Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
1
Directory and Authentication / Re: How does SYSVOL replication work in Zentyal 5?
« on: March 01, 2017, 01:42:42 am »
No idea how Zentyal does it, but the following link is for how to do it for Samba4
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
https://wiki.samba.org/index.php/Rsync_based_SysVol_replication_workaround
2
Installation and Upgrades / Re: Zentyal - Exchange email on Linux?
« on: October 28, 2016, 06:39:07 pm »
I wonder what the issues are with OpenChange that required dropping the functionality?
Does anyone know?
Could the 'issue' be related to SoGo pulling their public package repository?
https://sogo.nu/news/2016/article/sogo-package-repositories.html
Does anyone know?
Could the 'issue' be related to SoGo pulling their public package repository?
https://sogo.nu/news/2016/article/sogo-package-repositories.html
3
Other modules / Zentyal network module failed to start
« on: May 19, 2016, 12:13:18 pm »
I have a Zentyal server that powers off overnight and starts up automatically on BIOS alarm in the morning. The system is backed up and updates from the repos are automatically applied before shutdown. Today it couldn't load the Zentyal network and dns modules. Login for all users except root were affected.
I found this in /var/log/syslog
I looked at /etc/bind/named.conf and ownership and permissions were root:bind 0400
I changed the permissions to 0640 and rebooted.
The Zentyal dns module started OK but networking still reported a fail.
On the console I executed the command
I found this in /var/log/syslog
Code: [Select]
May 19 08:18:29 pc26415 named[1082]: ----------------------------------------------------
May 19 08:18:29 pc26415 named[1082]: BIND 9 is maintained by Internet Systems Consortium,
May 19 08:18:29 pc26415 named[1082]: Inc. (ISC), a non-profit 501(c)(3) public-benefit
May 19 08:18:29 pc26415 named[1082]: corporation. Support and training for BIND 9 are
May 19 08:18:29 pc26415 named[1082]: available at https://www.isc.org/support
May 19 08:18:29 pc26415 named[1082]: ----------------------------------------------------
May 19 08:18:29 pc26415 named[1082]: adjusted limit on open files from 4096 to 1048576
May 19 08:18:29 pc26415 named[1082]: found 1 CPU, using 1 worker thread
May 19 08:18:29 pc26415 named[1082]: using 1 UDP listener per interface
May 19 08:18:29 pc26415 named[1082]: using up to 4096 sockets
May 19 08:18:29 pc26415 named[1082]: loading configuration from '/etc/bind/named.conf'
May 19 08:18:29 pc26415 named[1082]: open: /etc/bind/named.conf: permission denied
May 19 08:18:29 pc26415 named[1082]: loading configuration: permission denied
May 19 08:18:29 pc26415 named[1082]: exiting (due to fatal error)
I looked at /etc/bind/named.conf and ownership and permissions were root:bind 0400
I changed the permissions to 0640 and rebooted.
The Zentyal dns module started OK but networking still reported a fail.
On the console I executed the command
Quote
sudo /etc/init.d/zentyal network statusIt chugged along for a while, in fact I thought the system had hung, but eventually Zentyal reported that the module was running. This was confirmed by all users being able to login in again and email flowing inbound and outbound.
4
Directory and Authentication / Re: Domain Server or Vlan or is it a combination of all and many others
« on: May 18, 2016, 01:43:33 pm »
Hi, I just thought I would let you know that this is a community site and a lot of us just don't have the time to read long wordy descriptions of system configurations and then try to visualise them. This is probably why you haven't had any replies yet.
My tips for getting responses from others on your configuration:
1. Create an easy to understand diagram of your config, hand drawn or in Visio, Dia, whatever. Get it into a PNG file format and upload it with your post as an attachment.
2. Don't fill your posts with lots of questions. One question at a time will get responses.
3. Make sure your subject line refers to the question topic to attract those that can answer to do so.
4. You can make as many separate posts as you like.
So without really spending any time at all to try visualising your configuration without a diagram my advice to you is as follows:
My tips for getting responses from others on your configuration:
1. Create an easy to understand diagram of your config, hand drawn or in Visio, Dia, whatever. Get it into a PNG file format and upload it with your post as an attachment.
2. Don't fill your posts with lots of questions. One question at a time will get responses.
3. Make sure your subject line refers to the question topic to attract those that can answer to do so.
4. You can make as many separate posts as you like.
So without really spending any time at all to try visualising your configuration without a diagram my advice to you is as follows:
- Don't use Zentyal as a firewall/router, use pfSense instead. Use Zentyal only as a replacement for MS Exchange.
- Don't use any version of Zentyal earlier than v4.2, upgrade to the next version when it is released on a test server in a separate test network before upgrading the live server.
- If you are using Samba anywhere else than in Zentyal, make sure that it is at least version 4.3 or newer.
- Have separate dedicated domain controllers. It's OK to have DNS and NTP on the dc, but don't use them for file serving or print serving. I often use repurposed thin client terminals for Samba domain controllers as they are cheap, powerful enough for the task, and don't use much power.
- VLAN's are great for segmentation but be smart with their use. Don't put a WAN side VLAN on the LAN side backbone. Use a separate network for WANs
5
Installation and Upgrades / Re: How to upgrade Samba4 AD-DC from Zentyal 3.2 to Zentyal 4.1
« on: May 17, 2016, 05:17:50 pm »Could anybody explain me, what is the best way to update from Zentyal 3.2 to 4.1 so that Samba works fine again?It is probably better to upgrade Zentyal as and when new releases are published as the changes due to upgrades are handled by the new Zentyal version. If you haven't upgraded because you needed features that Zentyal has dumped, upgrading outside of the recommended process will create a custom installation of Zentyal that may only be partially supported at a package level.
If this is the situation you are in then a reasonable way to do this upgrade is to start by creating a clone image of your complete production Zentyal 3.2 system to run in a Virtual Machine on an isolated test network. The test network should not be connected to your production system otherwise you will have big problems with Active Directory.
Once you have installed the cloned image of your production server into VirtualBox (or whatever VM system you prefer) on your test network you can begin. You take notes of everything you do as you will need them later when you refer to different VM snapshots. Record your thoughts on what you are trying to do, the expected outcome and the actual outcome along with all of the commands that you are executing. At the end of this process you will have developed a working plan through experimentation. You are likely to repeat this plan on your production hardware when you are ready to upgrade for real. Be prepared for having to backport some packages as I will be surprised if everything goes smoothly without dependency problems.
As you have already identified, you need to move Samba4 to the same directory hierarchy that Zentyal 4.x uses.
Take a snapshot of your Zentyal 3.2 VM.
Move the existing Samba to /var/lib
Do a global grep for files containing references to /opt/samba and change all of them to show /var/lib/samba
Take another snapshot.
Reboot the VM and test.
When Samba is working in the 'new' location properly, upgrade Ubuntu from 12.04 to 14.04
Snapshot the VM and test.
Change your /etc/apt/sources.list to use the current Zentyal repo and upgrade the system.
sudo apt-get -y update && sudo apt-get -y upgrade
Snapshot the VM and test.
When you have proven that everything is working in test as expected you can rerun the process that you have developed on your production equipment.
6
Installation and Upgrades / Re: Zentyal 3.5 installation unable to connect to localhost
« on: May 16, 2016, 02:18:59 am »
If you have just installed Zentyal 3.5 (in May 2016) and have been unable to get a network connection running, then you are lucky! You have just avoided a problem that has a complicated resolution for most people.
Zentyal 3.5 has a version of Samba that only knows five of the seven FSMO roles in Active Directory. If a Zentyal 3.5 system synchronises with an existing Active Directory and becomes master it is very difficult to transfer the master to another host as two FSMO roles always get left behind during the transfer. This means that if anything happens to your Zentyal 3.5 host that requires replacement of it's filesystem, you have a problem that could at worst mean that you have to recreate your Active Directory from the beginning again. If your Zentyal 3.5 system has already synchronised with Active Directory then you should act now to avoid trouble later.
The FSMO problem was fixed in Samba v4.3 . The current version of Zentyal 4.2 uses Samba v4.3.4 . I don't know if you can upgrade from Zentyal 3.5 to Zentyal 4.2 using Zentyal methods now. You should get this machine on Samba v4.3 or a later version. If this is not possible and your Zentyal system is 32-bit, you will have to build a development machine or VM running the same Ubuntu OS version as Zentyal 3.5 and backport Samba 4.3.x for installation on Zentyal 3.5 .
From a Windows Active Directory member, check to see if your Zentyal 3.5 has become a domain controller. If it's not a domain controller, scrap your Zentyal 3.5 and start again with Zentyal 4.2 .
Just in case anyone else thinks it is a good idea installing Zentyal 3.5 into an existing Active Directory in 2016, please think again.
I regularly backport a custom build of Samba 4.3.x as my domain controllers are running on 32-bit Devuan. If you are stuck backporting, I may be able to help.
Zentyal 3.5 has a version of Samba that only knows five of the seven FSMO roles in Active Directory. If a Zentyal 3.5 system synchronises with an existing Active Directory and becomes master it is very difficult to transfer the master to another host as two FSMO roles always get left behind during the transfer. This means that if anything happens to your Zentyal 3.5 host that requires replacement of it's filesystem, you have a problem that could at worst mean that you have to recreate your Active Directory from the beginning again. If your Zentyal 3.5 system has already synchronised with Active Directory then you should act now to avoid trouble later.
The FSMO problem was fixed in Samba v4.3 . The current version of Zentyal 4.2 uses Samba v4.3.4 . I don't know if you can upgrade from Zentyal 3.5 to Zentyal 4.2 using Zentyal methods now. You should get this machine on Samba v4.3 or a later version. If this is not possible and your Zentyal system is 32-bit, you will have to build a development machine or VM running the same Ubuntu OS version as Zentyal 3.5 and backport Samba 4.3.x for installation on Zentyal 3.5 .
From a Windows Active Directory member, check to see if your Zentyal 3.5 has become a domain controller. If it's not a domain controller, scrap your Zentyal 3.5 and start again with Zentyal 4.2 .
Just in case anyone else thinks it is a good idea installing Zentyal 3.5 into an existing Active Directory in 2016, please think again.
I regularly backport a custom build of Samba 4.3.x as my domain controllers are running on 32-bit Devuan. If you are stuck backporting, I may be able to help.
7
Installation and Upgrades / Re: zentayl 3.0.33
« on: May 14, 2016, 11:20:58 am »
The process using 98% of CPU is a PERL script.
Has someone modified the script so that it is now doing something that is using most of the CPU cycles?
Can you restore this script from a backup?
Has someone modified the script so that it is now doing something that is using most of the CPU cycles?
Can you restore this script from a backup?
8
Installation and Upgrades / Re: DNS problem: Why does nslookup return an IP that NOT is listed on my DNS servers
« on: March 31, 2016, 01:18:09 pm »
Example host file for all hosts
Make sure that your DNS zone data in AD matches the hosts file.
Code: [Select]
127.0.0.1 localhost.foo.bar localhost
192.168.1.1 dc2.foo.bar dc2
192.168.1.10 asterix.foo.bar asterix
192.168.1.16 vmhost.foo.bar vmhost
10.10.20.1 asterix-10.foo.bar asterix-10
10.10.20.16 vmhost-10.foo.bar vmhost-10
Make sure that your DNS zone data in AD matches the hosts file.
9
Installation and Upgrades / Re: DNS problem: Why does nslookup return an IP that NOT is listed on my DNS servers
« on: March 31, 2016, 12:57:30 pm »
Sorry for the delay responding...
Check /etc/hosts on both Zentyal machines, they should be identical with hostnames appearing only once and no use of the same hostname on another interface. Also 127.0.0.1 should be localhost not the hostname. I think your problem is in the hosts file.
Check AD DNS zone data by querying all of your records individually using
Check that the client resolvers use the same DNS in the same order provided by DHCP or statically in /etc/resolv.conf
Eg. /etc/resolv.conf
nameserver 192.168.1.10
nameserver 192.168.1.1
Check NTP time sync on both Domain Controllers
Check AD is synchronising DNS between Domain Controllers
Check /etc/hosts on both Zentyal machines, they should be identical with hostnames appearing only once and no use of the same hostname on another interface. Also 127.0.0.1 should be localhost not the hostname. I think your problem is in the hosts file.
Check AD DNS zone data by querying all of your records individually using
Code: [Select]
samba-tool dns queryCheck that the client resolvers use the same DNS in the same order provided by DHCP or statically in /etc/resolv.conf
Eg. /etc/resolv.conf
nameserver 192.168.1.10
nameserver 192.168.1.1
Check NTP time sync on both Domain Controllers
Check AD is synchronising DNS between Domain Controllers
10
Installation and Upgrades / Re: Bug: Unable to cleanly shutdown or reboot Zentyal
« on: March 31, 2016, 03:46:51 am »
I guess that you are running Zentyal server with a GUI on the server. I'm over 50 and prefer to run my servers with just a text based console to eliminate the risk of a graphics card problem.
My preferred shutdown command is:
sudo halt -p
Some things for you to check that I have found in the past have helped get a machine to shutdown and power off cleanly...
Is the BIOS up to date for the motherboard, all known bugs fixed?
Is the graphics card firmware up to date?
If running server on a PC, configure BIOS to disable suspend and hibernate.
If running server on a PC, disable APM, enable ACPI.
Disable all device wake-ups in BIOS, no wake up from mouse movement etc.
If running on server hardware, does IPMI chassis power control work? Check freeipmi is installed.
Enable CPU frequency scaling if supported.
Sometimes, you just can't get a PC to either power off or warmboot properly under Linux due to ACPI problems created by a buggy, non standards compliant AML compiler used by the BIOS manufacturer. Sadly most PC BIOS power management is optimised for Windows and the Linux optimisations are deliberately broken/untested/unoptimised. I have an ancient single core AMD64 machine that will poweroff but it will only reboot if it 'thinks' it is running Windows.
https://wiki.archlinux.org/index.php/DSDT
https://wiki.ubuntu.com/Kernel/Reference/ACPITricksAndTips
Best of luck.
My preferred shutdown command is:
sudo halt -p
Some things for you to check that I have found in the past have helped get a machine to shutdown and power off cleanly...
Is the BIOS up to date for the motherboard, all known bugs fixed?
Is the graphics card firmware up to date?
If running server on a PC, configure BIOS to disable suspend and hibernate.
If running server on a PC, disable APM, enable ACPI.
Disable all device wake-ups in BIOS, no wake up from mouse movement etc.
If running on server hardware, does IPMI chassis power control work? Check freeipmi is installed.
Enable CPU frequency scaling if supported.
Sometimes, you just can't get a PC to either power off or warmboot properly under Linux due to ACPI problems created by a buggy, non standards compliant AML compiler used by the BIOS manufacturer. Sadly most PC BIOS power management is optimised for Windows and the Linux optimisations are deliberately broken/untested/unoptimised. I have an ancient single core AMD64 machine that will poweroff but it will only reboot if it 'thinks' it is running Windows.
https://wiki.archlinux.org/index.php/DSDT
https://wiki.ubuntu.com/Kernel/Reference/ACPITricksAndTips
Best of luck.
11
Installation and Upgrades / Re: Zentyal as router?
« on: March 31, 2016, 02:59:48 am »
In the early days of Zentyal it was implemented by many as an internet gateway device. However, this function is no longer considered a core requirement since Zentyal's emphasis shifted to being a Microsoft Exchange alternative/replacement.
My preferred option is to use a dedicated PC running pfSense as an internet gateway/router/firewall. Ideally your firewall PC should have at least two network ports but it is possible (but not necessarily good) to run everything on VLANs through just one interface if you have a VLAN capable switch.
My preferred option is to use a dedicated PC running pfSense as an internet gateway/router/firewall. Ideally your firewall PC should have at least two network ports but it is possible (but not necessarily good) to run everything on VLANs through just one interface if you have a VLAN capable switch.
12
Installation and Upgrades / Re: General newbie type help
« on: March 31, 2016, 02:40:21 am »
Well done on the upgrade to 4. I don't know anything about SBS but if it originally provided Active Directory at the site and your Zentyal system is joined to it, make sure you are on Zentyal 4.2 running Samba 4.3.x and have transferred ALL seven FSMO roles to Zentyal before getting rid of SBS. https://wiki.samba.org/index.php/Transfering_/_seizing_FSMO_roles
If I read your post correctly, you have a web site hosted externally with a provider and have setup your Zentyal server with the same domain name on your LAN. This is OK, it's called split DNS. Don't use .local as it's not been a good choice since the global TLD expansion. If Zentyal is providing DNS to your LAN clients, setup a host record in Zentyal for www that resolves the same IP address that your hosting provider has given your website.
If you are using Zentyal generated certificates either permanently accept the self signed certificate when you get an error on the client or export your Zentyal CA public certificate and import it into your clients or add it to the clients certificate bundle.
Your 'relaying' problem is worrying. If you have an open mail relay you need to shut it down quickly and fix the configuration problem before your domain gets blacklisted for sending spam. Learn how to use nslookup and dig to test the public facing DNS that your website is using and what your public MX records are. Read up about split DNS and draw diagrams on paper to illustrate to yourself how it works in your environment.
If I read your post correctly, you have a web site hosted externally with a provider and have setup your Zentyal server with the same domain name on your LAN. This is OK, it's called split DNS. Don't use .local as it's not been a good choice since the global TLD expansion. If Zentyal is providing DNS to your LAN clients, setup a host record in Zentyal for www that resolves the same IP address that your hosting provider has given your website.
If you are using Zentyal generated certificates either permanently accept the self signed certificate when you get an error on the client or export your Zentyal CA public certificate and import it into your clients or add it to the clients certificate bundle.
Your 'relaying' problem is worrying. If you have an open mail relay you need to shut it down quickly and fix the configuration problem before your domain gets blacklisted for sending spam. Learn how to use nslookup and dig to test the public facing DNS that your website is using and what your public MX records are. Read up about split DNS and draw diagrams on paper to illustrate to yourself how it works in your environment.
13
Installation and Upgrades / Re: Domain Controller and File Server Step by Step Guide Start to Finish
« on: March 31, 2016, 01:49:55 am »
You might want to rethink your IP address range choices, particularly if devices on your network will be connecting to the internet. Your nets in 20.x.x.x, 30.x.x.x and 40.x.x.x will have problems. Better to have them as 10.10.x.x, 10.20.x.x, 10.30.x.x and 10.40.x.x instead.
I don't see the point in trying to get your DC to do what you ask, simple port based VLANs are all you really need at home.
If it really is important to you to do this it would be better to use a firewall router like pfSense and an Ethernet switch that is 802.1x VLAN capable. You could use RADIUS on pfSense (an installable package) to check with your DC on the policies you have implemented and get RADIUS to configure the tagged VLANs available at the switch port to match the policies.
Some useful reading for you...
https://technet.microsoft.com/en-us/library/cc755248%28v=ws.10%29.aspx
http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
I don't see the point in trying to get your DC to do what you ask, simple port based VLANs are all you really need at home.
If it really is important to you to do this it would be better to use a firewall router like pfSense and an Ethernet switch that is 802.1x VLAN capable. You could use RADIUS on pfSense (an installable package) to check with your DC on the policies you have implemented and get RADIUS to configure the tagged VLANs available at the switch port to match the policies.
Some useful reading for you...
https://technet.microsoft.com/en-us/library/cc755248%28v=ws.10%29.aspx
http://www.hp.com/rnd/pdf_html/guest_vlan_paper.htm
https://doc.pfsense.org/index.php/FreeRADIUS_2.x_package
14
Installation and Upgrades / Re: Where is the deb-src repository for Zentyal?
« on: February 03, 2016, 11:46:32 pm »
I worked around my specific problem by backporting from Debian.
I guess the only way to get Zentyal sources is to pull what you need from a GIT branch which works but is lot more work if you just want to modify a Zentyal package for your own needs.
I guess the only way to get Zentyal sources is to pull what you need from a GIT branch which works but is lot more work if you just want to modify a Zentyal package for your own needs.
15
Installation and Upgrades / Re: Samba4 (AD directory services), and Exchange (mail server) on separate servers?
« on: February 02, 2016, 02:16:40 am »
Hopefully, I am going to try this next week.
I backported Samba 4.3.(2?) a couple of weeks ago onto my two 32-bit Debian 8.2 domain controllers in my test domain and they have been running wonderfully under automated tests. I am going to build a Zentyal 4.2 in a VM and join it to Active Directory during install. When all of the synchronisation has settled down and the SysVol rsync replications are happy I will transfer the FSMO roles to my DC2 and demote the Zentyal box and run my tests again. I am confident that with all domain controllers running Samba 4.3.x it should work. Samba 4.3.x has the magic ingredient that can enable the transfer of all seven FSMO roles properly from one controller to another.
I backported Samba 4.3.(2?) a couple of weeks ago onto my two 32-bit Debian 8.2 domain controllers in my test domain and they have been running wonderfully under automated tests. I am going to build a Zentyal 4.2 in a VM and join it to Active Directory during install. When all of the synchronisation has settled down and the SysVol rsync replications are happy I will transfer the FSMO roles to my DC2 and demote the Zentyal box and run my tests again. I am confident that with all domain controllers running Samba 4.3.x it should work. Samba 4.3.x has the magic ingredient that can enable the transfer of all seven FSMO roles properly from one controller to another.