Hello,
Here are the screenshots, but I don’t have a domain user yet: because of ssl problems I can’t reach the webui, where I could easily create a test user, and I haven’t looked into the manual import yet. Paradoxically, if I could get into the webui I could find the csv structure and stuff that I would need for the manual import.
And in the kerberos tab, the firewall and server name and ip resolution will be green or red quite randomly; the first 2 and kerberos are fixed green, and no keytab file is fixed red.
The web proxy is a good thing if you have web filtering on student machines, I would definitely like that, and I don’t know if you can make a rule on a classroom full of machines to ban everything except one web page; this is a relatively common scenario for a competition or exam.
Teachers’ machines and other servers, and then I suppose there is no choice but to put them in a noproxy group. The problem might be something that’s not in the domain (say, teacher-owned laptops), but still occasionally gets onto the internal network to, say, print this or that.
please remove all DNS Servers except the lmnServer in System → Settings → General
Save at the Bottom of the Page.
Then go to kerberos auth and look at the Hook. All green now?
And for the manual adding of Users:
first go to
/etc/linuxmuster/sophomorix/default-school/school.conf
and adjust the length of the Passwords and whether student names should be generated with 4 Digits of the Surname and 2 Digits of the GivenName (i use that)
here are Examples for
/etc/linuxmuster/sophomorix/default-school/students.csv
Ok, thanks for removing all the other name resolvers from the general tab, so now everything is consistently green except the kerberos key, because it’s not there.
I created 2 test users manually, but I don’t know their passwords because I couldn’t rescroll them, since it’s a real machine, not kvm, and the less package wasn’t installed, and afterwards it’s useless. Is there any way to know or change it afterwards?
Or is there a way to set a preset password in the csv? The same question applies to the usernames of the students, would it be possible to enter them in csv instead of pre-generating them? Dots cannot be used in usernames, is there a way to override this?
For students, I figured out how to manually enter the username, the second value after the date of birth in the sample above. However, if the first (after the date of birth) is the password, then unfortunately sso doesn’t work due to the server hostname ssl authentication error noted above, which is why webui doesn’t work. So I guess I should fix that first.
i would advise you not to give Usernames for students as you wish, but let the System give them to you.
I strongly advise not to use special Characters like - in the Username.
To see the Usernames and Passwords, you can print them to a File with
sophomorix-print -c CLASSNAME
CLASSNAME as given in the students.csv
The Output is found in
/var/lib/sophomorix/print-data/
To change the Password of a User use
sophomorix-passwd -u USERNAME --passwd=SecretPassWord
Thank you, unfortunately SSO doesn’t work with the correct passwords either, same error, hostname ssl authentication error, which is what webui is referring to, so that’s the obstacle we’re stuck with now.
The reason I would stick to my own usernames is because for one thing they are the ones used so far, and first Elte generates the office365 accounts (typically surname + first few characters of first name, then hyphenated with the starting year for easier later management), then I take these as domain username and wifi username, and google classroom name too, so for simplicity I don’t need 4 usernames, just one to remember.
… but the People get easily mixed up, when they have 4 times the Same Username and not the Same Password origin.
If they change the Password in one Account, the others stay on the old Password …
Anyway: your Choice.
I would advise you to put Students with Username by your Choice in the /etc/linuxmuster/sophomorix/default-school/extrastudents.csv
Yes: it all comes down to your ssl Problem, and i still have no clue where that comes from.
Check the /etc/samba/smb.conf File, if it is pointing to the right Direction.
Is the right name & path there for your subsequently manually generated certificate bundle?
Does your trefortserver.cert.bundle.pem consist of the three parts that I mentioned above?
Yes, the bundle file is where it should be (physically and in the config.yml file too), but I did not generate the bundle file manually, only cert.pem and key.pem. So should I generate them manually too? Just as a test I ran the renew-cert script again, and now the firewall’s could be updated, but the server’s could not. The firewall’s new credentials gave me an extra hour compared to the real time; is this normal? I checked and both server and firewall are good and have the same time. Here is the contents of the ssl folder.
Holger, none of the SSO testers are working; only the Kerberos single sign-on tab is now consistently all green except for the keytab, which does not exist.
if you look at the time stamps of your trefortcerts… that cannot be correct!
the bundle is from may20, the rest from may22.
so the trefortserver.cert.bundle.pem cannot be correct and has to be generated out of the other ones…
… and have a look at the size of the files: trefortserver.cert.bundle.pem and trefortserver.csr are the same!
So the part that is mentioned in #71 is still missing
Use the cat command from above and the .bundle. file will be generated…
Ok, thanks. So then for the bundle key I don’t need to generate new key pairs, just merge trefortserver.fullchain.pem and trefortserver.key.pem according to this; I’ll try it tomorrow and report back.
I merged the two files, but unfortunately nothing changed, I get the same ssl error message.
So for some reason the fullchain and key are either not a pair (I generated the key manually, the original key file was bit for bit the same as the bundle file, I tried to merge the fullchain with it, but the result is the same) or the error is elsewhere.
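The two open questions in the posts above are whether the bundle was really built from the full chain plus the key (rather than being a stale copy of the CSR) and whether the key and certificate are actually a pair. The script below is an added example, not code from this thread or from linuxmuster: it builds the bundle with cat as described, then checks the bundle for both PEM blocks, for a timestamp older than its inputs, and for a public key mismatch between certificate and key. It assumes OpenSSL is installed and uses the file names from the thread (trefortserver.*); the self-test works on throwaway self-signed files it generates itself.

```shell
#!/bin/sh
# Added example (not from the thread or linuxmuster): build the certificate
# bundle as described above (cat full chain + key) and verify the pieces
# belong together before the WebUI is pointed at it. Assumes OpenSSL.

# Concatenate the full chain and the private key into the bundle file.
make_bundle() {
    fullchain="$1"; key="$2"; out="$3"
    cat "$fullchain" "$key" > "$out" || return 1
    chmod 600 "$out"   # the bundle contains the private key
}

# 0 if the first certificate in $1 and the private key in $2 share the
# same public key, 1 otherwise (the "not a pair" case from above).
check_pair() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Sanity-check a bundle: it must hold a certificate block and a key block,
# must not be older than the files it was built from (the timestamp
# problem noted above), and the key inside must match the certificate.
check_bundle() {
    bundle="$1"; fullchain="$2"; key="$3"
    grep -q 'BEGIN CERTIFICATE' "$bundle" || return 1
    grep -q 'BEGIN .*PRIVATE KEY' "$bundle" || return 1
    if [ "$bundle" -ot "$fullchain" ] || [ "$bundle" -ot "$key" ]; then
        return 1
    fi
    tmpkey=$(mktemp) || return 1
    # pull only the key block out of the bundle for the comparison
    sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$bundle" > "$tmpkey"
    check_pair "$bundle" "$tmpkey"; rc=$?
    rm -f "$tmpkey"
    return $rc
}

# Self-test on throwaway files: a self-signed cert with its own key must
# pass, the same cert bundled with an unrelated key must fail.
self_test() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=trefortserver.test" \
        -keyout "$d/trefortserver.key.pem" -out "$d/trefortserver.fullchain.pem" \
        >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/unrelated.key.pem" >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    ok=1
    if make_bundle "$d/trefortserver.fullchain.pem" "$d/trefortserver.key.pem" "$d/good.bundle.pem" \
       && check_bundle "$d/good.bundle.pem" "$d/trefortserver.fullchain.pem" "$d/trefortserver.key.pem" \
       && make_bundle "$d/trefortserver.fullchain.pem" "$d/unrelated.key.pem" "$d/bad.bundle.pem" \
       && ! check_bundle "$d/bad.bundle.pem" "$d/trefortserver.fullchain.pem" "$d/unrelated.key.pem"; then
        ok=0
    fi
    rm -rf "$d"
    return $ok
}

# Usage on the real files (run in the ssl folder on the server):
# make_bundle trefortserver.fullchain.pem trefortserver.key.pem trefortserver.cert.bundle.pem
# check_bundle trefortserver.cert.bundle.pem trefortserver.fullchain.pem trefortserver.key.pem && echo "bundle OK"
```

If check_bundle fails on the real files, check_pair run directly on trefortserver.fullchain.pem and trefortserver.key.pem tells you whether the mismatch is between the key and the certificate themselves, or only in how the bundle was assembled.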
Yes, everything seems fine, but ajenti.pid won’t start because of the above ssl (fqdn cert and key pair not found in place, but apparently they are there, so the path is not the cause of the error) authentication error.
I have webui available on port 80 in prepare mode; then ajenti does not write any errors yet. After the websetup runs, it is certain that the server ssl authentication keys are not generated automatically; whether there is something left unconfigured I don’t know. ajenti then only complains that it can’t find the server fqdn ssl authentication keys, so webui won’t start. In version 7.3, besides the server ssl keys, the dhcp server configuration is definitely left unconfigured.
What could be tried (correct me if I write nonsense) to check ssl authentication without turning it off, to see if the webui works: based on the previous config.yml file you could reset the webui to port 80. Question: after websetup, is port 443 mandatory, which would prevent this?
At home, also install a test system to see if the problem is reproducible, whether it is a problem with physical machines, because nowadays everything is tested only in a virtual environment; e.g. with ubuntu server 22.04.3 and newer, because of a bug, it is not possible to set up software raid on a real machine, it works only on a virtual machine.
Since the ssd’s are already here, I will be able to try Proxmox next week, but since it is completely unknown territory for me, it will take some time, so I might have questions about that too.