

Messages - zentypenguin

1
German / Re: Mounting NFS shares no longer works (Kerberos)
« on: December 05, 2013, 03:34:16 pm »
Hello benjamin,

good to know there is a fellow sufferer. I have to admit that the topic frustrates me a bit at the moment, and I currently have little time to look into it.
Linux clients don't seem to be exactly the target audience of the project.

But maybe someone will take pity who still has the ultimate tip on how to implement a Linux client cleanly ;)

When I have more breathing room again, I will certainly get back to it - or if there is some other decisive burst of motivation ;)

Ralf

2
German / Mounting NFS shares no longer works (Kerberos)
« on: September 30, 2013, 06:30:41 pm »
Hello,

I am (unfortunately) still tinkering with my server and now have the problem that I can no longer mount NFS shares. After some research and a howto from here http://people.zentyal.org/~bencer/auth-nfs-howto/html/nfsserver.html (with small corrections) I got it working with Zentyal 3.0 and a Linux Mint Debian Edition client.

Now, in the course of a hardware change and since 3.2 is out, I reinstalled and tried to get everything flying again using my existing step-by-step documentation.

All good - except that mounting the NFS shares no longer works.

In the client's log I find the following:
Code:
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: handling gssd upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt8)
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: process_krb5_upcall: service is '*'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: Full hostname for 'deep-thought.solaris.home' is 'deep-thought.solaris.home'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: Full hostname for 'lmde-laptop.solaris.home' is 'lmde-laptop.solaris.home'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: No key table entry found for LMDE-LAPTOP.SOLARIS.HOME$@SOLARIS.HOME while getting keytab entry for 'LMDE-LAPTOP.SOLARIS.HOME$@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: No key table entry found for root/lmde-laptop.solaris.home@SOLARIS.HOME while getting keytab entry for 'root/lmde-laptop.solaris.home@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: Success getting keytab entry for 'nfs/lmde-laptop.solaris.home@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/lmde-laptop.solaris.home@SOLARIS.HOME' using keytab 'FILE:/etc/krb5.keytab'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: ERROR: No credentials found for connection to server deep-thought.solaris.home
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: doing error downcall
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: Closing 'gssd' pipe for /var/lib/nfs/rpc_pipefs/nfs/clnt8
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt9
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: destroying client /var/lib/nfs/rpc_pipefs/nfs/clnt8

To me this looks as though no Kerberos tickets exist for
  • LMDE-LAPTOP.SOLARIS.HOME$@SOLARIS.HOME
  • root/lmde-laptop.solaris.home@SOLARIS.HOME

A kadmin -l followed by list * also reveals that they do not exist on the server.

I joined the client to the domain with net ads join -U, and the client is also shown under Computers in the directory tree.

I believe ;) that I saw these ticket entries in the old version of my installation, but for the life of me I don't know how they got there.

Maybe while tinkering I simply forgot to document a few important steps.

Would I perhaps get further with Likewise Open, which is available for Ubuntu? But it really should still be possible with LMDE as well. As I said, it worked once before and the server was just short of going into production. Now I have been thrown back.

Does anyone here have a tip?

Kind regards,

Ralf
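
The log above is worth reading principal by principal: rpc.gssd tries the machine account, then root/<host>, then nfs/<host>, finds a key only for nfs/<host> in /etc/krb5.keytab, and the KDC then answers "Client not found in Kerberos database" for exactly that principal, which means the keytab and the KDC disagree about which principals exist. The script below is an added example (not part of Ralf's post and not a Zentyal tool) that condenses rpc.gssd lines into one event per line and flags that keytab/KDC mismatch; the sample log is constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example: summarise rpc.gssd principal lookups from syslog lines.
# Not part of the forum post or of Zentyal; the sample log is constructed from the post.

gssd_principal_report() {
    # Reads rpc.gssd log lines on stdin and prints one event per line:
    #   keytab-miss <principal>   candidate principal has no key in /etc/krb5.keytab
    #   keytab-hit  <principal>   a key was found, gssd will ask the KDC for a ticket
    #   kdc-reject  <principal>   the KDC refused the AS request (reason and keytab in brackets)
    #   no-creds    <server>      gssd gave up; the mount fails with no credentials
    awk -v q="'" '
    /No key table entry found for/ {
        s = $0
        sub(/.*No key table entry found for /, "", s)
        sub(/ while.*/, "", s)
        print "keytab-miss " s
        next
    }
    /Success getting keytab entry for/ {
        split($0, a, q)          # a[2] is the text inside the first pair of quotes
        print "keytab-hit " a[2]
        next
    }
    /WARNING: .* while getting initial ticket for principal/ {
        r = $0
        sub(/.*WARNING: /, "", r)
        sub(/ while.*/, "", r)   # r is now the KDC error text
        split($0, a, q)          # a[2] principal, a[4] keytab path
        print "kdc-reject " a[2] " (" r ", keytab " a[4] ")"
        next
    }
    /ERROR: No credentials found for connection to server/ {
        s = $0
        sub(/.*server /, "", s)
        print "no-creds " s
    }'
}

gssd_verdict() {
    # Reads the report and names principals that have a keytab key the KDC does not know:
    # keytab and Kerberos database are out of sync (typical after a server reinstall).
    awk '
    $1 == "keytab-hit" { hit[$2] = 1 }
    $1 == "kdc-reject" && ($2 in hit) { print "keytab-kdc-mismatch " $2 }'
}

sample_gssd_log() {
    # Constructed sample: the relevant lines from the log quoted in the post above.
    cat <<'EOF'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: handle_gssd_upcall: 'mech=krb5 uid=0 service=* enctypes=18,17,16,23,3,1,2 '
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: No key table entry found for LMDE-LAPTOP.SOLARIS.HOME$@SOLARIS.HOME while getting keytab entry for 'LMDE-LAPTOP.SOLARIS.HOME$@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: No key table entry found for root/lmde-laptop.solaris.home@SOLARIS.HOME while getting keytab entry for 'root/lmde-laptop.solaris.home@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: Success getting keytab entry for 'nfs/lmde-laptop.solaris.home@SOLARIS.HOME'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: WARNING: Client not found in Kerberos database while getting initial ticket for principal 'nfs/lmde-laptop.solaris.home@SOLARIS.HOME' using keytab 'FILE:/etc/krb5.keytab'
Sep 29 00:30:21 lmde-laptop rpc.gssd[2059]: ERROR: No credentials found for connection to server deep-thought.solaris.home
EOF
}

# Stand-alone run: print the event list, then the verdict
sample_gssd_log | gssd_principal_report
sample_gssd_log | gssd_principal_report | gssd_verdict
```

On a real client, feed the daemon's syslog lines through `gssd_principal_report | gssd_verdict`; a `keytab-kdc-mismatch` line for nfs/<host> is the cue to compare `klist -k` on the client with the principal list on the server rather than to look for missing tickets.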

3
Hello mwolf2013,

thank you very much for your reply. But I wonder how durable these changes are if I make them in /usr/share/perl5/EBox/.. . Won't that be overwritten as soon as an update comes in?

Isn't there a way to use hooks for the modules responsible for the path? Those would still be there after an update, if I understood correctly.

Kind regards,

Ralf

4
Installation and Upgrades / Re: Linux user cannot connect to /home/user
« on: September 23, 2013, 10:30:26 pm »
Hi,

I don't know how to set it up for Mac, but I was successful connecting my Linux box to Zentyal as an NFS file server. Btw, my Linux testing box is Linux Mint Debian Edition.

I followed these instructions here: http://people.zentyal.org/~bencer/auth-nfs-howto/html/nfsserver.html - server and client.

But pay attention! In one detail this instruction is wrong. If you want to map the NFS mount, you have to use the same Kerberos security level, e.g. if you export with krb5i, you must set sec=krb5i in the mount command.

Another trick I found yesterday is that, if you want to use autofs, you can't mount the share with the graphical file browser out of the box. There seems to be a bug. In debug mode of automount, I recognized that it tried to map a file called ".hidden" that does not exist anywhere.

First of all, you have to do an "ls /path/to/remote/folder" in the terminal in user context. Then, after a successful automount, the mount will appear in the devices section of nautilus or nemo, whatever. Now you can bookmark the mount and give it a name you like. If you try to remount by using the bookmark, it works properly. You have to mount the shares in the /media folder, not /mnt!

Hope it helps.

Good luck,

Ralf

5
Hello,

I have got a bit further.

I created the file /etc/zentyal/samba.postsetconf with the following content:
Code:
#!/bin/sh
# Zentyal post-setconf hook: after Zentyal has regenerated smb.conf, point the
# per-user share at /home/userdata/%S instead of /home/%S
sed -i 's/path = \/home\/%S$/path = \/home\/userdata\/%S/' /etc/samba/smb.conf
exit 0
With this I achieve that the home directory in smb.conf is adjusted to my liking.

However, new users are still created in /home.

So, as I feared, more has to be done.

But so far I have not found any further configuration in which the home directory is defined in any way.

The file /etc/adduser.conf, where the home directory is defined, also does not seem to be used by the user management.

Is there any way at all?

The nicest thing would of course be if you could specify an alternative path to the home directory when creating a user, which would then also be stored in LDAP and taken into account everywhere.
Will that ever exist?

Thank you for your hints,

Ralf

6
Hello,

I have been tinkering with the Zentyal server for quite a while now, among other things to be able to use it sensibly with Linux clients as well. So far I have managed that users set up on the server can log in on a Linux client, and mapping directories also works quite well by now.

As the next step I would actually like to use two exports, one to mount the general shares and one to mount the user directories, so that local system-relevant user directories are not visible. And then it should of course keep working with Windows boxes too.

Unfortunately, the home directory is fixed in Samba. How can I adjust the configuration so that the home directories of the production users are created below /home/userdata/, so that I can then export the directory "userdata" instead of "home"?

I suspect that just adjusting the Samba configuration will not be enough. I'm afraid that adjustments would also have to be made in LDAP.

Is there a way to put the right configuration in /etc/zentyal/hooks/, and what would that have to look like?

I imagine the directory tree roughly like this:

/home/
/home/userdata/
/home/userdata/user1
/home/userdata/user2
/home/userdata/user3
/home/userdata/...
/home/samba/profiles
/home/samba/shares
/home/samba/shares/share1
/home/samba/shares/share2
/home/samba/shares/...

And then /home/userdata/ and /home/samba/shares/ as exports.

I would be glad if someone could give me hints on how to implement this.

Kind regards,

Ralf
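
The samba.postsetconf hook in the earlier post above edits smb.conf in place with sed; what is easy to get wrong is whether the pattern still matches after Zentyal regenerates the file and whether running it twice doubles the prefix. This added example (my code, not Ralf's hook and not part of Zentyal) applies the same substitution to a constructed smb.conf in a temporary file and reads the resulting %S path back, so the hook can be checked before it goes into /etc/zentyal/samba.postsetconf. It only verifies the Samba side; where Zentyal creates the directory on disk, which is the open problem in both posts, is not touched.

```shell
#!/bin/sh
# Added example: dry-run the smb.conf rewrite from the post's samba.postsetconf hook on a
# constructed smb.conf. Not part of Zentyal and not the hook itself.

rewrite_homes_path() {
    # $1 = smb.conf to edit in place, $2 = new base directory (no '|' or '&' in it).
    # Only the untouched "path = /home/%S" line matches (note the anchored $), so the
    # substitution is idempotent: a second run, or a run after Zentyal regenerated the file
    # and the hook already fired, never produces /home/userdata/userdata/%S.
    sed -i "s|^\([[:space:]]*path = \)/home/%S\$|\1$2/%S|" "$1"
}

user_share_path() {
    # Prints the value of the first "path = ..." whose value uses the %S service-name macro,
    # i.e. the per-user share path, regardless of the section it sits in.
    sed -n 's/^[[:space:]]*path[[:space:]]*=[[:space:]]*\(.*%S.*\)$/\1/p' "$1" | head -n 1
}

write_sample_smb_conf() {
    # Constructed smb.conf fragment (not Zentyal's generated file) with a per-user share
    # under /home/%S and an unrelated share that must stay untouched.
    cat > "$1" <<'EOF'
[global]
    workgroup = SOLARIS
    realm = SOLARIS.HOME

[homes]
    comment = Home Directories
    path = /home/%S
    read only = no
    browseable = no

[shares]
    path = /home/samba/shares
    read only = no
EOF
}

# Stand-alone run
conf=$(mktemp)
write_sample_smb_conf "$conf"
echo "before: $(user_share_path "$conf")"
rewrite_homes_path "$conf" /home/userdata
rewrite_homes_path "$conf" /home/userdata          # second run is a no-op
echo "after:  $(user_share_path "$conf")"
rm -f "$conf"
```

After the hook has run on the real file, `testparm -s` is the check that Samba still parses the result and that the [homes] path reads as intended.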

7
Hello,

I have been playing around with Zentyal for a while now. Not enough time to work straight forward. Because I plan to work with a heterogeneous network, Linux and MS clients, Zentyal was my choice.
Now, a few months later, I have reached some of my goals, but not perfectly.
I found the documentation masakre used, too, and I followed the instructions to let a Linux client successfully mount NFS. I could solve some mistakes:
  • on the client, in /etc/default/nfs-common not only NEED_GSSD has to be activated, but NEED_IDMAPD also has to be set to YES
  • in the mount command, you have to use the same security level you configured for the exports on the server: if you use krb5i for the exports definitions, you have to give sec=krb5i as an option to the mount command
Now a user that exists only on the server can log in on my Linux client (LMDE) and is able to mount the NFS devices.

My problem is that I get an error message every time I mount the device: "Timeout waiting for mount to appear". The other problem, or wish, is that I would like to let the client mount the NFS at boot time, before a valid user logs in.

Maybe somebody has a solution for that?

If I can solve these problems too, it would be a very interesting milestone for me and I could go on configuring the other services I would like to run on my Zentyal box.

And it would be nice if it were possible to hide some folders and files of the NFS that are not important for a common user.

For me, it's one of my most important goals to have a transparent file server working with Linux and(!) Windows clients.

Maybe somebody has any experience with it?

Thanks a lot,

Ralf
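
Both points in the list above (NEED_GSSD plus NEED_IDMAPD, and matching the mount's sec= to the export) can be checked before the mount is attempted, and the sec= mismatch is also the howto error the earlier post about /home/user points out. The script below is an added example, not from Ralf's posts or from the linked howto: it parses a constructed /etc/exports and /etc/default/nfs-common, reports the sec= flavours an export offers, and rejects a mount option set whose sec= the export does not list.

```shell
#!/bin/sh
# Added example, not from the posts or the howto: check an NFS/Kerberos client mount
# against the server's export before trying it. Assumes the line syntax of /etc/exports
# and the NEED_* variables of Debian's /etc/default/nfs-common.

export_sec_flavor() {
    # $1 = exports file, $2 = exported path.
    # Prints the sec= list of the first client entry for that path ("sys" if the export
    # has no sec= option), nothing if the path is not exported.
    awk -v p="$2" '
    $1 == p {
        for (i = 2; i <= NF; i++) {
            opts = $i
            if (!sub(/^[^(]*\(/, "", opts)) continue   # keep only what is inside (...)
            sub(/\).*$/, "", opts)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^sec=/) { sub(/^sec=/, "", o[j]); print o[j]; exit }
        }
        print "sys"
        exit
    }' "$1"
}

mount_sec_flavor() {
    # $1 = mount option string such as "rw,sec=krb5i,vers=4"; prints its sec= value, "sys" if absent
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^sec=//p' | head -n 1 | grep . || echo sys
}

check_mount_sec() {
    # $1 = exports file, $2 = path, $3 = mount options.
    # Succeeds only when the requested flavour is one the export offers (sec= may list
    # several, colon separated, e.g. krb5i:krb5p).
    offered=$(export_sec_flavor "$1" "$2")
    if [ -z "$offered" ]; then
        echo "error: $2 is not exported in $1"
        return 2
    fi
    wanted=$(mount_sec_flavor "$3")
    case ":$offered:" in
        *":$wanted:"*) echo "ok: sec=$wanted is offered by the export ($offered)"; return 0 ;;
        *) echo "mismatch: mount asks for sec=$wanted but the export offers sec=$offered"; return 1 ;;
    esac
}

check_nfs_common() {
    # $1 = /etc/default/nfs-common; prints each of NEED_GSSD / NEED_IDMAPD that is not "yes".
    # Without rpc.gssd there is no Kerberos context; without rpc.idmapd NFSv4 owner names
    # cannot be mapped to local users.
    for knob in NEED_GSSD NEED_IDMAPD; do
        val=$(sed -n "s/^$knob=//p" "$1" | tr -d '"' | tail -n 1)
        [ "$val" = "yes" ] || echo "$knob is '${val:-unset}', needs yes"
    done
}

write_samples() {
    # Constructed sample files written into directory $1 (not real server files)
    cat > "$1/exports" <<'EOF'
# constructed /etc/exports: both exports require Kerberos, one allows integrity or privacy
/home/userdata      192.168.0.0/24(rw,sync,sec=krb5i,no_subtree_check)
/home/samba/shares  192.168.0.0/24(ro,sync,sec=krb5i:krb5p,no_subtree_check)
EOF
    cat > "$1/nfs-common" <<'EOF'
# constructed /etc/default/nfs-common with idmapd still switched off
NEED_GSSD=yes
NEED_IDMAPD=no
EOF
}

# Stand-alone run against the constructed samples
dir=$(mktemp -d)
write_samples "$dir"
check_mount_sec "$dir/exports" /home/userdata "rw,sec=krb5"     # mismatch, the howto's mistake
check_mount_sec "$dir/exports" /home/userdata "rw,sec=krb5i"    # ok
check_nfs_common "$dir/nfs-common"
rm -rf "$dir"
```

On a real pair of machines the exports file lives on the server and nfs-common on the client, so the two checks run in different places; what matters is that the flavour the client asks for is one the server lists, since the server silently refuses anything else.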

8
Installation and Upgrades / Re: Experiences with sssd?
« on: March 26, 2013, 11:25:05 pm »
This is my configuration for now:

Following these instructions: http://trac.zentyal.org/wiki/Documentation/Community/Development/sssd

My /etc/krb5.conf looks like this:
Code:
[libdefaults]
    default_realm = <% kerberos realm %>
    dns_lookup_kdc = true
    dns_lookup_realm = true
    default_tgs_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
    preferred_enctypes   = arcfour-hmac-md5 des-cbc-md5 des-cbc-crc
...

After installing sssd and heimdal-clients, create /etc/sssd/sssd.conf and set its permissions to 600; this is my config:
Code:
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = SOLARIS

[nss]
filter_users = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
filter_groups = root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
reconnection_retries = 3

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/SOLARIS]
description = LDAP Domain with AD Server
debug_level = 9

min_id = 1000

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5

ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
ldap_schema = rfc2307bis
enumerate = True
cache_credentials = True
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = mypasswordfoundinldap

krb5_server = deep-thought.solaris.home:8880
krb5_realm = SOLARIS.HOME

I had to open "LDAP" in the firewall, because the LDAP default port 389 was open, but 390 was filtered.

This is my /etc/nsswitch.conf:
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat sss
group:          compat sss
shadow:         compat sss

netgroup:       nis sss

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

Additionally I added these lines to my /etc/pam.d/common-session:
Code:
session optional pam_umask.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0077
If a user logs in for the first time, a home directory will be created.

After a restart of sssd I recognized that sssd resolved the external IP address of my server, so I configured my /etc/hosts like this, to force resolving the internal IP address:
Code:
192.168.0.200 deep-thought.solaris.home
Maybe I can solve this problem in a different way?

With
Code:
getent passwd
the users configured only on the server appeared.

With kinit username@DOMAIN.NAME I can log in. With klist I can list the Kerberos ticket.

Now I can log in with a server user; it's possible to log in offline, too.

Maybe this configuration has to be optimized, but I'm lucky that it works for the moment.

Some things are not solved yet. For example, I cannot see nor change file or directory permissions of a Samba share. Only "unknown" is displayed for user, group or permission in my file manager. Same on my Windows box.

Any idea what might be wrong there?

Thanks a lot,

Ralf

(hope I didn't forget something)
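
The sssd.conf above works, but it carries a cleartext LDAP bind password, debug_level = 9, a plain ldap:// URI and offline_credentials_expiration = 0, which are the settings to revisit before the client leaves the test bench. This added example (mine, not from the post and not an sssd tool) reads a constructed sssd.conf in the same "key = value" layout, looks values up per section, and reports those settings together with the file mode that sssd insists on; the bind password in the sample is a placeholder.

```shell
#!/bin/sh
# Added example: read an sssd.conf in the post's "key = value" layout and report the settings
# worth revisiting before the client is used outside a test network. Not an sssd tool and not
# from the post; the sample config below is constructed.

sssd_conf_value() {
    # $1 = file, $2 = section name without brackets (sssd, pam, domain/SOLARIS), $3 = key.
    # Prints the value, or nothing if the key is absent. Assumes "key = value" with spaces.
    awk -v sec="[$2]" -v key="$3" '
    /^[[:space:]]*\[/ { insec = ($0 == sec); next }
    insec && $1 == key && $2 == "=" {
        $1 = ""; $2 = ""                       # drop key and "=", keep the rest as the value
        sub(/^[[:space:]]+/, "")
        print
        exit
    }' "$1"
}

sssd_conf_audit() {
    # $1 = file, $2 = domain name as used in [domain/NAME]. Prints one finding per line.
    f=$1
    dom="domain/$2"

    # sssd refuses to start unless the file is mode 0600 and owned by root; check group/other bits
    case "$(ls -ld "$f" | cut -c5-10)" in
        ------) ;;
        *) echo "mode: $f is readable or writable by group/others, sssd needs 0600" ;;
    esac

    # a simple-bind password stored in the file is only as safe as that file mode
    if [ -n "$(sssd_conf_value "$f" "$dom" ldap_default_authtok)" ]; then
        echo "secret: ldap_default_authtok holds the bind password in cleartext; use a read-only bind account and keep the file 0600"
    fi

    # ldap:// without STARTTLS sends that password and every lookup unencrypted
    uri=$(sssd_conf_value "$f" "$dom" ldap_uri)
    tls=$(sssd_conf_value "$f" "$dom" ldap_id_use_start_tls)
    case "$uri" in
        ldap://*)
            case "$tls" in
                [Tt]rue) ;;
                *) echo "transport: $uri without ldap_id_use_start_tls = True" ;;
            esac ;;
    esac

    # debug_level 9 was useful while getting it to work; it fills the log afterwards
    dl=$(sssd_conf_value "$f" "$dom" debug_level)
    case "$dl" in
        ''|[0-5]) ;;
        *) echo "logging: debug_level = $dl, lower it once the setup is stable" ;;
    esac

    # 0 means cached credentials never expire: a laptop that never sees the server again still logs in
    oce=$(sssd_conf_value "$f" pam offline_credentials_expiration)
    if [ "$oce" = "0" ]; then
        echo "offline: offline_credentials_expiration = 0, cached logins never expire"
    fi
    return 0
}

write_sample_sssd_conf() {
    # Constructed sssd.conf in the shape of the post's config; the bind password is a placeholder
    cat > "$1" <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = SOLARIS

[pam]
reconnection_retries = 3
offline_credentials_expiration = 0

[domain/SOLARIS]
debug_level = 9
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://deep-thought.solaris.home:390
ldap_search_base = dc=solaris,dc=home
ldap_default_bind_dn = cn=zentyal,dc=solaris,dc=home
ldap_default_authtok_type = password
ldap_default_authtok = CHANGEME-bind-password
krb5_server = deep-thought.solaris.home:8880
krb5_realm = SOLARIS.HOME
EOF
}

# Stand-alone run
conf=$(mktemp)
write_sample_sssd_conf "$conf"
chmod 644 "$conf"
sssd_conf_audit "$conf" SOLARIS
rm -f "$conf"
```

The offline-expiration finding is a trade-off rather than a defect: the post wants laptop logins without the server, and a limit of a few days keeps that while bounding how long a lost machine keeps accepting a cached password.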

9
Installation and Upgrades / Re: Experiences with sssd?
« on: March 25, 2013, 01:13:07 pm »
Hi, Marcus,

sssd means System Security Services Daemon.

I found a hint some months ago in the Zentyal wiki and I thought it fit my needs, but after a while the link was broken. Now, last week, I recognized it again here:

http://trac.zentyal.org/wiki/Documentation/Community/Development/sssd

Btw, the link is broken here:

http://trac.zentyal.org/wiki/Documentation/Community/Document/SingleZentyal#LinuxClientconfiguration

Maybe somebody can fix it?

So, last weekend I started to configure and I was successful. Using an LMDE client, a user configured on the Zentyal server is able to log in. Now I am trying to write documentation about my experiences and, when I have solved some other problems I found, I will try to write a howto.

If I get the time, I will post my first experiences here this evening.

Have a nice day,

Ralf

10
Installation and Upgrades / Experiences with sssd?
« on: March 20, 2013, 06:51:46 pm »
Hello,

does anybody have positive experiences with sssd to connect a Linux box to the Zentyal server?

I played around for a while, but I wasn't successful yet.

I can get a Kerberos ticket for my user with kinit and klist, but nothing else for the moment.

What do I have to do to make the following work:

- Login with a Zentyal user
- Access to its folders on the server
- Possibility to login offline, without a connection to the server (laptop)
- maybe more ...

Thank you for your hints,

Ralf

11
Hello all,

I did a fresh test installation of Windows 7 Pro in a VirtualBox and joining the domain was successful at once. Strange, but OK for now. I think the pre-installed Windows of my box might have some problems because of some custom network tools I never uninstalled.

I will reinstall my box when my Zentyal server goes productive.

Thank you all,

Ralf

12
Hi!

Thanks a lot! That was really confusing to me.

And the "missing" ports were found by scanning the UDP ports ;-)

Being up to date (for the moment ;-) )

Btw, I think I have a problem with my pre-installed Windows 7. There was no problem joining the domain with a fresh test installation in a virtual environment using VirtualBox. The prompt to enter the domain admin's credentials came at once and the greeting message as expected. Maybe some problems with the network adapter configuration? >:(

zentyalpenguin

13
Hello all,

I did a fresh install of Zentyal 3 last weekend to create a production server after playing around with the system for weeks. I did it twice, same result.

My last test installation 2 weeks ago seemed to work; my Windows 7 client could join the domain as expected (after months of trouble).

Now, 2 weeks later, nothing works. Samba does not create log files as expected. log.nmbd and log.smbd are missing; only samba.log was found in /var/log/samba/.
When I did an nmap localhost, I couldn't find ports 137 and 138. Shouldn't they be present?
I compared the configuration templates in the "stubs" folder and the new file differs from the old file I found in my old installation from 2 weeks ago. For example, wins support is missing and because of that it's set to no (default). Checked with testparm.

And, finally, joining the domain is not possible, of course.

Core version 3.0.14, zentyal-samba version 3.0.14, as everything is up to date.

Does anybody have a hint what might be going wrong again?

Thank you very much,

zentyalpenguin

14
Still not satisfied!

Last weekend, I did a new fresh install, now on my future production hardware, but it failed again. I did it twice with the same result, following my personal documentation that worked for the installation in the past (5th of February).

But now zentyal-samba version 3.0.14 was installed, and now it seems that Samba does not work properly.

I couldn't find the log files log.nmbd and log.smbd in /var/log/samba as used to be the case in the past. I also discovered that the configuration file samba.stubs differs in various things from my last installation. For example, wins support is missing and because of that it's set to disabled now (default value). I did a testparm to find out that it is disabled.

What's going wrong with Samba on Zentyal?

It's disappointing to me. It took half a year to get samba4 working and now it seems to be destroyed again?

Ralf

15
Sorry, guys!

But now it seems to work!!! After I did the last post, I started my server and I received an update including one for zentyal-network to version 3.0.2. I don't know if this was the solution, but now, when I tried to join the domain, at first I got a totally different error message concerning a problem with my entered DNS servers. In the past, I not only entered Zentyal's IP address as DNS server, but also that of my router. That might be wrong.
After I deleted the IP address of the router in the network configuration of my Windows box, I could join the domain as I expected.
I tested leaving the domain and joining again, no problem.

My latest test was to delete the last fixed DNS server in the network adapter's configuration too, to let Windows get all network information via DHCP, and this works too!

Maybe there is somebody out there who has the same experiences?

Thanks to all for the replies,

Ralf
