NethServer 7.2 alpha 3 - "First Blood"

Samba upstream package does not provide the DC role, by now.

@giacomo and @mark_nl already answered, I just want to add: Samba itself suggests keeping the file server / domain controller roles on separate servers.

They say:

Whilst the Domain Controller seems capable of running as a full file server, it is suggested that organisations run a distinct file server to allow upgrades of each without disrupting the other

Moreover, I must admit it simplified a lot the configuration both on the file server side (the ā€œhostā€ machine) and the domain controller side (the ā€œguestā€ machine/container).

So Iā€™m sure an additional IP address is a small price to pay for having them both on NS7 :wink:

5 Likes

Thank you all for enlighten me! I really didnā€™t know!

Of course doesnā€™t matter. I just want to understand some things which are new for me.

1 Like

Your question was not stupid at all. I want to say thank you @GG_jr for sharing your experience: your feedback is very important for developers and Iā€™m sure it will be very useful to those who endeavor NS7 testing :blush:

4 Likes

I think is the first NS 7a3 AD configured! Isnā€™t?

Thank you all!

1 Like

AFAIK the first outside Pesaro :smile:

You were asking about accounts from multiple domainsā€¦ like john@dom1.com patricia@dom2.net

You know this is not supported on ns6 neither it is planned on ns7. However I hope it can be implemented easily with SSSD, with OpenLDAP backend. I tried it with AD, but realmd seems supporting the join to a single domain only.

1 Like

I probably would have tripped up on this too, so Iā€™m glad you talked this out here for us to understand it too.

2 Likes

Ahhh, I thought you guys were going to get rid of that 90 sec shutdown hold timeout.

2 Likes

Yeahā€¦ But power on is fast.

Hi Davide,

Any news about ā€œsogo-frontendsā€ package?

I installed snort clean after updates to a fresh install rule policy Expert andā€¦

May 23 11:34:26 server88 snort[2705]: FATAL ERROR: /etc/snort/rules/snort.rules(6698) Unknown rule option: 'ssl_version'. May 23 11:34:26 server88 snortd: Starting snort: [FAILED]

[root@server88 rules]# cat snort.rules |grep 6698 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SUSPICIOUS services.exe in URI"; flow:established,to_server; content:"GET"; http_method; urilen:<100; content:"/services.exe"; http_uri; nocase; fast_pattern:only; pcre:"/\/services\.exe$/Ui"; reference:md5,145c06300d61b3a0ce2c944fe7cdcb96; classtype:bad-unknown; sid:2016698; rev:12;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DUware DUdownload SQL Injection Attempt -- detail.asp action ASCII"; flow:established,to_server; content:"/detail.asp?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"ASCII"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:cve,CVE-2006-6367; reference:url,www.securityfocus.com/bid/21405; reference:url,doc.emergingthreats.net/2006698; classtype:web-application-attack; sid:2006698; rev:7;)

Those run-time thingy thingies still are in the hart of nethserver, probably the heritage of SME.
systemctl reboot/poweroff should take care of that, why can it not be trusted?

Only the Expert policy has more than 10 rules enabled, it seems the rule policy still need some tweaking, I know weā€™ve talked about this before when I was trying ips in v6.7.
I canā€™t test snort at all really until I can get snort running with Expert policy per my previous post.

May 23 11:34:03 server88 /sbin/e-smith/db[2666]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|connectivity
May 23 11:34:03 server88 /sbin/e-smith/db[2666]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|expert

May 23 11:34:23 server88 esmith::event[2669]: Rule Stats...
May 23 11:34:23 server88 esmith::event[2669]: #011New:-------27256
May 23 11:34:23 server88 esmith::event[2669]: #011Deleted:---0
May 23 11:34:23 server88 esmith::event[2669]: #011Enabled Rules:----20467
May 23 11:34:23 server88 esmith::event[2669]: #011Dropped Rules:----0
May 23 11:34:23 server88 esmith::event[2669]: #011Disabled Rules:---6789
May 23 11:34:23 server88 esmith::event[2669]: #011Total Rules:------27256


May 23 11:56:45 server88 /sbin/e-smith/db[3246]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|expert
May 23 11:56:45 server88 /sbin/e-smith/db[3246]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|security

May 23 11:56:59 server88 esmith::event[3249]: Rule Stats...
May 23 11:56:59 server88 esmith::event[3249]: #011New:-------0
May 23 11:56:59 server88 esmith::event[3249]: #011Deleted:---0
May 23 11:56:59 server88 esmith::event[3249]: #011Enabled Rules:----8
May 23 11:56:59 server88 esmith::event[3249]: #011Dropped Rules:----906
May 23 11:56:59 server88 esmith::event[3249]: #011Disabled Rules:---26342
May 23 11:56:59 server88 esmith::event[3249]: #011Total Rules:------27256


May 23 12:10:50 server88 /sbin/e-smith/db[3878]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|security
May 23 12:10:50 server88 /sbin/e-smith/db[3878]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|balanced

May 23 12:11:03 server88 esmith::event[3881]: Rule Stats...
May 23 12:11:03 server88 esmith::event[3881]: #011New:-------0
May 23 12:11:03 server88 esmith::event[3881]: #011Deleted:---0
May 23 12:11:03 server88 esmith::event[3881]: #011Enabled Rules:----10
May 23 12:11:03 server88 esmith::event[3881]: #011Dropped Rules:----785
May 23 12:11:03 server88 esmith::event[3881]: #011Disabled Rules:---26461
May 23 12:11:03 server88 esmith::event[3881]: #011Total Rules:------27256


May 23 12:12:34 server88 /sbin/e-smith/db[4403]: /var/lib/nethserver/db/configuration: OLD pulledpork=configuration|Policy|balanced
May 23 12:12:34 server88 /sbin/e-smith/db[4403]: /var/lib/nethserver/db/configuration: NEW pulledpork=configuration|Policy|connectivity

May 23 12:12:47 server88 esmith::event[4406]: Rule Stats...
May 23 12:12:47 server88 esmith::event[4406]: #011New:-------0
May 23 12:12:47 server88 esmith::event[4406]: #011Deleted:---0
May 23 12:12:47 server88 esmith::event[4406]: #011Enabled Rules:----2
May 23 12:12:47 server88 esmith::event[4406]: #011Dropped Rules:----8
May 23 12:12:47 server88 esmith::event[4406]: #011Disabled Rules:---27246
May 23 12:12:47 server88 esmith::event[4406]: #011Total Rules:------27256

Trusted?
Not a big deal at all, just, what seems an unnecessary delay during reboot, I donā€™t think any of my v6.7 installs have a delay, Iā€™ve only noticed this on v7, but now I canā€™t remember about v6.7.

Shoot, I just realized I forgot to snapshot this install before I installed ips, now Iā€™ll have to reinstall to test anything else. Boo.

2 Likes

I think I did that for about 10 times. :joy:

1 Like

3 posts were split to a new topic: Why ā€œin the Forgeā€ and not ā€œin the NSā€ as before

Your in the testing mode, so try a systemctl reboot and time it :wink:

No need for systemctl, simply shutdown at shell shuts the machine down in a couple seconds.
The 90 delay is triggered when using the gui shutdown options.

1 Like

I bet snort changed default configuration once again.
@filippo_carletti can you take a look on it?

I just removed the package from the yum group, you can install sogo from the UI as soon as mirrors are in sync.

I think the timeout on shutdown from interface is something more systemd related. We are investigating it!

Listed modes are from upstream project pulled pork.

2 Likes

Saw a LSB for httpd-admin more then once, I would start there

1 Like