Topics - talkinggoat

1
Installation and Upgrades / DNS, DHCP, Samba Dynamic Issues
« on: November 02, 2019, 05:02:50 pm »
I recently began having issues with our Zentyal 6 server, in regards to dynamic DNS, DHCP and Samba. DNS queries no longer work, dynamic DNS registration through DHCP and Samba DLZ no longer works. I installed a new perimeter firewall and changed the IP of the Zentyal box to something else; ever since then, things haven't worked quite right. It doesn't seem that Samba can update the changes in DNS, using DLZ.

I thought that maybe it was the dns.keytab, located in /var/lib/samba/private, so I deleted, recreated and reinitialized it...
Code:
sudo samba-tool domain exportkeytab --principal=dns-ZENTYAL@MY.DOMAIN.COM /var/lib/samba/private/dns.keytab
sudo ktutil -v -k /var/lib/samba/private/dns.keytab list
sudo kinit -k -t /var/lib/samba/private/dns.keytab dns-ZENTYAL
Of course, I have sterilized the actual principal and domain, using dns-ZENTYAL and MYDOMAIN.COM. You can find these entries by typing:
Code:
sudo klist
That doesn't seem to have helped, since it is not allowing some of the cleanup to take place. I ran the command:
Code:
sudo samba_dnsupdate --verbose
There are multiple instances where the update failed, for instance, here is some of the output, again, sterilized.

Code:
update (samba-tool): A DomainDnsZones.MYDOMAIN.com 192.168.15.2
Calling samba-tool dns for A DomainDnsZones.MYDOMAIN.com 192.168.15.2 (add)
Calling samba-tool dns add -k no -P ['192.168.15.2', 'MYDOMAIN.com', 'DomainDnsZones', 'A', '192.168.15.2']
lpcfg_load: refreshing parameters from /etc/samba/smb.conf
ldb_wrap open of secrets.ldb
Using binding ncacn_ip_tcp:192.168.15.2[,sign]
Failed to connect host 192.168.15.2 on port 135 - NT_STATUS_CONNECTION_REFUSED
Failed to connect host 192.168.15.2 (192.168.15.2) on port 135 - NT_STATUS_CONNECTION_REFUSED.
ERROR: Connecting to DNS RPC server 192.168.15.2 failed with (-1073741258, 'The transport-connection attempt was refused by the remote system.')
  File "/usr/lib/python2.7/dist-packages/samba/netcmd/dns.py", line 44, in dns_connect
    dns_conn = dnsserver.dnsserver(binding_str, lp, creds)
Failed 'samba-tool dns' based update of A DomainDnsZones.MYDOMAIN.com 192.168.15.2

This failure also happens for ForestDnsZones, gc(._msdcs), SERVERNAME, @.

The Samba server IS listening, but on the wrong IP...

Code:
netstat -nap | grep :135
tcp        0      0 192.168.15.1:135        0.0.0.0:*               LISTEN      2426/samba         
tcp        0      0 127.0.1.1:135           0.0.0.0:*               LISTEN      2426/samba
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      2426/samba

If you notice, Samba is listening on the OLD IP address and Zentyal has not told all its services to switch to the new IP address of 192.168.15.2. When the command samba_dnsupdate is run, it's looking on the correct address, but Zentyal is starting Samba on the wrong address, so the update fails to change the corresponding DNS properties in the Samba database. This also means that HTTPS, IMAP and almost everything else is listening on the wrong IP.


Does anyone know why or how to fix it?
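
The check the post does by eye, as an added example that is not part of the original post: parse `netstat -nap` output and report ports that are not bound on the address clients are told to use. The sample lines are the ones quoted above; the function names are assumptions.

```python
# Constructed sample: the netstat lines quoted in the post above.
NETSTAT = """\
tcp        0      0 192.168.15.1:135        0.0.0.0:*               LISTEN      2426/samba
tcp        0      0 127.0.1.1:135           0.0.0.0:*               LISTEN      2426/samba
tcp        0      0 127.0.0.1:135           0.0.0.0:*               LISTEN      2426/samba
"""

# A socket bound to a wildcard address answers on every local IP.
WILDCARDS = {"0.0.0.0", "::", "*"}


def listeners(netstat_text):
    """Return {port: set of local addresses} for TCP sockets in LISTEN state."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 6 or not cols[0].startswith("tcp") or cols[5] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms such as ":::135" intact (addr "::", port "135").
        addr, _, port = cols[3].rpartition(":")
        found.setdefault(int(port), set()).add(addr)
    return found


def unreachable_ports(netstat_text, expected_ip, ports):
    """Ports from `ports` with no listener on expected_ip or on a wildcard address."""
    bound = listeners(netstat_text)
    reachable_on = WILDCARDS | {expected_ip}
    return [p for p in ports if not (bound.get(p, set()) & reachable_on)]


if __name__ == "__main__":
    # 192.168.15.2 is the new address from the post; 135 is the RPC endpoint mapper.
    print("not reachable on new IP:", unreachable_ports(NETSTAT, "192.168.15.2", [135]))
    print("not reachable on old IP:", unreachable_ports(NETSTAT, "192.168.15.1", [135]))
```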

2
Installation and Upgrades / Admin Interface: Restrict IP Addresses
« on: October 04, 2019, 07:41:10 pm »
I need to modify the web interface to restrict it to serve only certain external IP addresses, but it doesn't seem the version of nginx is compiled with the http_access_module. I can't use the firewall, because Zentyal's firewall sees all packets from the router as "internal". Any ideas?

Zentyal 6

3
Installation and Upgrades / Openchange Removal
« on: March 17, 2018, 10:12:23 pm »
I just read, in the changelog, that Zentyal removed OpenChange. How has that affected the way Zentyal integrates with Outlook's Exchange features? Does it still work?

4
Installation and Upgrades / zentyal Missing from init.d
« on: March 17, 2018, 09:53:39 pm »
Has something changed in Zentyal 5.0.10 in regards to init.d, because the zentyal script is missing in my fresh install. What is the procedure to restart the modules?

5
Installation and Upgrades / Second Host on Zentyal Server
« on: July 27, 2017, 02:31:28 pm »
I am trying to install a second, ssl enabled vhost on my Zentyal server, but I'm running into difficulty with the proxy. I keep getting the error
Code:
The stylesheet https://www.mysecondsite.com/SOGo.woa/WebServerResources/dtree.css?lm=1459872312 was not loaded because its MIME type, “application/octet-stream”, is not “text/css”.
I have a ProxyPass directive, to send everything non-sogo related into another server. That doesn't seem to be having any effect on the above error. I have even tried copying and pasting the original sogo conf file, to the second site, but it doesn't work. I have tried with and without the SOGo.woa proxypass directive. Sogo does not seem to pick up the Alias /SOGo.woa/WebServerResources/ , as it won't load any of the .woa resources, without the ProxyPass /SOGo.woa ... Does anyone have any ideas?

Here is my .conf file that I am currently working with. Keep in mind that I have heavily changed the second, ssl, virtualhost.

Code:
user  www-data
group www-data

WSGILazyInitialization On
WSGIPythonPath /usr/lib/openchange/web/rpcproxy
WSGIScriptAlias /rpc/rpcproxy.dll /usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi
WSGIScriptAlias /rpcwithcert/rpcproxy.dll /usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi

<VirtualHost *:443>
    ServerName zentyal.myfirstsite.com
    ServerAlias autodiscover.myfirstsite.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/ocsmanager/myfirstsite.com.pem
    ProxyAddHeaders On

    ############################
    #### Autodiscover begin ####
    ############################
    ProxyPassMatch /[Aa]utodiscover(.*)$ http://127.0.0.1:5000/autodiscover$1

    #############
    #### EWS ####
    #############
    ProxyPass /ews http://127.0.0.1:5000/ews

    #########################
    #### RPC Proxy begin ####
    #########################
    # Extremely high timeout required by clients)
    Timeout 300
    KeepAlive On
    KeepAliveTimeout 120
    MaxKeepAliveRequests 500
    AddDefaultCharset utf-8

    Include /etc/apache2/mods-available/wsgi.load
    Include /etc/apache2/mods-available/env.load

    <Directory /usr/lib/openchange/web/rpcproxy/>
        SetEnv RPCPROXY_LOGLEVEL INFO
        SetEnv NTLMAUTHHANDLER_WORKDIR /var/cache/ntlmauthhandler
        SetEnv SAMBA_HOST 127.0.0.1
        WSGIPassAuthorization On
        WSGIProcessGroup %{GLOBAL}
        Require all granted
    </Directory>

    ############################
    #### SOGo webmail begin ####
    ############################
    Alias /SOGo.woa/WebServerResources/         /usr/lib/GNUstep/SOGo/WebServerResources/
    Alias /SOGo/WebServerResources/         /usr/lib/GNUstep/SOGo/WebServerResources/
    AliasMatch /SOGo/so/ControlPanel/Products/(.*)/Resources/(.*)         /usr/lib/GNUstep/SOGo/$1.SOGo/Resources/$2

    <Directory /usr/lib/GNUstep/SOGo/>
        AllowOverride None
        Require all granted

        # Explicitly allow caching of static content to avoid browser specific
        # behavior. A resource URL MUST change in order to have the client
        # load the new version.
        <IfModule expires_module>
            ExpiresActive On
            ExpiresDefault "access plus 1 year"
        </IfModule>
    </Directory>

    <LocationMatch "^/SOGo/so/ControlPanel/Products/.*UI/Resources/.*\.(jpg|png|gif|css|js)">
        SetHandler default-handler
    </LocationMatch>

    ## Uncomment the following to enable proxy-side authentication, you will then
    ## need to set the "SOGoTrustProxyAuthentication" SOGo user default to YES and
    ## adjust the "x-webobjects-remote-user" proxy header in the "Proxy" section
    ## below.
    #<Location /SOGo>
    #  AuthType XXX
    #  Require valid-user
    #  SetEnv proxy-nokeepalive 1
    #  Allow from all
    #</Location>
    ProxyRequests Off
    SetEnv proxy-nokeepalive 1
    ProxyPreserveHost On

    # When using CAS, you should uncomment this and install cas-proxy-validate.py
    # in /usr/lib/cgi-bin to reduce server overloading
    #
    # ProxyPass /SOGo/casProxy http://localhost/cgi-bin/cas-proxy-validate.py
    # <Proxy http://localhost/app/cas-proxy-validate.py>
    #   Order deny,allow
    #   Allow from your-cas-host-addr
    # </Proxy>

    ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
    ProxyPass /sogo/ http://127.0.0.1:20000/SOGo
    ProxyPass /sogo http://127.0.0.1:20000/SOGo
    ProxyPass /webmail/ http://127.0.0.1:20000/SOGo
    ProxyPass /webmail http://127.0.0.1:20000/SOGo
    ProxyPass /_debug http://127.0.0.1:5000/_debug retry=0

    <Proxy http://127.0.0.1:20000/SOGo>
        ## When using proxy-side autentication, you need to uncomment and
        ## adjust the following line:
        #  RequestHeader set "x-webobjects-remote-user" "%{REMOTE_USER}e"
        RequestHeader set "x-webobjects-server-url" "https://%{REQUEST_HOST}e:443"
        SetEnvIf Host "(.*):?" REQUEST_HOST=$1
        AddDefaultCharset UTF-8
        Require all granted
    </Proxy>

    # For apple autoconfiguration
    <IfModule rewrite_module>
        RewriteEngine On
        RewriteRule ^/.well-known/caldav/?$ /SOGo/dav [R=301]
    </IfModule>

    CustomLog ${APACHE_LOG_DIR}/ocsmanager-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/ocsmanager-error.log
</VirtualHost>




##################################################################
##################################################################
##################################################################






<VirtualHost *:80>
    ServerName www.mysecondsite.com
    ServerAlias mysecondsite.com
    DocumentRoot /var/www/mysecondsite.com
    <Directory /var/www/mysecondsite.com>
        Require all granted
    </Directory>
    Redirect / https://www.mysecondsite.com
</VirtualHost>

<Virtualhost *:443>
ServerName www.mysecondsite.com
ServerAlias mysecondsite.com
ServerAlias autodiscover.mysecondsite.com

SSLCertificateFile /etc/apache2/ssl/www_mysecondsite_com.crt
SSLCertificateKeyFile /etc/apache2/ssl/www_mysecondsite_com.key
SSLCACertificateFile /etc/apache2/ssl/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle
SSLEngine on
SSLProxyEngine on

ProxyPassInherit off
ProxyPreserveHost on
SetEnv proxy-nokeepalive 1


### I have tried every permutation of the proxy directives, that I can think of. Nothing works to load the .css.

ProxyPass /SOGo http://127.0.0.1:20000/SOGo retry=0
#with or without, this directive makes no difference
ProxyPassReverse /SOGo http://127.0.0.1:20000/SOGo
ProxyPass /sogo/ http://127.0.0.1:20000/SOGo
ProxyPass /sogo http://127.0.0.1:20000/SOGo
ProxyPass /webmail/ http://127.0.0.1:20000/SOGo
ProxyPass /webmail http://127.0.0.1:20000/SOGo
ProxyPass /_debug http://127.0.0.1:5000/_debug retry=0
ProxyPass /SOGo.woa http://127.0.0.1:20000/SOGo.woa
#with or without, this directive makes no difference
ProxyPassReverse /SOGo.woa http://127.0.0.1:20000/SOGo.woa

#This proxy directive has been modified from the original, but it makes no difference.

<Proxy http://127.0.0.1:20000/SOGo>
<IfModule headers_module>
  RequestHeader set "x-webobjects-server-port" "443"
  RequestHeader set "x-webobjects-server-name" "%{HTTP_HOST}e" env=HTTP_HOST
  RequestHeader set "x-webobjects-server-url" "https://%{HTTP_HOST}e" env=HTTP_HOST
  RequestHeader unset "x-webobjects-remote-user"
  RequestHeader set "x-webobjects-server-protocol" "HTTP/1.0"
</IfModule>
</Proxy>

    CustomLog ${APACHE_LOG_DIR}/acr-ocsmanager-access.log combined
    ErrorLog ${APACHE_LOG_DIR}/acr-ocsmanager-error.log

ProxyPass / http://10.28.45.100/mysecondsite/
ProxyPassReverse / http://10.28.45.100/mysecondsite/
</VirtualHost>

6
Other modules / [SOLVED] Contacts and Calendars in Database
« on: July 25, 2017, 09:23:02 pm »
Does anyone know exactly where Zentyal 4.2x/SOGo stores the calendars and contacts for users and/or (depending on the answer) how to export them without using the user's web interface?

7
Contributions / Tips&Tricks / Features Requests / Forum Issue
« on: April 27, 2017, 06:50:56 pm »
I am not sure exactly how to find an admin on here, but I was just in the middle of creating a long post, explaining how I found a solution to another user's problem, only to be greeted with the login prompt, when I clicked submit, losing all my work. Admins, please fix this issue, removing the auto-logout, creating a drafts option or, at minimum, increase the auto-logout time.

8
Installation and Upgrades / Just installed 4.2 Samba Broken
« on: July 01, 2016, 02:50:43 pm »
I just finished installing 4.2 and, lo and behold, something is wrong with Samba, no one can log in, now. In the logs, I get:

Code:
Jul  1 07:40:37 sbs-server smbd[32374]: [2016/07/01 07:40:37.326656,  0] ../source3/auth/auth.c:380(load_auth_module)
Jul  1 07:40:37 sbs-server smbd[32374]:   load_auth_module: can't find auth method samba4!

When trying to do an smbclient search, I get:
Code:
session setup failed: NT_STATUS_NO_LOGON_SERVERS
Has anyone come across this, yet?

9
Installation and Upgrades / Changing the Webmail Logo
« on: April 24, 2016, 05:50:08 pm »
I want to change the webmail logo and I found the .wox template responsible, in /usr/share/GNUstep/SOGo/Templates/MainUI/SOGoRootPage.wox, but my question is, if I change it, here, can't/won't it be reverted, during an upgrade of SOGO?

What is the correct way to change the logo, as a permanent solution, for all users?

10
Installation and Upgrades / Default Gateway not Adding
« on: April 21, 2016, 01:51:17 am »
For some reason, I can't get my Zentyal server on the internet, because it isn't putting a default gateway into its routing table. All it is adding is the local network. I have added the network in the default gateway tab and it is set to default.

It should say,
0.0.0.0     192.168.15.1     0.0.0.0   ...  eth0

All it has is:
192.168.1.0     0.0.0.0     255.255.255.0    ...   eth0

If I add the route, manually,  it works, fine. Any idea why it's not getting populated into the routing table?

11
Installation and Upgrades / Zentyal Server Keeps Losing Default Gateway
« on: November 14, 2015, 12:31:06 am »
For some reason, I have a server that keeps losing its route to the default gateway. Anytime the network is refreshed, I have to manually go to a terminal and issue "route add default gw 192.168.15.1 netmask 0.0.0.0 dev eth0"

The default gateway is set and is default, in the Zentyal settings and the DHCP server hands it out, like expected, but Zentyal, even though the address is static, does not keep its gateway.

Thanks for the help.

12
Installation and Upgrades / Change the Certificate for Webmail
« on: November 13, 2015, 05:17:33 am »
My users will be accessing their webmail from mail.domain.local on the inside of our network and mail.domain.com on the outside. How do I get Zentyal to issue a webmail certificate, for the two domains?

Zentyal 4.2

13
Installation and Upgrades / Thousands of "defaults entries" errors
« on: November 11, 2015, 11:43:37 pm »
I installed Zentyal 4.3 on an Ubuntu box and root keeps getting thousands of "ebox : problem with defaults entries ; TTY=unknown ; PWD=/ ; " email errors.
auth.log
Code:
Nov 11 16:42:40 timeserver sudo:     ebox : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/lib/zentyal/tmp/Ex9dycF1A4.cmd
Nov 11 16:42:40 timeserver sudo: pam_unix(sudo:session): session opened for user root by (uid=0)
Nov 11 16:42:40 timeserver sudo: pam_unix(sudo:session): session closed for user root

Not only is it devouring resources, it is making the log files unusable.

Does anyone know what this is about?

Thanks.

14
Herein lie instructions on how to connect Owncloud to the Zentyal/Samba LDAP Active Directory. I couldn't find a definitive answer, so I had to craft one. In this little tutorial, I hope I'll show you how to get the credentials for the Base DN, Login and sAmAccountName, necessary to connect Owncloud to Zentyal. This example assumes you already know and have entered some of the information and set up the necessary server, like the server's address or domain name, you are running LDAP, and that you are able to access it, either from the outside world or as localhost, you have installed, configured, set up, mastered and have a black belt in the Active Directory Plugin in Zentyal (Domain Controllers and File Sharing Module) and you have a user account and password set up and ready to go, in the aforementioned Zentyal module. Configuring those settings is beyond this tutorial.

Here is what you will need:
Windows Box connected to your AD Domain (to install Administrative tools on)
Zentyal, running the necessary AD services (my version was 4.1)
Port 389 open (to connect to LDAP. Don't forget to check the Zentyal firewall module for that.)
Owncloud, setup and ready with the LDAP plugin (but anything needing LDAP would work, I suspect.) (My version was 8.1.0)


Step 1 Download tools for Windows.
First, we will have to install some tools on the Windows box. Because the address may change over time, I'll tell you what to look for AND include the address. I searched Google for "Windows Active Directory Tools". The first webpage that came up was, "Download Remote Server Administration Tools for Windows 7" HERE is the link. Go through the installation process and turn on the tools. Instructions for that can be found a little further down, in the previous link under, Installation Instructions.

Step 2 Retrieve the LDAP settings
Once installed, launch the ADSI editor, in the newly installed Administrative Tools sections of All Programs. It will open with two panes. The one on the left is your tree view and should only contain ADSI Edit. Right click on it and select Connect To. If you are correctly connected to your Zentyal Domain, everything will be filled out for you; just click ok. In the left pane, expand Default naming context, DC=yourdomain,DC=tld, CN=Users. Search for the user you would like to connect to LDAP AD with, right click the name and click properties. Search for the attribute, distinguishedName. Click on the attribute, highlighting it and click View. You will need to type this into the "User DN" box of Owncloud's LDAP Settings and enter the user's password, in the box, underneath. Your base dn is usually the DC=yourdomain,DC=tld. Of course, substitute your settings, not the example. It can be found in the ADSI Editor, right under Default Naming Context. Click Continue and it should say, configuration OK.

Step 3 Selecting Users to Add
I left the "Only these object classes" with nothing in it. In "Only from these groups:" choose Domain Users or whatever group you want. You should see something like this, below: (|(|(memberof=CN=Domain Users,CN=Users,DC=yourdomain,DC=tld)(primaryGroupID=513))) Click the Verify Settings and it should tell you settings ok, and display the number of users you'll be dealing with. If that worked, click Continue.

Step 4 Selecting Login Attributes
This is where you will enter what attributes are used to authenticate against, i.e., what they will type into the username field to log into Owncloud. Choose LDAP / AD Username and, under Other Attributes: sAmAccountName. You should see something like this, under your settings: (&(|(|(memberof=CN=Domain Users,CN=Users,DC=yourdomain,DC=tld)(primaryGroupID=513)))(|(samaccountname=%uid)(|(sAMAccountName=%uid)))) Type the name of a known user in the Domain Users group and click the Verify settings button. If you aren't sure what you'll be typing in, find the user in the ADSI editor, like above. Right click them and select properties, then scroll all the way down to the sAMAccountName attribute. The value it shows is the username to login with, that you will type in your test box. If you set up everything correctly, it should say, user found and settings verified. Click Continue.

Step 5 Setting up Groups
Under Only these object classes: I chose group and under Only from these groups: I chose Domain Users, but you can choose whatever you want. Click the Verify settings button and it should tell you how many groups you've added.

Step 6 Finalizing
At this stage, you should have a green light and Configuration OK confirmation. Attempt to login, using the sAmAccountName. If you did your job, the user should login.

Please let me know if I have missed anything and need to correct this article.
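
The login filter from Step 4, evaluated against a few constructed directory entries, as an added example that is not part of the original post and is not Owncloud's own code. It shows why the filter carries both a memberof and a primaryGroupID=513 clause, and how the typed login is escaped before it replaces %uid. The entries, the RID 1105 and all function names are assumptions, and matching is simplified to case-insensitive equality.

```python
import re

# Login filter exactly as shown in Step 4; %uid stands for the typed login.
LOGIN_FILTER = ("(&(|(|(memberof=CN=Domain Users,CN=Users,DC=yourdomain,DC=tld)"
                "(primaryGroupID=513)))"
                "(|(samaccountname=%uid)(|(sAMAccountName=%uid))))")


def escape_filter_value(value):
    """RFC 4515 escaping, so a typed login cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, index after it)."""
    if f[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if f[i] in "&|":                       # boolean node with child filters
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1           # step over the closing ')'
    end = f.index(")", i)                  # safe: a literal ')' in a value is \29
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), unescape(value)), end + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (simplified matching rules)."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    _, attr, value = node
    values = [v for name, vs in entry.items() if name.lower() == attr for v in vs]
    return any(v.lower() == value.lower() for v in values)


DOMAIN_USERS = "CN=Domain Users,CN=Users,DC=yourdomain,DC=tld"
# Constructed entries. 1105 is a made-up RID for some other primary group.
ENTRIES = [
    # Primary group is Domain Users: AD records that in primaryGroupID, not memberOf.
    {"sAMAccountName": ["alice"], "primaryGroupID": ["513"], "memberOf": []},
    # Domain Users is a secondary group here, so it appears in memberOf.
    {"sAMAccountName": ["bob"], "primaryGroupID": ["1105"], "memberOf": [DOMAIN_USERS]},
    # Not in Domain Users at all: the filter must not select this account.
    {"sAMAccountName": ["svc-backup"], "primaryGroupID": ["1105"], "memberOf": []},
]


def find_logins(uid, entries=ENTRIES):
    """Return the sAMAccountName of every entry the login filter selects for uid."""
    tree, _ = parse(LOGIN_FILTER.replace("%uid", escape_filter_value(uid)))
    return [e["sAMAccountName"][0] for e in entries if matches(tree, e)]


if __name__ == "__main__":
    for login in ("alice", "bob", "svc-backup", "*", "ali)(ce"):
        print(repr(login), "->", find_logins(login))
```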

15
Installation and Upgrades / Zentyal: Get CardDAV and CalDAV Address
« on: February 13, 2015, 03:12:04 pm »
I am posting this, because it may not be obvious how to do it...

To get the CardDAV and CalDAV addresses, perform the following steps:
CardDAV:
1) In the web interface, open the address book.
2) On the left of the page, you will see a list of your address books. Right click on the book you want, then click properties.
3) Click on "Links to this Address Book"

CalDAV:
1) In the web interface, open the Calendar page.
2) Right click on the calendar you want to sync. Click properties
3) Click on "Links to this Calendar"

Notes:
1) If you are using an internal address, like "mydomainname.lan", that will not resolve outside your network (aka, in the real world), you will need to modify the address given, to reflect your external domain name.
2) The port required to access the CalDAV and CardDAV protocols is 443. You will need to open this port on your firewall, forward it on your router, or both, if you are accessing it, outside your network.
