For the last two days I’ve been trying to install and configure NethServer (in short referred as NS).
Title : NethServer as Active Directory, Gateway, Web server
Author: Bogdan C.
This document will describe in short how to create an infrastructure based on Nethserver as primary domain controller.
The clients will be:
One Microsoft (short MS) Windows 2012 server (or alternative MS machine)
One Linux Mint 17.1 machine.
The desired goal is to have both types of operating systems integrated with NS. So, each user from the domain will be able to log in onto each machine without any restriction, and access the resources allocated to his/her account not bounded by one architecture.
- Roaming profiles
- access to his/her shares independently on which type of machine it is using
- default applications available on both machines Libre office, Thunderbird, Web browser, Multimedia, etc. (available for both Linux/Win).
Ex: If user “X” logs into the Linux machine
His home directory from the NS will be mounted to the linux machine
And if the user “X” has access to “public” share on NS, that share will be mounted in a folder to his home directory.
The same scenario should apply if the user is going to log in onto the windows machine
Below I’ll describe the setup steps and also the personal notes of what I think it should be added as options/features.
Warning! This is a long post and it is presented as a “How-to” step by step setup.
It is not relevant for all purposes and it is done for achieving a NS installation that will be Gateway, IDS, AD, mail, web server, proxy and web filter server for a set of Virtual machines and able to scale to a large number via VmWare network Switch connected to an Ethernet card.
(The same setup should be valid for a local network with physical machines)
If you plan to do this in a virtual environment.
- You should be familiar with VmWare or other virtualisation settings and concepts.
- Also you should be able to set up a virtual machine (it’s really easy) and it will not be covered by this “How-to” since it is not in the scope. Only minor configurations will be provided when apropiate.
- Read before (but not mandatory):
- How to set up an ESX free server (or other virtualisation environment of your choosing),
- How to set up a Virtual machine,
- How to set up VmWare (or appropriate to your platform) networking for virtual machines,
Alternative to Virtual setup (with changes to comply accordingly to your setup where applicable)
You can do this with physical machines if you have enough of them and some common network equipment:
1 internet line
1 router (home grade is ok) to connect the NS to internet
1 switch to connect the 3 machines between them
Minimum 1 machine with Linux/Windows/OSx or other machine with a web browser to be able to configure the NS via web console (you can also use a tablet but it will be a pain )
Alternative Physical setup diagram:
Note: (the 2012 server is optional but it will be used in this setup as MS is set in real world. You can use a Win xp / Vista / Win7 machine as client instead of 2012)
First let me describe the setup.
1 Firewall / Router as internet Gateway for the LAN
1 Workstation with Linux mint
1 HP 110 ML G6 server
- 16 GB
- 2 x 160 hdd ESX install and Datastore for ISO’s
- 1 x 1TB hdd Datastore for virtual machines hdd and files
- 3 x 1 Gbs Nics
Vmware ESX 6 Hypervisor (can be also 5.0, 5.5, or other virtualisation setup XEN or Openstack or Proxmox VE, etc)
Definition for network
[VM network] - Virtual switch connected to real LAN via 1Gbps nic. IP 172.29.10.x; internet access
[VM internal network] - Virtual switch, used internally by the Virtual machines (bridged to a physical interface but not connected to anything yet)
VM Linux Mint : Already set up
- 20 G hdd;
- 1 Gbps eth0 [VM internal network]
VM Win 2012 srv: Already set up
- 20G hdd;
- 1 Gbps eth0 [VM internal network]
VM Nethserver 6.6
20 G hdd
1 Gbps eth0 [VM network]
1 Gbps eth1 [VM internal network]
The Nethserver VM machine
After starting the installer, NS is asking what is the LAN (green) card, select eth1.
Then the installer presents the config for static IP configuration (IP 192.168.1.1; NM: 255.255.255.0; GW: 192.168.1.253; DNS: 188.8.131.52 )
- it should also present options to select RED interface and assign configuration for IP static / DHCP
** No option to automatically start DHCP on LAN (green) interface for clients
*** No option to set root password by the user
(the setup continues with graphical installer to show progress)
**** Since no WAN (red) interface has been selected/configured, the installer does not check/bring updates before installing the software
Install is finished and the machine is rebooted.
Now we switch to the Linux mint machine to complete the setup.
Linux mint 17 VM
Since the NS is not giving any ip’s on the LAN (Green) interface we need to set up the mint machine network.
First open a terminal and type:
‘sudo ifconfig eth0 192.168.1.100 netmask 255.255.255.0’
This will enable eth0 and set network ip of the Mint machine in the same segment as the NS.
Open Firefox and add the ip address of the NS https://192.168.1.1:980
The first configuration wizard starts
Change the password to the root user
- There is no mention about the complexity the password should have.
Ex: Should contain minimum:
1 Capital letter (A - Z)
1 digit ( 0 - 9)
1 symbol ( !@#$_,…)
Minimum lenght 6 characters
After the password is set we set up the hostname and domain
- the domain field is ambiguous. It is not clearly if this will be internet domain (www / email) used by the server for webserver or local domain for AD
Then we select the timezone (Bucharest for my setup)
Then select the port to use for SSH (2222 or 2233 or whatever you want to use as ssh port in your organisation)
The last step is to send usage statistics (you select “yes” or “no” depending on your preferences, this will be valid only after you have set up RED interface)
The last page presents the steps that you have set up
Hit [Apply] and you see the tasks progress bar.
Then you are presented with the NETWORK submenu where you have your interfaces
eth0 xx:xx:xx:xx:xx:xx no role
eth1 xx:xx:xx:xx:xx:xx LAN (green) 192.168.1.1 (Note, should be different from your physical router subnet IP address )
Hit [Edit] for eth0 and the form for this interface is presented
There is only one option in the ROLE field LAN (green). not possible to select RED
- In here I try to set up the eth0 as RED to have access to internet but it is not possible
** if you select the Software center option the page will stay with the “loading” circle for some time and then throw errors regarding not being able to contact mirror lists repositories.
This is a big problem since if you can’t set one interface to RED and configure it’s ip as STATIC/DHCP you can’t contact the software center.
Reboot the server so the Hostname / Domain and other settings to be applied. (not really necessary but better to be sure)
WORKAROUND for internet access:
Into vSphere Client switch to the VM-Nethsh machine console.
Log into the machine with the user root and password set by you in the initial config wizard (Nethesis,1234 is not valid anymore; you have change it in the initial config! )
- It should be better if, on the login prompt, the ip and port should be presented (like vmware or pfsense or others Ex: use http://ip:980 in web browser to configure this machine)
after the login banner appears, type :
Check that the eth0 has received ip configuration, type:
Test now that it can reach the internet, type :
see that we get “64 bytes from cache.google.com …”
Hit [CTRL + c]
Note: we can start update from cli now with ‘yum update’ and ‘yum upgrade’ but it is recommended to issue the upgrade from the web control pannel
Now exit from NS shell and return to linux mint machine.
In the webcontrol interface of NS go to [Status] -> [Dashboard]
Check that in the interfaces tab, the eth0 is up and has a green OK
** Missing RED interface settings will be setup latter in this document
Into the web interface go to the [Administration] -> [Software center] submenu
Now the NS has access to the repositories and it is getting the software lists.
Go to [Updates] tab
you see the list of updates available.
Hit [Download and install].
After the updates are finished the “Operation completed sucessfully” green banner appears, click the [Available] tab in the Software center.
Select / check the following:
[x] Backup - will be used to save data
[x] Basic Firewall
[x] DNS and DHCP server
- [x] nethserver-roundcubemail
- [x] unrar
- should be split into [x] Email / [x] Webmail (if you select webmail will automatically check Email)
[x] File server
- [x] nethserver-samba-audit
[x] Intrusion Prevention System
[x] MySQL server (if you plan to use dynamic webpages Joomla Wordpress etc)
[x] POP3 proxy (used to scan emails) * should be set as sub-option to Email
- [x] nethserver-collectd-web
- [x] nethserver-cgp
[x] Web filter
- [x] nethserver-lightsquid
- [x] nethserver-lightsquid
Hit [Add] to complete
Check that everything is correct on the “Confirm system changes” summary page and then hit [Apply Changes]
Wait for the tasks to finish.
After the modules have been installed you should see two yellow banners:
“Change admin’s password” - - required to enable admin’s Samba account
“Enable backup” - - configuration of data backup (not set yet)
** Setting up the internet RED interface (now that we have basic firewall)
Go to [Configuration] -> [Network] submenu
Select [Edit] on the eth0 row
Set the role to: “Internet (red)”
Note: in this setup we get the ip address from our VmWare network switch that is connected to the physical Internet router.
if you have everything on physical machines (Alternative setup) you will get DHCP IP via the switch that connects your router to the eth0 of NS
Select first link “Change admin’s password”
You are then redirected to the [Management] -> [Users] submenu
You should see only one row with the admin details.
The page displays the user details in a formular
- Note the username can’t be changed. It is good practice to rename the default ‘admin’ or ‘administrator’ account. Not possible here
Hit [Change password] button. The form to insert a new password is presented.
Enter the desired password for ‘admin’ user
- Note, the same information of password complexity policy settings are missing here too.
- Minimal password length 6
- 1 Capital letter
- 1 Digit
- 1 Symbol
After you type the new password hit [Submit]
Now go to [Configuration] -> [DNS] -> [DNS Servers] tab (it is presented as default)
As primary DNS set the address of the NS lan address
As secondary DNS set the address of your internet lan router address
*We use the ip of the NS as dns because it will be set as AD server.
- it is not clear that this will be set by default when it is configured as AD server so we specify manually to use itself as primary DNS
Go to [Hosts] tab
Hit [CREATE NEW] button
in the Hostname field enter the NS hostname.domain that you set in the initial config wizard “vm-netsh.vmdom”
(we used vm-netsh so we enter that one and the domain)
In the IP address field enter : 192.168.1.1
IP address: 192.168.1.1
in the description field enter what you want to describe this entry. (Ex: NethServer static dns entry)
Description: NethServer static dns entry
After the settings are applied go to [Configuration] -> [DHCP] submenu
Check the box to enable DHCP on the eth1 so that the clients of the virtual-internal network will receive IP’s and dns settings from the NS.
[x] eth 1 - green
In the IP range set
IP range Start: 192.168.1.100
IP range End: 192.168.1.150
(this should be sufficent for most setups )
- no other options are available for DHCP settings (pxe, bootp, ntp options etc)
- in the DHCP if it is already enabled you should see the DHCP server settings.
We can set the static entries for our two virtual machines. Linux Mint and Windows server.
Go to [IP reservation] tab,
Hit [Create new]
In the hostname set: vm-ws2012 (this is the hostname for the windows server machine)
In the MAC Address set: xx:xx:xx:xx:xx (enter the mac address of the network interface from your windows machine)
in the IP address enter: 192.168.1.101
- The MAC address field, a helper check function should convert mac addresses entered with “-” or without a separator to desired format xx-xx-xx-xx-xx to be converted at submit to xx:xx:xx:xx:xx Useful when you copy-paste from different sources
Redo the same for your linux virtual machine
Enter Hostname (as set in the linux machine)
Mac address: yy:yy:yy:yy:yy (copy this from Linux mint, just type ‘ifconfig eth0’ and then copy HWaddr)
IP address: 192.168.1.102
Description: Linux Mint Virtual machine
** Optional step 2 **
After this you can have static entries in the DNS for the other two machines: Linux Mint and Windows Server.
Remember to put in hostname field the correct hostname set also in the machine OS (write down their hostnames on a paper) Also remember to put the domain after the hostname hostname.domain
And match the IP with the one you have on those machines or you set in the IP reservation from DHCP
After the tasks are applied you should now have two entries in the IP reservation tab;
Now we set up NS to be AD,
for this go to [Configuration] - > [Windows Network] submenu
On the Server role in Windows network you have 3 options. Since we want the NS to be a Active Directory server we select [Primary Domain Controller]
Then you sould see the Domain field set with “VMDOM” as set by the initial config wizard
(enable roaming profiles if you will need them for your users)
- After the NS is set up as AD, on this page the LDAP settings should be visible.
This information is useful and needed to configure connections for different tools like Apache LDAP editor and other tools
Wait for the tasks to be applied.
Now we make sure that anything from NS lan is permited to reach the server:
Go to: [Gateway] -> [Firewall rules]
Hit [Create rule at bottom]
see that rule is Enabled,
Source : click Source and select Role green
Description: Anything from Lan side accepted.
Note: this rule is defined in this setup for general purpose. You should carefully make your own rules according to the security that you need in your own environment (for example add rules to accept HTTP, HTTPS or FTP etc. and then add a last rule to deny anything else)
The rules are applied from TOP to bottom. So if you add a deny for anything at the top you will not be able to access NS anymore
- A rule to always allow access to Webconfig from LAN should be added in the firewall by default. Also, you should not to be able to remove this rule. (anti lockout)
Then hit [Apply Changes] to confirm
Wait for the task to be applied
Go to [Security] -> [Trusted networks]
Add a new rule by pushing [Create New]
Network address: 192.168.1.0
Network Mask: 255.255.255.0
Wait for the task to finish.
Go to [Configuration] -> [Backup (configuration)]
Hit [Backup Now]
- An option to download the backup file is necessary to be able to save it in another location (DRP DRS site)
Now we reboot the NS to make sure that everything get’s applied and works.
Go to [Shutdown]
select Reboot and then hit [Shutdown the system]
- the submit button should reflect the desired action (Reboot or Poweroff) otherwise it can confuse some users
After the NS machine reboots return to Dashboard.
Now we must reboot the other two machines to make them obtain the DHCP ip addresses assigned to them and other domain settings
Reboot the Linux mint host (this will make the machine get the DHCP / DNS settings from NS)
After the Linux Mint machine reboots log on into it and check that it got the correct settings:
Open a terminal and type:
You should see that it got the address set by you in dhcp IP reservation (if you set up one in optional step)
now to see that it gets the NS information type:
you should see that it get’s the correct hostname and domain:
PING vm-netsh.vmdom (192.168.1.1) 56(84) bytes of data.
64 bytes from vm-netsh.vmdom (192.168.1.1): icmp_seq=1 ttl=64 time=0.082 ms
64 bytes from vm-netsh.vmdom (192.168.1.1): icmp_seq=2 ttl=64 time=0.102 ms
hit [CTRL + C] to stop
You can also see if the linux machine obtains information regarding the windows machine
to test this we enquire the DNS about the windows machine, type:
and you should receive:
This means that the NS DNS is responding to queries for the hostnames set by us.
Finally let’s see that we get Internet access from our linux mint machine trough NS. Type:
You should see that you get reply for ping
64 bytes from cache.google.com (xxx.xxx.xxx.xxx): icmp_seq=1 ttl=64 time=2.402 ms
hit [CTRL + C]
Now let’s get the Windows machine ready.
Reboot the Windows 2012 host (this will make the machine get the DHCP / DNS settings from NS)
Login as Administrator
Go to [Start]
Then click on [Control Panel]
Select and click on [Windows Firewall]
Check that windows Firewall is turned OFF !
If it is ON, click on [Turn Windows Firewall on or off] link from the right side
Then check the “Turn off Windows Firewall” option in both Private and Public sections.
Next we see that the time is set to the same value as NS.
Return to [Control Panel]
Select [Date and Time] link
Click on the [Internet Time] tab
Then Click the [Change settings] button
Confirm that the check-box “Synchronize with an internet time server” is checked
In the “Server” field type the hostname of our NethServer: vm-netsh
Click on [Update now] button
This should configure the clock from windows machine to be the same as the NS.
Let’s Join the Win server to our vmdom domain
First start Firefox or Chrome (if do not have those browsers installed now it is a good time to install them )
in Firefox or Chrome, open the NS webcontrol page.
Go to [Configuration] -> [Windows network] submenu
Click on the [Client registry settings]
From that page right-click on the Win7samba.reg link and select [Save as]
After it is downloaded go to [Start] menu from windows and type: “regedit” hit [Enter] after
In the “Registry Editor” go to [File] menu, select [Import…]
Go to the location that you have saved the previous registry file and select it (if you do not see the file check the selection “All Files” from the extension box.
Select the “win7samba.reg” file and then Click [Open] button.
A message box that confirms the registry key has been imported should appear.
Then close the “Registry Editor”
Close Firefox/Chrome browser.
Click on [Server Manager] icon from the taskbar.
After the Server manager window appears go to [Local Server]
On the right side of the window click the [workgroup] link
The “System Properties” window should appear.
Go to the [Change] button that is on the right side and click on it
Now the “Computer Name/Domain Changes” windows has appeared.
On the bottom side you see “Member of” and you have two options Domain and Workgroup (this is selected by default)
Click and select the Domain button
On the field enter: vmdom
A “Windows Security” box apears asking for credentials.
We use the SAMBA admin account to join the server into the domain
Enter the name: ‘admin’ ( without the quotes )
Enter password: set by you for that user
A message with “Welcome to VMDOM domain” should confirm that you joined sucessfully
This should join the Windows machine into the domain
- if Any error message appear take not of them and double-check your steps.
Reboot the Win2012 server.
After the machine reboots login with your domain admin account.
if you see VM-WS2012\ under the user name select “other user” and enter your Samba admin credentials
Make sure that under the user login form the VMDOM is specified
After you have sucessfully loged in open Firefox/Chrome to NS webcontrol page
Now we need to populate our Active Directory with users and Groups.
Go to [Management] -> [Groups] submenu
Hit [Create new] button
In “Group name” field enter: dom-users
In “Description” field enter your desired description (Ex: “Normal domain users” )
- Add as many groups as you see fit
Let’s add some more users into the domain
Go to [Management] -> [Users] submenu
Hit [Create new]
In User name enter the desired login name that the user will use to login to the domain.
Complete the “First name” field with desired information"
Complete the “Last name” field with desired information"
in the [Groups] field type dom and then select the previous create group “dom-users”
Also you can add the Domain admins group if you desire
NOTE: Be very carefoul with assigning group membership to users.
You will see the user you just created under the admin user. But it is grey and has a key right to his username.
This means that the user is disabled and does not have a password.
Click on [Edit] for the user you just selected
In the user properties click on [Change password] button
Enter the new password for that user
- The complexity warning required for the password is missing
- Minimal password length
- Capital letter
NOTE: the password has an expiration date!
You can tweak this from the NS cli (read the docs)
*Add as many users as you see fit
Log out of NS webconsole and also from Win Server and test your new user created account.
If everything went well (and I’m sure it did ) you have logged in with a domain user from NS into a Win2012 server.
TODO: Join the Linux Mint machine to NS LDAP server
TODO: Use Apache LDAP explorer to configure / tweak LDAP
TODO: create scripts for WINDOWS / LINUX to automount the shared folders from NS that they have permission to access.
- automatic generation of automount.xml and login.cmd for LDAP users from NS when you create/update a share or user
If you have any questions, tips, tweaks that you consider it will improve this “How-to”, please add and I’ll add them to this document.