davidep
(Davide Principi)
June 15, 2017, 7:35am
7
Yes! I should reproduce this one, too… It is complex to reproduce in a development environment, though. Please be patient. I hope other people help us to confirm the second bug.
Well, the first problem (bind-on-alias-ip ) seems trivial.
I’d prefer my fix only because the implementation is straightforward and I love removing code. However, it still does not prove it is as effective as yours.
Your fix is definitely better than mine: less invasive, no possibility of regression.
The second problem (connect-nsdc-from-vpn ) must be investigated. Yes, I’d open a separate thread once it is reproducible.
sharpec
(EnzoC)
June 15, 2017, 7:57am
8
However, the connection fails not only over VPN, but also locally.
1 Like
davidep
(Davide Principi)
June 15, 2017, 8:00am
9
There’s also a third problem: during the restore-config procedure, if the IP configuration is not applied automatically, smbd and nmbd wait indefinitely for that specific IP list to appear.
The wildcard approach would prevent the third problem.
sharpec
(EnzoC)
June 15, 2017, 8:14am
10
I have checked this:
netstat -an |grep 389
tcp 0 0 192.168.1.241:48668 192.168.1.2:389 ESTABLISHED
192.168.1.2 is a bridged nsdc interface of DC
LDAP problem with alias IP?
davidep
(Davide Principi)
June 15, 2017, 8:32am
11
I’m not sure I understand your network configuration. Could you attach the output of
db networks show
config show sssd
config show nsdc
sharpec
(EnzoC)
June 15, 2017, 8:35am
12
[root@samba log]# db networks show
192.168.18.0=network
Description=
Mask=255.255.255.0
192.168.180.0=network
Description=vpn
Mask=255.255.255.0
br0=bridge
gateway=192.168.1.254
ipaddr=192.168.1.241
netmask=255.255.255.0
role=green
br0:0=alias
ipaddr=192.168.12.241
netmask=255.255.255.0
role=alias
br1=bridge
FwInBandwidth=
FwOutBandwidth=
bootproto=none
gateway=
ipaddr=192.168.10.241
netmask=255.255.255.0
role=green
em1=ethernet
FwInBandwidth=
FwOutBandwidth=
bridge=br0
role=bridged
em2=ethernet
FwInBandwidth=
FwOutBandwidth=
bootproto=none
bridge=br1
role=bridged
em3=ethernet
bootproto=none
role=
em4=ethernet
role=
ppp0=xdsl-disabled
AuthType=auto
FwInBandwidth=
FwOutBandwidth=
Password=
name=PPPoE
provider=xDSL provider
role=red
user=
[root@samba log]# config show sssd
sssd=service
AdDns=192.168.1.2
LdapURI=
Provider=ad
Realm=XXXXX.IT
Workgroup=XXXXX
status=enabled
[root@samba log]# config show nsdc
nsdc=service
IpAddress=192.168.1.2
ProvisionType=newdomain
bridge=br0
status=enabled
1 Like
davidep
(Davide Principi)
June 15, 2017, 8:41am
13
sharpec:
netstat -an |grep 389
It is a normal condition: it is a connection between your local br0 green (192.168.1.241) and the remote nsdc LDAP server.
Probably it is the sssd LDAP client opening that socket.
# ss -np 'dport = 389'
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp ESTAB 0 0 192.168.5.252:45260 192.168.5.251:389 users:(("sssd_be",pid=2526,fd=29))
sharpec
(EnzoC)
June 15, 2017, 8:46am
14
OK, but in my case br0 and the nsdc LDAP server are on the same machine:
192.168.1.241 physical network
192.168.1.2 bridged DC network
192.168.12.241 bridged ipsec network
same machine, same interface br0
davidep
(Davide Principi)
June 15, 2017, 8:49am
15
Could you paste also (an excerpt of) /var/log/firewall.log?
sharpec
(EnzoC)
June 15, 2017, 8:56am
16
Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57
Last entry, before adding network 18 to the safe networks.
12.248 is a VM on the same samba machine.
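The Shorewall line above, as an added example that is not part of the thread: a small parser for the kernel log format, plus a check of the packet’s source against the networks NethServer treats as trusted (the `network` records and the green interfaces from `db networks show`). The log line is the one posted; the db excerpt is the posted dump re-indented the way the `db` command prints it (properties indented under their record line), because the forum paste lost that indentation. The "before" variant, with the 192.168.18.0 record removed, is constructed to match sharpec’s remark that the line predates adding network 18. Counting only `network` records and green interfaces as trusted is an assumption of this example, not NethServer’s own rule set.

```python
"""Parse a Shorewall kernel log line and check its SRC against the trusted
networks recorded in `db networks show`.

Added example by the editor; not code from the thread or from NethServer.
"""
import ipaddress
import re

# The line sharpec posted from /var/log/firewall.log.
SHOREWALL_LINE = (
    "Jun 12 10:05:24 samba kernel: Shorewall:net2loc:DROP:IN=br0 OUT=br0 "
    "PHYSIN=em1 PHYSOUT=vnet0 MAC=52:54:00:70:bf:d5:18:03:73:f1:9c:f5:08:00 "
    "SRC=192.168.18.24 DST=192.168.12.248 LEN=92 TOS=0x00 PREC=0x00 TTL=3 "
    "ID=32300 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=57"
)

# Excerpt of the posted `db networks show`, re-indented as `db` prints it
# (assumption: the forum paste lost the four-space property indentation).
DB_NETWORKS_AFTER = """\
192.168.18.0=network
    Description=
    Mask=255.255.255.0
192.168.180.0=network
    Description=vpn
    Mask=255.255.255.0
br0=bridge
    gateway=192.168.1.254
    ipaddr=192.168.1.241
    netmask=255.255.255.0
    role=green
br0:0=alias
    ipaddr=192.168.12.241
    netmask=255.255.255.0
    role=alias
br1=bridge
    ipaddr=192.168.10.241
    netmask=255.255.255.0
    role=green
"""
# Constructed "before" state: the same dump without the 192.168.18.0 record.
DB_NETWORKS_BEFORE = "\n".join(DB_NETWORKS_AFTER.splitlines()[3:]) + "\n"

_HEAD = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")


def parse_shorewall(line):
    """Return chain, action and the KEY=VALUE fields of a Shorewall log line."""
    m = _HEAD.search(line)
    if not m:
        raise ValueError("not a Shorewall log line")
    fields = {"chain": m.group("chain"), "action": m.group("action")}
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("rest")):
        fields.setdefault(key, val)  # first ID= is the IP header's, not ICMP's
    return fields


def parse_db_networks(text):
    """Group the e-smith dump into {record_name: {'type': ..., prop: value}}."""
    records, current = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, _, val = raw.strip().partition("=")
        if raw[0].isspace():          # indented: a property of the current record
            if current is not None:
                records[current][key] = val
        else:                         # record line: name=type
            current = key
            records[current] = {"type": val}
    return records


def trusted_networks(db_text):
    """`network` records plus the subnets of green interfaces (assumption)."""
    nets = []
    for name, rec in parse_db_networks(db_text).items():
        if rec["type"] == "network" and rec.get("Mask"):
            nets.append(ipaddress.ip_network(f"{name}/{rec['Mask']}", strict=False))
        elif rec.get("role") == "green" and rec.get("ipaddr") and rec.get("netmask"):
            nets.append(ipaddress.ip_network(f"{rec['ipaddr']}/{rec['netmask']}", strict=False))
    return nets


def source_is_trusted(line, db_text):
    """True if the SRC of the log line lies in one of the trusted networks."""
    src = ipaddress.ip_address(parse_shorewall(line)["SRC"])
    return any(src in net for net in trusted_networks(db_text))


if __name__ == "__main__":
    f = parse_shorewall(SHOREWALL_LINE)
    print(f"{f['chain']} {f['action']} {f['SRC']} -> {f['DST']} "
          f"({f['IN']}/{f['PHYSIN']} -> {f['OUT']}/{f['PHYSOUT']})")
    print("trusted before adding network 18:", source_is_trusted(SHOREWALL_LINE, DB_NETWORKS_BEFORE))
    print("trusted after adding network 18: ", source_is_trusted(SHOREWALL_LINE, DB_NETWORKS_AFTER))
```

The net2loc chain name in the line is the useful bit: the source was classified in the `net` zone, which is what you expect while 192.168.18.0/24 is absent from the trusted networks, and the PHYSIN/PHYSOUT pair shows the packet was bridged from em1 to the VM’s vnet0 on br0 rather than routed.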
davidep
(Davide Principi)
June 15, 2017, 9:04am
17
Are you running KVM, too? How many services did you install?
rpm -qa | grep ^neth
sharpec
(EnzoC)
June 15, 2017, 9:13am
18
nethserver-firewall-base-3.2.1-1.ns7.noarch
nethserver-firewall-base-ui-3.2.1-1.ns7.noarch
nethserver-base-3.0.22-1.ns7.noarch
nethserver-avahi-1.1.0-1.ns7.noarch
nethserver-duc-1.4.2-1.ns7.noarch
nethserver-mail-smarthost-0.1.1-1.ns7.noarch
nethserver-lang-en-1.1.10-1.ns7.noarch
nethserver-mysql-1.1.1-1.ns7.noarch
nethserver-httpd-3.1.4-1.ns7.noarch
nethserver-bandwidthd-1.0.2-1.ns7.noarch
nethserver-yum-1.4.1-1.ns7.noarch
nethserver-nethforge-release-7-0.3.ns7.noarch
nethserver-memcached-1.1.0-1.ns7.noarch
nethserver-libvirt-1.1.0-1.ns7.noarch
nethserver-stephdl-1.0.0-2.ns7.sdl.noarch
nethserver-lsm-1.2.3-1.ns7.noarch
nethserver-dnsmasq-1.6.4-1.ns7.noarch
nethserver-net-snmp-1.1.0-1.ns7.noarch
nethserver-lib-2.2.3-1.ns7.noarch
nethserver-letsencrypt-1.1.4-1.ns7.noarch
nethserver-openssh-1.2.1-1.ns7.noarch
nethserver-sssd-1.2.1-1.ns7.noarch
nethserver-release-7-3.ns7.noarch
nethserver-cgp-2.1.2-1.ns7.noarch
nethserver-unbound-1.1.0-1.ns7.noarch
nethserver-ibays-3.1.1-1.ns7.noarch
nethserver-lang-it-1.1.10-1.ns7.noarch
nethserver-vsftpd-1.1.0-1.ns7.noarch
nethserver-httpd-admin-2.0.11-1.ns7.noarch
nethserver-cups-1.2.0-1.ns7.noarch
nethserver-hosts-1.2.1-1.ns7.noarch
nethserver-mail-common-1.6.3-1.ns7.noarch
nethserver-smartd-1.1.0-1.ns7.noarch
nethserver-dc-1.2.3-1.ns7.x86_64
nethserver-tomcat-1.1.0-1.ns7.noarch
nethserver-backup-data-1.3.1-1.ns7.noarch
nethserver-webvirtmgr-1.1.1-1.ns7.noarch
nethserver-crontabmanager-0.0.7-1.ns7.sdl.noarch
nethserver-samba-2.0.7-1.ns7.noarch
nethserver-backup-config-1.5.6-1.ns7.noarch
nethserver-postgresql-1.1.0-1.ns7.noarch
nethserver-antivirus-1.2.1-1.ns7.noarch
nethserver-phonehome-1.2.1-1.ns7.noarch
nethserver-samba-audit-1.1.2-1.ns7.noarch
nethserver-spamd-1.0.0-1.ns7.noarch
nethserver-collectd-3.0.5-1.ns7.noarch
nethserver-restore-data-1.2.3-1.ns7.noarch
nethserver-php-1.2.0-1.ns7.noarch
nethserver-ntp-1.1.3-1.ns7.noarch
Hardware
Connection qemu:///system
Hostname samba.xxxxx.it
Hypervisor qemu
Memory 63,9 GB
Logical CPUs 40
Processor Intel(R) Xeon(R) CPU E5-2630 v4 @ 2.20GHz
Architecture x86_64
Virtual Machine
erpnext Running 4 8192MB
mail-xxxx Running 2 2048MB
mysql Running 8 16384MB
target Running 4 8192MB
web Running 2 4096MB
too many?
1 Like
davidep
(Davide Principi)
June 20, 2017, 2:58pm
19
I tried to configure a similar system on a VPS with red+green interface,
host IP <green>.2
configured Active Directory DC IP <green>.7
configured IPsec tunnels
I can ping the host <green>.2
from the remote network. However the DC IP does not respond.
To fix this situation I did the following:
yum --installroot=/var/lib/machines/nsdc install iproute iputils bind-utils
systemd-run -M nsdc -t /bin/bash
From nsdc shell:
ip ro add default via <green>.2
Created <green>.22 and <green>.1 aliases: smbd seems to bind on the first IP, <green>.1.
Applied the proposed workaround above: I can connect from smbclient on the remote network.
@sharpec , please see if defining a default route in your nsdc container fixes your connection problems with DC (and file server).
1 Like
sharpec
(EnzoC)
June 20, 2017, 3:29pm
20
I have to admit I’m a little afraid to do this on DC
1 Like
sharpec
(EnzoC)
June 21, 2017, 6:50am
21
ok, I’m doing right now,
But I have problems when I have to enter the static route. In fact, I cannot enter it:
ip ro add 192.168.18.0/24 via 192.168.12.253
-------------------remote net------------ip of FW with vpn ipsec
ip ro add 192.168.18.0/24 via 192.168.12.253
RTNETLINK answers: Network is unreachable
ip a
host0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
link/ether 1a:d0:ba:25:2c:52 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 192.168.1.2/24 brd 192.168.1.255 scope global host0
valid_lft forever preferred_lft forever
inet 192.168.12.2/32 scope global host0:1
valid_lft forever preferred_lft forever
inet6 fe80::18d0:baff:fe25:2c52/64 scope link
valid_lft forever preferred_lft forever
In essence it is the same logic I used for all the machines I want to publish over the IPsec VPN: alias IP and static route!
Why should I set it as default?
Why does it come in locally with the direct IP? Does everything else get sent to the gateways?
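Why `ip ro add 192.168.18.0/24 via 192.168.12.253` is refused in the container while Davide’s `ip ro add default via <green host>` is accepted, as an added example that is not part of the thread (editor’s code, not NethServer’s): the kernel only accepts a `via` gateway that is itself covered by a connected (link-scope) route, and a /32 alias such as the posted `192.168.12.2/32 scope global host0:1` installs no such route for 192.168.12.0/24, so `ip route add` returns ENETUNREACH, the "Network is unreachable" seen above. A default route does not help, because the gateway lookup ignores routes that themselves go via another gateway. The model below takes the addresses from the posted `ip a` output; the container’s default route via 192.168.1.254 is assumed from Davide’s statement that the nsdc configuration uses the green gateway as its only route, the `192.168.12.0/24 dev host0` fix is hypothetical, and 192.168.1.241 stands in for "the NethServer host" in Davide’s suggestion.

```python
"""Model the kernel's gateway-reachability rule for `ip route add ... via GW`.

Added example by the editor; not code from the thread or from NethServer.
"""
import errno
import ipaddress
from typing import List, Optional


class Route:
    def __init__(self, prefix, dev, via=None):
        self.prefix = ipaddress.ip_network(str(prefix), strict=False)
        self.dev = dev
        self.via = ipaddress.ip_address(via) if via else None  # None: connected route

    def __repr__(self):
        via = f" via {self.via}" if self.via else ""
        return f"{self.prefix}{via} dev {self.dev}"


class RouteTable:
    """A small model of the container's IPv4 forwarding table."""

    def __init__(self, addresses: List[str]):
        self.routes: List[Route] = []
        for entry in addresses:                      # e.g. "192.168.1.2/24 dev host0"
            cidr, _, dev = entry.partition(" dev ")
            iface = ipaddress.ip_interface(cidr)
            # The kernel installs a connected route only for prefixes shorter than
            # /32, so the /32 alias on host0:1 yields no route to 192.168.12.0/24.
            if iface.network.prefixlen < 32:
                self.routes.append(Route(iface.network, dev.strip()))

    def lookup(self, dest) -> Optional[Route]:
        """Longest-prefix match, like `ip route get`."""
        dest = ipaddress.ip_address(dest)
        matches = [r for r in self.routes if dest in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)

    def add(self, prefix, via=None, dev=None, onlink=False) -> Route:
        """Mimic `ip route add PREFIX [via GW] [dev DEV] [onlink]`."""
        if via is not None and not onlink:
            nexthop = self.lookup(via)
            # The gateway must be reachable through a connected route; a match on
            # a route that itself goes via another gateway (the default) is rejected.
            if nexthop is None or nexthop.via is not None:
                raise OSError(errno.ENETUNREACH, "Network is unreachable")
            dev = dev or nexthop.dev
        if dev is None:
            raise ValueError("dev required")
        route = Route(prefix, dev, via)
        self.routes.append(route)
        return route


# Addresses from the posted `ip a` inside the nsdc container.
NSDC_ADDRS = ["192.168.1.2/24 dev host0", "192.168.12.2/32 dev host0"]


def nsdc_table() -> RouteTable:
    table = RouteTable(NSDC_ADDRS)
    table.add("0.0.0.0/0", via="192.168.1.254")  # green gateway as default (assumed)
    return table


def try_static_route(table, prefix, via) -> str:
    """Return the route added, or the error text `ip` would print."""
    try:
        return str(table.add(prefix, via=via))
    except OSError as exc:
        return f"RTNETLINK answers: {exc.strerror}"


def sharpec_attempt() -> str:
    """The command from the post: gateway 192.168.12.253 is not on-link."""
    return try_static_route(nsdc_table(), "192.168.18.0/24", "192.168.12.253")


def with_connected_route() -> str:
    """Hypothetical fix: give the alias network a connected route first."""
    table = nsdc_table()
    table.add("192.168.12.0/24", dev="host0")
    try_static_route(table, "192.168.18.0/24", "192.168.12.253")
    return str(table.lookup("192.168.18.24"))


def davide_workaround() -> str:
    """Default route via the on-link NethServer host (192.168.1.241 assumed)."""
    table = RouteTable(NSDC_ADDRS)
    table.add("0.0.0.0/0", via="192.168.1.241")
    return str(table.lookup("192.168.18.24"))


if __name__ == "__main__":
    print(sharpec_attempt())
    print(with_connected_route())
    print(davide_workaround())
```

Either approach gets packets for 192.168.18.0/24 out of the container; the difference is who routes them afterwards. With the connected route the container sends them straight to the IPsec firewall at 192.168.12.253; with Davide’s default route they go to the NethServer host, which already holds the VPN routes.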
davidep
(Davide Principi)
June 21, 2017, 8:04am
22
I’m sorry, my bad: your configuration does not have a red interface! However it is really complex!
IIUC you have two green networks and need to communicate with other networks behind a VPN router…
At the moment, the nsdc network configuration sets the green network gateway as the default (and only) route. That gateway alone is responsible for all packet routing.
We are planning to set NethServer itself as gateway, if a red interface is present. This scenario is still not covered by our configuration and needs to be fixed.
Meanwhile I’d move forward with the original problem:
sharpec
(EnzoC)
July 13, 2017, 2:09pm
23
Sorry @davidep You think I’ve exaggerated with the services?
davidep
(Davide Principi)
July 14, 2017, 1:47pm
24
NethServer has a modular design and is often considered an all-in-one server. It’s perfectly fine to install all modules on a single system, however if something is not working properly it’s more difficult to debug.
Some people prefer to split the roles across different machines, especially the firewall and everything else.
1 Like
davidep
(Davide Principi)
Split this topic
October 4, 2017, 4:25pm
25
A post was split to a new topic: SMB access denied with VPNs