Messages

1

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 29, 2013, 10:20:23 pm »

Hello,

i have given up and installed Ubuntu 12.04 -now without zentyal.

Nevertheless, I appreciate your help.

Greetings,
Hendrik

2

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 24, 2013, 09:21:30 pm »

Hello,

I don't see such a permissions process.

I still do not get the Web-Interface

I fear I will have no alternative to re-installing, do I?

What I would really would like to try at last is to start the Web-IF on the commandline to see the possible error message. Is that somehow possible?

Greetings,
Hendrik

3

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 21, 2013, 01:21:05 pm »

Hello,

that looked good, but still I get no web-interface :-(

I would like to trace down where it fails.

I understand that /etc/init.d/zentyal is responsible for starting the Web-IF. But it does not do it directly.
Can I somewhere see where it fails, e.g. starting the script that launches the web-if manually on the commandline?

Regards,
Hendrik

4

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 21, 2013, 10:12:34 am »

Hello,

I suspected /etc/init/zentyal.
But doesn't this then also "fix" (read break) my permissions?
Well, I tried, and it did not bring up the Web-IF. The files in /var/log/zentyal are all unchanged.

Is there a way I can temporarily deactivate the permissions-routine?

What would you recommend?

Regards,
Hendrik

5

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 21, 2013, 09:49:34 am »

Hello,

the web-if does not work (chrome reports: server not found).
The reason for this might be:

Code: [Select]

[Sun Jul 21 07:41:52 2013] [warn] Useless use of AllowOverride in line 13 of /var/lib/zentyal/conf/remoteservices/soap-loc.conf.
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:52 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:52 2013] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
[Sun Jul 21 07:41:56 2013] [notice] SIGHUP received.  Attempting to restart
[Sun Jul 21 07:41:56 2013] [warn] Useless use of AllowOverride in line 13 of /var/lib/zentyal/conf/remoteservices/soap-loc.conf.
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Jul 21 07:41:56 2013] [warn] RSA server certificate CommonName (CN) `eBox Server' does NOT match server name!?
[Sun Jul 21 07:41:56 2013] [notice] Apache/2.2.22 (Ubuntu) mod_ssl/2.2.22 OpenSSL/1.0.1 mod_perl/2.0.5 Perl/v5.14.2 configured -- resuming normal operations
[Sun Jul 21 08:46:18 2013] [notice] caught SIGTERM, shutting down
I suspect, that after boot, the permissions are set (wrongly) by zentyal. Then the Web-If tries to start and it fails.
I fix the permissions, but I need to re-start the web-if, as it failed starting.
So: What init-script starts the web-if?

Greetings,
Hendrik

6

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 21, 2013, 08:58:14 am »

Ok.
Do you have a hint, where to start fixing the gui?

I think, the apache instance for the web-if does not work, does it?

Code: [Select]

root      3687  0.0  0.1 297748 12008 ?        Ss   08:48   0:00 /usr/sbin/apache2 -k start
www-data  3802  0.0  0.2 307168 21216 ?        S    08:48   0:00 /usr/sbin/apache2 -k start
www-data  3803  0.0  0.2 305404 19244 ?        S    08:48   0:00 /usr/sbin/apache2 -k start
www-data  3804  0.0  0.2 304640 18652 ?        S    08:48   0:00 /usr/sbin/apache2 -k start
www-data  3805  0.0  0.0 297940  7816 ?        S    08:48   0:00 /usr/sbin/apache2 -k start
www-data  3806  0.0  0.0 297796  6804 ?        S    08:48   0:00 /usr/sbin/apache2 -k start
www-data 16622  0.0  0.0 297796  6804 ?        S    08:53   0:00 /usr/sbin/apache2 -k start
www-data 19687  0.0  0.0 297780  6552 ?        S    08:54   0:00 /usr/sbin/apache2 -k start
www-data 19688  0.0  0.0 297780  6552 ?        S    08:54   0:00 /usr/sbin/apache2 -k start
www-data 19689  0.0  0.0 297780  6552 ?        S    08:54   0:00 /usr/sbin/apache2 -k start
www-data 19690  0.0  0.0 297780  6552 ?        S    08:54   0:00 /usr/sbin/apache2 -k start

I have in my mind a line in the output of ps, that included .../zentyal/.... behind apache2..

What script (init) starts the web-if?

Greetings,
Hendrik

7

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 21, 2013, 08:47:41 am »

Hello,

no, I could not (as the web-if is still not working). But I was suspecting that...

I will check if I can find where they are stored.

Greetings,
Hendrik

8

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 20, 2013, 10:57:56 pm »

Hello,

I see. Of course I already have added something in the tracker:
http://trac.zentyal.org/ticket/7008

Regarding PAM:
By re-installing (apt-get install --reinstall libnss-ldap libpam-ldap nscd) pam, I fixed the "...not known by the underlying..." Problem.

Still:
su henfri
/bin/sh cannot be executed

by chmod 755 / this is fixed.

Unfortunately, this reverted after reboot.

Any ideas? How can I see the access-rights of /?

Greetings,
Hendrik

9

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 20, 2013, 08:42:12 pm »

You are very welcome to propose any feature you might consider helpful under Feature Requests in this forum

I am not sure, weather you are being serious.
In my view it is a serious bug.

The system removes any previous ACL and set new ones based on what has been defined in the share
According to http://pubs.opengroup.org/onlinepubs/8329799/pam_authenticate.htm you should definitely check PAM...(permissions on config files as well)

What in that link are you refering to? I really don't see it. Sorry.

Greetings,
Hendrik

10

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 19, 2013, 08:45:35 pm »

Hello creating a share cannot be prevented to do under / as it would prevent any share to be created.

That depends how it is implemented.
I am sure, you can check for "/" rather than "/*". I still think, that this really should be prevented. no matter how unlikely this appears. If it can destroy the whole system. Risk=likelyhood*consequence. So the risk is high her.

About your question, when a share is created this is what is done:

• Create the folder if it does not exist
• Clear POSIX ACLs
• Modify Path and user, and set NTACL's if guest access is allowed[/li
  
  • Build POSIX and NT ACL's

The system should run without ACLs, if I understand correctly, right?
So if I clear all ACLs, I can rule out that wrong ACLs are the problem?!

Would wrong ACLs explain, why the "user cannot be found by the underlying authentication service"?

You can get that looking at this https://github.com/Zentyal/zentyal/blob/3.0/main/samba/src/EBox/Samba/Model/SambaShares.pm

Thanks. I am not too familiar with perl, so I fear that this will not be so helpful. But I'll try.

Greetings -I appreciate your help,
Hendrik

11

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 18, 2013, 09:06:55 pm »

Hello,

I have replaced the pam.d directory by one out of an (very old) backup.
No change.
The Server is a Production one, but it is "only" at my home. I would really dislike re-installing, as the set-up of (non-zentyal programs) was lots of work.

Can you tell me please, what is done/executed when adding a Samba-Share?

And one more thing:
I had the impression, that you felt my doing quite unreasonable. I don't really see, why that is (and I think there is no need discussing this), but if this can break the system in such a way, this *must* be prevented (similarly sharing /var/www is prevented, where I don't see the reason (a handy way to update the web-sites)). I have opened a ticket for that in the bug-tracker.

Greetings,
Hendrik

12

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 18, 2013, 07:54:41 am »

Hello,

it seems, noone has an Idea how to fix this. My last Idea: Can someone say, what is actually done, when storing the samba configuration?

Is there a way to re-initialize everything, i.e. re-running the post-install wizard without re-installing the whole system?

Greetings,
Hendrik

13

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 17, 2013, 08:22:55 pm »

Hello again,

I searched for files that changed in the last 24h and filtered them for obvious stuff (/run, /var/log, /proc, /dev etc).

I found some files that might be related, but I am not sure:

Code: [Select]

/etc/samba/smb.conf
/etc/ldap.conf
/etc/mtab
/var/lib/ldap/__db.002
/var/lib/ldap/__db.003
/var/lib/ldap/__db.004
/var/lib/ldap/__db.005
/var/lib/ldap/__db.006
/var/lib/libnss-ldap
/var/lib/libnss-ldap/ldap.conf.20130716202741.diff

/opt/samba4/private
/opt/samba4/private/ldap_priv
/opt/samba4/private/ldap_priv/ldapi
/opt/samba4/private/secrets.tdb
/opt/samba4/private/ldapi
/opt/samba4/private/schannel_store.tdb
/opt/samba4/private/smbd.tmp/msg
/opt/samba4/private/smbd.tmp/msg/names.tdb
/opt/samba4/private/smbd.tmp/msg/msg.25592.1
/opt/samba4/private/smbd.tmp/msg/msg.9201
/opt/samba4/private/smbd.tmp/msg/msg.9208
/opt/samba4/private/smbd.tmp/msg/msg.9203.30
/opt/samba4/private/smbd.tmp/msg/msg.9210
/opt/samba4/private/smbd.tmp/msg/msg.9196
/opt/samba4/private/smbd.tmp/msg/msg.0
/opt/samba4/private/smbd.tmp/msg/msg.9200
/opt/samba4/private/smbd.tmp/msg/msg.9203
/opt/samba4/private/smbd.tmp/msg/msg.9209
/opt/samba4/private/smbd.tmp/msg/msg.9202
/opt/samba4/private/smbd.tmp/msg/msg.9195
/opt/samba4/private/smbd.tmp/msg/msg.9198
/opt/samba4/private/smbd.tmp/msg/msg.9199
/
Any hints?

Greetings,
Hendrik

14

Installation and Upgrades / Re: User-Rights gone wrong

« on: July 17, 2013, 07:36:02 pm »

Hello,

Thanks for your reply.
The output is:

Code: [Select]

total 168K
drwx------  25 root root 4,0K Jul 10 20:44 .
drwx------  25 root root 4,0K Jul 10 20:44 ..
-rw-------   1 root root  14K Feb 24 13:51 aquota.group
-rw-------   1 root root  14K Feb 24 13:51 aquota.user
drwxr-xr-x   2 root root 4,0K Jul 10 20:41 bin
drwxr-xr-x   3 root root 4,0K Jul 10 20:46 boot
drwxr-xr-x   3 root root 4,0K Jul  1 18:44 build
drwxr-xr-x   2 root root 4,0K Apr 13 22:32 .config
drwxr-xr-x  19 root root 4,4K Jul 16 20:29 dev
drwxr-xr-x 158 root root  12K Jul 16 20:29 etc
drwxr-xr-x  14 root root 4,0K Jul  6 22:45 home
lrwxrwxrwx   1 root root   33 Jul 10 20:44 initrd.img -> /boot/initrd.img-3.2.0-49-generic
lrwxrwxrwx   1 root root   33 Mai 18 11:27 initrd.img.old -> /boot/initrd.img-3.2.0-43-generic
-rw-r--r--   1 root root  351 Mär  9 20:09 iostat-ios.state
drwxr-xr-x  20 root root 4,0K Jul 10 20:41 lib
drwxr-xr-x   2 root root 4,0K Mai 18 11:24 lib64
drwx------   2 root root  16K Nov 27  2012 lost+found
drwxr-xr-x   4 root root 4,0K Jun 29 20:59 media
drwxrwxrwx  10 root root 4,0K Apr 19 20:47 mnt
drwxr-xr-x   4 root root 4,0K Feb 24 11:30 opt
dr-xr-xr-x 182 root root    0 Jul 16 20:28 proc
drwx------  64 root root 4,0K Jul 13 23:12 root
drwxr-xr-x  28 root root 1,2K Jul 17 19:32 run
drwxr-xr-x   2 root root  12K Jul 10 20:41 sbin
drwxr-xr-x   2 root root 4,0K Mär  5  2012 selinux
drwxr-xr-x   8 root root 4,0K Jun 13 21:11 srv
dr-xr-xr-x  13 root root    0 Jul 16 20:28 sys
drwxrwxrwt   7 root root 4,0K Jul 17 19:30 tmp
-rw-r--r--   1 root root 1,1K Nov 27  2012 ubuntu
-rw-r--r--   1 root root 1,1K Dez 26  2012 ubuntu.1
drwxr-xr-x  11 root root 4,0K Jun 30 20:40 usr
drwxr-xr-x  15 root root 4,0K Jul 16 20:28 var
lrwxrwxrwx   1 root root   29 Jul 10 20:44 vmlinuz -> boot/vmlinuz-3.2.0-49-generic
lrwxrwxrwx   1 root root   29 Mai 18 11:27 vmlinuz.old -> boot/vmlinuz-3.2.0-43-generic
-rw-r--r--   1 root root 8,2K Dez 26  2012 webmin-setup.out

At least it does not look as if all folders got the same permissions (which I would assume if what you discribed happened).

e.g. /home/henfri has the rights 755 and is owned by henfri and the group is users, so that looks right.

I had the impression, that the authentication module was not working (the indication was that the su henfri didn't work).

Code: [Select]

su: User not known to the underlying authentication moduleSo, what is the underlying auth module? LDAP? how can I check it?

Regarding the web-if:
I get some entries of apache looking at ps:

Code: [Select]

root      3067  0.0  0.1 301120 12624 ?        Ss   Jul16   0:02 /usr/sbin/apache2 -k start
www-data  3264  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3265  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3270  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3271  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3272  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3777  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  3975  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9795  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9796  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start
www-data  9797  0.0  0.1 314956  8768 ?        S    Jul16   0:00 /usr/sbin/apache2 -k start

But usually there was something like ...apache-2 /...zentyal, right?

Greetings,
Hendrik

15

Installation and Upgrades / User-Rights gone wrong

« on: July 16, 2013, 08:48:20 pm »

Hello,

I changed the settings of the file-sharing (samba). Since I did that, I cannot access the web-interface any longer.
Thus, I rebooted. No improvement.
I also noted, that I can only log in as root via ssh. Even su to my username does not work:
su henfri
Cannot execute /bin/sh: Permission denied
su: User not known to the underlying authentication module

What has gone wrong here?

Note: I added "/" to the shared folders (I know I should not, but /var/www was not allowed, and I DO have good reasons to share this (I want to edit the web-pages from windows).

Greetings,
Hendrik