Yes, so progress has been achieved: no more missing cert.pem file, and Samba is also running, and the server has also restored name resolution without any further adjustments. Of course the elte.hu addresses are translated outside, but I will deal with that later, because I still can’t reach the server from the browser. I think next time I will have to install it by first doing the manual SSL key generation, then start the websetup, so that the setup script can run normally.
Nice …
Maybe again a problem with the cert/bundle-file … this time check if the service is running correctly:
service linuxmuster-webui status
or
service linuxmuster-webui restart
Check if you can connect:
openssl s_client -connect yourservername.fqdn.hu:443
Normally there’s no need to do this manually. I use Let’s Encrypt (ACME) directly on the OPNSense. So the OPNSense does the job and all I have to do is to copy the certs to the server. Works like a charm…
Hi Fenyo,
I’m very glad that you are now a step further, thanks to Michael.
I wanted to say something about the name resolution:
It is normal that name resolution is not working when the samba-ad-dc service is not running, since it is the DNS too. In a Windows network, the client only trusts a server if the server IP is resolved by a trusted DNS. Our trusted DNS is the server itself.
Now to name resolution in general:
It is necessary that the server is the main DNS in the system, also for the firewall, since there are services in the firewall that authenticate against the server with Kerberos tokens; hence the trust issue is there as well.
Now I explain how name resolution in OPNsense is correctly configured:
- in OPNsense go to System → Settings → General, scroll down and put in the IP of the lmn server as first and only! DNS.
- untick the square in front of „Allow overwriting of DNS Serverlist by DHCP“
- tick the square in front of: Use local DNS-service not as Nameserver for this System
- untick „Allow alteration of standard Gateway“
- go to Service → unbound → Query Overwriting and put in the DNS you want to.
Here is my Query Overwriting page (in German … sorry)
Important: untick the „Use System Nameservers“ on top of the page (as shown in the picture).
After that: restart unbound via the buttons on top and on the right.
After that, all ticks in Kerberos auth should be green and should stay that way.
Yours
Holger
The webui service is running on the server and I can connect to it with openssl on port 443, so I should be able to connect from the client, but I can’t, whether I set the client to a fixed no-proxy-group static IP or I set it to DHCP (in this case there is no net, so proxy filtering works).
Is it possible to create the ssl keys before and run websetup only afterwards, or is this a pretty stupid idea?
I could do this tomorrow, though.
The LDAP server DNS name resolution sometimes works and sometimes not, depending on the refresh button being pressed, but the firewall hostname DNS resolution does not work at all.
Ok … maybe ask the v7-server with
[root@server:]$ dig firewall.eltetrefort.lan @172.16.0.1
The name-resolution should work when samba-ad-dc is running!
You can also try to insert the first client manually into the file
mcedit /etc/linuxmuster/sophomorix/default-school/devices.csv
Insert a line like this:
room-p123;computername1;win10;00:MA:CA:DD:RE:SS;172.16.1.1;---;---;;classroom-studentcomputer;---;1;;;;MIGRATION;;
after that run:
linuxmuster-import-devices
and see what happens.
I always use these commands directly via ssh instead of using the WebUI …
(In german I would say „Macht der Gewohnheit“ now but I have no clue if there’s an understandable translation for this?!)
btw:
https://172.16.0.1/view/login/normal should work as well
(of course with a SSL_ERROR_BAD_CERT_DOMAIN warning in this case)
Here the output of the dig command and nslookup confirm that the server’s DNS cannot resolve the firewall hostname.
I’m fine with command line if I have to, but students and teachers will need webui at least to change their passwords. Their habit („Macht der Gewohnheit“) is the colourful smell of gui.
Hmmm … some strange things are still happening over there.
I can’t remember if these entries in the file devices.csv were automatically set or if I added these settings later by myself.
But maybe it’s worth a try:
cd /etc/linuxmuster/sophomorix/default-school/
mcedit devices.csv
->
serverraum;server;nopxe;b5:78:2b:3b:40:b0;172.16.0.1;---;---;;addc;---;0;;;;SETUP;;
serverraum;firewall;nopxe;00:50:ba:ac:81:81;172.16.0.11;---;---;;server;---;0;;;;SETUP;;
and afterwards
linuxmuster-import-devices
and then again dig
… the name-resolution should work.
btw: the IP 172.16.0.11 for the firewall is unusual as well … most of us use .254
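The two devices.csv snippets in this thread (the client template above with its placeholder MAC, and the server/firewall entries just quoted) share one line format, so here is an added offline sanity check for such lines before running linuxmuster-import-devices. This is example code written for this thread, not part of linuxmuster; the column positions for hostname, MAC, IP and the PXE flag are assumed from the quoted lines, and the sample input is constructed from them.

```python
import ipaddress
import re

# Column positions are assumed from the sample lines quoted in the thread;
# all other columns are treated as opaque and only counted.
FIELD_COUNT = 17
HOST, MAC, IP, PXE = 1, 3, 4, 10
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")  # hyphens are fine

# Constructed input: the two entries quoted above plus the template client line.
SAMPLE = """\
serverraum;server;nopxe;b5:78:2b:3b:40:b0;172.16.0.1;---;---;;addc;---;0;;;;SETUP;;
serverraum;firewall;nopxe;00:50:ba:ac:81:81;172.16.0.11;---;---;;server;---;0;;;;SETUP;;
room-p123;computername1;win10;00:MA:CA:DD:RE:SS;172.16.1.1;---;---;;classroom-studentcomputer;---;1;;;;MIGRATION;;
"""


def check_devices(text, subnet="172.16.0.0/16"):
    """Return (line_no, message) for every problem found; [] means clean."""
    net = ipaddress.ip_network(subnet)
    problems, seen = [], {"hostname": {}, "MAC": {}, "IP": {}}
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(";")
        if len(f) != FIELD_COUNT:
            problems.append((no, f"expected {FIELD_COUNT} fields, got {len(f)}"))
            continue
        values = {"hostname": f[HOST].lower(), "MAC": f[MAC].lower(), "IP": None}
        if not LABEL_RE.match(values["hostname"]):
            problems.append((no, f"hostname {f[HOST]!r} is not a valid DNS label"))
        if not MAC_RE.match(values["MAC"]):
            problems.append((no, f"MAC {f[MAC]!r} is not a hex MAC address"))
        try:
            addr = ipaddress.ip_address(f[IP])
            values["IP"] = str(addr)
            if addr not in net:
                problems.append((no, f"IP {addr} is outside {net}"))
        except ValueError:
            problems.append((no, f"IP {f[IP]!r} is not an address"))
        if f[PXE] not in ("0", "1"):
            problems.append((no, f"PXE flag {f[PXE]!r} must be 0 or 1"))
        for key, val in values.items():  # a second device with the same name, MAC or IP breaks DNS/DHCP
            if val is not None and val in seen[key]:
                problems.append((no, f"duplicate {key} {val} (also line {seen[key][val]})"))
            elif val is not None:
                seen[key][val] = no
    return problems
```

On the sample it reports only the placeholder MAC on the template line; a copied server entry would be reported three times (name, MAC and IP).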
devices.csv already exists, and it has about what you wrote, except that instead of serverraum it just has server, and yours has some hyphens in it; do they count?
So I imported the unmodified file, and the server can now resolve the firewall hostname; interesting that it didn’t do that automatically before either.
I tried earlier with a 254 default end firewall ip address, but it didn’t matter.
Sometimes if I refresh several times the green row comes up, but the webui is still not available from the client (I imported a client as a test, but that didn’t work either).
The first column is the room name … so serverroom makes more sense. Hyphens don’t matter.
Back to the client: Do you use PXE boot on that client? Does it get the IP address from your devices.csv? The client should be able to ping/nslookup the server and the firewall as well.
Yes, almost everything you listed works on the client: PXE booting starts the linbo, DHCP gets the IP address specified in devices.csv, nslookup can resolve both the server and the firewall, but it can only ping the server, not the firewall. I guess that’s why the webui is not available from the browser; it says that the firewall or proxy refused the connection, because it is unreachable.
However, the client in the noproxy group can ping the firewall, but it can’t reach the webui either.
Which ip address does the client in the noproxy-group get while booting?
Is it from the same subnet 172.16.0.0/24?
Are there any firewall rules for this net on your OPNSense?
Can you check the settings on your OPNSense
Firewall: Aliases
Which IP addresses are listed there for the alias „NoProxy“??
When you cannot even reach the WebUI on Port 443 of the server you won’t be able to reach anything else either, right? I think that the client is still blocked completely
As I don’t use the webproxy-settings of the OPNSense I can’t help you any further here. Our clients are always online. But I think Holger (@baumhof) can help you with this.
The noproxy group is the first 10 IP addresses of the IP container, as websetup configured all the rules default left by it configured. The noproxy client is on a static IP address in the noproxy domain, so it can access anything on the net, DHCP and of course nothing, both clients are on the same network (172.16.0.0/16).
I don’t understand this sentence
Hi Fenyo,
Did you correct the settings in the OPNsense as I advised some posts ago?
After I did this, I did not have any more problems with name resolution.
Especially the Kerberos ticks in OPNsense are always green.
Maybe you could check again if everything is as I advised.
Maybe you can share screenshots of the pages in OPNsense here.
Yours
Holger
I gave the client on the static IP address an IP address from the no-proxy group IP addresses (172.16.0.10), so it can access everything on the internet without restriction.
The client with DHCP, on the other hand, is covered by the proxy, so as long as it is not in the domain, I guess it should not be allowed to access anything except the webui, if I guess correctly.
Holger, yes I have done the suggested unbound DNS settings, but I can only take a screenshot of that tomorrow.
I’m not entirely sure, but as I understand it, the teacher is responsible for either enabling or disabling the students-clients. So the teacher must be the only one who can access the WebUI in order to allow or block the clients from accessing the Internet, right?
I’m not sure if a students-client itself can access the WebUI while it’s disabled. Holger? Is this correct?
It might well be that a client that is not registered and uses an IP address that is in the free DHCP lease might not be able to access the WebUI.
A client with 172.16.0.2 to 172.16.0.10 should be able to, no matter if registered or not.
But I don’t know for sure: I have not had unregistered clients for a very long time.
Best you register one and try.
A client which is not in the noproxy group is not able to reach the Internet directly, no matter what you do.
You have to enter the proxy firewall.YOUR.DOMAIN.?? with port 3128 so the client tries to pass through the proxy. A credential field will be shown in the browser when you try to access the Internet.
If SSO works and the token is valid, no credentials will be asked and the Internet is accessible through the proxy. Only clients „in the domain“ can use SSO and it applies only to users in Default-School (global-admin is NOT in the Default-School …)
Yours
Holger
Here are the unbound DNS settings.
Yes, I think you should go with the client in the no-proxy group, otherwise the initial setup is more complicated, especially for the beginner who is not familiar with command line imports and the necessary structure of CSV files.
On the DHCP client, if I manually enter the proxy settings it will access the net, but it asks for authentication, so I would have to put the client in the domain to make it work, or until it is put in it would be good to have some solution. I don’t know if you can turn off authentication somewhere or, if not, where to set it. I am a bit lost with the OPNsense proxy on this one too, so if we get there I will definitely need help there too.
What’s even stranger is that I installed a minimal GUI on the server, but the webui is not available from the browser.
The webui is running according to the server; the error message is “can’t open pid file (/run/ajenti.pid) after start”, but it starts.
And here is the ajenti.log:
It seems there are still ssl problems (fqdn cert and keyfile)…
Hi Fenyo,
First about name resolution. The settings look good.
Could you post a screenshot of the page System → Settings → General?
Mine looks like that:
To test if SSO is working you have to check the following things:
- go to System → Access → Server (I guess it is called like that in an English OPNsense). The server should be in there:
- go to System → Access → Tester and test the login with an existing domain user (not global-admin)
- go to Services → Squid Proxy → SingleSignOn → Kerberos auth. There is a tester too. Test a domain user. If that’s not working, but 2) did work, then click on „Delete Keytable“, then enter the credentials of global-admin just above the buttons and click on „Create Keytable“. Then test again.
To the client: the proxy auth window will always keep reappearing on every new request of a webpage. Giving correct credentials there is no solution. If you go through the proxy, you must have SSO working.
If you want to work around that problem for the time being, go to Firewall → Rules → LAN and activate the rule „Allow entire LAN“ and click on „Reload“.
After that tell the client to „directly access the Internet“ (without proxy) and you are in, like everyone else on the network.
Yours
Holger