Messages - hjt

1
Hangs during upgrade.

Code:
*** Preparing for upgrade to Zentyal 7.0...
+ echo

+ prepareZentyalRepositories
+ wget -qO - keys.zentyal.org/zentyal-7.0-packages.asc
+ sudo apt-key add -
OK
+ '[' -f /etc/apt/sources.list.d/zentyal-archive.list ']'
+ '[' -f /var/lib/zentyal/.commercial-edition ']'
+ sed -ri '/zentyal(.)6.2/d' /etc/apt/sources.list
+ echo 'deb http://packages.zentyal.org/zentyal 7.0 main extra'
+ grep -qR http://ppa.launchpad.net/oisf/suricata-stable/ubuntu /etc/apt/sources.list /etc/apt/sources.list~ /etc/apt/sources.list.d
+ echo 'deb http://ppa.launchpad.net/oisf/suricata-stable/ubuntu focal main'
+ apt-key adv --keyserver keyserver.ubuntu.com --recv-keys D7F87B2966EB736F
Executing: /tmp/apt-key-gpghome.LfsjAz87zp/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys D7F87B2966EB736F

I had the same; the solution was to uninstall IPS before upgrading to 7.

2
Email and Groupware / [SOLVED] Out of office reply
« on: November 04, 2019, 02:58:59 pm »
Out of the box the out-of-office notifications are not enabled in Zentyal.
Is there any reason not to enable this?

For anyone interested in this, this requires modification of the stubs/mason files.
The standard stub is first copied from the default location to the /etc/zentyal/stubs location.
This is where Zentyal looks for modified mason files. This way, after an upgrade, you have the new stubs in /usr/share/zentyal/stubs and the custom ones in /etc/zentyal/stubs.

sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/sogo
sudo cp /usr/share/zentyal/stubs/sogo/sogo.conf.mas /etc/zentyal/stubs/sogo/
sudo nano /etc/zentyal/stubs/sogo/sogo.conf.mas

Find the line
SOGoVacationEnabled = NO;
and change to:
SOGoVacationEnabled = YES;

Save the file and restart SOGo from the dashboard.

Now when you log in to your webmail, click the settings icon behind your name, click "mail", and you will see the out-of-office option.


3
Other modules / Re: OpenVPN authorisation by common name
« on: November 04, 2019, 02:35:29 pm »
To finalise this issue, in my opinion this is a bug, as Zentyal does not act as advertised on the web-interface.

To solve the problem I had to make an adjustment to the stub/mason file:

sudo mkdir /etc/zentyal/stubs
sudo mkdir /etc/zentyal/stubs/openvpn
sudo cp /usr/share/zentyal/stubs/openvpn/openvpn.conf.mas /etc/zentyal/stubs/openvpn/
sudo nano /etc/zentyal/stubs/openvpn/openvpn.conf.mas

then change the line
verify-x509-name <% $tlsRemote %> name
into:
verify-x509-name <% $tlsRemote %> name-prefix

After this restart the VPN service from the dashboard, and things are good to go.

[The reason behind this]

This way I can make separate certificates for different users, preventing them from connecting to other OpenVPN server instances that are running on my server.

So I have two OpenVPN servers:
  • vpn-client
  • vpn-lan2lan

Then I create certificates for the users:

vpn-client.user1
vpn-client.user2
vpn-client.user3

and

vpn-lan2lan.remotelan1
vpn-lan2lan.remotelan2

Now I can enforce that vpn-client users cannot connect to the vpn-lan2lan service, and still revoke individual certificates.
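The stub override described in the two posts above keeps serving the copied template after an upgrade, even when the packaged stub has changed. The following added example (not part of the original posts and not Zentyal's own tooling) copies a stub into the override tree and later reports whether the packaged stub has moved on; the `.base.sha256` sidecar file is this example's own convention, and it is assumed that Zentyal ignores extra files in /etc/zentyal/stubs.

```shell
#!/bin/sh
# Added example: manage Zentyal stub overrides and detect upstream drift.
# The two directories are the ones named in the posts; the ".base.sha256"
# sidecar is a hypothetical convention of this example, not a Zentyal feature.
DEFAULT_STUBS=${DEFAULT_STUBS:-/usr/share/zentyal/stubs}
CUSTOM_STUBS=${CUSTOM_STUBS:-/etc/zentyal/stubs}

# override_stub MODULE FILE
# Copy the packaged stub into the override tree (never clobbering an existing
# override) and record the hash of the packaged stub it was based on.
override_stub() {
    src=$DEFAULT_STUBS/$1/$2
    dst=$CUSTOM_STUBS/$1/$2
    [ -f "$src" ] || { echo "no such stub: $src" >&2; return 1; }
    mkdir -p "$CUSTOM_STUBS/$1" || return 1
    if [ ! -e "$dst" ]; then
        cp -p "$src" "$dst" || return 1
        sha256sum < "$src" | cut -d' ' -f1 > "$dst.base.sha256"
    fi
}

# stub_status MODULE FILE prints one of:
#   no-override       nothing in the override tree for this stub
#   orphaned          override exists but the packaged stub is gone
#   unmodified        override is byte-identical to the packaged stub
#   current           override differs; packaged stub unchanged since the copy
#   upstream-changed  packaged stub changed since the copy: re-merge the edit
#   unknown-base      override differs and no base hash was recorded
stub_status() {
    src=$DEFAULT_STUBS/$1/$2
    dst=$CUSTOM_STUBS/$1/$2
    [ -f "$dst" ] || { echo no-override; return 0; }
    [ -f "$src" ] || { echo orphaned; return 0; }
    if cmp -s "$src" "$dst"; then echo unmodified; return 0; fi
    [ -f "$dst.base.sha256" ] || { echo unknown-base; return 0; }
    now=$(sha256sum < "$src" | cut -d' ' -f1)
    if [ "$now" = "$(cat "$dst.base.sha256")" ]; then
        echo current
    else
        echo upstream-changed
    fi
}
```

Source the file as root, run `override_stub openvpn openvpn.conf.mas` before editing, and run `stub_status openvpn openvpn.conf.mas` after each upgrade; `upstream-changed` means the one-line edit should be re-applied to a fresh copy of the new stub.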

4
Other modules / Re: OpenVPN authorisation by common name
« on: November 04, 2019, 02:16:01 pm »
OK, this is what I found out so far:

In the VPN config file (/etc/openvpn/client.d/client.conf) there is the line:

verify-x509-name vpn-client name

To check only the start of the common name, this should be changed to:

verify-x509-name vpn-client name-prefix

After a restart of the VPN service the config file is overwritten again, so I have to find out how to make this persistent. Search direction is probably mason-files, but I have no experience in this area so far.

5
Other modules / [SOLVED] OpenVPN authorisation by common name
« on: November 04, 2019, 12:47:48 pm »
I have a working VPN server, I can connect and ping the network.

In the server settings of the (Open)VPN there is an option "Client authorisation by common name"
The description says: "If enabled, only certificates whose common name begins with the selected value will be able to connect"

My server certificate's common name is "vpn-client" (confusing, but to indicate this server is for mobile clients, as opposed to lan2lan)
My client certificate's common name is "vpn-client.henkjan" and I also tried "vpn-client henkjan"
The client authorisation by common name is set to "vpn-client"

In my opinion the common name of the client starts with "vpn-client", so I expected it to work.
The connection works when I set "Client authorisation by common name" to disabled.
Enabling the setting gives in the VPN log file :

VERIFY X509NAME ERROR: C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client henkjan, must be vpn-client

So it appears to be checking the complete common name, as opposed to only the start.

Am I missing something?
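As an added example (not part of the original post), the following script triages `VERIFY X509NAME ERROR` lines like the one quoted above: it separates rejections where the certificate CN merely extends the expected name, which `name-prefix` would accept, from CNs that belong elsewhere. The parser assumes the log format shown in the post; all sample lines except the first are constructed.

```shell
#!/bin/sh
# Added example: triage OpenVPN "VERIFY X509NAME ERROR" log lines.

# classify_x509name_error LINE -> "<verdict> cn=<CN> expected=<NAME>"
#   prefix-only  CN begins with the expected name: rejected by type "name",
#                accepted once the directive uses "name-prefix"
#   mismatch     CN does not begin with the expected name: rejected by both
#   unparsed     not a VERIFY X509NAME ERROR line, or no CN in the subject
classify_x509name_error() {
    line=$1
    case $line in
        *"VERIFY X509NAME ERROR: "*", must be "*) ;;
        *) echo unparsed; return 0 ;;
    esac
    expected=${line##*, must be }
    subject=${line#*VERIFY X509NAME ERROR: }
    subject=${subject%, must be *}
    case $subject in
        *CN=*) cn=${subject##*CN=}; cn=${cn%%, *} ;;
        *) echo unparsed; return 0 ;;
    esac
    # Plain string prefix test: "vpn-client" also admits "vpn-client2.other".
    case $cn in
        "$expected"*) verdict=prefix-only ;;
        *) verdict=mismatch ;;
    esac
    echo "$verdict cn=$cn expected=$expected"
}

# count_verdicts VERDICT: read log lines on stdin, print how many got VERDICT.
count_verdicts() {
    want=$1; n=0
    while IFS= read -r l; do
        case $(classify_x509name_error "$l") in
            "$want"|"$want "*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# First line is the one from the post; the other three are constructed.
sample_log() {
cat <<'EOF'
VERIFY X509NAME ERROR: C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client henkjan, must be vpn-client
VERIFY X509NAME ERROR: C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-lan2lan.remotelan1, must be vpn-client
VERIFY X509NAME ERROR: C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client2.other, must be vpn-client
VERIFY OK: depth=0, C=NL, ST=Undefined, L=Town, O=Company, CN=vpn-client
EOF
}

sample_log | while IFS= read -r l; do classify_x509name_error "$l"; done
```

The third sample line is reported as `prefix-only`: a prefix comparison accepts any CN that starts with the configured string, so instance names where one is a prefix of another do not isolate their certificates from each other.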

6
Email and Groupware / Re: Fetchmail and Gmail: Oauth required
« on: February 21, 2019, 01:19:39 pm »
As of a few hours ago, Gmail stopped throwing AUTH errors and is delivering mail again. Not sure if they changed their policy or if there was a technical error involved.
Anyhow, mail is flowing again, and the problem is solved so far, as far as I'm concerned.

It appears that OAuth authentication will be a standard part of Fetchmail 7, so I'll be waiting for that to come to Zentyal.

7
Email and Groupware / Fetchmail and Gmail: Oauth required [SOLVED]
« on: February 21, 2019, 01:46:06 am »
Apparently Google is tightening security, and closing down IMAP(S) and POP3(S) access to Gmail accounts.
(I am aware of the "Allow less secure app" setting, but even when this is set, access is not allowed anymore)

On both my production server (5.0) and a clean test install (6.0) the /var/log/mail.log throws errors:
Fetchmail Query status=3 (AUTHFAIL) Authorization failure on ######

It seems that Oauth is now required to get the mails from Gmail.
I found an article that covers giving Fetchmail (6.3 and 6.4) support for OAuth2: http://mmogilvi.users.sourceforge.net/software/oauthbearer.html

But I cannot figure out how to get this into the Zentyal server. Anyone succeeded at this?


8
Installation and Upgrades / Re: Install failure - incomplete?
« on: September 07, 2017, 12:30:31 pm »
This is probably due to a graphics driver problem.

Get to the command prompt (either through ssh or by pressing ctrl-alt-f1. The latter is a bit irritating, because it jumps back to the other screen every time, but you can actually manage by pressing ctrl-alt-f1 every time).

On the command prompt type: sudo apt-get install xserver-xorg-video-all

This will install the video driver and things should be up and running after this.

-edit- More specifically for Hyper-V you can install only the fbdev driver:  sudo apt-get install xserver-xorg-video-fbdev
