Why Shorewall block AD?

Hi;

I did’nt change (tweak/hack) nothing, yet,
simply install services and configured them

• Nethserver 7.7 with AD and one NIC card which is configured as bridge under GREEN zone.
  nethserver is 192.168.100.254
  the AD as been deployed on 192.168.100.254

it’s probably of the bridge, but I expect this working since I create it through cockpit

When I try to create a user it fail
the old interface tell me

ads_connect: No logon servers are currently available to service the logon request.
Didn't find the ldap server!
kinit: Cannot contact any KDC for realm 'AD.DOMAIN.TLD' while getting initial credentials

While Shorewall log
Shorewall:fw2lan:REJECT:IN= OUT=br0 SRC=192.168.100.254 DST=192.168.100.253 LEN=65 TOS=0x00 PREC=0x00 TTL=64 ID=54831 DF PROTO=UDP SPT=6813 DPT=53 LEN=45

|PRIORITY|6|
| --- | --- |
|SYSLOG_FACILITY|0|
|SYSLOG_IDENTIFIER|kernel|
|_BOOT_ID|6f5e4cf7072d4a39a2d7603a1b6aaddf|
|_HOSTNAME|neth.domain.tld|
|_MACHINE_ID|8c7442d2f7fa43488eb62450386db8de|
|_SOURCE_MONOTONIC_TIMESTAMP|63219817694|
|_TRANSPORT|kernel|
|__CURSOR|s=0b24e0c139db47adab6d639b1e08e6c0;i=8b74;b=6f5e4cf7072d4a39a2d7603a1b6aaddf;m=eb84ae4ab;t=59c4cb9fc8ada;x=3ad8524fdaa30e0b|
|__MONOTONIC_TIMESTAMP|63221458091|
|__REALTIME_TIMESTAMP|1579228235336410|

But then when I scan from my laptop the port are open

Discovered open port 135/tcp on 192.168.100.253
Discovered open port 53/tcp on 192.168.100.253
Discovered open port 445/tcp on 192.168.100.253
Discovered open port 139/tcp on 192.168.100.253
Discovered open port 88/tcp on 192.168.100.253
Discovered open port 49154/tcp on 192.168.100.253
Discovered open port 389/tcp on 192.168.100.253
Discovered open port 636/tcp on 192.168.100.253
Discovered open port 3268/tcp on 192.168.100.253
Discovered open port 49153/tcp on 192.168.100.253
Discovered open port 49152/tcp on 192.168.100.253
Discovered open port 3269/tcp on 192.168.100.253
Discovered open port 464/tcp on 192.168.100.253

so I’m confuse now
Why shorewall block it

NSDC AND NethServer are using the same IPv4 Address?
Did I understood correctly? If it’s the case, that’s… not right.

https://docs.nethserver.org/en/v7/accounts.html#samba-active-directory-local-provider-installation

Hi

NethServer and AD do not use the same IP, but the same Interface. The Interface is bridged for the Linux Container running in NethServer which provides the AD capability. (Sounds complicated, but usually just works…).
Personally, I have the NethServer of my clients on IP .20, and the AD on .11.
I also specify the AD as WINS, and make the Entry in DHCP, so that is propagated to clients…

This may be a bug in the new interface.
-> Needed entries for Shorewall are not being made.

Try deleting your AD, and re-creating it from the old Interface ( Port :980 ).
Report if that helps, so the bug can be weeded out…

My 2 cents
Andy

Nope;
AD = 192.168.100.253
Nethserver = 192.168.100.254

but yes as @Andy_Wismer they use the same physical interface which configured as a bridge because I plan to use Nethserver as a KVM Host.

Sorry

1. I don’t like the idea of deleting AD
2. I don’t really understand how to do that without reinstalling.

if I restart SSSD I have the service keep running but I have this error in /var/log/sssd/sssd_DOMAIN.TLD.log

(Fri Jan 17 16:45:51 2020) [sssd[be[DOMAIN.TLD]]] [orderly_shutdown] (0x0010): SIGTERM: killing children

@JOduMonT

As I understand, this is a new server, so there are probably few or no entries in that AD.
It isn’t even working properly. What can you lose?
No reinstalls needed, no CLI needed, all via Web…

Just for your Info:

• Use the old Interface and make a Config-Save (See Backup in the old Interface) BEFORE deleting your AD.
• Delete the AD (also old Interface)
• Reboot, and restore that saved config (You can specify which backup you want to restore).

NethServer will rebuild exactly that AD, but set the correct settings so everything works, including Shorewall. NethServer generally restores WITH all modules, they’re downloaded if needed.

I’ve had to do this before, a samba update a while back screwed my AD. I repaired by using the above procedure. It also worked on a few client installation inflicted by the update…

NethServer is very resilent, I assume you may have found a bug in the new Interface, but the old one works as far as the mentionned issues are concerned… (Shorewall et Al.)

My 2 cents
Andy

I’m rusty didn’t use CentOS/Nethserver for 2years

via CLI: I remove nethserver-samba, reboot than reinstall nethserver-samba without success
via OldInterface: I remove file-server, reboot than reinstall file-server without success

but as good habit transcend distribution I did snapshot

after the restoration now I understand what you means by uninstall the AD, the button wasn’t there before

image523×585 32.9 KB

but anyway now everything is kaput.
I don’t know
I’ll just reinstall
10-4 Rodger

@JOduMonT
@dev_team

Hi

Did you manually reinstall nethserver-samba / file-server or did you - as suggested - Restore your settings?

Most likely you found a bug in the new Interface - please report that to the Bugtracker. I’m just not sure personally, what the right link is, but someone on the Dev-Team should be able to give you the right pointers…

Andy

At first I installed everything blindly via the Cockpit
without paying attention of when I do update, reboot, bridge and/or samba-ad

I gave me 3 try to resolve the issue

1. via the CLI: yum remove nethserver-samba, than reboot than reinstall the package via the commandline

the second 2 shoots, I followed your advise to use the old interface (anyway I can’t figure how to uninstall via cockpit)

2. after restoring and rebooting, remove file-server than reboot than reinstall
3. after restoring and rebooting, restored my FreshInstall snapshot but choose the option to reinstall every package

So I reinstall NethServer and take a more methodical approach
do snapshot and reboot after

1. creating the bridge
2. doing update
3. installing samba-ad which works

So maybe something has being corrupted by doing update bridging and install package or maybe samba-ad as being interrupted because of another plugin.

As I said, I’m looking more carefully at the logs while I install it and do snapshot, hopefully I’ll be able to point it out.

@JOduMonT

If it works, by all means take the easiest route.
If it doesn’t, do step by step, if running in a virtual environment, make snapshots.

It’s like insurance. Better to never to have to claim insurance for whatever.
If you DO need it, it’s always better knowing, it been dealt with, and paid for…

Snapshots save you from starting from scratch.

My 2 cents
Andy

After reinstalling almost everything

the diff of the old machine which didn’t work and the new one

1. I used the old interface to configure almost everything except the backup part because I backup to Backblaze, but I’m not ready to blame cockpit or the nethserver dev to team for this.

2. Another different was /tmp was on a different partition of 1GB but the default permission

3. packages/software/modules I didn’t reinstall
   3.1 mattermost
   3.2 squid (proxy and filter)
   3.3 report (network-dante)
   3.4 freepbx
   3.5 snmp
   3.6 ipsec

And…
does it work now?
AD and all else needed?

• nextcloud I see “ldap user”
• share drive respect my users right
• domain accounts give me info
  

So I’d would say yes it’s work

Good luck with your further progress…

@Andy_Wismer thank for cheering me up on this

You’re welcome!

I like helping people with Open Source stuff, that’s part of the community idea!

I just figure, I was based in Switzerland before but on the french part

If you’re in Thailand, you’ve got beautiful nature down there. True, B’kok is a sprawling metrapolis, but nature isn’t far. I am swiss, but was living in Malaysia the first ten years of my life and been a few times since then to visit.
I’m now in central Switzerland (Just outside of Zug), here’s my view:

20200116_170144.jpg5208×1336 2.08 MB

The two mountains in the middle background are Rigi and Pilatus, both popular tourist destinations.

Regards
Andy