NethServer 7.2 alpha 3 - "First Blood"

I think in your case a free IP in edit 192.168.1.x range…

1 Like

My range is 192.168.1.0/24

“Free” meaning “not assigned”

1 Like

Sorry, see edit

1 Like

Thank you @davidep, @mark_nl !

@davidep,
As we are on the subject, why do we need a vanilla samba in the nspawn container?

Stupid question: why two IPs for the same server?

2 Likes

SAMBA dc runs in a systemd nspawn container.

3 Likes

Good catch! Because Samba 4 runs inside a container which is basically a virtual machine inside the real NS :slight_smile:

1 Like

Samba upstream package does not provide the DC role, by now.

@giacomo and @mark_nl already answered, I just want to add: Samba itself suggests keeping the file server / domain controller roles on separate servers.

They say:

Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other

Moreover, I must admit it simplified the configuration a lot, both on the file server side (the “host” machine) and the domain controller side (the “guest” machine/container).

So I’m sure an additional IP address is a small price to pay for having them both on NS7 :wink:

5 Likes

Thank you all for enlightening me! I really didn’t know!

Of course it doesn’t matter. I just want to understand some things which are new for me.

1 Like

Your question was not stupid at all. I want to say thank you @GG_jr for sharing your experience: your feedback is very important for developers and I’m sure it will be very useful to those who endeavor NS7 testing :blush:

4 Likes

I think this is the first NS 7a3 AD configured! Isn’t it?

Thank you all!

1 Like

AFAIK the first outside Pesaro :smile:

You were asking about accounts from multiple domains… like john@dom1.com patricia@dom2.net

You know this is not supported on ns6, nor is it planned on ns7. However I hope it can be implemented easily with SSSD, with OpenLDAP backend. I tried it with AD, but realmd seems to support the join to a single domain only.

1 Like

I probably would have tripped up on this too, so I’m glad you talked this out here for us to understand it too.

2 Likes

Ahhh, I thought you guys were going to get rid of that 90 sec shutdown hold timeout.

2 Likes

Yeah… But power on is fast.

Hi Davide,

Any news about “sogo-frontends” package?

I installed snort clean after updates to a fresh install rule policy Expert and…

```
May 23 11:34:26 server88 snort[2705]: FATAL ERROR: /etc/snort/rules/snort.rules(6698) Unknown rule option: 'ssl_version'.
May 23 11:34:26 server88 snortd: Starting snort: [FAILED]
```

```
[root@server88 rules]# cat snort.rules |grep 6698
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:7;)
```
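An added example, not part of the original post: the number in parentheses in Snort's FATAL ERROR message is a line number in the rules file, so the script below parses the message, prints that physical line, and lists every active rule that uses the rejected option. The helper function names and the sample rules file are constructed for illustration; only the log line comes from the post.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Helper names and sample rules are constructed.

# parse_fatal LOGLINE -> "file|line|option" from a Snort "Unknown rule option" fatal error
parse_fatal() {
    printf '%s\n' "$1" | sed -n -E \
        "s/.*FATAL ERROR: ([^ (]+)\(([0-9]+)\) Unknown rule option: '([^']+)'.*/\1|\2|\3/p"
}

# rule_at FILE LINE -> the physical line the error refers to
rule_at() { sed -n "${2}p" "$1"; }

# rules_using FILE OPTION -> "line:sid" for every uncommented rule that uses OPTION
rules_using() {
    awk -v opt="$2" '
        /^[[:space:]]*#/ { next }
        $0 ~ ("[;(] *" opt "[:;]") {
            sid = "?"
            if (match($0, /sid:[0-9]+/)) sid = substr($0, RSTART + 4, RLENGTH - 4)
            print NR ":" sid
        }' "$1"
}

# make_sample -> path of a constructed rules file: the ssl_version rule sits on
# line 6698, and an unrelated rule on line 10 merely has 6698 inside its sid.
make_sample() {
    local f; f=$(mktemp)
    awk 'BEGIN {
        for (i = 1; i <= 6698; i++) {
            if (i == 10)        print "alert tcp any any -> any 80 (msg:\"constructed A\"; content:\"x\"; sid:26698; rev:1;)"
            else if (i == 6698) print "alert tcp any any -> any 443 (msg:\"constructed B\"; ssl_version:sslv2; sid:1000001; rev:1;)"
            else                print "# padding (constructed)"
        }
    }' > "$f"
    echo "$f"
}

# Log line as quoted in the post above.
LOG="May 23 11:34:26 server88 snort[2705]: FATAL ERROR: /etc/snort/rules/snort.rules(6698) Unknown rule option: 'ssl_version'."
IFS='|' read -r RULES_FILE LINE_NO OPTION <<EOF
$(parse_fatal "$LOG")
EOF
SAMPLE=$(make_sample)            # stands in for $RULES_FILE so the demo runs offline
echo "error points at $RULES_FILE line $LINE_NO, option $OPTION"
echo "rule on that line: $(rule_at "$SAMPLE" "$LINE_NO")"
echo "active rules using $OPTION (line:sid): $(rules_using "$SAMPLE" "$OPTION")"
echo "lines a plain 'grep $LINE_NO' returns: $(grep -c "$LINE_NO" "$SAMPLE")"
rm -f "$SAMPLE"
```

On a real system, pass the path from the log message to `rule_at` and `rules_using` instead of the constructed sample file.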

Those run-time thingy thingies still are in the heart of nethserver, probably the heritage of SME.
systemctl reboot/poweroff should take care of that, why can it not be trusted?