Unexpected upgrade to 7.5.1804 beta

domain
v75

(Enrique D) #1

Greetings.
I’m learning to set up & manage nethserver for a PDC & file server.

My brain is storming trying to write a mix of issues and questions, please bear with me.

I set up a proxmox server to install a VM for nethserver.

Questions:

  • Is it possible to remain in the “stable” branch and not enter beta releases, and where can I set this option?
  • Can I set some default mirror and block some that I see are problematic on my side?
  • Is it possible to establish the bandwidth usage to get updates? My connection speed is not stellar, and when I try to update, some services that depend on this connection are DOSed.
  • Is it possible to disable the creation of “user home” folders, so they can only see the file shares on the NS server? I try to avoid some “hidden content” that consumes the disk space on the NS server. (Or maybe set up a zero quota on the home folders?) I see that each time a new user logs in to see the file shares, a “home user folder” is created, for example: userx@avion.lan.
  • If I plan to use nextcloud, is the home folder needed? (hope not)

Of my recent and shiny nethserver setup:
I managed to set up my users and groups (almost with the same password as my current PDC). Actually the PDC uses the domain “avion.local”; in nethserver, to avoid conflicts, I use “avion.lan” on the same network segment (192.168.16.1/21). I can confirm that users with the same password are validated and can use the ERP (I’m very happy with that) that needs account validation, and even access shared files on the old server; and users from my old server can access files on the new NS server.

Issues:

  • After an unexpected upgrade to beta (it was not my intention) I see this warning banner on https://192.168.16.3:980/en-US/Account :
    AccountProvider_Error_82
    And I can’t see any user & group added previously.

After the upgrade+reboot, we got an internet outage for almost 1 hour; then I saw an incorrect time on the “DateTime” module; then I changed to a local NTP server (a debian server that I use to time sync all my internal servers, the windows one too). I think it was related to the error message, but maybe not, because I rebooted the VM NS server and the warning-error remains (the time is corrected).

I don’t know what to do to fix that error, and maybe this error is related to beta.

Searching, I found where Davide Principi asks for the content of my /etc/krb5.conf file; maybe it helps if I put the content here too:

# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/

includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

 default_realm = AVION.LAN
[realms]
 AVION.LAN = {
 }

[domain_realm]
 avion.lan = AVION.LAN
 .avion.lan = AVION.LAN

Regards, I appreciate the help.

update #1: I can see the users/groups using the windows tools:
image


(Markus Neuberger) #2

Hi Enrique,

It’s possible and it’s a new feature:

If you mean repos, yes, that’s possible at least with the “enabled” param in the .repo file.

This should be possible:

http://docs.nethserver.org/en/v7/firewall.html#traffic-shaping

What about hiding the home share?

mkdir -p /etc/e-smith/templates-custom/etc/samba/smb.conf
echo "browseable=no" > /etc/e-smith/templates-custom/etc/samba/smb.conf/91hidehome
signal-event nethserver-samba-save

http://samba.2283325.n4.nabble.com/Possible-to-hide-homes-td2407634.html

http://docs.nethserver.org/projects/nethserver-devel/en/v7/templates.html

No, Nextcloud has its own folders in /var/lib/nethserver/nextcloud/

Are there errors in /var/log/messages?

Please post the output of the following commands:

config show sssd
config show nsdc
account-provider-test dump
/usr/libexec/nethserver/list-users >/dev/null; echo $?
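
A check for the hide-home fragment in the reply above, as an added example that is not part of the original post: a bare `browseable=no` line applies to whichever section header precedes it in the expanded smb.conf, so it is worth confirming that it ended up under `[homes]`. The two sample files are constructed (not NethServer's real smb.conf), and `smb_param` and `write_samples` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report the value a parameter ends up with inside one
# section of an smb.conf-style file.

# smb_param FILE SECTION PARAM -> prints the last value set for PARAM in
# SECTION, or "unset" when that section never sets it.
smb_param() {
  awk -v want="$2" -v key="$3" '
    # Samba ignores case and whitespace in section and parameter names.
    function norm(s) { gsub(/[ \t]/, "", s); return tolower(s) }
    BEGIN { want = norm(want); key = norm(key); val = "unset" }
    /^[ \t]*([#;]|$)/ { next }              # comments and blank lines
    /^[ \t]*\[/ {                           # section header
      s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
      sec = norm(s); next
    }
    {
      eq = index($0, "=")                   # only the first "=" matters
      if (eq == 0 || sec != want) next
      name = norm(substr($0, 1, eq - 1))
      if (name == "browsable") name = "browseable"   # Samba synonym
      if (name == key) {                    # later lines override earlier
        val = substr($0, eq + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", val)
      }
    }
    END { print val }
  ' "$1"
}

# Constructed inputs: the same trailing fragment line, landing under
# [homes] in one file and under another share in the other.
write_samples() {
  printf '%s\n' '[global]' 'workgroup = AVION' '[homes]' \
    'browseable = yes' 'browseable=no' > "$1/ends_in_homes.conf"
  printf '%s\n' '[homes]' 'Browse Able = yes' '[shared]' \
    'path = /srv/shared' 'browseable=no' > "$1/ends_in_shared.conf"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for f in "$tmp"/*.conf; do
  echo "$f: [homes] browseable = $(smb_param "$f" homes browseable)"
done
rm -rf "$tmp"
```

On the server, point `smb_param` at /etc/samba/smb.conf after running `signal-event nethserver-samba-save`.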

(Enrique D) #3

Thank you Markus!

This morning, I can see the content in the Account tab (I didn’t do anything):
image image

/var/log/messages shows these errors:

(before upgrade)
May 20 12:49:20 ads sssd: ; TSIG error with server: tsig verify failure
May 20 12:49:21 (repeated 3 more times)
May 20 12:49:21 ads sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
May 20 12:49:21 (repeated 2 more times).

May 21 12:49:20 ads sssd: ; TSIG error with server: tsig verify failure
May 21 12:49:21 (again)

(after upgrade)
May 22 16:52:19 ads sssd: ; TSIG error with server: tsig verify failure
May 22 16:52:19 (3 more times)

May 22 21:10:33 ads sssd: ; TSIG error with server: tsig verify failure
May 22 21:10:33 (3 more times)

May 22 16:20:11 ads sssd: ; TSIG error with server: tsig verify failure
May 22 16:20:11 (3 more)
May 22 16:20:11 ads sssd: tkey query failed: GSSAPI error: Major = Unspecified GSS failure. Minor code may provide more information, Minor = Server not found in Kerberos database.
May 22 16:20:11 (2 more times).

But today, May 23, those errors don’t show again.

And this is the output for :

config show sssd
sssd=service
AdDns=192.168.16.4
BindDN=ldapservice@AVION.LAN
BindPassword=****************
LdapURI=
Provider=ad
Realm=AVION.LAN
Workgroup=AVION
status=enabled
.
config show nsdc
nsdc=service
IpAddress=192.168.16.4
ProvisionType=newdomain
bridge=br0
status=enabled
.
account-provider-test dump
{
"BindDN" : "ldapservice@AVION.LAN",
"LdapURI" : "ldaps://avion.lan",
"StartTls" : "",
"port" : 636,
"host" : "avion.lan",
"isAD" : "1",
"isLdap" : "",
"UserDN" : "dc=avion,dc=lan",
"GroupDN" : "dc=avion,dc=lan",
"BindPassword" : "****************",
"BaseDN" : "dc=avion,dc=lan",
"LdapUriDn" : "ldap:///dc%3Davion%2Cdc%3Dlan"
}
.
/usr/libexec/nethserver/list-users >/dev/null; echo $?
0

Maybe I’m wrong but I believe that CentOS mirrors and repos were the same, need to correct my terminology (I came from a Debian world and got confused in the Red Hat world) :blush:

The errors that I got when trying to update before are:

http:/ /mirror.compevo.com/centos/7.5.1804/updates/x86_64/Packages/kernel-tools-libs-3.10.0-862.2.3.el7.x86_64.rpm: [Errno 14] curl#18 - "transfer closed with 6446085 bytes remaining to read"
Trying other mirror.

Error downloading packages:
kernel-tools-libs-3.10.0-862.2.3.el7.x86_64: [Errno 256] No more mirrors to try.
.

Then I tried again several times (using some tips to avoid redownloading everything again), but no luck; I needed to change to another internet connection, more stable but slow, and I finally got the updates.

Thank you again, I’ll follow your advice to hide the home folders (and try to revert it just in case).


(Enrique D) #4

First some comments of pure joy!
I’m still testing the user migration. Right now from w7 to w10, all can connect and validate on the new AD on NS. I need to check if wXP can be migrated (I can’t remember if I still have one or two XP desktops).

BTW. I see that my very old win2000 can’t access any shared folder on my shiny NS. Not a problem really, just that I need to copy some files from the old one to NS; but using a win8.1 to pivot the copy process.

I’m discovering the samba-audit is really informative.
Question #1: I wonder if the size of the samba-audit logs will grow huge or if it has an auto-purge?

Question #2: As you know, my NS is currently on beta. If I follow the post above to opt out of beta updates, when the stable version arrives, will my NS be upgraded correctly?

Regards NS Team (I don’t forget you Samba/CentOS/RedHat Team) :heart_eyes::heart_eyes::heart_eyes:

/edit1: What about hiding the home share? It works! @mrmarkuz , thank you.


(Markus Neuberger) #5

The samba audit logs in a database. I found log entries from 2017 so I don’t think there’s an autopurge. You may delete the logs from web UI.

http://docs.nethserver.org/projects/nethserver-devel/en/v7/samba_audit.html
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-base.html#log-retention-and-rotation

I assume it will. At least there will be documentation how to update correctly.

I have to mention that XP is not supported anymore and is a security risk.
Here is some info on XP:

Glad it works.


(Enrique D) #6

Aha! that’s why my w2000 can’t access the shared folders too.
I gladly can use Linux to replace those XP desktops (I did it twice some months ago); the old remaining XP don’t have internet access anymore; but yes they are a huge risk.