Did you ever try NethServer ?
-
@alefattorini I tried NethServer, it seems really nice, very polished. I liked OpenVPN part a lot, though I would like to see self-service portal for end users, where they could download ovpn file (or have I missed it?)
I had one problem, not sure if I'm to blame. I wanted to set up server as AD DC, and things went really bad. Installation was stuck in the middle, and I could not stop it or do anything with it. I didn't have time to investigate what happened, but I plan to do it later. -
@triple9 I gave setting up an AD DC on NethServer a shot tonight myself. Had some issues right off the bat. From the documentation page:
Samba machine needs an IP address in a green network, different from the machine one. It also requires a bridge on the green interface. If needed, this bridge is created automatically.
I could do one manually on CentOS with less hassle than this
-
@travisdh1 I can't get your point, you're able to set up a Samba4 DC on CentOS, managed by web interface with one click?
@triple9 did you check your connectivity? Check the log to look up some errors
-
@alefattorini the problems started when I tried to add bridge. Server lost connectivity, and I had to remove bridge manually to get it back online. I'll try with fresh install and see if it happens again.
-
@alefattorini what's more funny, I could update system, and perform other tasks. But AD DC installation was stuck at nearly 50% and would not move from that point
-
@alefattorini said in Did you ever try NethServer ?:
@travisdh1 I can't get your point, you're able to set up a Samba4 DC on CentOS, managed by web interface with one click?
I've not had luck getting that working on NethServer either. I ran into the bridge problem, now into this one:
What's the reason for the green interface requirement? This seems like an unnecessary complication, there should never be any interface except the green interface on a server. What assumption is being made here?
-
@triple9 said in Did you ever try NethServer ?:
where they could download ovpn file (or have I missed it?)
You're right, we have to improve that part enabling users to download config file independently
-
Giving this bit a try now. The bridging bit, I think, should either be removed or done transparently as part of a base setup rather than having users be faced with it later. It's confusing. Even as a senior engineer on both Linux and Windows, I'm unclear why this is needed or even a good idea. If it is going to be required, I think the target audience should not be faced with it as a choice. Make the first interface green, and make it a bridge if you need - but keep it automatic.
-
I'm sorry for that guys, where are you running NethServer? VPS?
@scottalanmiller said in Did you ever try NethServer ?:
What's the reason for the green interface requirement? This seems like an unnecessary complication, there should never be any interface except the green interface on a server. What assumption is being made here?
Here we tried to answer all the questions about samba container.
http://community.nethserver.org/t/i-still-dont-get-why-samba-has-to-be-run-in-a-container/4878
Suggestions are welcome! -
@alefattorini said in Did you ever try NethServer ?:
I'm sorry for that guys, where are you running NethServer? VPS?
@scottalanmiller said in Did you ever try NethServer ?:
What's the reason for the green interface requirement? This seems like an unnecessary complication, there should never be any interface except the green interface on a server. What assumption is being made here?
Here we tried to answer all the questions about samba container.
http://community.nethserver.org/t/i-still-dont-get-why-samba-has-to-be-run-in-a-container/4878
Suggestions are welcome!
Ah, I see, the bridge is to support the container? Then that makes sense, but my "you need to automate that" part still remains. Maybe notify the user in a "just so you know" way, but don't make them be involved. Your target audience is scared of Linux and doesn't know what a bridge is.
-
Quote from the above link:
The default file server in Samba 4.0 is our smbd file server from Samba 3.x, simply updated with the latest work from that line of development.
No matter if you are running an AD DC, or a file server as a member server, we use the same code for file server operations. However, some support infrastructure varies between the operating modes, and some options are forced on in the AD DC, so as to emulate NT ACLs in the way we must for the SYSVOL share. We also use a different winbind implementation.
For smaller sites, where there is just one server, using the AD DC as the file server is perfectly fine and supported. It will work well.
For other (generally larger) sites, the knowledge that the file server and DC can be configured, upgraded and replicated independently will be far more important, and so follow our advice to separate these roles.
Andrew Bartlett -
@scottalanmiller said in Did you ever try NethServer ?:
Your target audience is scared of Linux and doesn't know what a bridge is.
Good point, thanks for that. We're working on getting rid of it and adding a free IP checker for container
-
@triple9 said in Did you ever try NethServer ?:
@alefattorini what's more funny, I could update system, and perform other tasks. But AD DC installation was stuck at nearly 50% and would not move from that point
Is this where you got stuck?
-
@alefattorini said in Did you ever try NethServer ?:
@scottalanmiller said in Did you ever try NethServer ?:
Your target audience is scared of Linux and doesn't know what a bridge is.
Good point, thanks for that. We're working on getting rid of it and adding a free IP checker for container
Knowing that this is a container, I now believe that I know why two of us have gotten stuck and where the GUI is wrong. Look at this...
Nowhere am I told about the container or get any explanation. So as a well versed IT pro, I'm not given the info needed to figure out what is wrong. That's fine. This isn't meant for me. BUT, let's look at it from the directions point of view...
- IP must be in the range of the green network. Check, it is.
- Green Network must be a bridge. You force me there, so that's definitely done correctly. Check.
- The IP address must not be used by any OTHER machine. Check. Followed the directions perfectly. I supplied the IP address of THIS machine, definitely not used by any OTHER machine. 192.168.88.228 is the IP address of the machine I am working on, the only IP address that I have for this machine. But wait, had I known that this was a container and was getting its own IP address, I instantly knew that this was wrong. But without being told that we were virtualizing this workload, and with the instructions telling me to obviously pick this IP address (otherwise it would say ANY machine not OTHER machine) and since the IP Address field is populated only with an asterisk.... this is where we end up.
That wording needs to be fixed. I think that those instructions are leading directly to a problem as they are incorrect.
-
@scottalanmiller said in Did you ever try NethServer ?:
That wording needs to be fixed.
I guess you're right, so you have filled out this field with the IP address of the machine you're working on.
Sorry for that, sometimes a different perspective is very useful -
Recently we came to the same conclusion, we need to improve and automatize that panel. Thanks for pointing it out
-
@scottalanmiller What would you write on that page? And which choices should be avoided for you?
-
@alefattorini said in Did you ever try NethServer ?:
@scottalanmiller said in Did you ever try NethServer ?:
That wording needs to be fixed.
I guess you're right, so you have filled out this field with the IP address of the machine you're working on.
Sorry for that, sometimes a different perspective is very useful
Yeah, I followed the instructions to the tee. My machine had one IP assigned to it, no other machine used it, it was green. Seemed like the obvious choice. But knowing that there is a container involved makes it obvious why that's a problem. Without knowing that there is a container being created, it's not even suggestive that a second IP would be even possible.
-
Using a different IP address now for the container, it does run but I get this...
-
@alefattorini said in Did you ever try NethServer ?:
@scottalanmiller What would you write on that page? And which choices should be avoided for you?
So what we have now...
Domain Controller configuration
Set a new IP address for the Domain Controller function.
The chosen IP address must satisfy all of the below conditions:
- The IP address must be in the same subnet range of the green network. (Show this range.)
- The IP address must be unused currently.
IP address - before doing unused detection, start by blocking the IP addresses of known things like the green interface itself and the gateway.
Then in a sidebar have a note: "To provide full Samba Active Directory Domain Controller (AD DC) functionality, this feature is implemented in a container and requires its own IP address. The green interface will be added to a bridge to accommodate this function automatically."
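The checks proposed in the post above, sketched as an added example; it is not part of the original thread and not NethServer's own code. The function name, the /24 prefix, the gateway 192.168.88.1 and the `known_in_use` list are assumptions made for illustration; 192.168.88.228 is the server address mentioned earlier in the thread.

```python
import ipaddress


def check_dc_container_ip(candidate, green_interface, gateway, known_in_use=()):
    """Return the reasons a candidate container IP is unusable ([] means acceptable).

    green_interface is the server's own green address with prefix,
    e.g. "192.168.88.228/24" (prefix length assumed for this example).
    known_in_use is a hypothetical list of addresses already seen on the
    network, for instance from DHCP leases or an ARP scan.
    """
    try:
        ip = ipaddress.ip_address(candidate.strip())
    except ValueError:
        return ["not a valid IP address"]

    iface = ipaddress.ip_interface(green_interface)
    net = iface.network
    if ip not in net:
        # Nothing else is worth reporting if the subnet is already wrong.
        return [f"outside the green network {net}"]

    problems = []
    # Block the "known things" first, before any unused-address detection.
    if ip == iface.ip:
        problems.append("already assigned to this server; the container needs its own IP")
    if ip == ipaddress.ip_address(gateway):
        problems.append("is the gateway address")
    if net.version == 4 and net.prefixlen < 31:
        if ip in (net.network_address, net.broadcast_address):
            problems.append("is the network or broadcast address")
    if ip in {ipaddress.ip_address(a) for a in known_in_use}:
        problems.append("already in use by another machine")
    return problems


if __name__ == "__main__":
    green = "192.168.88.228/24"   # server address from the thread, prefix assumed
    gw = "192.168.88.1"           # constructed gateway address
    for cand in ("192.168.88.228", "192.168.88.229", "192.168.89.5"):
        print(cand, "->", check_dc_container_ip(cand, green, gw) or "OK")
```

Rejecting the server's own address explicitly catches the exact input described in the thread, which the "not used by any other machine" wording allowed through.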