Unable to retrieve Puppet agent SSL certificate from Puppet master - configuration

I have configured a Puppet Master/Agent setup (OS: Ubuntu). Both can ping/ssh each other, and DNS is set up properly. The Master is able to generate a new CA and cert, while the Agent throws an error when 'puppet agent -t' is executed to generate the certificates.
I received an error along with a suggested solution; I did as suggested and then received:
Exiting; failed to retrieve certificate and waitforcert is disabled
Kindly help in getting this one resolved.
Below is the /etc/puppet/puppet.conf (same on Master and Agent):
#Settings in [main] are used if a more specific section does not set a value.
[main]
certname = puppetmaster01.example.com
logdir=/var/log/puppet
vardir=/var/lib/puppet
basemodulepath = /etc/puppetlabs/puppet/environments/production/modules:/opt/puppet/share/puppet/modules
ssldir=/var/lib/puppet/ssl
rundir=/var/run/puppet
factpath=$vardir/lib/facter
server = puppetmaster01.example.com
user = puppet
group = puppet
archive_files = true
archive_file_server = puppetmaster01.example.com
[master]
# This section is used by the Puppet master and Puppet cert applications.
dns_alt_names = puppet,puppet.example.com,puppetmaster01,puppetmaster01.example.com,puppetagent01,puppetagent01.example.com
certname = puppetmaster01.example.com
reports = http,puppetdb
reporturl = https://localhost:443/reports/upload
node_terminus = exec
external_nodes = /etc/puppetlabs/puppet-dashboard/external_node
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
storeconfigs_backend = puppetdb
storeconfigs = true
autosign = true
# This section is used by the Puppet agent application.
[agent]
report = true
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
graph = true
pluginsync = true
environment = production

In a Puppet master/agent deployment, and per the docs, the administrator will need to sign the client's cert on the Puppet master. Have you signed the cert on your Puppet master?
Depending on which version of Puppet you're on, try running
sudo puppetserver ca sign fullnameOFhost.something.com
or
sudo puppet cert sign <name of host>
You can look at outstanding client certs that need signing by running sudo puppet cert list or sudo puppetserver ca list, again depending on the version.
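Added here as a worked example, not part of the question or the answer above: a small Python checker that reads a puppet.conf shaped like the one posted and reports the two settings a reviewer would question, an agent certname that is identical to the server name, and autosign = true. The sample config and the function names are constructed for this example.

```python
import configparser

# Constructed sample modelled on the puppet.conf quoted in the question above
# (the same file on master and agent); it is not the poster's exact file.
SAMPLE_PUPPET_CONF = """
[main]
certname = puppetmaster01.example.com
ssldir = /var/lib/puppet/ssl
factpath = $vardir/lib/facter
server = puppetmaster01.example.com

[master]
certname = puppetmaster01.example.com
autosign = true

[agent]
report = true
"""


def parse_puppet_conf(text):
    # '$vardir'-style references are Puppet's own, so disable configparser interpolation.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def effective(cp, section, key, default=None):
    """Puppet resolves a setting from the application's own section first, then [main]."""
    if cp.has_option(section, key):
        return cp.get(section, key)
    return cp.get("main", key, fallback=default)


def lint_agent_identity(cp):
    """Return human-readable findings about how this file shapes the agent's SSL identity."""
    findings = []
    agent_cert = effective(cp, "agent", "certname")
    server = effective(cp, "agent", "server", "puppet")
    if agent_cert and agent_cert == server:
        findings.append(
            f"certname '{agent_cert}' equals the server name: the CA already holds a signed "
            "certificate for that name and rejects a second CSR for it, so the agent never "
            "receives a certificate; give each agent its own certname (normally its FQDN)"
        )
    if effective(cp, "master", "autosign", "false").lower() == "true":
        findings.append(
            "autosign = true signs every CSR without review, so any host that can reach "
            "the master can obtain a trusted certificate; prefer manual signing or a "
            "restrictive autosign policy"
        )
    return findings


if __name__ == "__main__":
    for finding in lint_agent_identity(parse_puppet_conf(SAMPLE_PUPPET_CONF)):
        print("-", finding)
```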

Samba server does not show all folder/files unless few are deleted

I have Samba 4.14.5 installed on RHEL 8.
If I create a few subfolders and then create, say, 500 files/folders there, about 350 show up. But all can be accessed if I give the complete address in Windows Explorer.
If I create 350, then all show up. If I create the 351st folder, then one randomly becomes invisible, but it can be accessed if I give the complete address in Windows Explorer.
If I delete the 351st dir, then the other 350 show up correctly.
If I create another subfolder, maybe 200 will show up, so this is random.
The server is an EC2 instance and the mount is an EFS.
Config in samba.conf:
[global]
realm = SAMPLE.ORG
workgroup = EXAM
security = ads
kerberos method = secrets and keytab
template homedir = /home/%U
idmap config * : backend = tdb
idmap config * : range = 10000-199999
idmap config EXAM : backend = sss
idmap config EXAM : range = 200000-2147483647
load printers = no
machine password timeout = 0
log level = 4
[data-robo]
comment = AWS EFS share drive
browseable = Yes
read only = No
write list = @group1,@group2
public = No
path = /data/robo2
valid users = @group1,@group2
force directory mode = 777
Thanks,
Just adding that I see this same behavior with a CentOS 8 Stream Samba 4.16.4 server sharing NFS mounts from a VAST appliance. I do not see it when sharing an NFS mount from another CentOS 8 Stream box. I also do not see it when sharing the VAST NFS mounts on a CentOS 7 Samba server running 4.10.16.
So the solution for us for now is to share the VAST NFS mounts only from a CentOS 7 Samba server. I assume the same would be true for EFS.

How to set up a remote share on a standalone Linux workstation with user/password

I have a Linux workstation on which I want to offer access to a shared folder using a user login and password.
All files created remotely will belong to the local workstation user named operator.
On my Linux workstation, I created this special account PenguinUser as the user login for this share:
sudo useradd --no-create-home PenguinUser
sudo smbpasswd -a PenguinUser
I set up the Samba server as follows:
[global]
workgroup = OUTOFWORLD
server string = SHARED MACHINE
security = user
map to guest = Bad Password
passdb backend = tdbsam
obey pam restrictions = Yes
guest account = operator
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
logging = syslog#0
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
show add printer wizard = No
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
usershare allow guests = No
[files]
comment = operator files
path = /home/operator/files_folder
valid users = operator,PenguinUser
read list = operator
create mask = 0777
directory mask = 0777
force user = operator
force group = automat
guest ok = No
browseable = Yes
writable = Yes
2 questions:
1/ Why do we need to create a user account on the main company server? In this case, I would agree, if it is possible to manage the user login/password from this server and not from the workstation?
2/ How to allow write access in the folders created in the remote directory? This actual setup does not permit it.
1/ Why do we need to create a user account on the main company server?
So that the Samba users can save files to the share.
1A/ In this case, I would agree, if it is possible to manage the user login/password from this server and not from the workstation?
Big problem: you can add 'unix password sync = yes' to '[global]' and this will keep the Unix & Samba passwords in sync on the server, but there is nothing standard that will keep the client password in sync with the server. Why do you think they came up with domains? (Note: that wasn't the only reason.)
2/ How to allow write access in the folders created in the remote directory? This actual setup does not permit it.
Recreate your smb.conf like this:
[global]
workgroup = OUTOFWORLD
server string = SHARED MACHINE
security = user
obey pam restrictions = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
unix password sync = yes
logging = syslog#0
log file = /var/log/samba/log.%m
max log size = 50
load printers = No
show add printer wizard = No
dns proxy = No
panic action = /usr/share/samba/panic-action %d
[files]
comment = operator files
path = /home/files_folder
valid users = PenguinUser
create mask = 0700
directory mask = 0700
read only = no
This will allow only the user 'PenguinUser' to connect to the 'files' share.

Issue using samba 4.9 with Time Machine

TL;DR: Time Machine cannot create a new backup on my shared drive, but can add to an existing backup.
I'm running macOS Catalina and my Time Machine backs up to a Debian 10 server with Netatalk and Avahi. Since Mavericks macOS has preferred SMB, and given SMB is marginally faster, I decided to switch to using SMB for the Time Machine shares. On a fresh AFP share I can start a new Time Machine backup in System Preferences and it will create a new .sparseimage without complaint.
If I use the exact same directory (/usr/local/smb), so same permissions etc., and create a Samba share, when Time Machine attempts to create a new backup it gives the error: "Time Machine couldn’t complete the backup to SERVER.local. The backup disk image could not be created."
If I first connect to the share with AFP and do the initial backup, I can then connect with SMB and add subsequent incremental backups without error. I thought maybe it was a permissions issue, but for debugging purposes I have /usr/local/smb set to 0777 and still get the error.
ls -la showing the permissions of the share point:
drwxrwxrwx 5 root smbusers 4096 Apr 3 12:35 smb
I find the following possibly helpful error in the log:
Failed to create '/Volumes/.timemachine/SERVER._smb._tcp.local/DDE06691-7411-41DD-8419-24FEFC21CE29/TimeMachine Set A - SMB/8E394711-7E3F-520B-800C-192D4F680177.sparsebundle', results: {
}, error: 13 Permission denied
afp.conf:
[Global]
; Global server settings
vol preset = default_for_all
log file = /var/log/netatalk.log
uam list = uams_dhx2.so,uams_clrtxt.so
save password = no
[default_for_all]
file perm = 0664
directory perm = 0774
cnid scheme = dbd
[Time Machine Set A - AFP]
path = /usr/local/smb
time machine = yes
vol size limit = 4000000
I'm using some smb.conf options suggested in this GitHub gist: https://gist.github.com/ChloeTigre/4c2022c0d1a281deedba6f7539a2e3ae
smb.conf:
[global]
## Browsing/Identification ###
# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = WORKGROUP
wins support = yes
#### Debugging/Accounting ####
# This tells Samba to use a separate log file for each machine
# that connects
log file = /var/log/samba/log.%m
# Cap the size of the individual log files (in KiB).
max log size = 1000
# We want Samba to only log to /var/log/samba/log.{smbd,nmbd}.
# Append syslog#1 if you want important messages to be sent to syslog too.
logging = file
# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d
### macOS compatibility stuff
guest account = smbguest
min protocol = SMB2
map acl inherit = yes
vfs objects = catia fruit streams_xattr
fruit:metadata = netatalk
fruit:model = MacSamba
fruit:posix_rename = yes
fruit:veto_appledouble = yes
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
smb2 leases = yes
#Turned off for testing compatibility
#fruit:wipe_intentionally_left_blank_rfork = yes
#fruit:delete_empty_adfiles = yes
####### Authentication #######
# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
server role = standalone server
obey pam restrictions = yes
# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
unix password sync = yes
# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
pam password change = yes
# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
map to guest = bad user
######Security#######
security = user
valid users = @smbusers
username map = /etc/samba/users.map
guest ok = no
# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
usershare allow guests = yes
#======================= Share Definitions =======================
[TimeMachine Set A - SMB]
path = /usr/local/smb
comment = SMB Time Machine Destination Set A
browsable = yes
writeable = yes
create mode = 0664 #tried turning this off, no fix
directory mode = 0777 #tried turning this off, no fix
vfs objects = catia fruit streams_xattr
fruit:aapl = yes
fruit:time machine = yes
#guest ok = yes
fruit:time machine max size = 3.9T #tried turning this off, no fix
inherit acls = yes
As I was so helpfully informed here, the issue boiled down to one variable. I needed to change fruit:metadata = netatalk to fruit:metadata = stream.
Thought I'd post some additional info for people. My currently working smb.conf is as follows. Note this is on Debian 10 (Buster), so things like the password change command will be different on other distributions. Also note that the order of modules in the setting vfs objects = catia fruit streams_xattr is significant and important.
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
[global]
workgroup = WORKGROUP
min protocol = SMB2
log file = /var/log/samba/log.%m
max log size = 5000
logging = file
security = USER
panic action = /usr/share/samba/panic-action %d
server role = standalone server
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
username map = /etc/samba/users.map
map to guest = bad user
guest account = XXXYOURGUESTACCOUNT
# Time Machine settings
vfs objects = catia fruit streams_xattr
fruit:model = MacSamba
fruit:advertise_fullsync = true
fruit:metadata = stream
fruit:veto_appledouble = no
#default is yes, not necessary to specify fruit:posix_rename = no
#default is yes, not necessary to specify fruit:zero_file_id = yes
fruit:wipe_intentionally_left_blank_rfork = yes
fruit:delete_empty_adfiles = yes
ea support = yes
#default is yes, not necessary to specify fruit:aapl = yes
# Make share visible to Windows
#Disabled for a Mac-Only network
# lanman auth = no
# ntlm auth = yes
# wins support = yes
# local master = yes
# preferred master = yes
# Allow symlinks
# follow symlinks = yes
# wide links = yes
# unix extensions = no
#======================= Share Definitions =======================
[SHARED DRIVE]
path = /PATH/TO/YOUR/SHARED/FOLDER
valid users = @YOURGUESTUSERGROUP
writable = yes
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
vfs objects = catia fruit streams_xattr
#default is yes, not necessary to specify ea support = yes
#default is yes, not necessary to specify browseable = yes
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:metadata = stream
fruit:locking = netatalk
guest ok = yes
[Time Machine]
path = /PATH/TO/YOUR/SHARED/FOLDER
valid users = @YOURGUESTUSERGROUP
writable = yes
durable handles = yes
kernel oplocks = no
kernel share modes = no
posix locking = no
vfs objects = catia fruit streams_xattr
#default is yes, not necessary to specify ea support = yes
browseable = no
read only = no
inherit acls = yes
fruit:time machine = yes
fruit:metadata = stream
fruit:locking = netatalk
fruit:time machine max size = 1.9T
Also note that The Samba build with Debian 10 currently does not have built-in support for advertising Time Machine shares. Normally specifying fruit:time machine = yes will trigger Samba to advertise a Time Machine destination via Avahi, but this specific support is not built with the Samba included in Debian 10. You'll need to configure a .service definition in /etc/avahi/services/. I created time_machine_advert.service in that folder. You'll need to restart avahi to be sure it gets applied with sudo systemctl restart avahi. I have two Time Machine destinations. Multiples can be advertised within a single file by simply duplicating the txt record and incrementing dkX, i.e. dk1, dk2 etc.
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_adisk._tcp</type>
<txt-record>sys=waMa=0,adVF=0x100</txt-record>
<txt-record>dk0=adVN=SAMBA SHARE NAME EXACTLY,adVF=0x82</txt-record>
<txt-record>dk1=adVN=SAMBA SHARE NAME #2 EXACTLY,adVF=0x82</txt-record>
</service>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
</service-group>
There are some additional useful sites for Samba configuration with regards to Time Machine here:
Samba team's official guide to Time Machine configuration, although this alone didn't get a working config for me: https://wiki.samba.org/index.php/Configure_Samba_to_Work_Better_with_Mac_OS_X
smb.conf reference: https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
vfs_fruit (the Apple compatibility module for Samba) reference: https://www.samba.org/samba/docs/current/man-html/vfs_fruit.8.html
Ken Murphy's smb.conf on GitHub that finally pushed me over the edge and got my setup working: https://github.com/KenMurphy/SambaConfigs/blob/master/smb.conf
A general Samba on Debian guide: https://www.antoneliasson.se/journal/time-machine-compatible-samba-on-debian-buster/
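Added here as a worked example, not the poster's own code: a Python helper that reads an smb.conf shaped like the one above, reports Time Machine shares whose effective fruit:metadata is not stream (the mismatch the answer identifies), and renders the Avahi _adisk._tcp service file with one dkN record per share, as the answer describes for Debian 10. The sample config, paths and function names are assumptions made for this example.

```python
import configparser
from xml.sax.saxutils import escape

# Constructed sample modelled on the working smb.conf above; not the poster's file.
# [Time Machine] inherits fruit:metadata = netatalk from [global], which is the
# mistake the answer describes.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
vfs objects = catia fruit streams_xattr
fruit:metadata = netatalk

[SHARED DRIVE]
path = /srv/tm/shared
fruit:time machine = yes
fruit:metadata = stream

[Time Machine]
path = /srv/tm/second
fruit:time machine = yes
fruit:time machine max size = 1.9T   # inline comments appear in the thread's config
"""

def parse_smb_conf(text):
    # smb.conf keys contain ':' (fruit:...), so only '=' may separate key and value.
    cp = configparser.ConfigParser(delimiters=("=",), inline_comment_prefixes=("#", ";"),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def time_machine_shares(cp):
    """Share names, in file order, that set fruit:time machine = yes."""
    return [s for s in cp.sections()
            if s != "global" and cp.get(s, "fruit:time machine", fallback="no").lower() == "yes"]

def metadata_mismatches(cp):
    """(share, effective fruit:metadata) for Time Machine shares not using 'stream'.
    A share value overrides [global]; vfs_fruit's own default is netatalk."""
    global_meta = cp.get("global", "fruit:metadata", fallback="netatalk")
    result = []
    for share in time_machine_shares(cp):
        eff = cp.get(share, "fruit:metadata", fallback=global_meta).lower()
        if eff != "stream":
            result.append((share, eff))
    return result

def avahi_adisk_service(cp):
    """Render the _adisk._tcp service file the answer describes, one dkN record per share."""
    records = ["<txt-record>sys=waMa=0,adVF=0x100</txt-record>"]
    for i, name in enumerate(time_machine_shares(cp)):
        records.append(f"<txt-record>dk{i}=adVN={escape(name)},adVF=0x82</txt-record>")
    lines = ["<?xml version=\"1.0\" standalone='no'?>",
             '<!DOCTYPE service-group SYSTEM "avahi-service.dtd">',
             "<service-group>", '  <name replace-wildcards="yes">%h</name>',
             "  <service>", "    <type>_adisk._tcp</type>",
             *("    " + r for r in records),
             "  </service>", "  <service>", "    <type>_smb._tcp</type>",
             "    <port>445</port>", "  </service>", "</service-group>"]
    return "\n".join(lines) + "\n"
```

Write the rendered XML to a file under /etc/avahi/services/ and restart Avahi, as the answer describes, to advertise the shares.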

How can I configure the SMTP server running for GitLab (Omnibus) on the same machine?

I run the SMTP server and GitLab on the same machine, and I am sure the SMTP server on port 25 works because I receive the mail after running this command: echo "This is the body of the email" | mail -s "This is the subject line" user@example.com. And I configured GitLab like this in /etc/gitlab/gitlab.rb:
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "localhost"
gitlab_rails['smtp_port'] = 25
gitlab_rails['smtp_user_name'] = "myRootName"
gitlab_rails['smtp_password'] = "myRootPassword"
#gitlab_rails['smtp_domain'] = "example.com"
gitlab_rails['smtp_authentication'] = "login"
gitlab_rails['smtp_enable_starttls_auto'] = false
gitlab_rails['smtp_tls'] = false
gitlab_rails['smtp_openssl_verify_mode'] = false
Can someone help? Thanks!
If you run a local MTA on the GitLab server there is nothing you need to configure explicitly. The SMTP settings in gitlab.rb are only required if you use an external server or need special configuration.
We run GitLab on Debian 8 here with the default installation of Postfix. Works out of the box. But exim4 should work just fine as well.
You DO have to configure the following properties:
gitlab_rails['gitlab_email_from'] = 'gitlab@example.com'
gitlab_rails['gitlab_email_display_name'] = 'GitLab'

Failed to import extension mercurial_keyring - Rhodecode - Object has no attribute NullHandler

Machine env: Windows 7 box with Cygwin/TortoiseHg, Linux box (RHEL).
Mercurial/Hg version 3.0.1
I'm trying to integrate mercurial_keyring to perform username/password-less operations. Mercurial keyring prompts the first time per user / per repository link, but after that it doesn't prompt.
Our Hg repository code recently migrated to RhodeCode.
I have the mercurial_keyring.py (Python) file available on my machine (provided by this link): https://pypi.python.org/pypi/mercurial_keyring and https://bitbucket.org/Mekk/mercurial_keyring/src/tip/mercurial_keyring.py
While doing hg clone or any hg command, I'm getting the following error at the command prompt (either on the Linux or the Windows machine via Cygwin).
*** failed to import extension hgext.mercurial_keyring from /root/AKS/goga/mercurial_keyring.py: 'module' object has no attribute 'NullHandler'
My ~/.hgrc file looks like:
# example config (see "hg help config" for more info)
[ui]
# name and email, e.g.
# username = Jane Doe <jdoe@example.com>
username=koba <koba.loki@shenzi.com>
[extensions]
# uncomment these lines to enable some popular extensions
# (see "hg help extensions" for more info)
# pager =
# progress =
# color =
hgext.mercurial_keyring = /root/AKS/goga/mercurial_keyring.py
[paths]
default = http://hg-server.cm.shenzi.com:8082
[auth]
default1.schemes = http https
default1.prefix = hg-server:8082
default1.username = koba
default.schemes = http https
default.prefix = hg-server.cm.shenzi.com:8082
default.username = koba
default3.schemes = http https
default3.prefix = 12.112.91.112
default3.username = koba
In Cygwin, I also got another error:
*** failed to import extension hgext.mercurial_keyring from ~/MerKeyRing/mercurial_keyring.py: No module named keyring