similar to: Local routes passed to subnet-up

Hi all, I'm currently happily using tinc in my networks. I also use OpenVPN based on the customer requirements. I though have some questions which I could not find a clear answer. What I'd like to know is: 1. How to revoke a "node", simply removing the host file on the servers is enough? And one created by invitation? 2. Is there a way to let tinc ask for a username/password

Il 2015-05-05 13:29 Guus Sliepen ha scritto: > On Tue, May 05, 2015 at 01:18:15PM +0200, Alessandro Briosi wrote: > >> Now the odd thing is that when the VPN comes up they both also add the >> local >> subnet to their routes on the tinc interface: > [...] >> the subnet-up script runs this command: >> ip route add $SUBNET dev $INTERFACE metric $WEIGHT

On Tue, May 05, 2015 at 01:18:15PM +0200, Alessandro Briosi wrote: > Now the odd thing is that when the VPN comes up they both also add the local > subnet to their routes on the tinc interface: [...] > the subnet-up script runs this command: > ip route add $SUBNET dev $INTERFACE metric $WEIGHT > > Should I filter it in the subnet-up script? I have other installations which >

Hi all. I have the following setup: 1st dc is on CentOS 6 with Sernet samba 4.1.13 2nd dc is on Debian 7 with Sernet samba 4.1.13 The 2 dc work as expected. on CentOS I was able to configure sssd to work on Debian I'm using winbind Now I have a 3rd server which is CentOS 7 with samba 4.1.1 from CentOS repository. This system serves as a file server and works ok with samba, but I have a

Il dom 22 apr 2018, 10:46 Alessandro Briosi <ab1 at metalit.com> ha scritto: > Imho the easiest path would be to turn off sharding on the volume and > simply do a copy of the files (to a different directory, or rename and > then copy i.e.) > > This should simply store the files without sharding. > If you turn off sharding on a sharded volume with data in it, all sharded

Il 2014-12-31 16:29 Dr. Lars Hanke ha scritto: >>> OK, you can get winbind to update your keytab, you need to alter your >>> smb.conf slightly. You need to change 'kerberos method = secrets >>> only' >>> to either 'kerberos method = secrets and keytab' or 'kerberos method >>> = >>> system keytab' and add the line

Il 2017-07-10 18:32 Matthew Nichols ha scritto: > 1. That entirely depends on how you have it set up (look at > StrictSubnets and TunnelServer). It might also be recommended to have > every node re-key itself (http://tinc-vpn.org/security/). I've used StrictSubnets and TunnelServer (and probably will keep using this so roadwarriors don't see eachother, though looking at the logs

>> Hi, how have you setup the fileserver ? >> Is it joined to the domain ? >> Can you post your fileservers smb.conf >> Rowland OT: Oops, wasn't subscribed to the mailing list :) Yes, server is joined to the domain (otherwise I would not be able to generate the principal) Server configuration is following (only global part), winbind config is there because it was

Hi, The short answer to this is that Samba changes the machine account password every 7 days with the default settings. As you were told, if you join the domain with "kerberos method = secrets and keytab" on you smb.conf, the generated keytab won't expire. Another workaround would be to set "machine password timeout = 0" Best regards. On Mon, Dec 29, 2014 at 2:29 PM,

Hi Rowland, this posting ended a lot of grief I had with expired keytabs. While this is presumably an issue of sssd, I have no chance to attack the issue right at its root*). But rejoining the domain with the lines dedicated keytab file = /etc/krb5.memberserver.keytab kerberos method = secrets and keytab winbind refresh tickets = Yes seems to fix it. Phew... Maybe You or someone

Il 22/04/2018 11:39, Gandalf Corvotempesta ha scritto: > Il dom 22 apr 2018, 10:46 Alessandro Briosi <ab1 at metalit.com > <mailto:ab1 at metalit.com>> ha scritto: > > Imho the easiest path would be to turn off sharding on the volume and > simply do a copy of the files (to a different directory, or rename > and > then copy i.e.) > > This

2018-04-23 9:34 GMT+02:00 Alessandro Briosi <ab1 at metalit.com>: > Is it that really so? yes, i've opened a bug asking developers to block removal of sharding when volume has data on it or to write a huge warning message saying that data loss will happen > I thought that sharding was a extended attribute on the files created when > sharding is enabled. > > Turning off

Il 2014-12-31 18:24 Rowland Penny ha scritto: > > It expires because it was not created on the member server, having > said that, sssd should be able to update the keytab, I would suggest > that sssd is not setup correctly and as such, I think that you need to > take this problem to the sssd mailing list. > > If you decide to use winbind, which I can assure you will work,

thanks for answering. But I have to setup and test it myself and record the result. Can you guide me a little more. The problem is, one valid ip for each data centers exist, and each data centers have 3 servers. How should I config the network in which the server bricks see each other to create a glusterfs volume? On Tue, Oct 24, 2017 at 1:47 PM, <lemonnierk at ulrar.net> wrote: > Hi,

Il 24/10/2017 12:45, atris adam ha scritto: > thanks for answering. But I have to setup and test it myself and > record the result. Can you guide me a little more. The problem is, one > valid ip for each data centers exist, and each data centers have 3 > servers. How should I config the network in which the server bricks > see each other to create a glusterfs volume? > I would

Il 20/04/2018 21:44, Jamie Lawrence ha scritto: > Hello, > > So I have a volume on a gluster install (3.12.5) on which sharding was enabled at some point recently. (Don't know how it happened, it may have been an accidental run of an old script.) So it has been happily sharding behind our backs and it shouldn't have. > > I'd like to turn sharding off and reverse the

Hi list! I've got a debian "etch" box running samba 3.0.24. The server is a firewall (running Shorewall 3.2.6) with five NICs: eth0 -> DSL (it has a public IP address and it allows all the people browse by masquerading other interfaces) eth1 and eth3 -> bond0 (IP address is 192.168.1.1/24) eth2 and eth4 -> bond1 (IP address is 192.168.2.1/24) BTW, bond+ refers to an

Hi all, I need a suggestion or just to know if it's even possible to achieve the following. There is a "central" vpn server which is my main network. I have a few other gateways (customers) which should connect to this central server (there's a firewall on this machine too) which have behind the customer network. Then I have a few single servers which still connect to my

Whatever you do, keep in mind that tinc will always trust all nodes as long as they are part of the graph. It is not currently designed to deal with insider threats. Most importantly, that means anyone can impersonate any Subnet on a tinc network, just by changing the Subnet declaration in their node file. The only way around that is to use StrictSubnets, but that requires every node to be

On 4 May 2015 at 20:53, Anne-Gwenn Kettunen <anwen at asphodelium.eu> wrote: > We started to take a look about that, and apparently, it seems that the IP > in the public key is taken into account when a client connects to a gateway. > Spoofing at that level doesn't seem easy, because the IP address seems to be > part of the authentication process. I'm having trouble