Messages - JLLEWELYN

31
Spanish / [Development] Bash Script Samba-AD-DC Bind9_DLZ Backend
« on: August 15, 2018, 07:36:33 am »
Description: Bash script as an alternative way to build a Samba Active Directory server, Domain Controller, with DNS Bind9_DLZ backend for Ubuntu Server 18.04 LTS.
Note: Under development, for testing only; do not try to use it in a production environment.

First, identify the network interfaces:
Code:
ip -o link show | awk -F': ' '{print $2}'

result:
Code:
lo
enp4s0
enp4s1
enp6s0
wlp5s0

Edit /etc/netplan/01-netcfg.yaml to configure the network adapters; the name of each adapter may differ on your machine.

example:
Code:
# This file describes the network interfaces available on your system
# For more information, see netplan(5).
network:
  version: 2
  renderer: networkd
  ethernets:
    enp6s0:
      dhcp4: no
      addresses: [192.168.1.2/24]
      gateway4: 192.168.1.1
      nameservers:
              search: [savidoca.com]
              addresses: [192.168.1.1,192.168.1.2]

    enp4s0:
      dhcp4: yes
      dhcp6: yes
    enp4s1:
      dhcp4: yes
      dhcp6: yes
    wlp5s0:
      dhcp4: yes
      dhcp6: yes

apply the changes
Code:
sudo netplan apply


It is under development.
Samba-ad-dc_DNS-Backend.sh
pastebin: https://pastebin.com/LK6vfKpT
Code:
#!/bin/bash
# Author: John Llewelyn
# Description: Install Samba Active Directory Domain Controller with Bind9_DLZ DNS backend
echo 'Configure la contraseña root'
sudo passwd root
clear
read -p 'Introduzca el nombre de host, ejemplo [ servidor ]: ' hostname
clear
read -p 'Introduzca el nombre de dominio, ejemplo [ savidoca.com ]: ' domain
clear
read -p 'Introduzca el nombre de grupo de trabajo, ejemplo [ SAVIDOCA ]: ' workgroup
clear
read -p 'Introduzca la direccion IP de su red, ejemplo [ 192.168.1.0/24 ]: ' network
clear
read -p 'Introduzca la direccion IP broadcast de su red, ejemplo [ 192.168.1.255 ]: ' broadcast
clear
read -p 'Introduzca la direccion IP del AD DC, ejemplo [ 192.168.1.2 ]: ' ipaddress
clear
read -p 'Introduzca la direccion IP de su gateway, ejemplo [ 192.168.1.1 ]: ' gw
clear
read -p 'Introduzca la direccion IP inversa de su AD DC, ejemplo: [ 1.168.192 ]: ' reverse
clear
read -p 'Introduzca las direcciones DNS reenviadores para su AD DC, ejemplo: [ 8.8.8.8;8.8.4.4; ] ' forwarders
clear
read -sp 'Introduzca la contraseña para AD: ' password
clear
# The Kerberos realm is the domain name in upper case (samba-tool upper-cases it
# at provision time); kinit and exportkeytab below need the same spelling
realm=${domain^^}
echo el nombre de tu host es: $hostname
echo el nombre de dominio es: $domain
echo el nombre de tu grupo de trabajo es: $workgroup
echo el esquema de la tu red es: $network
echo el broadcast de tu red es: $broadcast
echo la direccion ip de tu AD DC es: $ipaddress
echo la direccion ip de tu gateway es: $gw
echo la direccion inversa de tu dominio es: $reverse.in-addr.arpa.
echo la direcciones DNS reenviadores son: $forwarders
read -p "Esta seguro que estos son los datos correctos? " -n 1 -r
echo    # (optional) move to a new line
if [[ ! $REPLY =~ ^[Yy]$ ]]
then
    exit 1
fi
clear
# hostname, resolvconf, hosts, acl, attr settings
sudo hostnamectl set-hostname "$hostname"
# the variables must be expanded by this shell, so the file content is piped
# through tee instead of being written from a single-quoted bash -c string
echo -e "nameserver $ipaddress\ndomain $domain" | sudo tee /etc/resolvconf/resolv.conf.d/tail > /dev/null
sudo chmod 644 /etc/resolvconf/resolv.conf.d/tail
sudo resolvconf -u
echo -e "127.0.0.1 localhost localhost.localdomain\n$ipaddress $hostname $hostname.$domain\n# The following lines are desirable for IPv6 capable hosts\n::1 ip6-localhost ip6-loopback\nfe00::0 ip6-localnet\nff00::0 ip6-mcastprefix\nff02::1 ip6-allnodes\nff02::2 ip6-allrouters\nff02::3 ip6-allhosts" | sudo tee /etc/hosts > /dev/null
sudo sed -i.old -r '/[ \t]\/[ \t]/{s/(ext4[\t ]*)([^\t ]*)/\1\2,user_xattr,acl,barrier=1/}' /etc/fstab
sudo mount -a -o remount,rw /

# Installing samba, krb5, winbind, bind9, chrony, openssl
sudo apt install acl attr samba smbclient winbind libpam-winbind libnss-winbind krb5-user krb5-config krb5-locales bind9 bind9utils bind9-doc binutils ldb-tools chrony openssl isc-dhcp-server -y

# Preparing the samba-ad-dc service
sudo systemctl stop samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl disable samba-ad-dc.service smbd.service nmbd.service winbind.service
sudo systemctl unmask samba-ad-dc
sudo rm -f /etc/samba/smb.conf
sudo rm -f /var/run/samba/*.[t,l]db
sudo rm -f /var/lib/samba/*.[t,l]db
sudo rm -f /var/cache/samba/*.[t,l]db
sudo rm -f /var/lib/samba/private/*.[t,l]db
sudo rm -r /var/lib/samba/sysvol/*
# provisioning the AD DC
sudo samba-tool domain provision --server-role=dc --use-rfc2307 --dns-backend=BIND9_DLZ --realm="$realm" --domain="$workgroup" --function-level=2008_R2 --adminpass="$password"

# krb5.conf settings
sudo rm -f /etc/krb5.conf
sudo ln -sf /var/lib/samba/private/krb5.conf /etc/krb5.conf
sudo sed -i "/dns_lookup_kdc = true/a \        rdns = no" /var/lib/samba/private/krb5.conf

# smb.conf settings
# [global] must be escaped in the address: unescaped it is a bracket expression matching any of g,l,o,b,a
sudo sed -i "/\[global\]/a         security = auto" /etc/samba/smb.conf
sudo sed -i "/security = auto/a allow dns updates = secure only" /etc/samba/smb.conf
sudo sed -ri 's/server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc, drepl, winbindd, ntp_signd, kcc, dnsupdate/server services = -dns/g' /etc/samba/smb.conf
sudo sed -i "/workgroup = $workgroup/a # dns forwarder = $ipaddress" /etc/samba/smb.conf
sudo sed -i "/dns forwarder = /a # interfaces = " /etc/samba/smb.conf
sudo sed -i "/interfaces = /a # bind interfaces only = yes" /etc/samba/smb.conf
# GNU sed turns \n inside the appended text into a line break; a leading "n\" or "/n"
# would be inserted literally, so every block starts directly with its first line
sudo sed -i "/idmap_ldb:use rfc2307 = yes/a # Default idmap config for local BUILTIN accounts and groups\n idmap config * : backend = tdb\n idmap config * : range = 3000-7999" /etc/samba/smb.conf
# the * in the address is escaped; unescaped the pattern never matches and every insert below it is skipped
sudo sed -i "/idmap config \* : range = /a # idmap config for the $workgroup domain\n idmap config $workgroup:backend = ad\n idmap config $workgroup:schema_mode = rfc2307\n idmap config $workgroup:range = 10000-999999" /etc/samba/smb.conf
sudo sed -i "/idmap config $workgroup:range = /a idmap config $workgroup: unix_nss_info = yes\n idmap config $workgroup: unix_primary_group = yes" /etc/samba/smb.conf
sudo sed -i "/unix_primary_group = /a # Template settings for login shell and home directory\n template shell = /bin/bash\n template homedir = /home/%U" /etc/samba/smb.conf
sudo sed -i "/template homedir/a winbind enum users = yes\n winbind enum groups = yes\n winbind use default domain = yes\n winbind offline logon = no\n winbind cache time = 300\n winbind nss info = rfc2307" /etc/samba/smb.conf
sudo sed -i "/winbind nss info = /a server signing = auto\n# server role check:inhibit = yes\n# dsdb:schema update allowed = yes\n# drs:max object sync = 1200\n# kernel share modes = yes\n# client use spnego = yes\n# client NTLMv2 auth = yes\n# client min protocol = SMB2\n# client max protocol = SMB3\n# server min protocol = SMB2\n# server max protocol = SMB3\n restrict anonymous = 2\n map to guest = Never" /etc/samba/smb.conf
sudo sed -i "/map to guest/a log level = 3" /etc/samba/smb.conf
sudo sed -i "/log level/a log file = /var/log/samba/samba.log" /etc/samba/smb.conf
sudo sed -i "/log file/a max log size = 100000" /etc/samba/smb.conf
sudo sed -i "/max log size/a # Configuring LDAP over SSL (LDAPS)\ntls enabled = yes\ntls keyfile = tls/samba.key\ntls certfile = tls/samba.crt\ntls cafile = " /etc/samba/smb.conf
sudo sed -i "/tls cafile/a # printing = CUPS" /etc/samba/smb.conf
sudo sed -i "/printing = /a # include = /etc/samba/shares.conf\n# include = /etc/samba/profiles.conf\n# include = /etc/samba/printers.conf" /etc/samba/smb.conf
# Incomplete: one line still needs to be modified.

# Roaming Windows User Profiles
sudo bash -c 'echo -e "[profiles]\n        comment = Users profiles\n        path = /srv/samba/profiles/\n        browseable = No\n        read only = No\n        force create mode = 0600\n        force directory mode = 0700\n        csc policy = disable\n        store dos attributes = yes\n        vfs objects = acl_xattr" >> /etc/samba/profiles.conf'
sudo mkdir -p /srv/samba/profiles/
sudo chmod 1750 /srv/samba/profiles/
# the group owner is set further down, once winbind is running and "Domain Users" can be resolved

# Creating /etc/samba/shares.conf
sudo bash -c 'echo -e "[homes]\n    comment = Directorios de usuario\n    path = /home/%S\n    read only = no\n    browseable = no\n    create mask = 0611\n    directory mask = 0711\n    vfs objects = acl_xattr full_audit\n    full_audit:success = connect opendir disconnect unlink mkdir rmdir open rename\n    full_audit:failure = connect opendir disconnect unlink mkdir rmdir open rename" >> /etc/samba/shares.conf'

# Creating /etc/samba/printers.conf
sudo bash -c 'echo -e "[printers]\n       path = /var/spool/samba/\n       printable = yes" >> /etc/samba/printers.conf'
sudo mkdir -p /var/spool/samba/
sudo chmod 1777 /var/spool/samba/
# smbcontrol all reload-config

# winbind, PAM settings
sudo sed -ri 's/passwd:         compat systemd/passwd:         compat winbind/g' /etc/nsswitch.conf
sudo sed -ri 's/group:          compat systemd/group:          compat winbind/g' /etc/nsswitch.conf
sudo sed -ri 's/dns myhostname/dns mdns/g' /etc/nsswitch.conf
# sudo sed -ri 's/pam_winbind.so use_authtok try_first_pass/pam_winbind.so try_first_pass/g' /etc/pam.d/common-password
sudo pam-auth-update

# Bind9 settings
sudo wget -q -O /etc/bind/db.root http://www.internic.net/zones/named.root
sudo wget -q -O /etc/bind/bind.keys https://ftp.isc.org/isc/bind9/keys/9.11/bind.keys.v9_11
sudo bash -c 'echo -e "include \"/var/lib/samba/private/named.conf\";" >> /etc/bind/named.conf'
sudo bash -c 'echo -e "include \"/etc/bind/named.conf.logging\";" >> /etc/bind/named.conf'
sudo bash -c 'echo -e "include \"/etc/bind/rndc.key\";" >> /etc/bind/named.conf'
sudo bash -c 'echo -e "include \"/etc/bind/rndc.conf\";" >> /etc/bind/named.conf'
# the inner quotes are escaped so that "rndc-key" reaches the file quoted
sudo bash -c 'echo -e "controls {\n         inet 127.0.0.1 port 953 allow { localhost; } keys { \"rndc-key\"; };\n};" >> /etc/bind/rndc.conf'
sudo chgrp bind /var/lib/samba/private/dns.keytab
sudo chmod g+r /var/lib/samba/private/dns.keytab
sudo rndc-confgen -a
sudo chown root:bind /etc/bind/rndc.key
sudo chmod 640 /etc/bind/rndc.key
sudo sed -i "/directory/a \        sortlist {\n        { $network ;{ $network ; };};\n        };"  /etc/bind/named.conf.options
sudo cp -b /etc/bind/db.local /var/lib/bind/db.$reverse
sudo chown bind:bind /var/lib/bind/db.$reverse
sudo chmod 640 /var/lib/bind/db.$reverse
sudo sed -ri 's/RESOLVCONF=no/RESOLVCONF=yes/g' /etc/default/bind9
# these two blocks contain variables, so they are expanded here and written through tee
echo -e "acl \"trusted\" {\n    localhost;\n    localnets;\n};\n\nacl \"internal-local-nets\" {\n    $network;\n};\n" | sudo tee -a /etc/bind/named.conf.local > /dev/null
echo -e "zone \"$reverse.in-addr.arpa\" {\n    type master;\n    file \"/var/lib/bind/db.$reverse\";\n    update-policy {\n        // The only allowed dynamic updates are PTR records\n        grant $domain. subdomain $reverse.in-addr.arpa. PTR TXT;\n        // Grant from localhost\n        grant local-ddns zonesub any;\n    };\n};\n" | sudo tee -a /etc/bind/named.conf.local > /dev/null
sudo sed -i "/directory/a \        cleaning-interval 1440;\n        max-cache-ttl 2419200;\n        max-ncache-ttl 86400;\n        max-cache-size unlimited;\n        stacksize unlimited;\n        datasize unlimited;\n        coresize unlimited;\n        \n        listen-on { any; };"  /etc/bind/named.conf.options
sudo sed -i "/listen-on-v6/a \        allow-query { any; };\n        allow-recursion { trusted; };\n        allow-query-cache { trusted; };\n        allow-transfer { none; };\n        notify no;"  /etc/bind/named.conf.options
sudo sed -i "/dnssec-validation/a \        #dnssec-lookaside auto;"  /etc/bind/named.conf.options
sudo sed -i 's[// forwarders[forwarders[g' /etc/bind/named.conf.options
sudo sed -i "s[// \t0.0.0.0;[      $forwarders[g" /etc/bind/named.conf.options
sudo sed -i "s[// };[};[g" /etc/bind/named.conf.options
sudo sed -i "/listen-on-v6/a \        tkey-gssapi-keytab \"/var/lib/samba/private/dns.keytab\";" /etc/bind/named.conf.options
sudo sed -i "/tkey-gssapi-keytab/i \        // DNS dynamic updates via Kerberos, key in /var/lib/samba/private/dns.keytab" /etc/bind/named.conf.options
sudo sed -i "/notify no/a \        empty-zones-enable no;" /etc/bind/named.conf.options
sudo sed -i 's[//include[include[g' /etc/bind/named.conf.local
sudo bash -c 'echo -e "# Samba4 DLZ and Active Directory Zones (default source installation)\n/usr/lib/x86_64-linux-gnu/ldb/** rwmk,\n/usr/lib/x86_64-linux-gnu/samba/** rwmk,\n/var/lib/samba/** rm,\n/var/lib/samba/private/dns/** rwmk,\n/etc/samba/smb.conf r,\n/var/lib/samba/private/named.conf r,\n/var/lib/samba/private/dns.keytab r,\n/etc/bind/rndc.key  r,\n/var/tmp/** rwmk,\n/dev/urandom rw,\n/var/log/bind/** rw," >> /etc/apparmor.d/local/usr.sbin.named'
sudo bash -c 'echo -e "logging {\n        channel update_debug {\n                file \"/var/log/update_debug.log\" versions 3 size 100k;\n                severity debug;\n                print-severity  yes;\n                print-time      yes;\n        };\n        channel security_info {\n                file \"/var/log/security_info.log\" versions 1 size 100k;\n                severity info;\n                print-severity  yes;\n                print-time      yes;\n        };\n        channel bind_log {\n                file \"/var/log/bind.log\" versions 3 size 1m;\n                severity info;\n                print-category  yes;\n                print-severity  yes;\n                print-time      yes;\n        };\n\n        category default { bind_log; };\n        category lame-servers { null; };\n        category update { update_debug; };\n        category update-security { update_debug; };\n        category security { security_info; };\n};" >> /etc/bind/named.conf.logging'
sudo mkdir -p /var/log/bind
sudo chown -R bind:root /var/log/bind
sudo chmod -R 775 /var/log/bind

# NTP settings
sudo bash -c 'echo -e "# samba4 ntp signing socket\n/var/lib/samba/ntp_signd/socket rw," >> /etc/apparmor.d/local/usr.sbin.chronyd'
sudo install -d /var/lib/samba/ntp_signd
sudo chown root:_chrony /var/lib/samba/ntp_signd
sudo chmod 750 /var/lib/samba/ntp_signd
sudo sed -ri 's/pool ntp.ubuntu.com        iburst maxsources 4/server 0.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 0.ubuntu.pool.ntp.org iburst maxsources 1/server 1.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 1.ubuntu.pool.ntp.org iburst maxsources 1/server 2.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo sed -ri 's/pool 2.ubuntu.pool.ntp.org iburst maxsources 2/server 3.south-america.pool.ntp.org iburst/g' /etc/chrony/chrony.conf
sudo bash -c 'echo -e "# This directive tells chronyd to parse the adjtime file to find out if the\n# real-time clock keeps local time or UTC. It overrides the rtconutc directive.\nhwclockfile /etc/adjtime" >> /etc/chrony/chrony.conf'
# these lines carry variables, so they are expanded here and written through tee
{
  echo "bindcmdaddress $ipaddress"
  echo "broadcast 60 $broadcast"
  echo "allow $network"
  echo "ntpsigndsocket /var/lib/samba/ntp_signd"
} | sudo tee -a /etc/chrony/chrony.conf > /dev/null
sudo timedatectl set-local-rtc 1

# Self-signed certificate
sudo rm -f /var/lib/samba/private/tls/cert.pem
sudo rm -f /var/lib/samba/private/tls/key.pem
sudo rm -f /var/lib/samba/private/tls/ca.pem
# sudo openssl req -newkey rsa:2048 -keyout /var/lib/samba/private/tls/samba.key -nodes -x509 -days 365 -out /var/lib/samba/private/tls/samba.crt
# sudo chmod 600 /var/lib/samba/private/tls/samba.key

# Trusted certificate
sudo openssl genrsa -out /var/lib/samba/private/tls/samba.key 2048
sudo openssl req -new -key /var/lib/samba/private/tls/samba.key -out /var/lib/samba/private/tls/samba.csr
sudo openssl x509 -req -days 365 -in /var/lib/samba/private/tls/samba.csr -signkey /var/lib/samba/private/tls/samba.key -out /var/lib/samba/private/tls/samba.crt
sudo chmod 600 /var/lib/samba/private/tls/samba.key

sudo systemctl start samba-ad-dc
sudo systemctl enable samba-ad-dc
sudo systemctl daemon-reload
sudo systemctl reload apparmor
sudo systemctl restart systemd-networkd
sudo systemctl restart systemd-resolved
sudo systemctl restart bind9
sudo systemctl restart chrony

# winbind is running now, so "Domain Users" resolves and the profiles share gets its group owner
sudo chgrp -R "Domain Users" /srv/samba/profiles/

kinit "administrator@$realm"
sudo samba-tool group addmembers DnsAdmins dns-$hostname
sudo samba-tool user setpassword administrator
sudo samba-tool user setexpiry administrator --noexpiry
sudo samba-tool domain passwordsettings set --complexity=on
sudo samba-tool domain passwordsettings set --store-plaintext=off
sudo samba-tool domain passwordsettings set --history-length=0
sudo samba-tool domain passwordsettings set --min-pwd-age=0
sudo samba-tool domain passwordsettings set --max-pwd-age=0
sudo samba-tool domain passwordsettings set --min-pwd-length=7
sudo samba-tool domain passwordsettings set --account-lockout-duration=30
sudo samba-tool domain passwordsettings set --account-lockout-threshold=0
sudo samba-tool domain passwordsettings set --reset-account-lockout-after=30

# Configuring DHCP Server
sudo samba-tool user create dhcpduser --description="Unprivileged user for TSIG-GSSAPI DNS updates via ISC DHCP server" --random-password
sudo samba-tool user setexpiry dhcpduser --noexpiry
sudo samba-tool group addmembers DnsAdmins dhcpduser
# the keytab directory does not exist by default
sudo mkdir -p /etc/isc-dhcp-server
sudo samba-tool domain exportkeytab --principal="dhcpduser@$realm" /etc/isc-dhcp-server/dhcpduser.keytab
# incomplete, under development
exit 0
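As an added example, not part of the original script: the script above asks the operator to type the broadcast address and the reversed octets of the network by hand, and a typo there lands unchecked in named.conf and chrony.conf. The POSIX sh helpers below (function names are my own) derive both values from the CIDR and check that the DC address, gateway and forwarder list are sane before anything is provisioned.

```bash
#!/bin/sh
# Added helpers (not from the original script): derive and validate the answers
# the provisioning script asks for, so a typo never reaches named.conf or smb.conf.

# Return 0 if $1 is a dotted-quad IPv4 address, each octet 0..255, no leading zeros.
ipv4_valid() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ""|0?*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print the address as a 32-bit integer (caller must have validated it).
ip_to_int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Print a 32-bit integer as a dotted quad.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the netmask for prefix length 0..32 as an integer; return 1 if invalid.
mask_from_plen() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 32 ] || return 1
    hostbits=$(( 32 - $1 ))
    echo $(( hostbits == 32 ? 0 : (4294967295 << hostbits) & 4294967295 ))
}

# 192.168.1.0/24 -> 192.168.1.255 (the "broadcast" answer); return 1 for a bad CIDR.
broadcast_from_cidr() {
    net=${1%/*}; plen=${1#*/}
    ipv4_valid "$net" || return 1
    mask=$(mask_from_plen "$plen") || return 1
    int_to_ip $(( ($(ip_to_int "$net") & mask) | (~mask & 4294967295) ))
}

# 192.168.1.0/24 -> 1.168.192 (the "reverse" answer). Only classful prefixes
# (/8, /16, /24) map to a single in-addr.arpa zone; anything else returns 1.
reverse_zone_from_cidr() {
    net=${1%/*}; plen=${1#*/}
    ipv4_valid "$net" || return 1
    oldifs=$IFS; IFS=.; set -- $net; IFS=$oldifs
    case "$plen" in
        8)  echo "$1" ;;
        16) echo "$2.$1" ;;
        24) echo "$3.$2.$1" ;;
        *)  return 1 ;;
    esac
}

# Return 0 when address $1 lies inside CIDR $2 (DC and gateway must be on the LAN).
in_network() {
    net=${2%/*}; plen=${2#*/}
    ipv4_valid "$1" && ipv4_valid "$net" || return 1
    mask=$(mask_from_plen "$plen") || return 1
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Return 0 when a "8.8.8.8;8.8.4.4;" list (the format pasted into named.conf)
# contains only valid addresses; an empty entry such as ";;" is rejected.
forwarders_valid() {
    case "$1" in ""|*[!0-9.';']*) return 1 ;; esac
    oldifs=$IFS; IFS=';'; set -- $1; IFS=$oldifs
    for f in "$@"; do ipv4_valid "$f" || return 1; done
    return 0
}

# Check one full set of answers: print the derived values, or the first problem.
check_answers() {   # network dc_ip gateway forwarders
    in_network "$2" "$1" || { echo "DC address $2 is not inside $1"; return 1; }
    in_network "$3" "$1" || { echo "gateway $3 is not inside $1"; return 1; }
    forwarders_valid "$4" || { echo "bad forwarder list: $4"; return 1; }
    rev=$(reverse_zone_from_cidr "$1") || { echo "$1 is not a /8, /16 or /24"; return 1; }
    echo "broadcast=$(broadcast_from_cidr "$1") reverse=$rev.in-addr.arpa"
}

# Constructed sample matching the example values in the script's prompts.
check_answers 192.168.1.0/24 192.168.1.2 192.168.1.1 '8.8.8.8;8.8.4.4;'
```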

32
Other modules / Re: DHCP allocation ip secondary classes
« on: August 15, 2018, 03:02:54 am »
Zentyal menu > DHCP
disabled | eth0 interface | Configuration:
enabled | eth1 interface | Configuration: Ranges: Add Name: DYNRANGE From 192.168.2.11 to 192.168.2.249
enabled | eth2 interface | Configuration: Ranges: Add Name: DYNRANGE From 192.168.3.11 to 192.168.3.249

33
Hello, greetings to the Zentyal community.
I'm using this space to ask for help: I am writing a bash script that automates the installation of an Active Directory with SMB/CIFS support, CUPS, a functional Windows Server 2012_R2 forest and tree, a primary Domain Controller and a slave DNS backend with MySQL support, to install easily on several Ubuntu Server 16.04 LTS servers and have the packages update automatically without breaking the installation.

Another script to make it easy to insert many users with their respective organizational units and groups.
The idea is for those of us who deal with medium and large companies.

The problem is that there are many guides, but they install in different ways, and others are incomplete.

What I need is concrete information so I can build a bash script that ends up perfect and shared with you.

The bash script must be interactive: ask for the configuration data and then install and configure all the services.
Zentyal could also make use of the script to improve the product.

I need guides done the right way:
Install Samba
Install Bind
Install MySQL Server
Install DHCP Server
Install NTP Server
Install TFTP Server
Configure the AD DC server for SMB/CIFS, CUPS, DNS backend with DLZ and MySQL support
Firewall and permissions.

I have a machine on which I will do tests.

34
Other modules / Re: [HELP] ZENTYAL 5.0 SERVER FILE SHARE PROBLEM
« on: July 26, 2018, 08:23:47 pm »
The same thing happened to me in version 5.0, after updating to version 5.1.1 it works well for me.

I had the same problem, stops authenticating users and stops sharing folders.

Code:
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: failed (Result: exit-code) since jue 2018-07-26 13:18:58 -04; 52min ago
     Docs: man:named(8)
 Main PID: 3141 (code=killed, signal=ABRT)

jul 26 13:18:36 servidor named[3141]: automatic empty zone: EMPTY.AS112.ARPA
jul 26 13:18:38 servidor named[3141]: configuring command channel from '/etc/bind/rndc.key
jul 26 13:18:38 servidor named[3141]: reloading configuration succeeded
jul 26 13:18:38 servidor named[3141]: any newly configured zones are now loaded
jul 26 13:18:39 servidor named[3141]: success resolving 'star-z-mini.c10r.facebook.com/A'
jul 26 13:18:58 servidor systemd[1]: bind9.service: Main process exited, code=killed, stat
jul 26 13:18:58 servidor rndc[30141]: rndc: connect failed: 127.0.0.1#953: connection refu
jul 26 13:18:58 servidor systemd[1]: bind9.service: Control process exited, code=exited st
jul 26 13:18:58 servidor systemd[1]: bind9.service: Unit entered failed state.
jul 26 13:18:58 servidor systemd[1]: bind9.service: Failed with result 'exit-code'.

the solution:
Code:
administrator@servidor:~$ sudo systemctl restart bind9
administrator@servidor:~$ sudo systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since jue 2018-07-26 14:13:35 -04; 2s ago
     Docs: man:named(8)
 Main PID: 12404 (named)
    Tasks: 7
   Memory: 49.7M
      CPU: 217ms
   CGroup: /system.slice/bind9.service
           └─12404 /usr/sbin/named -f -u bind -4

jul 26 14:13:36 servidor named[12404]: zone 168.192.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 24.172.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 23.172.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 127.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 27.172.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 16.172.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 28.172.in-addr.arpa/IN: loaded serial 1
jul 26 14:13:36 servidor named[12404]: zone 1.168.192.in-addr.arpa/IN: loaded serial 20180
jul 26 14:13:36 servidor named[12404]: all zones loaded
jul 26 14:13:36 servidor named[12404]: running


35
Other modules / Re: [HELP] ZENTYAL 5.0 SERVER FILE SHARE PROBLEM
« on: July 17, 2018, 11:32:47 pm »
The same thing happened to me in version 5.0, after updating to version 5.1.1 it works well for me.

36
Other modules / Re: DNS restart failure
« on: July 17, 2018, 12:10:05 am »
apply the command:
Code:
sudo samba-tool group addmembers DnsAdmins dns-servidor
sudo reboot

Now I have a new error ...
Code:
Command output: .
Exit value: 2
2018/07/16 18:06:04 ERROR> Service.pm:967 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/4lAlq8VQIe failed.
2018/07/16 18:06:04 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/4lAlq8VQIe failed.
Error output: ; TSIG error with server: tsig indicates error
 update failed: NOTAUTH(BADKEY)

Command output: .
Exit value: 2

37
Other modules / Re: DNS restart failure
« on: July 16, 2018, 06:54:22 pm »
I have the same problem.

https://forum.zentyal.org/index.php/topic,32300.0.html

From what I understand it must be like this:
Code:
sudo samba-tool group list
ldb_wrap open of secrets.ldb
Allowed RODC Password Replication Group
Enterprise Read-Only Domain Controllers
Denied RODC Password Replication Group
Pre-Windows 2000 Compatible Access
Windows Authorization Access Group
Certificate Service DCOM Access
Network Configuration Operators
Terminal Server License Servers
Incoming Forest Trust Builders
Read-Only Domain Controllers
Group Policy Creator Owners
Performance Monitor Users
Cryptographic Operators
Distributed COM Users
Performance Log Users
Remote Desktop Users
Account Operators
Event Log Readers
RAS and IAS Servers
Backup Operators
Domain Controllers
Server Operators
Enterprise Admins
Print Operators
Administrators
Domain Computers
Cert Publishers
DnsUpdateProxy
Domain Admins
Domain Guests
Schema Admins
Domain Users
Replicator
IIS_IUSRS
Vendedores
DnsAdmins     <------
Gerentes
Guests
Cybers
Users
IT

Code:
sudo samba-tool user list
ldb_wrap open of secrets.ldb
john
anyerli
taquilla-01
taquilla-02
Administrator
dns-servidor  <----
gerente
kerio
krbtgt
Guest
01
02
03
04
05
06
07
08
09
10
11
12

Code:
sudo samba-tool group addmembers DnsAdmins dns-servidor

Code:
sudo samba-tool group listmembers DnsAdmins
ldb_wrap open of secrets.ldb
dns-servidor   <-------

I'm not sure.

38
Directory and Authentication / Error restarting DNS service
« on: July 16, 2018, 05:09:15 pm »
For some time I have had this error, since I updated from version 5.0 to 5.1.
Every so often I lose connectivity with the Active Directory; the computers lose access to the shared folders and cannot log in to the domain.
After looking into it, the problem is that the server has to be restarted completely. Trying to restart the DNS service is not possible.

Code:
Command output: .
Exit value: 1
2018/07/16 10:58:12 ERROR> Service.pm:967 EBox::Module::Service::restartService - root command nsupdate -g -t 10 /var/lib/zentyal/tmp/UUoao5tSs8 failed.
2018/07/16 10:58:12 ERROR> RestartService.pm:61 EBox::SysInfo::CGI::RestartService::_process - Restart of DNS from dashboard failed: root command nsupdate -g -t 10 /var/lib/zentyal/tmp/UUoao5tSs8 failed.
Error output: ; Communication with 127.0.1.1#53 failed: timed out
 dns_request_createvia3: address family not supported

Command output: .
Exit value: 1

Code:
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since lun 2018-07-16 10:58:01 -04; 1h 30min ago
     Docs: man:named(8)
  Process: 12593 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 12600 (named)
    Tasks: 7
   Memory: 45.8M
      CPU: 17.304s
   CGroup: /system.slice/bind9.service
           └─12600 /usr/sbin/named -f -u bind -4

jul 16 11:43:55 servidor named[12600]: client 192.168.1.105#60346: update 'savidoca.com/IN' denied
jul 16 11:43:55 servidor named[12600]: samba_dlz: cancelling transaction on zone savidoca.com
jul 16 11:46:19 servidor named[12600]: samba_dlz: starting transaction on zone savidoca.com
jul 16 11:46:19 servidor named[12600]: client 192.168.1.111#65288: update 'savidoca.com/IN' denied
jul 16 11:46:19 servidor named[12600]: samba_dlz: cancelling transaction on zone savidoca.com
jul 16 11:46:19 servidor named[12600]: samba_dlz: starting transaction on zone savidoca.com
jul 16 11:46:19 servidor named[12600]: samba_dlz: disallowing update of signer=M11\$\@SAVIDOCA.COM name=M11.savidoca.com type=
jul 16 11:46:19 servidor named[12600]: client 192.168.1.111#57933/key M11\$\@SAVIDOCA.COM: updating zone 'savidoca.com/NONE':
jul 16 11:46:19 servidor named[12600]: samba_dlz: cancelling transaction on zone savidoca.com

Code:
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since lun 2018-07-16 18:06:00 -04; 16min ago
     Docs: man:named(8)
  Process: 11040 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 11048 (named)
    Tasks: 7
   Memory: 51.1M
      CPU: 2.915s
   CGroup: /system.slice/bind9.service
           └─11048 /usr/sbin/named -f -u bind -4

jul 16 18:07:46 servidor named[11048]: client 192.168.1.108#58217/key M08\$\@SAVIDOCA.COM: updating zone 'savidoca.com/NONE': adding an RR at 'M08.savidoca.com' A 192.168.1.108
jul 16 18:07:46 servidor named[11048]: samba_dlz: added rdataset M08.savidoca.com 'M08.savidoca.com.        1200        IN        A        192.168.1.108'
jul 16 18:07:46 servidor named[11048]: samba_dlz: committed transaction on zone savidoca.com
jul 16 18:13:26 servidor named[11048]: samba_dlz: starting transaction on zone savidoca.com
jul 16 18:13:26 servidor named[11048]: client 192.168.1.111#55467: update 'savidoca.com/IN' denied
jul 16 18:13:26 servidor named[11048]: samba_dlz: cancelling transaction on zone savidoca.com
jul 16 18:13:26 servidor named[11048]: samba_dlz: starting transaction on zone savidoca.com
jul 16 18:13:26 servidor named[11048]: samba_dlz: disallowing update of signer=M11\$\@SAVIDOCA.COM name=M11.savidoca.com type=AAAA error=insufficient access rights
jul 16 18:13:26 servidor named[11048]: client 192.168.1.111#51058/key M11\$\@SAVIDOCA.COM: updating zone 'savidoca.com/NONE': update failed: rejected by secure update (REFUSED)
jul 16 18:13:26 servidor named[11048]: samba_dlz: cancelling transaction on zone savidoca.com
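As an added example, not part of the original post: the journal excerpts above mix two different failures, unsigned updates (which `allow dns updates = secure only` refuses by design, the client has to use GSS-TSIG) and GSS-TSIG-signed updates that were still rejected (a rights problem on the DC side, like the DnsAdmins membership fixed in the earlier reply). The awk triage below, run over log lines constructed from this thread, separates the two per client and per signer.

```bash
#!/bin/sh
# Added example (not from the original post): triage named/samba_dlz journal lines.
#   UNSIGNED        update carried no TSIG/GSS key -> rejected by "secure only"
#   SIGNED-REFUSED  key accepted, update still denied -> signer lacks rights on the DC
#   COMMITTED       updates that went through
# The lines below are constructed from the excerpt in the post.
SAMPLE_LOG=$(cat <<'EOF'
jul 16 11:43:55 servidor named[12600]: client 192.168.1.105#60346: update 'savidoca.com/IN' denied
jul 16 11:46:19 servidor named[12600]: client 192.168.1.111#65288: update 'savidoca.com/IN' denied
jul 16 11:46:19 servidor named[12600]: samba_dlz: disallowing update of signer=M11\$\@SAVIDOCA.COM name=M11.savidoca.com type=
jul 16 18:07:46 servidor named[11048]: client 192.168.1.108#58217/key M08\$\@SAVIDOCA.COM: updating zone 'savidoca.com/NONE': adding an RR at 'M08.savidoca.com' A 192.168.1.108
jul 16 18:07:46 servidor named[11048]: samba_dlz: committed transaction on zone savidoca.com
jul 16 18:13:26 servidor named[11048]: client 192.168.1.111#55467: update 'savidoca.com/IN' denied
jul 16 18:13:26 servidor named[11048]: samba_dlz: disallowing update of signer=M11\$\@SAVIDOCA.COM name=M11.savidoca.com type=AAAA error=insufficient access rights
jul 16 18:13:26 servidor named[11048]: client 192.168.1.111#51058/key M11\$\@SAVIDOCA.COM: updating zone 'savidoca.com/NONE': update failed: rejected by secure update (REFUSED)
EOF
)

# Read log lines on stdin; print one tab-separated summary line per finding.
triage_updates() {
    awk '
    # "client IP#port: update ... denied" with no "/key" after the port: unsigned
    /client [0-9.]+#[0-9]+: update .* denied/ {
        split($0, a, "client "); split(a[2], b, "#"); unsigned[b[1]]++; next
    }
    # samba_dlz rejected a signed update: keep signer, record name and type
    /disallowing update of signer=/ {
        match($0, /signer=[^ ]+/); s = substr($0, RSTART + 7, RLENGTH - 7)
        match($0, /name=[^ ]+/);   n = substr($0, RSTART + 5, RLENGTH - 5)
        match($0, /type=[^ ]*/);   t = substr($0, RSTART + 5, RLENGTH - 5)
        refused[s "\t" n "\t" t]++; next
    }
    /samba_dlz: committed transaction/ { ok++ }
    END {
        for (c in unsigned) printf "UNSIGNED\t%s\t%d\n", c, unsigned[c]
        for (k in refused)  printf "SIGNED-REFUSED\t%s\t%d\n", k, refused[k]
        printf "COMMITTED\t%d\n", ok + 0
    }' | sort
}

printf '%s\n' "$SAMPLE_LOG" | triage_updates
```

On a live DC the same function reads `journalctl -u bind9 --no-pager | triage_updates`; an UNSIGNED client is a workstation to fix, a SIGNED-REFUSED signer is an account to check on the DC.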

39
You have to go to Network --> Services --> Add new
Service name: tftpd-hpa.service
Description: TFTP Server service
Add+
select the configuration button of tftpd-hpa.service
add new+
Protocol: UDP
Source port: Any
Destination port: Single port: 69

Firewall --> Packet Filter --> Filtering rules from internal networks to Zentyal --> Configure rules
Add new+
Decision: Accept
Source: Any
Service: tftpd-hpa.service
Description: TFTP service
Add+
Save changes.

I hope it works for you.

40
Spanish / Re: Create users in bulk or in batches
« on: July 15, 2018, 10:45:41 pm »
Hello, yes it is possible.
You must create a bash script file and give it execute permission, or make a text file that runs the commands in order from our workstation.

example on Windows with the program putty:
Code:
putty.exe -ssh administrator@host -P 22 -pw MiContraseña -m D:\AD\Scripts\script.txt

example on Linux:
Code:
# ssh has no -pw or -m options: let it prompt for the password and feed the
# command file to a remote shell on standard input
ssh -p 22 administrator@host 'bash -s' < /home/Administrator/Documents/AD/Scripts/script.txt
I haven't tested this part yet.

From here on you can keep adding the commands that follow to your script.txt file as you like.

First we must configure some domain options about password age security; that is up to you:
Code:
sudo samba-tool domain passwordsettings set --complexity=on
sudo samba-tool domain passwordsettings set --store-plaintext=off
sudo samba-tool domain passwordsettings set --history-length=0
sudo samba-tool domain passwordsettings set --min-pwd-length=7
sudo samba-tool domain passwordsettings set --min-pwd-age=0
sudo samba-tool domain passwordsettings set --max-pwd-age=365
sudo samba-tool domain passwordsettings set --account-lockout-duration=30
sudo samba-tool domain passwordsettings set --account-lockout-threshold=0
sudo samba-tool domain passwordsettings set --reset-account-lockout-after=30

Change the domain administrator password:
Code:
sudo samba-tool user setpassword administrator
password:

If we want the password not to expire:
Code:
sudo samba-tool user setexpiry administrator --noexpiry

Organizational Units (OU) have to be created with the Zentyal panel; I don't remember the commands for that...
Code:
Vendedores
Gerentes
Compras
Contadores
Abogados

I'm not very clear on this part..
We create an LDIF template
Code:
sudo nano ou.ldif
dn: ou=Vendedores,dc=example,dc=com
objectClass: organizationalUnit
ou: Vendedores

dn: ou=Compras,dc=example,dc=com
objectClass: organizationalUnit
ou: Compras

dn: ou=Gerentes,dc=example,dc=com
objectClass: organizationalUnit
ou: Gerentes
we save this template

I think the command to create Organizational Units (OUs) is:
Code: [Select]
ldbadd --url=/var/lib/samba/private/sam.ldb ou.ldif

And to modify:
you have to add the attribute "changetype: add" to the template
Code: [Select]
ldbmodify -H /var/lib/samba/private/sam.ldb ou.ldif
but I don't have much information on this; I don't know whether it can be applied in Zentyal.
I found information on this here: https://www.itzgeek.com/how-tos/linux/debian/install-and-configure-openldap-on-ubuntu-16-04-debian-8.html/2

or here: https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system

This is the command to create groups:
Code: [Select]
sudo samba-tool group add vendedores --group-type=Security --group-scope=Global
sudo samba-tool group add compras --group-type=Security --group-scope=Global
sudo samba-tool group add gerentes --group-type=Security --group-scope=Global

Group type and group scope according to your preference:
Code: [Select]
--group-scope=GROUP_SCOPE
  Group scope (Domain | Global | Universal)

--group-type=GROUP_TYPE
  Group type (Security | Distribution)

more information: https://windowserver.wordpress.com/2012/12/14/uso-recomendado-de-grupos-en-dominios-windows-server/

This is the command to create users:
Code: [Select]
sudo samba-tool user create carlos --userou='ou=Vendedores'
sudo samba-tool user setpassword carlos
sudo samba-tool user create ana --userou='ou=Vendedores'
sudo samba-tool user setpassword ana
sudo samba-tool user create pedro --userou='ou=Vendedores'
sudo samba-tool user setpassword pedro
sudo samba-tool user create angela --userou='ou=Gerentes'
sudo samba-tool user setpassword angela

If you want to create a user with more detail:
Code: [Select]
sudo samba-tool user create angela password --given-name=Angela --surname=Pirelli --userou='ou=Gerentes'
if you want the users to have more specifications you must add more things to the command; see this page:
https://wiki.samba.org/index.php/Adding_users_with_samba_tool

This is the command to add users to the group:
Code: [Select]
sudo samba-tool group addmembers vendedores pedro,angela,ana

So that users' passwords don't expire:
Code: [Select]
sudo samba-tool user setexpiry carlos --noexpiry

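Added example (mine, not code from the post above or from Zentyal/Samba): a small POSIX shell helper that builds the OU LDIF template from the domain name instead of typing each entry by hand, with an optional "changetype: add" line for ldbmodify as the post describes. It assumes the domain savidoca.com and the five OU names listed in the post; the sam.ldb path in the comment is the one given above.

```shell
#!/bin/sh
# Added example, not from the original post: generate the OU LDIF template
# for a Samba AD domain. Assumed inputs: domain savidoca.com and the OU
# names from the post. Load the result on the DC with
#   ldbadd -H /var/lib/samba/private/sam.ldb ou.ldif

# domain_to_dn: turn "savidoca.com" into "dc=savidoca,dc=com"
domain_to_dn() {
    printf '%s' "$1" | awk -F. '{
        for (i = 1; i <= NF; i++)
            printf "%sdc=%s", (i > 1 ? "," : ""), $i
    }'
}

# ou_ldif MODE BASE_DN OU...: print one LDIF entry per OU.
# MODE "add" produces input for ldbadd; MODE "modify" inserts the
# "changetype: add" line that ldbmodify requires.
ou_ldif() {
    mode=$1
    base=$2
    shift 2
    for ou in "$@"; do
        printf 'dn: ou=%s,%s\n' "$ou" "$base"
        if [ "$mode" = modify ]; then
            printf 'changetype: add\n'
        fi
        printf 'objectClass: organizationalUnit\n'
        printf 'ou: %s\n\n' "$ou"
    done
}

# count_entries: number of "dn:" lines in an LDIF read from stdin,
# a quick sanity check before loading the file into the directory
count_entries() {
    grep -c '^dn: '
}

# Example run (constructed input): print the LDIF for the five OUs from the
# post; redirect stdout to ou.ldif to get the file ldbadd expects.
base=$(domain_to_dn savidoca.com)
ou_ldif add "$base" Vendedores Gerentes Compras Contadores Abogados
```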
41
News and Announcements / Re: Zentyal 5.1 available!
« on: May 22, 2018, 08:36:05 pm »
In this version of Zentyal does it support installation in the Ubuntu Server 18.04 LTS operating system?

42
Other modules / There are missing options to the FTP module.
« on: May 22, 2018, 08:32:23 pm »
There are missing options in the FTP module, such as:
customizing the anonymous FTP directory path to store it on other units.
maximum download and upload speeds allowed, maximum connections allowed for anonymous users.
settings such as FTP Active Mode or FTP Passive Mode.
FTP and FTPS settings.

43
Hi friends, in case you run into this very frequent problem, "The trust relationship between this workstation and the primary domain failed", here is the solution:

https://www.youtube.com/watch?v=oOdCK3RhksA

I also recommend reading this article:
https://theitbros.com/fix-trust-relationship-failed-without-domain-rejoining/

44
Directory and Authentication / Re: GPO not work
« on: May 15, 2018, 02:51:03 pm »
Hi, I had the same problem at the beginning, but on Windows 10 64-bit in Mexican Spanish. You should download the RSAT for Windows Server 2016 in English (US) and log in with your DOMAIN NAME\Administrator and domain password. You must change the default language to EN-US and then install the RSAT, so that the GPO access shows up.


45
Directory and Authentication / [HELP] DNS Service
« on: April 16, 2018, 07:23:08 pm »
Hello friends from the Zentyal community.
I have a server with Zentyal 5.1.1

I have a new problem with DNS names.
I have a firewall server running the Kerio Control operating system with 2 network adapters, for Internet input and output, and another server inside the Zentyal network with the IP address 192.168.1.2.
My Zentyal Server is created with the name savidoca.com
My Firewall server is called firewall.savidoca.com

I'm having a problem with the name; I don't know if this is serious, since the address www.tvfanb.mil.ve points to my DNS server and I do not know if the problem is from the military institution or something I did wrong.

http://www.tvfanb.mil.ve.ipaddress.com/
