Accounts provider update

accounts-provider
v7

(Davide Principi) #1

@giacomo and I finally managed to release these long awaited features! :tada:

After a few (re)iterations of development/testing/fixing, the new UI for accounts provider management and the ns6 upgrade are available from the nethserver-updates repository. Briefly,

on running systems, after updates are installed:

  • local accounts provider can be uninstalled
  • Samba DC can be updated to 4.6

on new installations, download updates from the Software Center before configuring the Accounts provider.

Let’s see what’s new!

Accounts provider

  • Both AD and LDAP local accounts provider can be installed/uninstalled from Accounts provider page
  • LDAP remote accounts provider: connection parameters are probed automatically
  • AD remote accounts provider: NetBIOS domain name and LDAP connection parameters are probed automatically
  • AD local accounts provider:
    • you can assign any DNS domain/Realm to AD. It is no longer bound to the host domain name. This fixes many issues with mail server configurations
    • Upgrade the Samba DC to 4.6 from UI
    • DC runs NTP server
  • Change the IP of the nsdc Linux Container: available with a shell script
  • Server Manager LDAP client uses GSSAPI authentication method (no additional domain credentials needed); no more limits on returned entries number (perldoc NethServer::LdapClient)

Please read carefully the updated “Accounts provider” page in Admin’s manual for more details:

http://docs.nethserver.org/en/v7/accounts.html

ns6 upgrade

  • backup/restore strategy. If LDAP server (nethserver-directory) was installed in ns6, it is restored as LDAP local accounts provider in ns7
  • LDAP local accounts provider can be upgraded to Samba AD from the “Accounts provider” page, if Samba was installed in ns6

Please read carefully the updated “Upgrade from ns6” page in Admin’s manual for more details:

http://docs.nethserver.org/en/v7/upgrade.html

sme8 migration

Many fixes. See http://docs.nethserver.org/en/v7/migration.html

What’s next

  • Allow changing the host FQDN after an accounts provider has been configured
  • Add NethServer as a new DC to an existing Active Directory domain
  • Change the IP of the nsdc Linux Container also from UI

More info

https://github.com/NethServer/dev/issues/5253
https://github.com/NethServer/dev/issues/5234


(Davide Principi) #2

(Gabriel GHEORGHIU) #3

Already in Software Center!

Congrats!

Gabriel


(Nicola) #4

Kudos to all development team! :wink:


(Dominik) #5

Thank you dev team !
How to send you beer(s) :wink: ?


(Gordon) #6

I think the new Accounts Provider is great, but this may be a bug.

Firstly it added the AD and secondly the NetBIOS it picked. I did change them before SUBMIT but the result was admin@com.au.
Will have a look if pre-setting the required domain and workgroup in the configuration DB solves the issue.

This is fresh install of NS7 with no user data imported as yet.


(Gabriel GHEORGHIU) #7

Hi @compsos ,

I also did not test the change of an existing Samba AD domain: Domain name and/or Domain IP.
Just the upgrade of an existing Samba AD domain.

On the NS which was installed from scratch, first I installed OpenLDAP, after that I uninstalled it and then I installed and configured Samba AD without issues (1. DNS Domain name; 2. NetBIOS domain name; 3. Domain Controller IP address, which must be different from the NS IP address but from the same network segment).

If I understand well, you wanted to change the name of an existing AD domain but the operation failed?


(Gordon) #8

Hi @GG_jr
I did not do any of the OpenLDAP as in the previous arrangement it was either OpenLDAP or AD and not both.
My target is a new system to which I will import the users and eventually their data. So the boxes coming up with .com.au and COM was not a surprise but when I entered the required values and submitted, the system ignored my entries and produced a domain .com.au with admin@com.au.
The uninstall routine does seem to have reversed out the AD OK so now looking for how to get it to process the correct data.


(Gordon) #9

Hi @GG_jr
Just tried modifying the configuration DB but DomainName is protected and does not change
"[WARNING] configuration DB: DomainName is deprecated on ns7 and read-only!
[root@bament ~]# config show DomainName
DomainName=com.au"
I would expect I need to edit the DomainName and then the AD will come out correct.

So looking at your text tried putting in a local OpenLDAP configuration but it returns
LDAP URI: ldap://127.0.0.1

Base DN
dc=directory,dc=nh
User DN
ou=People,dc=directory,dc=nh
Group DN
ou=Groups,dc=directory,dc=nh

Bind DN
cn=ldapservice,dc=directory,dc=nh
Bind password

Have I missed a step somewhere or is the code being stubborn?

The following shows the confusion occurring. Some entries in the conf files are “com.au” and others are correct, “domainname.com.au”. The incorrect entries are calling the configuration DB DomainName property, which is read-only!!

Binary file /etc/aliases.db matches
/etc/amavisd/amavisd.conf:$mydomain = 'domainname.com.au';
/etc/amavisd/amavisd.conf:@local_domains_maps = ( ['domainname.com.au','domainname.localdomain','localhost','domainname.com.au'] ); # list of all local domains
/etc/amavisd/amavisd.conf:@spam_lovers_maps = (['postmaster@domainname.com.au','postmaster@domainname.localdomain','postmaster@localhost','postmaster@domainname.com.au']);
/etc/cups/cupsd.conf:ServerAdmin admin**@com.au**
/etc/dnsmasq.conf:domain=com.au
/etc/dnsmasq.conf:mx-host=com.au,smtp.com.au
/etc/dnsmasq.conf:srv-host=_xmpp-client._tcp.com.au,domainname.com.au,5222,0,5
/etc/dnsmasq.conf:srv-host=_xmpp-server._tcp.com.au,domainname.com.au,5269,0,5
/etc/dovecot/dovecot.conf: prefix = Shared/%%n@com.au/
/etc/ejabberd/ejabberd.cfg:{hosts, ["com.au"]}.
/etc/ejabberd/ejabberd.cfg:%{domain_certfile, "com.au", "/etc/ejabberd/ejabberd.pem"}.
/etc/ejabberd/ejabberd.cfg: {mod_echo, [{host, "echo.com.au"}]},
/etc/hostname:srv.domainname.com.au
/etc/hosts:192.168.220.1 domainname.com.au domainname smtp.com.au imap.com.au pop.com.au pop3.com.au domainname.domainname.com.au
/etc/httpd/admin-conf/httpd.conf:ServerAdmin root.com.au
/etc/krb5.conf: domainname.com.au = domainname.COM.AU
/etc/krb5.conf: .domainname.com.au = domainname.COM.AU
/etc/lvm/archive/VolGroup_00000-1652244450.vg:creation_host = "domainname.com.au" # Linux domainname.com.au 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
/etc/lvm/archive/VolGroup_00000-1652244450.vg: creation_host = "domainname.com.au"
/etc/lvm/archive/VolGroup_00000-1652244450.vg: creation_host = "domainname.com.au"
/etc/lvm/backup/VolGroup:creation_host = "domainname.com.au" # Linux domainname.com.au 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64
/etc/lvm/backup/VolGroup: creation_host = "domainname.com.au"
/etc/lvm/backup/VolGroup: creation_host = "domainname.com.au"
Binary file /etc/openldap/certs/cert8.db matches
/etc/openvpn/host-to-net.conf:push "dhcp-option DOMAIN com.au"
/etc/postfix/main.cf:virtual_mailbox_domains = com.au
/etc/postfix/main.cf:virtual_alias_domains = domainname.com.au
/etc/postfix/virtual:postmaster@domainname.com.au postmaster
Binary file /etc/postfix/virtual.db matches
/etc/postfix/internal_access:com.au reject
/etc/postfix/internal_access:localhost.com.au reject
/etc/postfix/internal_access:domainname.com.au reject
Binary file /etc/postfix/internal_access.db matches
/etc/resolv.conf:domain com.au
/etc/resolv.conf:search com.au
/etc/resolv.conf.save:search com.au
/etc/sssd/sssd.conf:domains = com.au
/etc/sssd/sssd.conf:default_domain_suffix = com.au
/etc/sssd/sssd.conf:[domain/com.au]

OK, a bit more investigation and it looks like an intended design. So how is the AD more flexible if you cannot set the DNS domain name or NetBIOS name?
From the config.pm file:

    # SystemName, DomainName and TimeZone are refused as writes to the configuration DB
    if ($self->{FILENAME} eq '/var/lib/nethserver/db/configuration') {
        if ($key eq 'SystemName'
            || $key eq 'DomainName'
            || $key eq 'TimeZone') {
            warn("[WARNING] configuration DB: $key is deprecated on ns7 and read-only!\n");
        }
    }


(Gordon) #10

@GG_jr
OK, solved it. Where the initial setup says domainname it actually needs hostname.domainname. If it has been done incorrectly then go to the Server Name in the server-manager and re-enter it as hostname.domainname and then submit.
Sorry for all the questions but could not correct it in the configuration database.


(Gabriel GHEORGHIU) #11

Sorry, but I’m a little bit confused.
Please correct me if I’m wrong:

You want to create a Domain Controller for your organisation.
Your FQDN is ad.com.au, where:

  • the Host name is ad
  • the Domain name is com
  • the Top level domain name is .au (or the correct is .com.au ?)

When you will configure an Active Directory domain, you will use:

  • for DNS domain name: ad.com.au
  • for NetBIOS domain name: ad
  • for Domain Controller IP address: a free IP different than the NS IP address but from the same network segment.

I think you missed the FQDN format, which must be as follows:

[hostname].[domain].[tld]

[ad].[?].[com.au]
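As an added example, not NethServer's code and not part of any post above, the POSIX shell script below covers the mix-up worked through in posts #9 and #10 and the FQDN format spelled out in post #11: the server name is split at its first dot into host name and DNS domain, so a server name of "domainname.com.au" yields the domain "com.au", which then lands in every file generated from DomainName. The script checks a server name against the domain you actually intend to use, and re-runs the grep from post #9 against two constructed files shaped like the /etc/resolv.conf and /etc/postfix/main.cf lines quoted there to count entries that still carry the wrong domain. The function names and the sample file contents are my own; only the domain values come from the thread.

```shell
#!/bin/sh
# Added example, not NethServer's own code. It models the failure traced in
# this thread: the server name (FQDN) is split at the first dot into host name
# and DNS domain, so entering "domainname.com.au" as the server name yields the
# domain "com.au", which then ends up in every file generated from DomainName.
# The sample file contents below are constructed from the grep output quoted
# in the thread.

# derive_domain FQDN -> prints everything after the first dot (empty if none)
derive_domain() {
    case "$1" in
        *.*) printf '%s\n' "${1#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# check_fqdn FQDN WANTED_DOMAIN -> 0 when the domain derived from FQDN is the
# domain intended for AD and mail, 1 otherwise (warning with the fix on stderr)
check_fqdn() {
    _fqdn=$1
    _want=$2
    _got=$(derive_domain "$_fqdn")
    if [ "$_got" != "$_want" ]; then
        printf 'WARN: %s splits into host=%s domain=%s (wanted %s); use <hostname>.%s\n' \
            "$_fqdn" "${_fqdn%%.*}" "$_got" "$_want" "$_want" >&2
        return 1
    fi
    printf 'OK: host=%s domain=%s\n' "${_fqdn%%.*}" "$_got"
}

# stale_refs BAD_DOMAIN GOOD_DOMAIN FILE... -> writes file:line for every line
# that mentions BAD_DOMAIN without it being part of GOOD_DOMAIN to stderr and
# prints the number of such lines (0 means the templates were regenerated cleanly)
stale_refs() {
    _bad=$1
    _good=$2
    shift 2
    _n=0
    for _f in "$@"; do
        [ -r "$_f" ] || continue
        # "|| true" keeps a no-match grep from aborting a "set -e" shell
        _hits=$(grep -n -F -- "$_bad" "$_f" | grep -v -F -- "$_good" || true)
        [ -n "$_hits" ] || continue
        printf '%s\n' "$_hits" | sed "s|^|$_f:|" >&2
        _n=$((_n + $(printf '%s\n' "$_hits" | wc -l)))
    done
    printf '%s\n' "$_n"
}

# make_sample_configs DIR -> writes two constructed files shaped like the
# /etc/resolv.conf and /etc/postfix/main.cf lines quoted in the thread
make_sample_configs() {
    printf 'domain com.au\nsearch com.au\n' > "$1/resolv.conf"
    printf 'virtual_mailbox_domains = com.au\nvirtual_alias_domains = domainname.com.au\n' \
        > "$1/main.cf"
}

# Demonstration on the values from the thread
check_fqdn domainname.com.au domainname.com.au || :   # the broken server name
check_fqdn srv.domainname.com.au domainname.com.au    # the corrected one
_dir=$(mktemp -d)
make_sample_configs "$_dir"
stale_refs com.au domainname.com.au "$_dir/resolv.conf" "$_dir/main.cf"   # prints 3
rm -rf "$_dir"
```

On a real system you would pass the generated files from the grep in post #9 (for example /etc/resolv.conf, /etc/postfix/main.cf, /etc/sssd/sssd.conf) to stale_refs after correcting the server name and letting the templates expand; a count above zero means a file was not regenerated and still carries the old domain.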


(Gabriel GHEORGHIU) #12

Now I see your last post.
Good to hear that everything is OK!


(Alessio Fattorini) #13

I’m putting that improvement on our new newsletter :slight_smile:
What about these steps :top: ? Do you have any plan?


(Davide Principi) #14

Allow changing the host FQDN after an accounts provider has been configured

No developments yet.

Add NethServer as a new DC to an existing Active Directory domain

Updated the wiki page, useful for migrations from other Samba 4 / Microsoft systems. However a multiple DC forest has some implications on the backup/restore side and cannot be trivially implemented.

Change the IP of the nsdc Linux Container also from UI

Giacomo has implemented the procedure, it is now in the junior-jobs list.


I’m focused on the Backup UI. We have now three big improvements for our next ISO release (7.3.1707?):

  1. Accounts provider configuration
  2. Start restore from post-install procedure and config-backup history
  3. @stephdl’s diagtools

I know @giacomo is working hard on a new OpenVPN net2net page!


(Alessio Fattorini) #15

Just opened a new topic for that:

Looks great.
17-07? Did you plan a date yet? :slight_smile:


(Walter Ferry Dissmann) #16

This is great news too! :smiley: