Setting up a PDC on armhfp

arm

(Mark Verlinde) #21

Thank you for your persistence in testing and feedback!

Yes, it prompts whatever is set; during image build it is set to UTC.
I did tinker with trying to set it at first boot using one of the services out there:
curl https://ipapi.co/timezone && echo " is my timezone"

Always good to have new eyes/thoughts and experiences! But is the yellow warning banner in the web-ui (something like, forgot the actual text) “green interface on dhcp” not good enough?


(Robert Moskowitz) #22

It does not say that some software installation will fail badly. In fact you could go the extra mile and have a flag for some software installs not to install if the IP address is DHCP. I can think of at least one where it shouldn’t matter: SQL. But you can even go the distance that no software can be installed until static is set.

Thing is I can think of installations where DHCP is perfectly valid for the Green network.

You will get people like me that will try and push things because we always have and were there when DHCP was ‘invented’!

Now speaking about pushing things. I set up my AD DNS as home.htt, because I like my AD DNS to be really private, and Microsoft says I can.

Well, I can’t create any groups or users for this DNS. They are all for the server’s domain of htt-consult.com. I spent some time looking at what things I can configure, and I don’t see any way to work with groups or users for the AD domain. Perhaps it is not necessary? This will all be taken care of when a machine joins the domain?

I read through http://docs.nethserver.org/en/latest/accounts.html#samba-active-directory-local-provider-installation
a number of times and other than a tip not to do this, it does not come out and say that things won’t work?


(Mark Verlinde) #23

As said, I do know the nethserver-dc package very well. Encountered it doing some work on SOGo which binds to AD/LDAP.

Note you are referring to M$ documentation from 2009 applicable to M$ Server 2000-2003. AFAIK these are NT4.0-style PDCs and we are in the era of the new-style Active Directory.

Being Dutch, who are known for direct communication, I can agree documentation can be more compelling on some points. On the other hand: why dictate what you should do? Advising you to choose a direction has its charm. And note with the e-smith configuration layer you can mold NethServer exactly to your liking.


(Davide Principi) #24

I agree with you. Furthermore this issue has been already raised.

We’re probably going to add a validator that forbids AD provisioning if DHCP green exists.


(Robert Moskowitz) #25

I reread all the M$ docs and I will go with something like home.htt-consult.com; after all, I would not want Donald upset with me by disobeying his recommendations in RFC 2606! BTW, his old DEC nickname is ‘The Beast’ as supposedly he could really get upset when someone did not do ‘what was obvious’! Lots of interesting people worked at DEC back then and gave us lots of important tech (fortunately not DECNET).

So now another install from start as it warns not to change your AD DNS name.

Perhaps when I am in EU (Prague) in March for IETF 104 and spend the weekends in Amsterdam, we can get together. I have enjoyed my times in the Netherlands. But you have to be fast changing trains in Utrecht. Nothing like that here in the US.


(Markus Neuberger) #26

I updated my raspberry, removed ldap and installed AD, joined a Win 7 Client to the domain, logged in as Nethserver admin and it just worked.
Great work! :clap:

AD computers:

[root@nethpi3 ~]# net ads search -P objectClass=Computer | grep 'cn: ' | cut -f 2 -d ' ' | sort
NETHPI3
NSDC-NETHPI3
VMWIN7

(Mark Verlinde) #27

I prefer to discuss AD issues for arm here :grinning:

This seems to fail:

EDIT:

# net ads info
LDAP server: 10.0.0.103
LDAP server name: nsdc-opi2e.ad.havak.lan
Realm: AD.HAVAK.LAN
Bind Path: dc=AD,dc=HAVAK,dc=LAN
LDAP port: 389
Server time: Fri, 12 Oct 2018 15:24:37 CEST
KDC server: 10.0.0.103
Server time offset: 0
Last machine account password change: Fri, 12 Oct 2018 14:30:11 CEST

# krb5exec klist -s && echo -e "Join is OK\n"
Join is OK

# krb5exec net ads search -k "(&(sAMAccountName=opi2e$)(objectCategory=computer))" name sAMAccountName distinguishedName servicePrincipalName objectSid dNSHostName pwdLastSet lastLogon whenCreated whenChanged accountExpires
Got 1 replies

whenCreated: 20181012123011.0Z
name: OPI2E
objectSid: S-1-5-21-1344550366-2459915244-3584623361-1104
accountExpires: 9223372036854775807
sAMAccountName: OPI2E$
pwdLastSet: 131838210114534150
dNSHostName: opi2e.havak.lan
servicePrincipalName: HOST/OPI2E
servicePrincipalName: HOST/opi2e.havak.lan
whenChanged: 20181012123013.0Z
lastLogon: 131838237341389380
distinguishedName: CN=OPI2E,CN=Computers,DC=ad,DC=havak,DC=lan

Do not know why :thinking:


(Robert Moskowitz) #28

I have a Win7 system ready to test to join and then see if I can access stuff. Just need to know that the basics for the AD are right.

This is still a test setup, the 1TB drive came yesterday for the production system. I am also seriously thinking of doing this on a Cubieboard2 with only 1GB memory (only effective difference for this purpose to the Cubietruck with 2GB).

net ads info

LDAP server: 192.168.129.3
LDAP server name: nsdc-homebase.home.htt-consult.com
Realm: HOME.HTT-CONSULT.COM
Bind Path: dc=HOME,dc=HTT-CONSULT,dc=COM
LDAP port: 389
Server time: Fri, 12 Oct 2018 09:55:23 EDT
KDC server: 192.168.129.3
Server time offset: 0
Last machine account password change: Thu, 11 Oct 2018 13:57:43 EDT

krb5exec klist -s && echo -e "Join is OK\n"

Join is OK

krb5exec net ads search -k "(&(sAMAccountName=homebase$)(objectCategory=computer))" name sAMAccountName distinguishedName servicePrincipalName objectSid dNSHostName pwdLastSet lastLogon whenCreated whenChanged accountExpires

Got 1 replies

whenCreated: 20181011175742.0Z
name: HOMEBASE
objectSid: S-1-5-21-1008287891-906313758-842324507-1104
accountExpires: 9223372036854775807
sAMAccountName: HOMEBASE$
pwdLastSet: 131837542627102600
dNSHostName: homebase.htt-consult.com
servicePrincipalName: HOST/HOMEBASE
servicePrincipalName: HOST/homebase.htt-consult.com
whenChanged: 20181011175748.0Z
lastLogon: 131838259756358170
distinguishedName: CN=HOMEBASE,CN=Computers,DC=home,DC=htt-consult,DC=com
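
The two `net ads search -k` listings above (OPI2E and HOMEBASE) print the machine account's timestamps raw: `pwdLastSet` and `lastLogon` are Windows FILETIME values (100 ns ticks since 1601-01-01 UTC), `whenCreated` is LDAP generalizedTime, and `accountExpires: 9223372036854775807` is AD's encoding of "never". The following is an added example, not NethServer's own tooling, that turns those attributes into the checks a practitioner wants after a join: is the machine password the one set at join time (it should equal `whenCreated` to the second), how old is it, and does the account expire. It assumes GNU coreutils (`date -d`) and a shell with 64-bit integer arithmetic; the sample input is the OPI2E attribute block copied from the post, and the 30-day freshness bound is an assumption taken from Windows' default machine-password rotation interval.

```shell
#!/bin/sh
# Added example, not NethServer's own tooling: post-process the attribute
# lines that "net ads search -k ..." printed and sanity-check the machine
# account. Assumes GNU coreutils (date -d) and a shell with 64-bit integer
# arithmetic (bash or dash on 64-bit Linux).

# Constructed input: the OPI2E attribute lines copied from the post.
SAMPLE='name: OPI2E
sAMAccountName: OPI2E$
accountExpires: 9223372036854775807
pwdLastSet: 131838210114534150
lastLogon: 131838237341389380
whenCreated: 20181012123011.0Z
whenChanged: 20181012123013.0Z
dNSHostName: opi2e.havak.lan'

# Pull one attribute value ($1) out of the search output text ($2).
attr() { printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'; }

# Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> Unix epoch seconds.
# 116444736000000000 ticks separate the 1601 and 1970 epochs.
filetime_to_epoch() { echo $(( ($1 - 116444736000000000) / 10000000 )); }

# LDAP generalizedTime "YYYYMMDDhhmmss.0Z" -> Unix epoch seconds (UTC).
gentime_to_epoch() {
    date -u -d "$(printf '%s' "$1" |
        sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2}).*/\1-\2-\3 \4:\5:\6/')" +%s
}

# AD stores "never expires" as 0 or 2^63-1 in accountExpires.
never_expires() {
    v=$(attr accountExpires "$1")
    [ "$v" = 0 ] || [ "$v" = 9223372036854775807 ]
}

# On a freshly joined machine pwdLastSet and whenCreated are written by the
# same join, so they agree to the second; a mismatch means the machine
# password was rotated (or the clock was off) after the join.
pwd_matches_creation() {
    [ "$(filetime_to_epoch "$(attr pwdLastSet "$1")")" -eq \
      "$(gentime_to_epoch "$(attr whenCreated "$1")")" ]
}

# True when the machine password is younger than $2 days. $3 overrides
# "now" (epoch seconds) for reproducible runs. Assumption: 30 days, the
# Windows default machine-password rotation interval, is a sane bound.
pwd_is_fresh() {
    pwd_epoch=$(filetime_to_epoch "$(attr pwdLastSet "$1")")
    now=${3:-$(date +%s)}
    [ $(( now - pwd_epoch )) -lt $(( $2 * 86400 )) ]
}

# Human-readable summary, the check to run right after "net ads info".
report() {
    for a in pwdLastSet lastLogon; do
        printf '%-12s %s\n' "$a" \
            "$(date -u -d "@$(filetime_to_epoch "$(attr "$a" "$1")")" '+%F %T UTC')"
    done
    never_expires "$1"        && echo "accountExpires: never"
    pwd_matches_creation "$1" && echo "pwdLastSet equals whenCreated: password set at join"
    pwd_is_fresh "$1" 30      && echo "machine password is younger than 30 days" \
                              || echo "machine password is older than 30 days: check rotation"
}

report "$SAMPLE"
```

For the OPI2E account `pwdLastSet` decodes to 2018-10-12 12:30:11 UTC, which is exactly the `whenCreated` value and, shifted to CEST, the "Last machine account password change: Fri, 12 Oct 2018 14:30:11 CEST" line that `net ads info` printed in the same post, so the three views of the join agree.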

(Mark Verlinde) #29

Sorry do not have a sed for you, but can you edit

/usr/libexec/nethserver/net-ads-info

and look for the line:

exec timeout --signal=HUP --kill-after=4 4 /usr/bin/bash -s <<EOF

and ease the timeout from 4 to let’s say 10

exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF

i.e. change 4 into 10: exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF

This did the trick for me…

EDIT: changed --kill-after too, thanks @mrmarkuz (see below)


(Markus Neuberger) #30

Same here, 10 instead of 4:

exec timeout --signal=HUP --kill-after=10 10 /usr/bin/bash -s <<EOF


(Markus Neuberger) #31

Just another idea for arm:

Now that we have nethserver-dc (thanks for the great effort!) in arm what about adding Sambastatus: my first module for nethserver ?


(Robert Moskowitz) #32

Here is the SED command:

sed -i -e "s/--kill-after=4 4/--kill-after=4 10/w /dev/stdout" /usr/libexec/nethserver/net-ads-info

And it worked:

Domain htt-consult.com

NetBIOS domain name: HOME
LDAP server: 192.168.129.3
LDAP server name: nsdc-homebase.home.htt-consult.com
Realm: HOME.HTT-CONSULT.COM
Bind Path: dc=HOME,dc=HTT-CONSULT,dc=COM
LDAP port: 389
Server time: Fri, 12 Oct 2018 11:23:41 EDT
KDC server: 192.168.129.3
Server time offset: 0
Last machine account password change: Thu, 11 Oct 2018 13:57:43 EDT

Join is OK

whenCreated: 20181011175742.0Z
name: HOMEBASE
objectSid: S-1-5-21-1008287891-906313758-842324507-1104
accountExpires: 9223372036854775807
sAMAccountName: HOMEBASE$
pwdLastSet: 131837542627102600
dNSHostName: homebase.htt-consult.com
servicePrincipalName: HOST/HOMEBASE
servicePrincipalName: HOST/homebase.htt-consult.com
whenChanged: 20181011175748.0Z
lastLogon: 131838312116955690
distinguishedName: CN=HOMEBASE,CN=Computers,DC=home,DC=htt-consult,DC=com

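
The posts from #29 on fix `net ads info` on a slow board by raising the `timeout --signal=HUP --kill-after=4 4` numbers in /usr/libexec/nethserver/net-ads-info. What makes this hard to diagnose is that a helper killed by its own deadline produces no error text, only an exit status of 124 (or 137 if SIGHUP was ignored and the `--kill-after` SIGKILL had to be used), so it "seems to fail" as in post #27. The following is an added example, not the NethServer script, that reproduces the wrapper on constructed commands, maps the exit codes to what happened, and also raises both numbers of the exec line (the sed in post #32 changes only the second one; the first `--kill-after=` value is the grace between SIGHUP and SIGKILL, which on a slow board is worth raising too). It assumes GNU coreutils `timeout` and GNU `sed`; the commands it runs under the deadline (`sleep 3`, a snippet that ignores SIGHUP, `true`) are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the NethServer net-ads-info script itself: reproduce
# what its "timeout --signal=HUP --kill-after=N N" wrapper does to a slow
# command, so a helper that silently vanishes on a slow board (status 124)
# can be told apart from a join that really failed. Assumes GNU coreutils
# timeout and sed.

# Run a snippet the way the helper runs its body: a shell reading a heredoc
# under a deadline. $1 = seconds until SIGHUP, $2 = grace seconds until
# SIGKILL, $3 = the snippet.
run_with_deadline() {
    timeout --signal=HUP --kill-after="$2" "$1" sh -s <<EOF
$3
EOF
}

# Same, but print the exit status instead of propagating it (so it can be
# captured under set -e).
deadline_status() {
    st=0
    run_with_deadline "$@" || st=$?
    echo "$st"
}

# timeout(1) exit codes: 124 = the deadline hit and SIGHUP ended the command,
# 137 = SIGHUP was ignored and the --kill-after SIGKILL had to be used,
# anything else = the command's own status.
explain_status() {
    case "$1" in
        0)   echo "finished in time" ;;
        124) echo "killed by the deadline (SIGHUP): raise the timeout, not a join problem" ;;
        137) echo "ignored SIGHUP, killed by SIGKILL after the grace period" ;;
        *)   echo "command itself failed with status $1" ;;
    esac
}

# Raise both numbers on the helper's exec line read from stdin. The sed in
# post #32 changed only the second one; the --kill-after value is the wait
# after SIGHUP before SIGKILL, so raise it as well.
# On the real file: sed -i -E '<same expression>' /usr/libexec/nethserver/net-ads-info
bump_deadline() {
    sed -E "s/(--kill-after=)[0-9]+ [0-9]+ /\1$1 $1 /"
}

# Demo on constructed snippets: a 3 s sleep under a 1 s deadline, a snippet
# that ignores SIGHUP (needs the SIGKILL fallback), and one that finishes.
for snippet in 'sleep 3' "trap '' HUP; sleep 5" 'true'; do
    st=$(deadline_status 1 1 "$snippet")
    printf '%-22s -> %s: %s\n' "$snippet" "$st" "$(explain_status "$st")"
done
printf 'exec timeout --signal=HUP --kill-after=4 4 /usr/bin/bash -s <<EOF\n' | bump_deadline 10
```

If `net ads info` on the board returns 124 from the wrapped helper, the LDAP and Kerberos side is fine and only the deadline is too tight; a non-124 failure status is the one worth chasing in the `net ads` output itself.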

(Mark Verlinde) #33

BTW you can also join Linux machines to the AD domain and enjoy the benefits of single sign-on;
See the great work @fausp did on this: