Setting up a PDC on armhfp

arm

(Robert Moskowitz) #14

I started the install of the DC. It wanted me to specify a different address than what the system was running on. So I supplied 192.168.129.7 (currently on .14). Seems it is going to use a /24 subnet which will work for starters.

So it gets 62% done with the message adjust-services and hangs.

The last few messages from journalctl -f are:

Oct 09 18:47:10 klovia.htt-consult.com systemd[1]: Started DNS caching server…
Oct 09 18:47:10 klovia.htt-consult.com systemd[1]: Starting DNS caching server…
Oct 09 18:47:10 klovia.htt-consult.com dnsmasq[10475]: started, version 2.76 cachesize 4000
Oct 09 18:47:10 klovia.htt-consult.com dnsmasq[10475]: compile time options: IPv6 GNU-getopt DBus no-i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack ipset auth no-DNSSEC loop-detect inotify
Oct 09 18:47:10 klovia.htt-consult.com dnsmasq-tftp[10475]: TFTP root is /var/lib/tftpboot
Oct 09 18:47:10 klovia.htt-consult.com dnsmasq[10475]: using nameserver 50.253.254.2#53
Oct 09 18:47:10 klovia.htt-consult.com dnsmasq[10475]: read /etc/hosts - 2 addresses
Oct 09 18:47:10 klovia.htt-consult.com esmith::event[8963]: Action: /etc/e-smith/events/actions/adjust-services SUCCESS [3.58274]

So I check IP:

ip a

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br0 state UP group default qlen 1000
link/ether 02:c1:08:81:e2:d7 brd ff:ff:ff:ff:ff:ff
inet6 fe80::c1:8ff:fe81:e2d7/64 scope link
valid_lft forever preferred_lft forever

hmm, no IP address. So

cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=eth0
BOOTPROTO=none
BRIDGE=br0
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
USERCTL=no

no wonder no IP address.

Since this is with the arm build, do you want to move this trouble shooting over to the arm testing thread(s)?


(Robert Moskowitz) #15

Looks like I was a bit premature on giving up and going away…

ifcfg-eth0 still the same, but I see:

cat /etc/sysconfig/network-scripts/ifcfg-br0
DEVICE=br0
BOOTPROTO=none
GATEWAY=
IPADDR=192.168.192.14
NETMASK=255.255.255.0
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Bridge
USERCTL=no

And the install ended with errors:

 Task completed with errors

S96nethserver-dc-createldapservice #15 (exit status 256)
S95nethserver-dc-waitstart #23 (exit status 256)
S96nethserver-dc-createldapservice #24 (exit status 256)
S96nethserver-dc-join #25 (exit status 256)
S97nethserver-dc-password-policy #26 (exit status 256)
S98nethserver-dc-createadmins #28 (exit status 256)
Adjust service sssd #157 (exit status 1)
    failed
Template /var/lib/machines/nsdc/etc/ntp.conf #131 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/ntp.conf failed
Template /var/lib/machines/nsdc/etc/hosts #132 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/hosts failed
Template /var/lib/machines/nsdc/etc/resolv.conf #133 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/resolv.conf failed
Template /var/lib/machines/nsdc/etc/hostname #134 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/hostname failed
Template /var/lib/machines/nsdc/etc/systemd/system/nsdc-run@.service #135 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/systemd/system/nsdc-run@.service failed
Template /var/lib/machines/nsdc/etc/systemd/system/samba-provision.service #136 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/systemd/system/samba-provision.service failed
Template /var/lib/machines/nsdc/etc/systemd/system/nsdc-run.socket #137 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/systemd/system/nsdc-run.socket failed
Template /var/lib/machines/nsdc/etc/systemd/network/green.network #138 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/systemd/network/green.network failed
Template /var/lib/machines/nsdc/etc/samba/smb.conf.include #139 (exit status 1)
    expansion of /var/lib/machines/nsdc/etc/samba/smb.conf.include failed
Template /var/lib/machines/nsdc/srv/smb.ns6upgrade.conf #140 (exit status 1)
    expansion of /var/lib/machines/nsdc/srv/smb.ns6upgrade.conf failed
Template /var/lib/machines/nsdc/srv/post-provision.sh #141 (exit status 1)
    expansion of /var/lib/machines/nsdc/srv/post-provision.sh failed

for DNS name I used: homebase.htt-consult.com

for netbios name: HOMEBASE

and as I previously said the DC IP addr is 192.168.192.7

It is not too much of an issue to rebuild the image from scratch and start again tomorrow…

BTW, as I think of it, I would like the DNS name to be home.htt; something that is not usable at all externally. This is what I did with my ClearOS setup; I hope it will work here.


(Robert Moskowitz) #16

I read https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc739077(v=ws.10)

I don’t see this as a concern for my small home network. I am assuming that the server itself can keep its name in the htt-consult.com internal view.


(Mark Verlinde) #17

I took the liberty to change the subject, if you wish you can change back. :grinning:

Looks like the installation of (the packages of) the container failed.

Key to indicate success of this part of the installation is line 1266 in my log:

Oct 09 16:54:44 rpi3p.havak.lan esmith::event[1567]: Complete!
Oct 09 16:54:44 rpi3p.havak.lan esmith::event[1567]: Created symlink from /etc/systemd/system/multi-user.target.wants/machines.target to /usr/lib/systemd/system/machines.target.
Oct 09 16:54:44 rpi3p.havak.lan systemd[1]: Reloading.

Sorry to ask:
Did you grow your rootfs before installing the AD? I think I should have mentioned it won’t fit on the partition of the currently shipped image. See the README in /root to grow the rootfs.


(Robert Moskowitz) #18

This is good.

# df -h
Filesystem      Size  Used Avail Use% Mounted on
devtmpfs        953M     0  953M   0% /dev
tmpfs          1007M     0 1007M   0% /dev/shm
tmpfs          1007M   25M  982M   3% /run
tmpfs          1007M     0 1007M   0% /sys/fs/cgroup
/dev/sda3       155G  1.2G  152G   1% /
/dev/sda1       642M  164M  459M  27% /boot
tmpfs           202M     0  202M   0% /run/user/0

I think I made it big enough for a lot of user data…

Now in order, I first installed file server (which auto installed firewall) THEN I ‘went back’ to install user/group provider.

Perhaps that has an impact?


(Mark Verlinde) #19

Yes, 152G should do it… (understatement of the year :wink:)

Sorry, I do not know. It may sound a bit strange: having the nethserver-dc package dismissed for arm in the past, I am not very familiar with it.

Maybe others can chip in how to debug this.

Just can share my work flow:

  1. configure network: set green interface to fixed IP (and make a record for it in the my local DNS server)
  2. update
  3. grow rootfs partition
  4. reboot
  5. install account provider
  6. then install other modules, usually one at a time

To be accurate: between 1 and 2 I provide a self-signed certificate trusted by my local environment. This is because Firefox goes crazy if you have multiple exceptions for the same ip/hostname (which happens if you reinstall the same SBC over and over again).

A habit of mine while testing/debugging is to reboot before installing the “test subject” and write the whole journalctl of the event to a file ( journalctl > my_event.log ).
There may be more sophisticated methods, it works for me…

BTW a log of the whole event should be logged in /var/log/messages, which can also be viewed in the web-ui at Administration > Log viewer > /var/log/messages


(Robert Moskowitz) #20

Success!

I started from scratch with the base image. I expanded the rootfs partition while the drive was still connected to my notebook using gparted. I am lazy that way. Plus I like to look at whatever the arm image is doing partition-wise.

  1. changed the root password
  2. set the timezone to America/Detroit using timedatectl
  3. Install zram

Connected to port 980 and went through the setup.

This time it did not ask me to change the root password, as I changed it from the serial console earlier.

It prompted me for the timezone, offering that current was DETROIT; I wonder what would have happened if the tz file has a city name in two regions? :slight_smile: We had a discussion about setting time zones in both the Fedora user and Xfce lists. Gnome has moved past using the tz file, giving much better geo choices…

Then I was on the interface dialog and it recommended I change from a DHCP address. So this time I did. This is the important difference from before, where I kept the system on the DHCP address.

Note that when I changed the IP address, I lost my connection. I have been on devices where when I changed address, I was issued a redirect to the new address before the interface was bounced. Not the case here. You should have a warning here about reconnecting to the new address.

I then went to the install AD dialog. Set up domain dns as home.htt and Netbios as HOMEBASE and IP as on the same network as the static. This time the install worked.

So please update the install instructions page:

http://docs.nethserver.org/en/latest/accounts.html#samba-active-directory-local-provider-installation

to say the importance of changing to a static address if you expect the provider installation to work.

Oh, and I see on the Dashboard, that you are now picking up that I am running on a Cubietruck.

Onward!


(Mark Verlinde) #21

Thank you for your persistence in testing and feedback!

Yes, it prompts whatever is set; during image build it is set to UTC.
I did think of trying to set it at first boot using one of the services out there:
curl https://ipapi.co/timezone && echo " is my timezone"

Always good to have new eyes/thoughts and experiences! But is the yellow warning banner in the web-ui (something like, forgot the actual text) “green interface on dhcp” not good enough?


(Robert Moskowitz) #22

It does not say that some software installation will fail badly. In fact you could go the extra mile and have a flag for some software installs not to install if the IP address is DHCP. I can think of at least one where it shouldn’t matter: SQL. But you can even go the distance that no software can be installed until static is set.

Thing is I can think of installations where DHCP is perfectly valid for the Green network.

You will get people like me that will try and push things because we always have and were there when DHCP was ‘invented’!

Now speaking about pushing things. I set up my AD DNS as home.htt, because I like my AD DNS to be really private, and Microsoft says I can.

Well, I can’t create any groups or users for this DNS. They are all for the server’s domain of htt-consult.com. I spent some time looking at what things I can configure, and I don’t see any way to work with groups or users for the AD domain. Perhaps it is not necessary? This will all be taken care of when a machine joins the domain?

I read through http://docs.nethserver.org/en/latest/accounts.html#samba-active-directory-local-provider-installation
a number of times and other than a tip not to do this, it does not come out and say that things won’t work?


(Mark Verlinde) #23

As said, I do not know the nethserver-dc package very well. Encountered it doing some work on SOGo which binds to AD/LDAP.

Note you are referring to M$ documentation from 2009 applicable to M$ Server 2000-2003. AFAIK these are NT4.0-style PDCs and we are in the era of the new-style Active Directory.

Being Dutch -who are known for direct communication- I can agree documentation can be more compelling on some points. On the other hand: why dictate what you should do? Advising you to choose a direction has its charm. And note with the e-smith configuration layer you can mold nethserver exactly to your liking.


(Davide Principi) #24

I agree with you. Furthermore this issue has been already raised.

We’re probably going to add a validator that forbids AD provisioning if DHCP green exists.


(Robert Moskowitz) #25

I reread all the M$ docs and I will go with something like home.htt-consult.com; after all I would not want Donald upset with me by disobeying his recommendations in RFC 2606! BTW, his old DEC nickname is ‘The Beast’ as supposedly he could really get upset when someone did not do ‘what was obvious’! Lots of interesting people worked at DEC back then and gave us lots of important tech (fortunately not DECNET).

So now another install from start as it warns not to change your AD DNS name.

Perhaps when I am in EU (Prague) in March for IETF 104 and spend the weekends in Amsterdam, we can get together. I have enjoyed my times in the Netherlands. But you have to be fast changing trains in Utrecht. Nothing like that here in the US.


(Markus Neuberger) #26

I updated my raspberry, removed ldap and installed AD, joined a Win 7 Client to the domain, logged in as Nethserver admin and it just worked.
Great work! :clap:

AD computers:

[root@nethpi3 ~]# net ads search -P objectClass=Computer | grep 'cn: ' | cut -f 2 -d ' ' | sort
NETHPI3
NSDC-NETHPI3
VMWIN7

(Mark Verlinde) #27

I prefer to discuss AD issues for arm here :grinning:

This seems to fail:

EDIT:

# net ads info
LDAP server: 10.0.0.103
LDAP server name: nsdc-opi2e.ad.havak.lan
Realm: AD.HAVAK.LAN
Bind Path: dc=AD,dc=HAVAK,dc=LAN
LDAP port: 389
Server time: Fri, 12 Oct 2018 15:24:37 CEST
KDC server: 10.0.0.103
Server time offset: 0
Last machine account password change: Fri, 12 Oct 2018 14:30:11 CEST

# krb5exec klist -s && echo -e "Join is OK\n"
Join is OK

# krb5exec net ads search -k "(&(sAMAccountName=opi2e$)(objectCategory=computer))" name sAMAccountName distinguishedName servicePrincipalName objectSid dNSHostName pwdLastSet lastLogon whenCreated whenChanged accountExpires
Got 1 replies

whenCreated: 20181012123011.0Z
name: OPI2E
objectSid: S-1-5-21-1344550366-2459915244-3584623361-1104
accountExpires: 9223372036854775807
sAMAccountName: OPI2E$
pwdLastSet: 131838210114534150
dNSHostName: opi2e.havak.lan
servicePrincipalName: HOST/OPI2E
servicePrincipalName: HOST/opi2e.havak.lan
whenChanged: 20181012123013.0Z
lastLogon: 131838237341389380
distinguishedName: CN=OPI2E,CN=Computers,DC=ad,DC=havak,DC=lan

Do not know why :thinking:


(Robert Moskowitz) #28

I have a Win7 system ready to test to join and then see if I can access stuff. Just need to know that the basics for the AD are right.

This is still a test setup, the 1TB drive came yesterday for the production system. I am also seriously thinking of doing this on a Cubieboard2 with only 1GB memory (only effective difference for this purpose to the Cubietruck with 2GB).

net ads info

LDAP server: 192.168.129.3
LDAP server name: nsdc-homebase.home.htt-consult.com
Realm: HOME.HTT-CONSULT.COM
Bind Path: dc=HOME,dc=HTT-CONSULT,dc=COM
LDAP port: 389
Server time: Fri, 12 Oct 2018 09:55:23 EDT
KDC server: 192.168.129.3
Server time offset: 0
Last machine account password change: Thu, 11 Oct 2018 13:57:43 EDT

krb5exec klist -s && echo -e "Join is OK\n"

Join is OK

krb5exec net ads search -k "(&(sAMAccountName=homebase$)(objectCategory=computer))" name sAMAccountName distinguishedName servicePrincipalName objectSid dNSHostName pwdLastSet lastLogon whenCreated whenChanged accountExpires

Got 1 replies

whenCreated: 20181011175742.0Z
name: HOMEBASE
objectSid: S-1-5-21-1008287891-906313758-842324507-1104
accountExpires: 9223372036854775807
sAMAccountName: HOMEBASE$
pwdLastSet: 131837542627102600
dNSHostName: homebase.htt-consult.com
servicePrincipalName: HOST/HOMEBASE
servicePrincipalName: HOST/homebase.htt-consult.com
whenChanged: 20181011175748.0Z
lastLogon: 131838259756358170
distinguishedName: CN=HOMEBASE,CN=Computers,DC=home,DC=htt-consult,DC=com
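
The two “net ads search” records above (Mark’s OPI2E and Robert’s HOMEBASE) are the raw material for a post-join health check. The script below is an added example, not code from the thread or from NethServer: it decodes the Windows FILETIME in pwdLastSet and the generalizedTime in whenCreated with plain shell arithmetic, then verifies that the machine password is not older than the 30-day Windows default rotation interval and that the HOST/ service principals match the name and dNSHostName. SAMPLE is constructed from the attribute values posted above; for a live check replace it with the output of the krb5exec net ads search command.

```shell
#!/bin/sh
# Added example, not from the thread: sanity checks on the computer account
# record printed by "krb5exec net ads search -k ...". SAMPLE is constructed
# from the values posted in the thread.

SAMPLE='Got 1 replies

whenCreated: 20181011175742.0Z
name: HOMEBASE
objectSid: S-1-5-21-1008287891-906313758-842324507-1104
accountExpires: 9223372036854775807
sAMAccountName: HOMEBASE$
pwdLastSet: 131837542627102600
dNSHostName: homebase.htt-consult.com
servicePrincipalName: HOST/HOMEBASE
servicePrincipalName: HOST/homebase.htt-consult.com
whenChanged: 20181011175748.0Z
lastLogon: 131838312116955690
distinguishedName: CN=HOMEBASE,CN=Computers,DC=home,DC=htt-consult,DC=com'

# Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix epoch seconds.
filetime_to_epoch() {
    echo $(( ($1 - 116444736000000000) / 10000000 ))
}

# AD generalizedTime (YYYYMMDDhhmmss.0Z) -> Unix epoch seconds using the
# days_from_civil algorithm in shell arithmetic, so no GNU date is needed.
gentime_to_epoch() {
    t=$1
    y=$(printf '%s' "$t" | cut -c1-4)
    mo=$(printf '%s' "$t" | cut -c5-6);   mo=${mo#0}
    d=$(printf '%s' "$t" | cut -c7-8);    d=${d#0}
    h=$(printf '%s' "$t" | cut -c9-10);   h=${h#0}
    mi=$(printf '%s' "$t" | cut -c11-12); mi=${mi#0}
    s=$(printf '%s' "$t" | cut -c13-14);  s=${s#0}
    y=$(( y - (mo <= 2) ))
    era=$(( y / 400 ))
    yoe=$(( y - era * 400 ))
    doy=$(( (153 * (mo > 2 ? mo - 3 : mo + 9) + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    days=$(( era * 146097 + doe - 719468 ))
    echo $(( days * 86400 + h * 3600 + mi * 60 + s ))
}

# First value of attribute $2 in record $1; all_attr prints every value.
attr()     { printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1; }
all_attr() { printf '%s\n' "$1" | sed -n "s/^$2: //p"; }

# check_machine_account RECORD NOW_EPOCH [MAX_AGE_DAYS]
# Prints each finding; returns 0 when the record looks healthy, 1 otherwise.
check_machine_account() {
    rec=$1; now=$2; max_days=${3:-30}; rc=0
    name=$(attr "$rec" name)
    sam=$(attr "$rec" sAMAccountName)
    dns=$(attr "$rec" dNSHostName)
    set_at=$(filetime_to_epoch "$(attr "$rec" pwdLastSet)")
    created=$(gentime_to_epoch "$(attr "$rec" whenCreated)")
    spns=$(all_attr "$rec" servicePrincipalName)

    [ "$sam" = "${name}\$" ] || { echo "sAMAccountName '$sam' != '${name}\$'"; rc=1; }
    # Windows members rotate the machine password every 30 days by default; an
    # old pwdLastSet means the rotation (and possibly the trust) is not working.
    age_days=$(( (now - set_at) / 86400 ))
    [ "$age_days" -le "$max_days" ] || { echo "machine password is $age_days days old"; rc=1; }
    [ "$set_at" -ge "$created" ] || { echo "pwdLastSet precedes whenCreated"; rc=1; }
    for want in "HOST/$name" "HOST/$dns"; do
        printf '%s\n' "$spns" | grep -qxF "$want" || { echo "missing SPN $want"; rc=1; }
    done
    return $rc
}

# Demo: 1539300000 is 2018-10-11 23:20 UTC, a few hours after the join above.
check_machine_account "$SAMPLE" 1539300000 && echo "machine account OK"
```

The decoded pwdLastSet (1539280662, i.e. 2018-10-11 17:57:42 UTC) coincides with whenCreated, which is what a fresh join should look like; on a server that has been up for more than a month, a pwdLastSet still equal to whenCreated is the thing to investigate.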

(Mark Verlinde) #29

Sorry, I do not have a sed for you, but can you edit

/usr/libexec/nethserver/net-ads-info

and look for the line:

exec timeout --signal=HUP --kill-after=4 4 /usr/bin/bash -s <<EOF

and ease the timeout from 4 to let’s say 10

exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF

i.e. change 4 into 10: exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF

This did the trick for me…

EDIT: changed –kill-after too, thanks @mrmarkuz (see below)


(Markus Neuberger) #30

Same here, 10 instead of 4:

exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF


(Markus Neuberger) #31

Just another idea for arm:

Now that we have nethserver-dc (thanks for the great effort!) in arm what about adding Sambastatus: my first module for nethserver ?


(Robert Moskowitz) #32

Here is the SED command:

sed -i -e "s/--kill-after=4 4/--kill-after=4 10/w /dev/stdout" /usr/libexec/nethserver/net-ads-info

And it worked:

Domain htt-consult.com

NetBIOS domain name: HOME
LDAP server: 192.168.129.3
LDAP server name: nsdc-homebase.home.htt-consult.com
Realm: HOME.HTT-CONSULT.COM
Bind Path: dc=HOME,dc=HTT-CONSULT,dc=COM
LDAP port: 389
Server time: Fri, 12 Oct 2018 11:23:41 EDT
KDC server: 192.168.129.3
Server time offset: 0
Last machine account password change: Thu, 11 Oct 2018 13:57:43 EDT

Join is OK

whenCreated: 20181011175742.0Z
name: HOMEBASE
objectSid: S-1-5-21-1008287891-906313758-842324507-1104
accountExpires: 9223372036854775807
sAMAccountName: HOMEBASE$
pwdLastSet: 131837542627102600
dNSHostName: homebase.htt-consult.com
servicePrincipalName: HOST/HOMEBASE
servicePrincipalName: HOST/homebase.htt-consult.com
whenChanged: 20181011175748.0Z
lastLogon: 131838312116955690
distinguishedName: CN=HOMEBASE,CN=Computers,DC=home,DC=htt-consult,DC=com
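
The edits in the last few posts (Mark’s and Markus’s manual change of both numbers, Robert’s sed that rewrites only the positional timeout) can be wrapped in a function that changes both values in one pass, keeps a backup, is safe to run twice, and refuses to touch a file that does not contain the expected line. This is an added example, not code from the thread or from NethServer; it assumes GNU sed, and the sample script it operates on is constructed to stand in for /usr/libexec/nethserver/net-ads-info. Since that file is shipped by a package, re-run the check after updates to see whether the change survived.

```shell
#!/bin/sh
# Added example, not from the thread or from NethServer: raise the timeout in
# /usr/libexec/nethserver/net-ads-info, rewriting both --kill-after and the
# positional timeout. Assumes GNU sed; the sample script below is constructed.

TIMEOUT_RE='exec timeout --signal=HUP --kill-after=[0-9]+ [0-9]+ /usr/bin/bash -s <<EOF'

# Print "KILL_AFTER TIMEOUT" as currently set in FILE (empty when absent).
net_ads_timeout_values() {
    sed -n -E 's|.*--kill-after=([0-9]+) ([0-9]+) /usr/bin/bash -s <<EOF.*|\1 \2|p' "$1"
}

# relax_net_ads_timeout FILE SECONDS: set both values to SECONDS and print
# the resulting pair. Returns 1 without modifying anything if the expected
# line is missing. The .orig backup is written only once, so a second run
# does not overwrite it with an already-modified copy.
relax_net_ads_timeout() {
    f=$1; secs=$2
    grep -qE "$TIMEOUT_RE" "$f" || { echo "$f: expected timeout line not found" >&2; return 1; }
    [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
    sed -i -E "s|(exec timeout --signal=HUP --kill-after=)[0-9]+ [0-9]+( /usr/bin/bash -s <<EOF)|\1${secs} ${secs}\2|" "$f"
    net_ads_timeout_values "$f"
}

# Demo against a constructed stand-in for the real script.
demo_file=$(mktemp)
cat > "$demo_file" <<'SCRIPT'
#!/bin/bash
# constructed stand-in for /usr/libexec/nethserver/net-ads-info
exec timeout --signal=HUP --kill-after=4 4 /usr/bin/bash -s <<EOF
net ads info
EOF
SCRIPT
echo "before: $(net_ads_timeout_values "$demo_file")"
relax_net_ads_timeout "$demo_file" 10 >/dev/null && echo "after:  $(net_ads_timeout_values "$demo_file")"
```

Both numbers matter for different reasons: the positional value is how long net ads info may take before timeout sends SIGHUP, and --kill-after is the grace period before SIGKILL follows; raising only the first keeps a 4-second grace period, which is what Robert’s sed does, while Mark’s final line raises both.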


(Mark Verlinde) #33

BTW you can also join Linux machines to the AD domain and enjoy the benefits of single sign-on;
See the great work @fausp did on this: