NS8: Random musings

Clean minimal Rocky install.

So I add a user. Not sure what I can do with him as he can’t log on at a terminal. He can’t log on to the web page, even after I promote him to a Domain Admin.

Going back to a terminal, root can no longer log on to administer the OS. *** Update *** Ignore this, stupid operator error.

Create a Samba share. Go over to my Windows, and yes, it can be seen:

image

Try and connect to it. Ooops:

image

Finished playing around, so let’s shut down the VM. Oh dear, there’s no shutdown to be found on the Admin web pages and I can’t log in via a terminal any more.

Cheers, (with my tongue firmly in my cheek),

Users are available only for NS8 modules, they do not have access to the underlying system: so no SSH access.

That’s strange, it should not be related: NS8 does not change PAM nor SSH configuration.

I will try to reproduce.
How did you enter the credentials? If the Windows machine is not joined to the AD, I think you should enter the full credentials with the domain.
Maybe @davidep has already done some tests on this.

NS8 is not meant to manage the distro. You could install Cockpit to access such operations from a web UI.

Understood. But what’s the Domain Admins group? It doesn’t control who has access to the web UI, that’s via Cluster Settings.

Nope, that was my bad.

I tried again today, but this time with the domain qualified name, still no go.

Gotcha.

Cheers.

Hi @EddieA

A “Domain Admins” Group is a requirement of MS Active Directory, in NS7 required if you need authenticated shares…

My 2 cents
Andy

The users are available only to applications like:

  • file server
  • nextcloud
  • mail server
  • etc.

I will need to check it again: card added

After rebuilding the Cluster (and breaking the Mail install again), I tried the FileShare again.

This time it worked, but only with the unqualified user name. The qualified one kept reporting an incorrect password.

And only with the IP address, even though the FQDN is resolvable correctly on the Windows machine.

Cheers.

Sorry, but I do not get it.
I will try with an example, correct me if I’m wrong.

Machine hostname: server.nethserver.org
AD domain/Realm: ad.nethserver.org
User for shares: giacomo@ad.nethserver.org

This one should work.

Does the Windows machine use the AD as DNS? It also needs to resolve some extra DNS records.

Using your examples:
\\server.nethserver.org\ShareIt
Throws this without asking for password:
image
In a Windows command window (obviously using “my” hostname):

C:\Users\Eddie>ping server.nethserver.org

Pinging server.nethserver.org [192.168.0.145] with 32 bytes of data:
Reply from 192.168.0.145: bytes=32 time<1ms TTL=64
Reply from 192.168.0.145: bytes=32 time<1ms TTL=64
Reply from 192.168.0.145: bytes=32 time<1ms TTL=64
Reply from 192.168.0.145: bytes=32 time<1ms TTL=64

Next, using this:
\\192.167.0.145\ShareIt
I get the correct password prompt.
At that prompt, if I use:
giacomo@nethserver.org
I get a message saying the password is wrong. But using:
giacomo
Worked correctly and presented the shared folder.

Cheers.

Noted, thank you for the great details!

Except now using Markus’s new Rocky image I’m getting slightly different results. :worried:

I can now connect to the share by both name and IP.

Cheers.
