There you are … so far so good!
Next step would be:
But let’s continue now in a new topic …
Thank you. After some digging around in the interface today, I’m well on my way with the installation, up to the qemu-guest-agent, which produces the following error.
Sorry this hasn’t gone to the new thread yet, in fact if I get this far, after that it’s just a matter of taking snapshots of the 2 systems before running the critical websetup.
Hmmm — maybe try to install “dialog” … it seems that it’s missing?
It’s already installed (dialog), so it’s not the problem. When I try to enable it with systemctl, it gives the following error:
Let’s say it still runs, who understands that, I guess I can move on.
Well under Proxmox, server ssl authentication key pairs are not created either, so this is a pretty much confirmed bug now. Maybe this should be a new topic then?
I did notice while running lmn-appliance that some pem file is missing under /var/lib/samba, but it was running too fast to remember exactly, could this be related?
Hi.
The qemu-guest-agent is not so important for the beginning. It’s just useful for information on the proxmox-host (like IP-address of the VM) and for shutdowns from the proxmox-UI. But it’s not relevant for the operation of the server.
The other problem seems to be a bug … I’m still wondering why nobody else seems to be affected by it
It might be better to open a new issue directly here so that the developer will notice it.
Unfortunately, I don’t have a github account, so I guess I’d have to register one first and find out how to report a bug there.
If indeed no one else is affected by this bug when installing from scratch, then the question is, what exactly does the ssl keypairing script part do, does it have to do with a national network? I don’t think too many people have tried it from here in Hungary.
I don’t think that this is some kind of “national problem” … once I had a problem with Geolocation on the OPNSense when I used Let’s Encrypt. In the GeoIP-settings some countries were blocked and this was a problem when renewing the certs. But as you don’t use Let’s Encrypt so far the CA on the v7-Server should really generate some self-signed certs without any problems.
A github-account is quite easy and reporting an issue even more:
If you want to try it on the OPNSense … here are the docs
So at this point only the developer can help, maybe I can ask someone here in Hungary to try to install it and see what it does.
In the meantime here is the error message that the lmn-appliance script says, I don’t know if it is relevant?
I checked the path … on our server the files are there.
This might be a problem with different variants for the samba-database in the background → LDB - SambaWiki
And I don’t know why sophomorix says: Version 3.79.3 there … here: 3.92.1-3
The installed version is 3.92, the script just says that the minimum expected version is 3.79.
And I’ll look into the opnsense ssl cert creation you mentioned above, but it doesn’t seem to be the easiest at first, I think I’ll try that tomorrow, until then I’ll hammer the system until it only misses the bundle cert.
When the samba-ad-dc service is up and running you should be able to search for all users … try something like:
sophomorix-user -iu <your-username>
It should bring you all information about your account.
Samba seems to work I can add ad users and then list them.
So that leaves the opnsense cert.bundle magic to see if it works.
Maybe try ldapsearch as well (not sure if it’s installed by default?)
(apt install ldap-utils)
ldapsearch -b "ou=default-school,ou=SCHOOLS,dc=eltetrefort,dc=lan" -H ldap://172.16.0.1 -x -D gipszja@eltetrefort.lan -W givenName=Jakab
(with user's sophomorixFirstPassword: System25*)
and if you want to test it with a certificate (which will probably fail at the moment) like this:
ldapsearch -b "ou=default-school,ou=SCHOOLS,dc=eltetrefort,dc=lan" -H ldaps://trefortserver.eltetrefort.lan:636 -x -D gipszja@eltetrefort.lan -W givenName=Jakab
First ldapsearch will try to connect to port 389 and the second one to 636.
If the cert is installed correctly, both ways (IP-address or FQDN) will work.
The ldap also seems to work, both questions give valid results;
So it seems really only the FQDN cert.bundle is not working, say now that I read the opnsense cert creation, it says the bundle file is 3 parts.
The creation of the cert itself seems to be automatic just wondering which is which (Root CA public key, Intermediate CA public key, Leaf Certificate public key, Leaf Certificate private key), it would be nice to create them with the same name so that you don’t have to edit the paths afterwards.
If I add tefortserver.cert.pem (I think this might be the Root CA public key) to the bundle, then I can access webui from https, but I can’t log in with domain user only with the root, because of invalid credentials, so this will probably not be the correct cert settings.
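For the question of which file is which, an added example that is not part of the original posts: shell functions using the openssl CLI that label each PEM file by role, check that a private key belongs to a certificate, and verify the chain. The CA and server files are constructed throwaways with assumed names, not linuxmuster's own files.

```bash
# Added example: label PEM files by role with the openssl CLI.
# Prints one of: private-key, root-ca, intermediate-ca, leaf, unknown.
classify_pem() {
  local f=$1
  if openssl pkey -in "$f" -noout 2>/dev/null; then echo private-key; return; fi
  openssl x509 -in "$f" -noout 2>/dev/null || { echo unknown; return; }
  # A self-signed certificate (subject == issuer) is a root CA candidate.
  if [ "$(openssl x509 -in "$f" -noout -subject_hash)" = \
       "$(openssl x509 -in "$f" -noout -issuer_hash)" ]; then
    echo root-ca
  elif openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then
    echo intermediate-ca
  else
    echo leaf
  fi
}

# Succeeds only when the private key ($1) belongs to the certificate ($2).
key_matches_cert() {
  local k; k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Succeeds when the certificate ($2) chains to the CA file ($1).
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build a throwaway CA and server certificate (constructed names and subjects).
make_constructed_pki() {
  local d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
    -keyout "$d/ca.key.pem" -out "$d/ca.cert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example.lan" \
    -keyout "$d/server.key.pem" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -days 1 -CA "$d/ca.cert.pem" \
    -CAkey "$d/ca.key.pem" -CAcreateserial -out "$d/server.cert.pem" 2>/dev/null
}

# Demo on the constructed files.
d=$(mktemp -d)
make_constructed_pki "$d"
for f in ca.cert.pem server.cert.pem server.key.pem; do
  printf '%-16s %s\n' "$f" "$(classify_pem "$d/$f")"
done
key_matches_cert "$d/server.key.pem" "$d/server.cert.pem" && echo "key matches cert"
chain_ok "$d/ca.cert.pem" "$d/server.cert.pem" && echo "chain verifies"
rm -rf "$d"
```

A login or TLS failure with a bundle in place usually shows up here as a key that does not match the leaf, or a leaf that does not chain to the CA file the clients trust.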
Did you use the username root there?
Try global-admin with the given password
For that (global-admin) it wrote invalid credentials; it only lets you in with root, so the cert is not good yet. As you can see, the https is also crossed out.
It would be nice to try opnsense cert creation, but as I wrote above, I can’t match them nomenclaturally to lmn certs.
And here is the samba web-log;
I’m running out of ideas …
(Thomas (@tjordan) can probably assess why the certificate isn’t working and what it should look like. He also helped me back when I had this problem.)
Maybe it’s still the best idea to open a new issue on github. I’m not sure if one of the developers is willing to read this gigantic thread
But as I mentioned above: I don’t use the OPNSense to let it create self-signed certs but to create Let’s Encrypt certs. That’s way better for us … when I go to https://server.my-domain.de there’s a valid cert on all clients…
Ok, yesterday I opened a new issue on the previously linked github page, for now there is nothing to do but wait patiently for my turn to be accepted.
Anyway, although the firewall ssl cert keys are all generated, the https for the firewall is also shown crossed out, so ssl probably doesn’t work there either, but it’s less of a problem there.
Anyway, I’ve used Let’s Encrypt to authenticate a WordPress site with https, but there it was handled by a very easy to use plugin that automatically generated a key pair, which you just had to upload to the appropriate folders in WordPress and that was it.
Hi!
There is an issue when installing from scratch, the server ssl authentication keypairs are not created correctly · Issue #29 · linuxmuster/linuxmuster-prepare · GitHub
I cannot reproduce this on my test system. Could anyone of you reproduce this?
Regards, Thomas