1 (using .../apt/archives/ebox_2.0_all.deb) ...
Saving gconf files backup...
Unpacking replacement ebox ...
Preparing to replace libebox 1.5.10-0ubuntu1~ppa1~lucid1 (using .../archives/libebox_2.0_all.deb) ...
Unpacking replacement libebox ...
Processing triggers for ureadahead ...
Processing triggers for man-db ...
Setting up libebox (2.0) ...

Setting up ebox (2.0) ...
Installing new version of config file /etc/cron.daily/ebox ...
Reconnecting to redis server... at /usr/share/perl5/EBox/Config/Redis.pm line 521, <GEN3> line 1.
Reconnecting to redis server... at /usr/share/perl5/EBox/Config/Redis.pm line 521, <GEN5> line 1.
Reconnecting to redis server... at /usr/share/perl5/EBox/Config/Redis.pm line 521, <GEN7> line 1.
Reconnecting to redis server... at /usr/share/perl5/EBox/Config/Redis.pm line 521, <GEN9> line 1.
 * Stopping Zentyal module: apache                                       [ OK ]
 * Restarting Zentyal module: apache                                     [ OK ]

Setting up ebox-objects (2.0) ...

Setting up ebox-services (2.0) ...

Setting up ebox-network (2.0) ...
 * Restarting Zentyal module: network                                    [ OK ]

Setting up ebox-firewall (2.0) ...
 * Restarting Zentyal module: logs                                       [ OK ]
 * Restarting Zentyal module: firewall                                   [ OK ]

Setting up ebox-ca (2.0) ...

Setting up ebox-webserver (2.0) ...
 * Restarting Zentyal module: webserver                                  [ OK ]

Setting up ebox-usersandgroups (2.0) ...

Configuration file `/etc/ebox/80users.conf'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : background this process to examine the situation
 The default action is to keep your current version.
*** 80users.conf (Y/I/N/O/D/Z) [default=N] ? y
Installing new version of config file /etc/ebox/80users.conf ...
 * Restarting Zentyal module: users                                      [ OK ]
Stopping OpenLDAP: slapd.
Starting OpenLDAP: slapd.

Setting up ebox-mail (2.0) ...
 * Restarting Zentyal module: logs                                       [ OK ]
 * Restarting Zentyal module: mail                                       [ OK ]

Setting up ebox-webmail (2.0) ...
 * Restarting Zentyal module: webmail                                    [ OK ]

Setting up ebox-ntp (2.0) ...

Setting up ebox-openvpn (2.0) ...
We assume /etc/openvpn/ebox-dh1024.pem is a Diffie-Hellman parameter file with 1024 byte length. If the assumption is false, please remove it and create a new one manually. If you do NOT do so, your OpenVPN tunnels may be compromised
 * Restarting Zentyal module: logs                                       [ OK ]
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/HTML/Mason/Component/Subcomponent.pm line 34.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/HTML/Mason/Component/Subcomponent.pm line 34.
Use of uninitialized value in concatenation (.) or string at /usr/share/perl5/HTML/Mason/Component/Subcomponent.pm line 34.
 * Restarting Zentyal module: openvpn                                    [ OK ]
 * Restarting Zentyal module: firewall                                   [ OK ]

Setting up ebox-ftp (2.0) ...

Setting up ebox-monitor (2.0) ...
 * Restarting Zentyal module: monitor                                    [ OK ]

Setting up ebox-software (2.0) ...

Processing triggers for ebox ...
 * Restarting Zentyal module: apache                                     [ OK ]
root@hub:~# rm -v /etc/apt/sources.list.d/ebox-1.5-lucid.*
removed `/etc/apt/sources.list.d/ebox-1.5-lucid.list'
removed `/etc/apt/sources.list.d/ebox-1.5-lucid.list.save'
root@hub:~#


Anyone else run into upgrade woes yet?

10
Yes, that would help a lot for ldap-bound gui login, but the default should *still* be for rssh. I'm serious here.

Is /usr/sbin/nologin also a good default? We would prefer to not add more dependencies if possible...

Yeah, internet's consensus says that's acceptable.

Honestly, I'd prefer both a geeky system-wide-default with SHELL-ENABLED CHECKBOXES for nologin plus each known shell in /etc/shells in the LDAP Settings module (listing available shells by path, so '/bin/bash' or '/usr/sbin/nologin') *AND* an 'easy' dumbed down drop-down menu to pick an enabled shell in the user editor that doesn't need to display the full path.
Just the basename; 'nologin' or 'bash' is fine, don't want to confuse our Secretary while adding users.
(Got some oracle csh users around here :/ )

So, for example: I go into LDAP Settings under PAM settings, and only /usr/sbin/nologin and /bin/bash should be checkmarked by default. If I go to the user editor, these are the only two options in the dropdown.
If I go back into the LDAP/PAM settings, tickmark csh and save settings, then that dropdown should now contain only "bash, csh, nologin".

If I go into /etc/shells and add /usr/bin/screen and /usr/bin/byobu to the file, THEY SHOULD SHOW UP IN LDAP/PAM SETTINGS. Then I put a tickmark to enable, save, and now my User Editor dropdown should contain "bash, byobu, csh, nologin, screen".

You will have to special case "/usr/sbin/nologin" and "/usr/bin/rssh" because they will not be in /etc/shells. Make sure to check for the existence of rssh with file -e /usr/bin/rssh before exposing it; if you're not going to mark it as a dependency of zentyal-usersandgroups, we can still check for the file and use rssh if the package is manually installed.

If the second part's too much work right now, put it off for 2.0-updates or 2.1 and we can get by with 'sudo /usr/share/ebox-usersandgroups/ebox-ldapvi' after a 'sudo apt-get install ldapvi' to switch shells manually.

See below though; for why /usr/sbin/nologin should not be added to /etc/shells.

http://lists.debian.org/debian-ssh/2007/04/msg00010.html
Code:
> > The openssh install process should detect whether /usr/sbin/nologin
> > isn't present in /etc/shells, and it should add it if necessary if ssh
> > is going to use /usr/sbin/nologin as its shell.

> Wouldn't that be exactly the wrong thing to do given the purpose of
> /etc/shells?

>        Be aware that there are programs which consult this file to find
>        out if a user is a normal user.  E.g.:  ftp daemons traditionally
>        disallow access to users with shells not included in this file.

> That's exactly the behavior we want.

Yes, then that makes perfect sense to me, too. I suppose that's why you
guys are the developers/maintainers!

The package tiger started this inquiry (I looked into /usr/sbin/nologin,
after), but I don't think that would qualify as a bug in tiger.

Should the Debian package of openssh have user sshd use /bin/false
instead? The man pages seem to indicate that /usr/sbin/nologin and
/bin/false provide the same function.
Code:
> Should the Debian package of openssh have user sshd use /bin/false
> instead? The man pages seem to indicate that /usr/sbin/nologin and
> /bin/false provide the same function.

/usr/sbin/nologin is supposed to be a more secure way of doing the same
thing.  There was a long discussion about this a while back, and I think
the conclusion was that /usr/sbin/nologin was better than /bin/false for
this purpose.

And a related vsftpd bug in ubuntu:
https://bugs.launchpad.net/ubuntu/+source/vsftpd/+bug/372770

And some more related info from freebsd:
http://www.mail-archive.com/freebsd-bugs@freebsd.org/msg00951.html

Code:
> Sorry, I don't understand what you are saying. I thought the fact that
> /usr/sbin/nologin exists and is executable is so that it *could* be
> listed in /etc/shells safely.

I'm not really an expert, but I believe you are incorrect.  The
documentation for nologin(8) says otherwise ("intended as a replacement
shell field for accounts that have been disabled").  Furthermore, other
functionality is available to accounts with valid shells.  System
accounts are given nologin as a shell for this reason.  Putting nologin
into shells by default would open up, for example, the "bind" user to be
able to FTP into the box on many existing systems. This would Not be Good.

>                               /usr/sbin/nologin is a lot better than
> giving the user a shell that does not exist.

Somewhat, yes.


Also; something to be noted is System/Service accounts are *LOCKED* and have no password.
/bin/false works just fine here, because of the empty password and the account's locked.

Only *PASSWORDED USERS* should have /usr/sbin/nologin -- service accounts can safely be left at /bin/false.
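The shell-list rules sketched in the post above (everything listed in /etc/shells, plus /usr/sbin/nologin and /usr/bin/rssh special-cased and only offered when the binary exists, with a check that nologin has not leaked into /etc/shells), written out as an added example in POSIX sh. This is not Zentyal's code and not code from the post; the ROOT prefix is an assumption introduced so the functions can be exercised against a constructed directory tree instead of the live system.

```shell
#!/bin/sh
# Added example (not Zentyal's code): build the list of shells an admin UI may
# offer, following the rules in the post above:
#   - every executable listed in the shells file (normally /etc/shells)
#   - plus /usr/sbin/nologin and /usr/bin/rssh, which deliberately stay OUT of
#     /etc/shells, offered only if the binary actually exists
# ROOT is a hypothetical prefix so the functions can be run against a
# constructed directory tree rather than the real filesystem.

ROOT="${ROOT:-}"

# Print the allowed shells, one absolute path per line, sorted and de-duplicated.
allowed_shells() {
    shells_file="$1"
    {
        # Comment and blank lines are ignored, as login(1) ignores them.
        grep -v '^#' "$shells_file" | grep -v '^[[:space:]]*$' || true
        printf '%s\n' /usr/sbin/nologin /usr/bin/rssh
    } | sort -u | while IFS= read -r path; do
        # Only expose shells that are really installed (rssh may be absent).
        if [ -x "$ROOT$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Map the allowed shells to basenames for a dropdown: "bash csh nologin ...".
shell_basenames() {
    allowed_shells "$1" \
        | while IFS= read -r path; do basename "$path"; done \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# Warn if nologin has been added to the shells file: that would let disabled
# accounts pass the "has a real shell" test that FTP daemons rely on.
check_nologin_not_listed() {
    if grep -qx '/usr/sbin/nologin' "$1"; then
        echo "WARNING: /usr/sbin/nologin is listed in $1" >&2
        return 1
    fi
    return 0
}
```

On a live box, `shell_basenames /etc/shells` yields the dropdown contents and `check_nologin_not_listed /etc/shells` is the sanity check to run before exposing the list.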

11
News and Announcements / Re: Zentyal 2.0-rc2 released!
« on: August 27, 2010, 10:52:31 pm »
There is an important change in the way you log into Zentyal on this new version: the installer no longer asks you for a password for the administration interface; now you can log in with the username and password asked for earlier (the same you use to get a root console).

If you already have installed a Zentyal 2.0-rc1 or eBox 1.5 you can also upgrade your packages to the latest versions available.

NOTES: You must be a member of the 'admin' group to login to the web console.
Some PPA-based installations may lack this group. It will safely do nothing if the group already exists.

To fix:
Code:
sudo addgroup --system admin
sudo adduser <LDAP+PAM_account-or-local_username> admin

See this post for more information:
http://forum.ebox-platform.com/index.php?topic=4707.0

12
Easy fix. SSH in and add the admin group. (It will do nothing if the group already exists.)

Code:
# addgroup --system admin
Adding group `admin' (GID 121) ...
Done.
# addgroup --system admin
addgroup: The group `admin' already exists as a system group. Exiting.
# adduser kamilion admin
Adding user `kamilion' to group `admin' ...
Adding user kamilion to group admin
Done.

In this case, admin is a local group, and kamilion is a Zentyal LDAP user.

OPTIONALLY, allow sudo access for 'admin' group users:
Code:
echo "%admin ALL=(ALL) ALL" >> /etc/sudoers
* Cribbed from Ubuntu Forums
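Added example, not from the post and not Zentyal's code: the same sudo grant for the admin group done as a validated drop-in under /etc/sudoers.d instead of an echo into /etc/sudoers. An unparsable line appended to /etc/sudoers disables sudo for every account until it is repaired as root, so the fragment is written to a temporary name (which sudo ignores because it contains a dot), checked with visudo -cf, and only then renamed into place. The directory argument and the VISUDO variable are assumptions added so the function can be exercised against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the post): install "%GROUP ALL=(ALL) ALL" as a
# sudoers.d drop-in, validated before activation.
# - sudo skips files in sudoers.d whose name contains '.' or '~', so the
#   temporary file is never read while it is being written.
# - the final file must be mode 0440 or sudo refuses it.
# VISUDO is a hypothetical override so the validator can be swapped in tests.

VISUDO="${VISUDO:-visudo}"

install_sudoers_dropin() {
    group="$1"
    dir="${2:-/etc/sudoers.d}"
    tmp=$(mktemp "$dir/.${group}.XXXXXX") || return 1
    printf '%%%s ALL=(ALL) ALL\n' "$group" > "$tmp"
    chmod 0440 "$tmp"
    # Validate the fragment; skip when no validator is available.
    if command -v "$VISUDO" >/dev/null 2>&1 && ! "$VISUDO" -cf "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"
        echo "refusing to install invalid sudoers fragment for %$group" >&2
        return 1
    fi
    mv "$tmp" "$dir/$group"   # final name has no '.', so sudo will read it
}
```

Usage on a real host is `install_sudoers_dropin admin` as root; `visudo -c` afterwards re-checks the whole sudoers tree.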

13
Yes, that would help a lot for ldap-bound gui login, but the default should *still* be for rssh. I'm serious here.

Against a /bin/false user:
(Who cannot bash, sftp-server, scp, or rsync)
Code:
ssh -N -L4242:localhost:4242 falsie@ebox &
ssh -N -R4242:localhost:4242 falsie@ebox &
telnet localhost 4242
Code:
while :; do sysctl kern.openfiles; sleep 1; done
kern.openfiles: 242
kern.openfiles: 242
kern.openfiles: 278
kern.openfiles: 652
kern.openfiles: 896
kern.openfiles: 1082
kern.openfiles: 1246
Once that hits ~65000, Splat goes 32-bit ebox VM.

/bin/false is demonstrably insecure.

Code:
kamilion@SmallBlock:~$ ssh -vN -D1080 kamilion@ebox.domain.com
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to ebox.domain.com [10.10.10.10] port 22.
debug1: Connection established.
debug1: identity file /home/kamilion/.ssh/identity type -1
debug1: identity file /home/kamilion/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/kamilion/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'ebox.domain.com' is known and matches the RSA host key.
debug1: Found key in /home/kamilion/.ssh/known_hosts:37
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/kamilion/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 533
debug1: Authentication succeeded (publickey).
debug1: Local connections to LOCALHOST:1080 forwarded to remote address socks:0
debug1: Local forwarding listening on ::1 port 1080.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 1080.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
# ONE MINUTE GOES BY...
^Cdebug1: channel 0: free: port listener, nchannels 2
debug1: channel 1: free: port listener, nchannels 1
debug1: Killed by signal 2.
kamilion@SmallBlock:~$

In OpenSSH's default config, that socks tunnel has unlogged full access to every route on every adapter ebox has. VPN endpoints, wifi clients on subnets, bridges, the works. IPv6 too.

1.4 is NOT vulnerable. This hole is only opened for those of us 1.5 dev users who have turned on the Enable PAM checkbox so LDAP users show up as local accounts with passwords and homedirs and all the trimmings.
Please keep it that way. 2.0 users *should* not be vulnerable at all with rssh, and with the happy benefit of sftp!

14
PAM is meant to allow users to login in the server, if you don't want that, just do not enable it. On the next version we will improve shell and other unix parameters management.
It is? Then why's the default shell /bin/false? Using rssh is a much saner default shell; providing sftp, scp, and rsync access and protecting against arbitrary exec commands. Look, for people I want to have real shells, I'll go and switch them to /bin/bash myself; but by default, if PAM's enabled, they should at least get sftp homedir access -- /bin/false doesn't even give them that: can't execute sftp-server, so it's useless except to port forward with -N, which is just as good as unrestricted VPN access.
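An added example covering the two posts above (the ssh -N -D/-L/-R demonstration against a /bin/false account and the reply on PAM defaults); it is not code from either post or from Zentyal. One caveat first: TCP forwarding is handled by sshd itself before any login shell runs, and -N never requests a shell at all, so changing the default shell (to rssh or anything else) does not by itself close the relay; only sshd's AllowTcpForwarding/PermitTunnel settings do. The check below reads the effective per-user configuration that `sshd -T -C user=...` prints, and the fragment shows the server-side settings that close the hole; the group names sshadmins and sftponly are assumptions.

```shell
#!/bin/sh
# Added example (not from the post, not Zentyal's code): detect whether an
# account can still use sshd as a port-forwarding/SOCKS relay, and print the
# sshd_config fragment that closes it regardless of the login shell.
#
# audit_forwarding reads the effective configuration for one user. On a live
# host that is produced with:
#     sshd -T -C user=falsie,host=ebox,addr=10.10.10.10 > /tmp/falsie.cfg
# The function takes the path of that output so it can run on a constructed
# sample; it returns 0 only when every forwarding type is switched off.

audit_forwarding() {
    cfg="$1"
    rc=0
    for key in allowtcpforwarding permittunnel x11forwarding gatewayports; do
        # sshd -T prints lower-case keys, one "key value" per line.
        val=$(awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }' "$cfg")
        case "$key:$val" in
            allowtcpforwarding:no|permittunnel:no|x11forwarding:no|gatewayports:no) ;;
            *) echo "OPEN: $key=${val:-<unset>}"; rc=1 ;;
        esac
    done
    return $rc
}

# Hardened fragment: forwarding off for everyone (including LDAP/PAM accounts
# with /bin/false), re-enabled only for the hypothetical sshadmins group; the
# hypothetical sftponly group gets the in-process SFTP server and nothing else.
hardened_sshd_fragment() {
    cat <<'EOF'
# Defaults for all accounts
AllowTcpForwarding no
PermitTunnel no
X11Forwarding no
GatewayPorts no

# Interactive admins keep local/remote/dynamic forwarding
Match Group sshadmins
    AllowTcpForwarding yes

# SFTP-only accounts: no shell needed, no forwarding
Match Group sftponly
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
    X11Forwarding no
EOF
}
```

After appending the fragment to sshd_config, re-run `sshd -T -C user=falsie,...` through `audit_forwarding` to confirm the /bin/false account no longer reports any OPEN line, and check an sshadmins member the same way to confirm forwarding survived for them.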

15
Yeah, I had PAM enabled before the upgrade. I'll figure it out later today and post a solution in case someone else runs into this.

Thank you very much for your collaboration, and sorry for any inconvenience this has caused to you...

*Laughs* Consider it jumping on a landmine first so others don't have to. I saw the commits this morning and was waiting for them to hit the launchpad build queue to play with my new username field. Had the packages installed a minute or two after they were built. Thanks for #2008, appreciated that quick fix :)

No worries; I'll figure it out when I get up. Make sure the rest of us early adopters ain't stubbing their toes in four days.

Oh -- one last thing. Do us all a favor and add rssh as a dep of ebox-usersandgroups and use it as the default shell instead of /bin/false. It's a huge security hole: try 'ssh -vN -D1080 binfalseuser@ebox.domain.com' yourself.
