Need to share on the defunct admin User

The Email address page comes to my mind: it gets the list of accounts from NethServer::Database::Passwd and stores specific settings in the esmith DB, like IMAP access enabled/disabled or the mail forward address.

As said in the past, on ns7 the assumptions changed. We have “multisite”/remote account providers, so we need other solutions.

The Users and groups module in ns7 is not designed to be extended by plugins for the same reason.

No, it’s not possible. For example, if my account provider is a remote OpenLDAP instance, how/when can a user-create event be invoked? As the instance is remote, there’s no way to signal user-create on my server from the OpenLDAP instance.

The same for user-modify and user-delete.

Would you mind providing more details about your issue?

Just jumping in (take note that I am not a developer, but you all know this).
If you want to introduce a new application, in my opinion it would be a good idea to give this application a dedicated ‘admin’ user (for database issues etc.).
As a default convention you could opt for ‘admin_modulename’.
The install process should create that user in the account provider and create the same user in the database (mysql or mariadb).
I don’t know if you can trigger the creation of these accounts automatically during the process?
(I realize now I should have read all replies before jumping in… :wink: )

1 Like

Think about this scenario: I can’t think of a situation where you deploy a service and you don’t control the account provider. I mean, you offer a service without having access to the users using it? That does not compute… I mean, we are still looking at a small business server… What remote LDAP/AD are you thinking of when adding a service that needs authentication?

You can’t rely on user create/modify/delete events, but you can still save some local properties in a custom esmith db.

In this case, I’d go with a new module which uses a “webaccess” db.
Each record is the name of the user with a status prop, something like this:

myuser=webaccess
   status=enabled

You should then add a “Synchronize” button (or something like this), which eventually deletes from webaccess db all non-existent users.
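An added example (not NethServer code) of the “webaccess” db idea above: parse the record layout shown in this thread, do the app’s default-deny access check, and implement the “Synchronize” step that drops records of users no longer present in the account provider. The indented `key=type` / `prop=value` layout and the caller-supplied set of existing user names are assumptions.

```python
# Added example (not NethServer code): sync a "webaccess" esmith-style DB against
# the account provider's user list. Assumes the record layout shown in this thread
# (`key=type` then indented `prop=value` lines, as `db <name> show` prints it) and a
# caller-supplied set of existing account names (e.g. from getent passwd).


def parse_db(text):
    """Parse `key=type` / `    prop=value` lines into {key: (type, props)}."""
    records, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":  # indented: a property of the current record
            if current is None:
                raise ValueError("property line before any record: %r" % raw)
            prop, _, value = raw.strip().partition("=")
            records[current][1][prop] = value
        else:
            current, _, rtype = raw.strip().partition("=")
            records[current] = (rtype, {})
    return records


def dump_db(records):
    """Inverse of parse_db, same indented layout."""
    lines = []
    for key, (rtype, props) in records.items():
        lines.append("%s=%s" % (key, rtype))
        lines.extend("    %s=%s" % kv for kv in props.items())
    return "\n".join(lines) + "\n"


def is_enabled(records, user):
    """The app's access check: unknown users and anything but status=enabled are denied."""
    rec = records.get(user)
    return rec is not None and rec[0] == "webaccess" and rec[1].get("status") == "enabled"


def synchronize(records, existing_users):
    """What the 'Synchronize' button does: drop webaccess records whose user is gone
    from the account provider. Returns (kept_records, removed_keys)."""
    removed = [k for k, r in records.items() if r[0] == "webaccess" and k not in existing_users]
    kept = {k: r for k, r in records.items() if k not in removed}
    return kept, removed


# Constructed sample: olduser was deleted from the provider but still has a record.
SAMPLE_DB = "myuser=webaccess\n    status=enabled\nolduser=webaccess\n    status=disabled\n"
PROVIDER_USERS = {"myuser", "someoneelse"}
```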

I agree.

Of course you can, but not on the user provider (openldap/samba4). You can surely do it inside the app.

You have two servers inside the LAN:

  • mail server with all users
  • a firewall using web filters based on user profile

If the administrator creates a new user inside the mail server, the firewall doesn’t know it.

I don’t know if we understand each other here.
If we consider a network with NethServer(7) as base, the account provider is either OpenLDAP or Samba4.
Then all authentication is based on the account provider of choice. Isn’t it so that in that case the mail server and the firewall use the same accounts in order to provide the service?

Where I want to get to is: do we want to support a remote account provider for services hosted by NethServer?
I also realize that IF we don’t want to support a remote account provider, we must change the current way Samba4 is implemented, since it is now impossible to join an existing AD domain as a (full-blown) DC. In order to be able to add/change/delete accounts in an existing AD, the NethServer Samba4 implementation must change to allow for that scenario. @Christian what do you think?

Yes, we already do it! The nsdc container is actually a “remote” account provider. In the future I’d like to provide an additional DC to an existing AD domain. Here we talk about “replacing” (I guess there are limitations on what can be replaced) but it should be similar to “add”:

@davidep: In previous discussions it has been mentioned: currently it is not possible to add a NS7 server as a DC in an existing AD domain. IMO this means that NS is supporting a ‘crippled’ Samba4 implementation, since samba4 allows this. And what I understood from the previous discussion is that the main reason is that there is no anonymous bind to the Samba4 directory.
Without the intention of doing that whole discussion again, I still don’t get exactly why the choice of limiting access to the directory to authenticated users has been made. Maybe I overlooked the statement or (more likely) just didn’t understand the statement when I read it, but I sure would like to know (and understand).

Right, it is a (still) unsupported scenario. We’re working on it.

No, this is not related with the scenario above.

No such choice was made, AFAIK it’s the default behavior of Samba (and MS AD, too).

You hit the bell, I got it now. Indeed if I modify locally I cannot do the sync on the remote authenticator.

Well, this option is nice but it is not the one I choose. I do prefer to get one ‘admin’ for every webapp…let’s keep things simple…the name is ‘admin’. I just need it to authenticate in Apache; for other purposes like the MySQL DB, each database gets its own user.

Yeah, one way: for now I store all users in one property from a textArea box in Nethgui…the con is that the separator between user names is not a comma but a line break, and therefore you cannot modify the property manually from the command line. The pro is that the content is easily readable.

and the template

Thanks a lot all, it seems clear now.

2 Likes

I like it! We could define a simple convention. Just a couple of props in config DB…

sysconfig=configuration
    ...
    adminUser=administrator
    adminGroup=administrators

…and the @domain suffix added by templates. Individual packages that need an administrative identity can read those props and use them in their configurations.

The default values proposed above would fit 90% of our account providers. AD has them, our OpenLDAP can be provisioned in the same way. For remote LDAP directories where we cannot make any kind of assumption (the 10%), the two props can be fixed and a system-adjust event issued at the end.

4 Likes

Indeed the idea to have a generic user created from the base with a default password is great for me. It will avoid creating it manually, as I ask now for my modules. Of course all module authors could rely on it in the future also.

Obviously only the rpm nethserver-directory needs to be modified; any idea on how to do it?

Can you give a list of modules that would benefit from this convention?

When the LDAP tree is provisioned for the first time we could run luseradd and lgroupadd to create the administrator user and administrators group.

Are you going to open a PR? :wink:

1 Like

Honestly, nearly all web applications I did for NS6:

nethserver-BackupPC-1.0.1-2.ns6.src.rpm
nethserver-linux-dash-1.0.0-1.ns6.src.rpm
nethserver-shellinabox-0.0.8-1.ns6.sdl.src.rpm
nethserver-tt-rss-1.0.0-5.ns6.sdl.src.rpm
nethserver-urbackup-0.0.2-1.ns6.sdl.src.rpm

For NS7, some modules are done (shellinabox, tt-rss) but my dream would be to use a token in the server-manager like it is possible in Formagick and get rid of the password authentication…it could be so cool:

{
    # Load mod_auth_tkt so Apache can validate server-manager tickets
    $OUT .= "LoadModule auth_tkt_module modules/mod_auth_tkt.so\n";

    # Shared secret taken from the httpd-admin config record, with a fallback default
    my $secret = ${'httpd-admin'}{TKTAuthSecret} || "34322500-7330-4400-423A-3A00434F5245";
    $OUT .= "TKTAuthSecret \"$secret\"\n";
}

Like this you can display the web application and restrict it if you are authenticated in the server-manager…the solution of the random URL is nice also, but not secure enough.

1 Like

2 posts were merged into an existing topic: Apache TKTAuth for modules proposal

Ok, I will try to have a go next week; this week is like a mini FOSDEM for me…good time, meet people, share on code!!!

What else :slight_smile:

The action /etc/e-smith/events/actions/nethserver-directory-init-admin in NS6 is probably a good starting point.

Caution! getent calls would not work before nethserver-sssd-save event!

1 Like

Sorry but …I couldn’t resist! :blush:

This is my idea:

https://github.com/NethServer/nethserver-directory/compare/master...DavidePrincipi:admin

(TODO: don’t know how to set executable permissions on GitHub web interface)

1 Like

thanks :slight_smile:

Opened issue

1 Like

Let’s think about the admin user name for a while. What should be the default value we put in the config DB?

Candidates are:

  • administrator, the default in the Microsoft world
  • admin, the default in ns6 and many other software projects out there

Initially I was thinking about the first, to keep things consistent between AD and LDAP providers. I was talking about this with @filippo_carletti, @giacomo and @nrauso and came to the following conclusion:

…well, maybe @stephdl is laughing at me but… I prefer admin. At the end of the day, let’s get it back!

If we go with admin, we should create it in our Samba Active Directory when the domain is configured the first time. This can be done automatically. Also (as @nrauso suggests) the default administrator AD account could be disabled, as happens in the latest Windows versions.

For an existing Active Directory where we cannot write, as for any other LDAP DB where we don’t have write access, the last resort is a manual procedure, like:

config setprop admins user SOMEUSER group SOMEGROUP
signal-event ...

For the last scenario, our LDAP configuration in nethserver-directory, the admin user and administrators group can be created automatically.

In any case, the default admin user and group is created only on brand new installations. Existing account databases are never touched!

3 Likes