Custom data backup

Thanks for your reply and advice @mrmarkuz.

I’ll wait for @Andy_Wismer’s How to. I hope that will help solve the problems.
Unfortunately, the dummy interface cannot be created after installing the Nethserver ISO because both interfaces (Red and Green) are required during installation. In the case of VPS, the service provider only secures one (WAN, Red) interface, so a dummy interface is required, which can only be installed on the CentOS minimum.

The advantage of the dummy interface is that the VPS does not have a LAN-side (Green) interface, so no one can connect to it on site. And the console and WAN interface can be properly protected. I think these are important things for a Nethserver run by a service provider.

@mrmarkuz I got another network card and installed Nethserver on another PC. So Nethserver now has two physical network interfaces and so we can rule out the dummy interface problem. I configured the WAN and the LAN interface but did not create Active Directory and users. I upgraded the system but did not install any applications.

I then restored the configuration save of the working Nethserver again. I selected network recovery and the appropriate WAN and LAN interfaces.

After restoring, the LAN interface does not work, Active Directory is not installed, and there are no users. Applications running on the LAN interface indicate an error. Understandable.

I don’t understand the whole thing. How do I reset the config to restore the server?
What if I need to restore my system on a VPS?

Did you set another container IP?

Just to understand:

What network configuration do you have on the source server?
What backup type/engine did you use? rsync, duplicity to smb or sftp…

I think it’s no problem to restore a backup to the same VPS.
For migration from server to VPS, the manual rsync may be the better method.

Yes, I set it up.

The source server
WAN (RED) IP:192.168.1.150
LAN (GREEN) IP: 192.168.10.2
NSDC IP: 192.168.10.151

I’m still in the process of restoring the config save. I configured and downloaded the config backup under System / Backup using the built-in backup features. Then I loaded it from a USB flash drive to the target server.

I did another try this morning. I created a new target Nethserver with two physical NICs (reinstalled from the Nethserver ISO) and with the same network and NSDC settings as the source server but I did not create the group and user on the source server. I did not install the applications on the source server, but I did update the packages on the target server.

I created a config backup on the source server and restored it on the destination server and selected to restore the network configuration.

After rebooting, apparently everything is restored on the target server from the config backup but the DC group and users are missing.

Also, I don’t see any other errors, NSDC is running and the network interfaces are up.

The next step would be to restore the data backup but I can’t start it until the config restore works properly. And it’s not a VPS with a virtual interface yet.

Why? Maybe the data restore fixes the issue.

Because there are no DC users and groups. It can be seen in the attached image.

If I restore the data backup then it will not be able to restore the backup to set the owner of the files.
According to the documentation:
Disaster recovery
Other restored configurations:
Users and groups
SSL certificates

According to this, config restore restores users and groups. But there is no Admin or Administrator here either.

I assume you recreated the bridge. Can you ping the DC IP?

Does the following work? It should show your AD settings:

account-provider-test dump

It should be there. Maybe the “reinstall packages” option didn’t work? The packages need to be downloaded so maybe it’s a network issue?

Of course, yes, I can ping DC IP from LAN (green) interface.

[root@nethserver ~]# account-provider-test dump
{
"BindDN" : "ldapservice@AD.MYDOMAIN.EU",
"LdapURI" : "ldaps://nsdc-nethserver.ad.mydomain.eu",
"DiscoverDcType" : "ldapuri",
"StartTls" : "",
"port" : 636,
"host" : "nsdc-nethserver.ad.mydomain.eu",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "dc=ad,dc=mydomain,dc=eu",
"GroupDN" : "dc=ad,dc=mydomain,dc=eu",
"BindPassword" : "password",
"BaseDN" : "dc=ad,dc=mydomain,dc=eu",
"LdapUriDn" : "ldap:///dc%3Dad%2Cdc%3Dmydomain%2Cdc%3Deu"
}

It seems to me that all the packages that were on the source server were installed.
Since I upgraded the system before restoring the config backup I don’t think there would be a network problem. I tested it and it works towards name resolution and the internet.

Is the sssd service running?

systemctl status sssd -l

Does getent passwd admin work?

[root@testserver ~]# getent passwd admin
admin@domain.tld:*:123456789:123456789:admin:/var/lib/nethserver/home/admin:/bin/bash

Can you search objects in AD?

net ads search -P objectClass=User

Of course, both are running.

[root@nethserver ~]# systemctl status sssd -l
● sssd.service - System Security Services Daemon
Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2022-02-14 22:55:31 CET; 29min ago
Main PID: 1792 (sssd)
CGroup: /system.slice/sssd.service
├─1792 /usr/sbin/sssd -i --logger=files
├─2038 /usr/libexec/sssd/sssd_be --domain mydomain.eu --uid 0 --gid 0 --logger=files
├─2682 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
└─2683 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Feb 14 22:55:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 22:55:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 2
Feb 14 23:10:52 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:10:52 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:10:52 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:10:52 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 2
Feb 14 23:24:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:24:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:24:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 1
Feb 14 23:24:55 nethserver.mydomain.eu sssd_be[2038]: GSSAPI client step 2

[root@nethserver ~]# getent passwd admin
admin@mydomain.eu:*:549201105:549200513:admin:/var/lib/nethserver/home/admin:/bin/bash

So it seems only the view in server manager isn’t working?

Unfortunately, I don’t know…

[root@nethserver ~]# net ads search -P objectClass=User
Got 8 replies

I get a very long reply… It includes admin, Administrator, my teszt user, guest, etc.

OK, so AD seems to work. Does the following work? It’s used to get the users in cockpit…

/usr/libexec/nethserver/list-users -s

There is something wrong with this:

[root@nethserver ~]# /usr/libexec/nethserver/list-users -s
(49) 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1 at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 135.

I logged in to the old Server Manager and I see an error message:

Account Provider error: invalid credentials (49)

Can this help?
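
Added example, not part of the thread or of NethServer: the `data 52e` field in the error line above is the Active Directory sub-code that refines LDAP result 49, and this shell function extracts and decodes it using the commonly documented sub-code values. The function name `ad_bind_reason` and the second sample line are constructed for illustration.

```shell
#!/bin/sh
# Decode the "data XXX" sub-code that Active Directory style servers append
# to LDAP result 49 (invalid credentials) bind failures.

# Prints "<code>: <meaning>"; returns 1 if the line carries no sub-code.
ad_bind_reason() {
    code=$(printf '%s\n' "$1" |
        sed -n 's/.*AcceptSecurityContext error, data \([0-9A-Fa-f]\{1,\}\),.*/\1/p' |
        tr 'A-F' 'a-f')
    [ -n "$code" ] || return 1
    case "$code" in
        525) reason="user not found" ;;
        52e) reason="invalid credentials (wrong password or bind name)" ;;
        530) reason="logon not permitted at this time" ;;
        531) reason="logon not permitted from this workstation" ;;
        532) reason="password expired" ;;
        533) reason="account disabled" ;;
        701) reason="account expired" ;;
        773) reason="user must reset password" ;;
        775) reason="account locked out" ;;
        *)   reason="unknown sub-code" ;;
    esac
    printf '%s: %s\n' "$code" "$reason"
}

# SAMPLE_THREAD is the error line quoted in the thread.
SAMPLE_THREAD='(49) 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1 at /usr/share/perl5/vendor_perl/NethServer/LdapClient.pm line 135.'
# SAMPLE_LOCKED is constructed (placeholder DSID and version) to show another sub-code.
SAMPLE_LOCKED='(49) LdapErr: DSID-00000000, comment: AcceptSecurityContext error, data 775, v0000'

for line in "$SAMPLE_THREAD" "$SAMPLE_LOCKED"; do
    ad_bind_reason "$line" || echo "no AD sub-code in: $line"
done
```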

Is the ldapservice user there?

net ads search -P objectClass=User | grep ldapservice

Does the password work?

Get password by executing

account-provider-test dump

or it’s also saved in /var/lib/nethserver/secrets/ldapservice

Does it work to search in AD with these credentials (insert your <DC IP>)?

ldapsearch -Z -x -D ldapservice@ad.domain.tld -w 'password' -b CN=Users,DC=ad,DC=domain,DC=tld -h <DC IP>

Do you have this line in /var/lib/machines/nsdc/etc/samba/smb.conf (just to rule out that it prevents a password change for ldapservice)?

check password script = /usr/local/sbin/checkpassword.pl

[root@nethserver ~]# net ads search -P objectClass=User | grep ldapservice
cn: ldapservice
name: ldapservice
sAMAccountName: ldapservice
userPrincipalName: ldapservice@ad.mydomain.eu
distinguishedName: CN=ldapservice,CN=Users,DC=ad,DC=mydomain,DC=eu

The password is the same as in the dump and in the /var/lib/nethserver/secrets/ldapservice file.

The list below is very long but includes users.
[root@nethserver ~]# ldapsearch -Z -x -D ldapservice@ad.mydomain.eu -w 'password' -b CN=Users,DC=ad,DC=mydomain,DC=eu -h 192.168.10.151
# extended LDIF
#
# LDAPv3
# base <CN=Users,DC=ad,DC=mydomain,DC=eu> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 3
result: 0 Success

# numResponses: 25
# numEntries: 24

Can you list the groups?

/usr/libexec/nethserver/list-groups -s

Initially, there should be two groups: account and domain admin. Apparently they are.

[root@nethserver ~]# /usr/libexec/nethserver/list-groups -s
{"account":{"members":[]},"domain admins":{"members":[]}}

OK, so listing of users doesn’t work. AD is ok, groups are ok.
Do you see the groups “account” and “domain admins” in the server manager?
Do you have usernames including special characters?

I don’t see groups or users in the server manager.
There is only one user and it does not contain special characters: teszt.