This is quite complex; the fast, but insecure, fix is to disable certificate verification, see this.
Otherwise you need a way to correctly distribute certs among all machines.
[solved] Enable certificate renewal-hook in nethserver
Unfortunately this is not an option, as the router refuses to do unencrypted LDAP queries. I think I just need to copy the correct certificate to the router so it can make encrypted queries against the remotely attached NethServer. The question is which certificate is necessary then: the Let’s Encrypt one on the remote Neth, or the self-signed one used in the nsdc container? And whichever it is, the second question: from the point of view of the router, does it need to query against the hostname bdc.ourdomain.com or against ad.ourdomain.com? Because this hostname must be in the certificate.
If I knew which Bind Credentials, Base-DN and User-DN (cn=ldapservice,ou=User,dc=ad or bdc,dc=ourdomain,dc=com) will be used for queries against the remote NethServer, I might be able to test with LDAP queries from the console, and then test both certificates to see where it gets.
I mean, how does, let’s say, Nextcloud query LDAP on the remotely attached NethServer?
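The two questions in the post above (which CA to trust, and which hostname must be in the certificate) are exactly the two checks every LDAPS client performs. The following script is an added example, not code from the thread or from NethServer: it generates two throwaway CAs locally with openssl (one standing in for whatever CA issued the certificate the LDAP port actually presents, one unrelated), issues a server certificate for ad.ourdomain.com, and runs the chain and hostname check against the three combinations. ad.ourdomain.com and bdc.ourdomain.com are the placeholder names from the thread; the CA names and file prefixes are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): which CA a TLS client such as the router
# must trust for LDAPS, and why the dialled hostname has to be in the cert.
# "nsdc" stands in for the CA that issued the cert the LDAP port presents,
# "other" for an unrelated CA. Everything is generated locally, nothing is dialled.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # $1 = file prefix, $2 = CA common name (throwaway self-signed CA)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

issue_server_cert() {  # $1 = issuing CA prefix, $2 = DNS name for the SAN, $3 = output prefix
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$3.key" -out "$WORK/$3.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$2" > "$WORK/$3.ext"
  openssl x509 -req -days 1 -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -extfile "$WORK/$3.ext" -out "$WORK/$3.pem" >/dev/null 2>&1
}

# What an LDAPS client does: build a chain to a CA it trusts AND match the name
# it dialled against the certificate's SAN. Exit status 0 only if both hold.
verify_against() {     # $1 = trusted CA prefix, $2 = hostname dialled, $3 = server cert prefix
  openssl verify -CAfile "$WORK/$1.pem" -verify_hostname "$2" "$WORK/$3.pem" >/dev/null 2>&1
}

report() {             # $1 = label, remaining args = verify_against arguments
  label=$1; shift
  if verify_against "$@"; then echo "PASS  $label"; else echo "FAIL  $label"; fi
}

make_ca nsdc  "nsdc internal CA"
make_ca other "unrelated CA"
issue_server_cert nsdc ad.ourdomain.com adcert   # the cert the AD/LDAP port presents

report "right CA, right name (ad.ourdomain.com)"  nsdc  ad.ourdomain.com  adcert
report "right CA, wrong name (bdc.ourdomain.com)" nsdc  bdc.ourdomain.com adcert
report "other CA, right name (ad.ourdomain.com)"  other ad.ourdomain.com  adcert
```

Only the first combination passes: the CA file to copy to the router is the one that issued the certificate presented on port 636, and the router has to connect to the name listed in that certificate's SAN. To see which certificate a real host presents, `openssl s_client -connect ad.ourdomain.com:636 -servername ad.ourdomain.com -showcerts` prints the chain; to repeat the check with an LDAP client from a Linux console, OpenLDAP's ldapsearch honours `LDAPTLS_CACERT=/path/to/ca.pem ldapsearch -H ldaps://ad.ourdomain.com -x -b 'dc=ad,dc=ourdomain,dc=com' ...` (the base DN is the one from the post, the path is an assumption).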
NethServer 8: planning an evolution
Been there, done that and even bought the T-shirt!
I did 30 years ago what you did 15 years ago, but even then I had the fixed conception that a good IT guy is actually a lazy guy:
- Too lazy to do the same job twice, that’s why it’s long been scripted.
- Too lazy to visit a server unneeded, that’s why all have remote access.
- Too lazy to daily change Storage Tape, or replenish the Cartridge changer for Backups, that’s why several generations of Backups In and Out of House are fully automated.
- Too lazy to check for problems, get someone (better something) to do it for me.
The last item started with my own scripts/Batch Jobs, later Scotty/Tkined, Big Brother, Nagios and finally Zabbix…
A really good idea would be a “Delegate Authority” Button, or something similar. If the company has someone to do the Job, so that he can easily get auth for the server without too much trouble.
My 2 cents
Andy
New conflict Epel repository
@ibinetwork everything is ready to be tested
You should do:
yum --enablerepo=nethserver-testing update asterisk\*
Microsoft SQL Server Import Problems
NethServer Version: 7.8.2003 (final)
Module: Microsoft SQL Server latest from Software center
Hello, I am trying to figure out how to change a SQL Express Server with a database from a Win 10 system to SQL on NethServer. Unfortunately I am not experienced with it. I get the connections etc., but it always ends with an error when I try to import/migrate the database. I tried it with the migration tool from MS and also with a restore tool from the company who programmed the database. Maybe someone has an idea. The database is around 10 GB big and works without errors on a SQL Express 2014 right now. It is an advanced one because it needs the advanced text search. It seems to be a rights problem with the database I built as well, but I have no clue why; maybe someone has done it in the past and has an idea.
This is the error I got at the point when the import starts.
This is the database right now.
Microsoft SQL Server Import Problems
IMVHO it is a “limit” of SQL Server on Linux; I am not sure if Linux can use OLE processes with SQL Server.
Also… the size is tremendously close to the limit of 10GB, the current limit for “express” versions of SQL Server, even 2016.
So… it seems not related to NethServer, but more to SQL Server on Linux, IMVHO.
NethServer 8: planning an evolution
Been there, done that. And yes, the scripting part and automating as much as possible was there too. But in the pre-virtualization era, having a safe patch process mattered: you just can’t run the patch and hope and pray nothing breaks on mission critical servers. MS Windows Servers…
So we had the OS on a Raid1 volume and broke the raid prior to patching the server.
First some 10 less important servers as a testrun on friday after patch-tuesday. Then a week later, if nothing went wrong some 100+ other servers on the next friday.
Yes it meant to bring down all those servers one by one and reboot with broken raid1. And when they had ran the weekend without issues, raid was rebuilt by replugging the removed disk.
Today it would be much easier, just by creating a snapshot and updating. In fact, I do that with my (subscription) VPS now: before a major update I take a snapshot. Before I install a new service, I take a snapshot.
AFAIK this is what we already have now:
https://wiki.nethserver.org/doku.php?id=delegation_of_authority
NethServer 8: planning an evolution
Experiences are interesting.
Needs and projects seem more interesting to help Nethesis to create a “path”.
If I can agree that the use of containers is quite useful addon and the ability to dev-ops some applications and installs (but this seems more Linux-related than NethServer), the strict connection of services to the server is still (IMVHO) a nice value for the distro.
Some things should not be virtual or into containers:
- Firewall
- Content Filtering
- Protocol filtering
- “simple” file and print services
- reverse proxy
- VPN
- remote control tools (guacamole)
- certificate management (should be aware of containered softwares)
- ldap (which could or could not be used as user repository for other software/services)
Some other tools may be containered:
- mail server
- webmail/groupware app (this leads to a bigger effort in configuration)
- ticketing
- monitoring (I prefer this on bare metal/out of container)
- PBX and unified communication services
- video-conferencing / chat (at least as server + webclient)
- ERP/CRM
- (surely i am forgetting something)
The idea of @Andy_Wismer might be a “killer app”, which could also already be in use on other platforms: a “one shot” invitation with a separate channel of communication to allow connection to a system.
This could allow easy and safe access to the server without giving “root” access via SSH.
Also the biggest question to Nethesis should be: still sticking to “multi-user/mono-firm” (this leads to multi domain but without virtual domains)
Microsoft SQL Server Import Problems
Thank you for the info.
Shared Folder access for non domain access
@greavette would you please post a brief/simplified version of your script? Or the abstract.
also, if possible, explaining which OS is used when the script is launched and what system (DBMS? OS? External tool?)
Shared Folder access for non domain access
Hello all,
This is a SQL script running on Windows Server 2012, so we would need to enable xp_cmdshell (net use can’t be used in SQL scripts AFAIK). I would first map a network drive in Windows to the NethServer share, then in the SQL script connect to that mapped drive letter using xp_cmdshell. Then we would need another startup script in SQL to reconnect to the mapped drive (because xp_cmdshell is not persistent across restarts). This is all doable, but I thought if NethServer could allow free access to anyone for this one particular share without credentials then I wouldn’t need to jump through these scripting hoops.
So what do NethServer Guest access and Everyone access mean on shared drives?
I’ll try and get a copy of the script from our DBA.
Thank you.
NethServer 8: planning an evolution
Hi All!
Good as a starter, but it should have a “time bomb” option, like “valid for the next 24h…”.
I would also dare to suggest a “Multi-Tenant” Button during setup or later might also be a good idea. Include a warning that things might be a trifle more complex by activating this “button”. But, to keep things simple, make it more or less just one way…
If at some point later in time Multi-Tenant isn’t needed, a reinstall or manual cleanup would be needed. An option to save the data for migration / reinstallation would be a cool option. Keeps things simpler for Devs, but if needed or wanted, it could be there.
-> Open Pandoras box, if you want and need it, but be warned…
NethServer, as it stands, is a VERY usable general server, comes with engaged developers and supporters and one of the best forums in Open Source. Let’s keep things that way, while still moving on in life…
And remember: A general server like NethServer can easily run VMs, LXC and Docker, besides doing orchestration. And NethServer does a good job out of the box, secure & good enough even as a mail or web server for SME or home users without much IT know-how. On the other hand, trying to get a bunch of Docker Apps as well integrated as NethServer is entails more work than most imagine! (And a lot of great work has gone into NethServer!).
I would NOT object in a move to a Debian base, actually i would quite welcome it!
My 2 cents
Andy
NethServer 8: planning an evolution
I think it’s worth pointing out that there are two orthogonal questions being discussed here:
- What should Neth do?
  - “out of the box”
  - by way of “factory” module
  - by way of community module or other add-on
- With what architecture should this be implemented?
I don’t think I’m qualified to have a strong opinion on the second question, other than that big changes from what we’re doing now will probably affect my ability to keep my modules going. On the first, for my needs, the bare minimum would be mail and web (LAMP) server. Ability to have webmail, Nextcloud, etc., running with a couple of clicks would be nice, but if I’m given a LAMP stack I can set those up myself if needed.
NethServer 8: planning an evolution
Putting words where they come from…
I only nominated Debian as an “option” for a possible (not considered) leap, if CentOS 8 would not fit the needs of NethServer. Leaving behind such a stable and well supported distro is not a thing the devs would consider without deep thinking and evaluating. The arrival distro is surely good and well maintained, but it’s not the shortest step in the world.
Also, the most “not nice” thing of CentOS 7 is Kernel 3.10. I know it is maintained by maybe the largest community of “server interest” developers, but consumer Linux is on 5.4 and several advantages are achieved from Kernel 4.1x over 3.10. I’m asking myself if the 3.1x kernel could properly/fully use the capabilities of chiplet-based CPUs, so that the “full power” could be delivered, and I also don’t know (it’s me lacking info) if such interesting things as NVMe and PCIe4 are on board or not for stable performance improvement.
Getting on topic… ARM is a really nice toy, but Small Medium Enterprise servers will be x64-based for at least 5 more years. Maybe some ARM boards will be interesting for small use services or non-x64 appliances (bit more efficient) but with such a loss of computational power. (I am eager to see the first embedded AMD Zen-Based APU/CPUs)
Shared Folder access for non domain access
Hi Charles
My classic Method with Windows Servers / SQL is to have the SQL dump run sometime (say 02:00) and leave the Dump in D:\Backups. In the beginning I’d have Windows copy the Backup to NAS or whatever Backup storage was in use at 03:00 - the SQL dump took max 20-30 minutes. The dump was about 1TB in size… (Too big for offsite backups conventionally).
Later I let SQL do its dump as before, but shared the backup folder. SME-Server, later NethServer, would mount the drive at 03:00, run rsync in a special script so I had 7 generations / week, and when finished, unmount the drive.
These 2 scripts included simple logging on the windows side, and a bit more on the linux side.
I too had issues with what a script could do in windows, so I moved on and polished the simple, but robust setup… Still working today, the script started in 1997 (!)
To optimize rsync synching to offsite, I even had the dumpfiles of SQL NOT contain date and time info in the filename, so every backup had the same name. The rsync copied the files to the NAS, and right into the daily folders, where a subfolder “Backup-SQL” was waiting…
Here is a screenshot of the Backup Folder on the NAS, this entire folder is again synched every night home, where another (identical) NAS was waiting. I say Identical, this was on purpose, to have a hardware spare ready in case of failure during a long weekend like xmas weekend, and no spare or support available…
This was Read-Only to any user, even Domain Admins can only read a file (To prevent a cryptolocker). Users are allowed to copy the file away, and put it back into the right position.
This is a bit special, but since the financial company had 2 chiefs, and 5 employees and only 1 change in employees in the 15 years I’ve been doing their network, the users are very trusted.
My 2 cents
Andy
NethServer Docker 1.0.1 released
Found why : I unknowingly deleted the persistent folder on the host. It should be noted that this folder is created right where you are when the “docker run” command is issued.
NethServer Docker 1.0.1 released
docker run -d --name pihole -e TZ="Europe/Vienna" -e WEBPASSWORD="admin" -v "$(pwd)/etc-pihole/:/etc/pihole/" -v "$(pwd)/etc-dnsmasq.d/:/etc/dnsmasq.d/" --cap-add NET_ADMIN --net=aeria --mac-address=0e:6f:47:f7:26:1a --restart=unless-stopped pihole/pihole:latest
For me it was necessary to run pihole -r after install and reconfigure the thing, because it was linked to a (non-existent) eth0 interface instead of the br00 interface used by the aeria network.
No warning on subscription expiration -- again
That was much, much, much faster than I expected. @edoardo_spadoni jumped on it and … notifications will start flowing from tomorrow! Kudos to Edoardo!
This as an example:
Currently notifications are sent differently for:
- trial users will receive 3 mails: 2 weeks, 1 week and 1 day before expiration
- paying users will receive 2 mails: 1 week and 1 day before expiration
The mail will also contain information about how to un-register the machine if the user wants to quit the subscription program!
/cc @flatspin
FreePBX - update
Check here:
NethServer 8: planning an evolution
Fully agree!
Moving away from such a stable and well maintained distro isn’t the thing to do on an impulse, not even after a night’s sleep.
But if pushed far enough, I tend to plan ahead and verify my options. If the day X comes, where a drop of water makes the barrel overflow, I’ll be ready long ahead!
Hardware / CPU:
At the moment, there’s no real alternative to Intel / AMD, both of which use x86 compatibility. ARM is nice, I use Raspberries even professionally, but comparing the CPUs of x86 and ARM isn’t really a fair comparison. And a SOC, like the Raspberry uses, does have its IO issues, as all peripherals including LAN are connected via a USB3 (RPi4) hub internally. And even though that doesn’t sound too bad, you need to take into account that a Raspberry can’t reach full USB3 speed.
My 2 cents
Andy