Only the Expert policy has more than 10 rules enabled, it seems the rule policy still need some tweaking, I know we’ve talked about this before when I was trying ips in v6.7.
I can’t test snort at all really until I can get snort running with Expert policy per my previous post.
May 23 11:34:03 server88 /sbin/e-smith/db[2666]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|connectivity
May 23 11:34:03 server88 /sbin/e-smith/db[2666]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|expert
May 23 11:34:23 server88 esmith::event[2669]: Rule Stats...
May 23 11:34:23 server88 esmith::event[2669]: #011New:-------27256
May 23 11:34:23 server88 esmith::event[2669]: #011Deleted:---0
May 23 11:34:23 server88 esmith::event[2669]: #011Enabled Rules:----20467
May 23 11:34:23 server88 esmith::event[2669]: #011Dropped Rules:----0
May 23 11:34:23 server88 esmith::event[2669]: #011Disabled Rules:---6789
May 23 11:34:23 server88 esmith::event[2669]: #011Total Rules:------27256
May 23 11:56:45 server88 /sbin/e-smith/db[3246]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|expert
May 23 11:56:45 server88 /sbin/e-smith/db[3246]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|security
May 23 11:56:59 server88 esmith::event[3249]: Rule Stats...
May 23 11:56:59 server88 esmith::event[3249]: #011New:-------0
May 23 11:56:59 server88 esmith::event[3249]: #011Deleted:---0
May 23 11:56:59 server88 esmith::event[3249]: #011Enabled Rules:----8
May 23 11:56:59 server88 esmith::event[3249]: #011Dropped Rules:----906
May 23 11:56:59 server88 esmith::event[3249]: #011Disabled Rules:---26342
May 23 11:56:59 server88 esmith::event[3249]: #011Total Rules:------27256
May 23 12:10:50 server88 /sbin/e-smith/db[3878]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|security
May 23 12:10:50 server88 /sbin/e-smith/db[3878]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|balanced
May 23 12:11:03 server88 esmith::event[3881]: Rule Stats...
May 23 12:11:03 server88 esmith::event[3881]: #011New:-------0
May 23 12:11:03 server88 esmith::event[3881]: #011Deleted:---0
May 23 12:11:03 server88 esmith::event[3881]: #011Enabled Rules:----10
May 23 12:11:03 server88 esmith::event[3881]: #011Dropped Rules:----785
May 23 12:11:03 server88 esmith::event[3881]: #011Disabled Rules:---26461
May 23 12:11:03 server88 esmith::event[3881]: #011Total Rules:------27256
May 23 12:12:34 server88 /sbin/e-smith/db[4403]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|balanced
May 23 12:12:34 server88 /sbin/e-smith/db[4403]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|connectivity
May 23 12:12:47 server88 esmith::event[4406]: Rule Stats...
May 23 12:12:47 server88 esmith::event[4406]: #011New:-------0
May 23 12:12:47 server88 esmith::event[4406]: #011Deleted:---0
May 23 12:12:47 server88 esmith::event[4406]: #011Enabled Rules:----2
May 23 12:12:47 server88 esmith::event[4406]: #011Dropped Rules:----8
May 23 12:12:47 server88 esmith::event[4406]: #011Disabled Rules:---27246
May 23 12:12:47 server88 esmith::event[4406]: #011Total Rules:------27256
Trusted?
Not a big deal at all, just, what seems an unnecessary delay during reboot, I don’t think any of my v6.7 installs have a delay, I’ve only noticed this on v7, but now I can’t remember about v6.7.
No need for systemctl, simply shutdown at shell shuts the machine down in a couple seconds.
The 90 delay is triggered when using the gui shutdown options.
i set up a NS7A3 VM for test and installed Samba AD as discribed above.
I tried to join a win7 machine to this domain, but got a message, that the domain was identified as “nsdc-test.ns7a3.at”, but however it could not connect to domain controllers.
-- Logs begin at Tue 2016-05-24 11:17:54 CEST, end at Tue 2016-05-24 13:31:02 CEST. --
May 24 11:17:54 nsdc-test.ns7a3.at systemd-journal[14]: Runtime journal is using 8.0M (max allowed 91.9M, trying to leave 137.9M free of 911.9M available → current limit 91.9M).
May 24 11:17:55 nsdc-test.ns7a3.at systemd-journal[14]: Permanent journal is using 8.0M (max allowed 1.7G, trying to leave 2.6G free of 15.1G available → current limit 1.7G).
May 24 11:17:55 nsdc-test.ns7a3.at systemd-journal[14]: Time spent on flushing to /var is 1.084ms for 2 entries.
May 24 11:17:55 nsdc-test.ns7a3.at systemd-journal[14]: Journal started
May 24 11:17:55 nsdc-test.ns7a3.at systemd[1]: Starting Flush Journal to Persistent Storage...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Flush Journal to Persistent Storage.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Create Volatile Files and Directories...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Create Volatile Files and Directories.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Update UTMP about System Boot/Shutdown...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Update UTMP about System Boot/Shutdown.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target System Initialization.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting System Initialization.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Daily Cleanup of Temporary Directories.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Daily Cleanup of Temporary Directories.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target Timers.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Timers.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Listening on D-Bus System Message Bus Socket.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting D-Bus System Message Bus Socket.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target Sockets.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Sockets.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target Basic System.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Basic System.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started D-Bus System Message Bus.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting D-Bus System Message Bus...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Network Service...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Domain controller provisioning...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Permit User Sessions...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Login Service...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Cleanup of Temporary Directories...
May 24 11:17:56 nsdc-test.ns7a3.at systemd-networkd[24]: host0 : Cannot configure IPv4 forwarding for interface host0: Read-only file system
May 24 11:17:56 nsdc-test.ns7a3.at systemd-networkd[24]: host0 : Cannot configure IPv6 forwarding for interface: Read-only file system
May 24 11:17:56 nsdc-test.ns7a3.at systemd-networkd[24]: Enumeration completed
May 24 11:17:56 nsdc-test.ns7a3.at systemd-networkd[24]: host0 : link configured
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Network Service.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target Network.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Network.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Cleanup of Temporary Directories.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Permit User Sessions.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Console Getty.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Console Getty...
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Getty on tty1.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Reached target Login Prompts.
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Starting Login Prompts.
May 24 11:17:56 nsdc-test.ns7a3.at systemd-networkd[24]: host0 : gained carrier
May 24 11:17:56 nsdc-test.ns7a3.at systemd[1]: Started Login Service.
May 24 11:17:56 nsdc-test.ns7a3.at systemd-logind[27]: New seat seat0.
May 24 11:17:56 nsdc-test.ns7a3.at samba-tool[25]: Looking up IPv4 addresses
May 24 11:17:56 nsdc-test.ns7a3.at samba-tool[25]: Looking up IPv6 addresses
May 24 11:17:56 nsdc-test.ns7a3.at samba-tool[25]: No IPv6 address will be assigned
May 24 11:17:56 nsdc-test.ns7a3.at samba-tool[25]: Setting up share.ldb
May 24 11:17:57 nsdc-test.ns7a3.at samba-tool[25]: Setting up secrets.ldb
May 24 11:17:58 nsdc-test.ns7a3.at samba-tool[25]: Setting up the registry
May 24 11:18:04 nsdc-test.ns7a3.at samba-tool[25]: Setting up the privileges database
May 24 11:18:06 nsdc-test.ns7a3.at samba-tool[25]: Setting up idmap db
May 24 11:18:07 nsdc-test.ns7a3.at samba-tool[25]: Setting up SAM db
May 24 11:18:07 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb partitions and settings
May 24 11:18:07 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb rootDSE
May 24 11:18:08 nsdc-test.ns7a3.at samba-tool[25]: Pre-loading the Samba 4 and AD schema
May 24 11:18:08 nsdc-test.ns7a3.at samba-tool[25]: Adding DomainDN: DC=ns7a3,DC=at
May 24 11:18:08 nsdc-test.ns7a3.at samba-tool[25]: Adding configuration container
May 24 11:18:08 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb schema
May 24 11:18:12 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb configuration data
May 24 11:18:12 nsdc-test.ns7a3.at samba-tool[25]: Setting up display specifiers
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Modifying display specifiers
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Adding users container
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Modifying users container
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Adding computers container
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Modifying computers container
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb data
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Setting up well known security principals
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb users and groups
May 24 11:18:13 nsdc-test.ns7a3.at samba-tool[25]: Setting up self join
May 24 11:18:17 nsdc-test.ns7a3.at samba-tool[25]: Adding DNS accounts
May 24 11:18:18 nsdc-test.ns7a3.at samba-tool[25]: Creating CN=MicrosoftDNS,CN=System,DC=ns7a3,DC=at
May 24 11:18:22 nsdc-test.ns7a3.at samba-tool[25]: Creating DomainDnsZones and ForestDnsZones partitions
May 24 11:18:28 nsdc-test.ns7a3.at samba-tool[25]: Populating DomainDnsZones and ForestDnsZones partitions
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: Setting up sam.ldb rootDSE marking as synchronized
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: Fixing provision GUIDs
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: A Kerberos configuration suitable for Samba 4 has been generated at /var/lib/samba/private/krb5.conf
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: Once the above files are installed, your Samba4 server will be ready to use
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: Server Role: active directory domain controller
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: Hostname: nsdc-test
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: NetBIOS Domain: NS7A3
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: DNS Domain: ns7a3.at
May 24 11:18:41 nsdc-test.ns7a3.at samba-tool[25]: DOMAIN SID: S-1-5-21-2032105811-1728666049-3903918006
May 24 11:18:41 nsdc-test.ns7a3.at cp[35]: '/var/lib/samba/private/krb5.conf' -> '/etc/krb5.conf'
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Started Domain controller provisioning.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Started Samba domain controller daemon.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Starting Samba domain controller daemon...
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Reached target Multi-User System.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Starting Multi-User System.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Reached target Graphical Interface.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Starting Graphical Interface.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Started Stop Read-Ahead Data Collection 10s After Completed Startup.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Starting Update UTMP about System Runlevel Changes...
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Started Update UTMP about System Runlevel Changes.
May 24 11:18:41 nsdc-test.ns7a3.at systemd[1]: Startup finished in 47.085s.
May 24 11:18:41 nsdc-test.ns7a3.at samba[36]: samba version 4.4.3 started.
May 24 11:18:41 nsdc-test.ns7a3.at samba[36]: Copyright Andrew Tridgell and the Samba Team 1992-2016
May 24 11:18:41 nsdc-test.ns7a3.at samba[36]: samba: using 'standard' process model
May 24 11:18:42 nsdc-test.ns7a3.at samba[36]: Attempting to autogenerate TLS self-signed keys for https for hostname 'NSDC-TEST.ns7a3.at'
May 24 11:18:42 nsdc-test.ns7a3.at winbindd[50]: [2016/05/24 11:18:42.104708, 0] ../source3/winbindd/winbindd_cache.c:3245(initialize_winbindd_cache)
May 24 11:18:42 nsdc-test.ns7a3.at winbindd[50]: initialize_winbindd_cache: clearing cache and re-creating with version number 2
May 24 11:18:42 nsdc-test.ns7a3.at winbindd[50]: [2016/05/24 11:18:42.601264, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 24 11:18:42 nsdc-test.ns7a3.at winbindd[50]: STATUS=daemon 'winbindd' finished starting up and ready to serve connections
May 24 11:18:43 nsdc-test.ns7a3.at smbd[40]: [2016/05/24 11:18:43.939815, 0] ../lib/util/become_daemon.c:124(daemon_ready)
May 24 11:18:43 nsdc-test.ns7a3.at smbd[40]: STATUS=daemon 'smbd' finished starting up and ready to serve connections
May 24 11:18:44 nsdc-test.ns7a3.at samba[36]: TLS self-signed keys generated OK
May 24 11:19:14 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool domain passwordsettings set --min-pwd-age=0 --max-pwd-age=180.
May 24 11:19:14 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool domain passwordsettings set --min-pwd-age=0 --max-pwd-age=180...
May 24 11:19:15 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool domain passwordsettings show.
May 24 11:19:15 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool domain passwordsettings show...
May 24 11:19:16 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool domain passwordsettings show.
May 24 11:19:16 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool domain passwordsettings show...
May 24 11:19:17 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool domain passwordsettings set --complexity=on --history-length=default.
May 24 11:19:17 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool domain passwordsettings set --complexity=on --history-length=default...
May 24 11:31:46 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user add jeckel --random-password --must-change-at-next-login --login-shell=/usr/libexec/openssh/sftp-server --unix
May 24 11:31:46 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user add jeckel --random-password --must-change-at-next-login --login-shell=/usr/libexec/openssh/sftp-server --uni
May 24 11:31:48 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user setexpiry jeckel --days=180.
May 24 11:31:48 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user setexpiry jeckel --days=180...
May 24 11:32:17 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user setpassword jeckel.
May 24 11:32:17 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user setpassword jeckel...
May 24 11:32:18 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user enable jeckel.
May 24 11:32:18 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user enable jeckel...
May 24 11:33:06 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 11:33:06 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
May 24 11:33:41 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user setpassword administrator.
May 24 11:33:41 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user setpassword administrator...
May 24 11:33:42 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/samba-tool user enable administrator.
May 24 11:33:42 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/samba-tool user enable administrator...
May 24 11:33:55 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 11:33:55 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
May 24 11:35:40 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 11:35:40 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
May 24 11:39:23 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 11:39:23 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
May 24 13:30:59 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 13:30:59 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
May 24 13:31:02 nsdc-test.ns7a3.at systemd[1]: Started /usr/bin/pdbedit -w administrator.
May 24 13:31:02 nsdc-test.ns7a3.at systemd[1]: Starting /usr/bin/pdbedit -w administrator...
lines 87-141/141 (END)
As far as i see there is no error in messages or something strange related to nsdc.
PS: i tried to join a ns6.7-vm-pdc from the same machine (gateway and dns point to this ns6.7-vm) and it worked.
After I have configured AD on NS7a3, I managed to join to the newly created domain, an Windows 10 pro notebook.
There are probably to many screenshots below but I wanted to show step by step how I did.
Attention at the screenshot no. 5: the username must be “username@domain.tld”!
If you will put only “username” and the domain at “Domain name”: “domain.tld”, after you click on “Next”, you will get an error and the joining to the domain will fail (at least at me).
Unfortunatelly, after restart, I could not login (the last screenshots).
I will try again tomorrow and I will check the logs to see if I can find something about this.
As said above, multiple account domains/realms are not planned at the moment, but we could attempt to set up a custom-template for sssd.conf and OpenLDAP.