# Useful Commands

The commands here can save your life, please help us to maintain this page.

## Not Specific To NethServer

### ACL

Each time you launch `signal-event ibay-modify IBAYNAME` you will restore the correct ACL ownership.

#### See ACL

```
getfacl /path/2/files/or/folders
```

#### Set ACL

```
setfacl -P -R -m u:UID:rwX,d:u:UID:rwX /path/2/files/or/folders
setfacl -P -R -m g:GID:rwX,d:g:GID:rwX /path/2/files/or/folders
```

- `-R`: recursive
- `-P`: physical, do not follow symlinks

#### Remove Specific ACL

`-x` removes the named entry (the `d:` form removes the matching default entry); note that `-d` would only select the default ACL and takes no entry argument.

```
setfacl -R -x u:UID,d:u:UID /path/2/files/or/folders
setfacl -R -x g:GID,d:g:GID /path/2/files/or/folders
```

#### Remove all ACL

```
setfacl -b /path/2/files/or/folders
```

### Apache Virtualhost parsing order

`-S`: show the settings as parsed from the config file (currently only shows the virtualhost settings).

```
httpd -S
```

### Command Line Interface

#### Adding date and time to bash history

By default the bash history does not show the date and time of any activity. You can enable this by entering the following command:

```
HISTTIMEFORMAT="%d/%m/%y %T "
```

where `%d` is the day, `%m` the month, `%y` the year and `%T` the time. To see the bash history with the date and time added, enter:

```
history
```

The history command can be useful in combination with comments added to shell commands, for more precise analysis or (automatic) reporting based on a shell script and cron.

#### Find a file/folder

Find quickly with a database:

```
locate FileOrFolderName
```

Do before: `yum install mlocate -y ; updatedb`. `updatedb` must be launched manually each time you add new files (a cron job runs it each night).
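The bash history section above mentions using the timestamps together with comments appended to commands for reporting. The following POSIX shell script is an added example, not part of the wiki page: it parses a history file written with `HISTTIMEFORMAT` set (bash stores each entry as a `#<epoch>` line followed by the command) and emits one tab-separated audit record per command with the epoch, the inline `# comment` and the command itself. The history content is a constructed sample; the annotation convention (`command  # note`) is an assumption about how you tag your own commands.

```sh
#!/bin/sh
# Added example (not from the NethServer wiki): turn a timestamped
# ~/.bash_history into "epoch <TAB> comment <TAB> command" audit records.
# With HISTTIMEFORMAT set, bash writes a "#<epoch>" line before each command.

# Constructed sample of a timestamped history file (not a real capture).
SAMPLE_HISTORY='#1718000000
yum update -y   # ticket 42: monthly patching
#1718000060
systemctl restart postfix
#1718000120
config setprop postfix AccessBypassList 192.168.56.15 # temporary test
#1718000180
signal-event nethserver-mail-update'

# audit_history: read history text on stdin, print one record per command:
#   epoch (or "-" when the entry had no timestamp), comment, command.
# The comment is whatever follows the first " #" on the command line
# (assumed annotation convention; a '#' inside quotes would be misread).
audit_history() {
  awk '
    /^#[0-9]+$/ { epoch = substr($0, 2); next }      # timestamp line
    {
      cmd = $0; note = ""
      i = index(cmd, " #")
      if (i > 0) {
        note = substr(cmd, i + 2); sub(/^[# \t]+/, "", note)
        cmd = substr(cmd, 1, i - 1)
      }
      sub(/[ \t]+$/, "", cmd)
      printf "%s\t%s\t%s\n", (epoch == "" ? "-" : epoch), note, cmd
      epoch = ""
    }'
}

# count_annotated: count the records (from audit_history) that carry a comment.
count_annotated() {
  awk -F '\t' '$2 != "" { n++ } END { print n + 0 }'
}

# Usage: audit_history < ~/.bash_history
printf '%s\n' "$SAMPLE_HISTORY" | audit_history
```

Feed it the real file with `audit_history < /root/.bash_history` from a cron job and keep the output with the other logs; the epoch column sorts and diffs cleanly, and `count_annotated` gives a quick measure of how many changes were documented at the prompt.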
Find by name:

```
find / -iname 'FileOrFolderName'
```

Find files by their size; it can be useful to find large files from the command line:

```
find /home/e-smith -type f -size +200M -exec ls -lh {} \; | awk '{ print $NF ": " $5 }'
```

Use `k` for kilobytes (units of 1024 bytes), `M` for megabytes (units of 1048576 bytes), `G` for gigabytes (units of 1073741824 bytes).

#### Replace a chain of characters

Replace the string chaine1 by chaine2 in all `.txt` files of the current directory:

```
find . -name "*.txt" -type f -exec sed -i "s/chaine1/chaine2/g" {} \;
```

#### Run a command multiple times

You can run a command as fast as the computer can, to test whether it fails or not. For example here `echo 'plop'` will be executed until you stop it with `ctrl+c`:

```
time while echo 'plop'; do : ; done
```

`time` reports how long the loop ran when it ends; you can remove it if needed. You can add `&` at the end: it will run as a background process and you can launch it several times.

```
time while echo 'plop'; do : ; done &
```

#### Unix user/group properties

| Explanation | Command |
| --- | --- |
| See the information of a user | `id USER` |
| Change the UID of a user | `usermod -u <UID> USER_NAME` |
| Create a group | `groupadd -g <GID> -o GROUPE_NAME` |
| Modify the GID of a group | `groupmod -o -g <GID> GROUPE_NAME` |
| Set the primary group of a user | `usermod -g <GROUP_NAME_OR_GID> USER_NAME` |
| Add a secondary group to a user | `usermod -a -G <GROUP_NAME_OR_GID> USER_NAME` |
| Change the home directory (add `-m` to move files/folders to the new location) | `usermod -d /var/lib/jdownloader jdownloader` |
| Change the shell of a user | `usermod --shell /bin/bash jdownloader` |

#### Read a TAI64N timestamp in human readable format

[tai64nlocal](http://cr.yp.to/daemontools/tai64nlocal.html) converts precise TAI64N timestamps to a human-readable format. tai64nlocal reads lines from stdin. If a line does not begin with @, tai64nlocal writes it to stdout without change.
If a line begins with @, tai64nlocal looks for a timestamp after the @, in the format printed by tai64n, and writes the line to stdout with the timestamp converted to local time in ISO format: YYYY-MM-DD HH:MM:SS.SSSSSSSSS.

E.g.

```
cat /var/log/qpsmtpd/current | tai64nlocal | less
```

or

```
tailf /var/log/sshd/current | tai64nlocal
```

#### Network port tricks

Find which service uses a specific port:

```
fuser -vn tcp 53   # TCP
fuser -vn udp 53   # UDP
```

Connect to a port from the command line:

```
nc -tv 127.0.0.1 53   # TCP
nc -uv 127.0.0.1 53   # UDP
```

#### Test network connectivity

mtr does a traceroute to 8.8.8.8 from an interface (use an IP):

```
mtr -rbwz 8.8.8.8 -a xxx.xxx.xxx.xxx
```

Likewise you can check whether the relevant NIC has network connectivity with ping:

```
ping google.fr
```

traceroute:

```
traceroute google.fr
```

See the network settings:

```
ip r
ip a
```

### RPM's

| Command | Explanation |
| --- | --- |
| `rpm -qa` | shows all rpms installed |
| `rpm -qa --last` | shows all rpms installed & installation date |
| `rpm -q <packagename>` | asks for rpm info |
| `rpm -qi <packagename>` | asks for detailed rpm info |
| `rpm -qlv <packagename>` | lists all files in a package |
| `rpm -qlvp <packagename.rpm>` | lists all files in an rpm which is not installed |
| `rpm -qf <filename>` | reports what package a file belongs to |
| `rpm -ql <packagename>` | lists the files |
| `rpm -qc <packagename>` | lists the config files |
| `rpm -qd <packagename>` | lists the documentation files |
| `rpm -qV <packagename>` | reports if permission and ownership are OK |
| `rpm -qRp <packagename.rpm>` | finds what dependencies an rpm file has |
| `rpm -qR <packagename>` | finds what dependencies a package has |
| `rpm -q --whatrequires <packagename>` | finds what packages have <packagename> as dependency |
| `rpm -e --test <packagename>` | finds what packages have <packagename> as dependency (more verbose than above) |
| `rpm -e --nodeps <packagename>` | removes packagename without removing dependencies |
| `rpm --setugids <packagename>` | sets the right ownership on the rpm's files |
| `rpm --setperms <packagename>` | sets the right permissions on the rpm's files |
| `rpm -e --noscripts <packagename>` | removes packagename without executing scriptlets (%pre, %post, %preun, %postun) |
| `rpm -Va` | captures any damaged/incomplete rpms, but will also show lots of configuration files, which you of course expect to be modified |

#### Restore all permissions and ownership

If you want to restore all permissions and the right ownership of every rpm, you can do this in a root terminal:

```
for f in $(rpm -qa); do echo $f; rpm --setugids $f; done
for f in $(rpm -qa); do echo $f; rpm --setperms $f; done
```

or specific to one rpm:

```
# rpm --setugids opendkim
# rpm --setperms opendkim
# rpm -V opendkim
S.5....T.  c /etc/opendkim.conf
S.5....T.  c /etc/opendkim/KeyTable
S.5....T.  c /etc/opendkim/SigningTable
S.5....T.  c /etc/opendkim/TrustedHosts
```

### Yum

Reinstall all base dependencies:

```
yum install @nethserver-iso
```

Yum helper:

| Command | Explanation |
| --- | --- |
| `yum install <packagename>` | installs packagename & any package it may need |
| `yum remove <packagename>` | removes packagename |
| `yum history package-info <packagename>` | shows the installation/removal history of a package and its Transaction ID ([see more commands](http://yum.baseurl.org/wiki/YumHistory)) |
| `yum history undo <Transaction ID>` | removes all packages from a specific Transaction ID ([see more commands](http://yum.baseurl.org/wiki/YumHistory)) |
| `yum list updates` | lists updates to any installed package |
| `yum list available` | lists available packages in all repos not already installed |
| `yum list available \| grep <reponame>` | lists available packages, only from the given repo name |
| `yum search <packagename>` | lists all packages in all repos matching packagename |
| `yum clean all --enablerepo=*` | cleans up the various things which accumulate in the yum cache (includes disabled repos) |
| `yum --enablerepo=<reponame> <command>` | enables a repo not normally enabled |
| `yum autoremove` | removes all orphan dependencies |

### CLAMAV

Reload the database: you can force clamav to reload its database:

```
kill -USR2 `cat /var/run/clamd@rspamd/clamav.pid`
```

or, to make a long freeze:

```
kill -STOP `cat /var/run/clamd@rspamd/clamav.pid`
```

and to unfreeze:

```
kill -CONT `cat /var/run/clamd@rspamd/clamav.pid`
```

Slow clamav down:

```
cpulimit -l 10 -p $(pidof clamd)
```

When testing, remember to flush caches:

```
systemctl restart clamd@rspamd
systemctl restart rspamd
redis-cli -s /var/run/redis-rspamd/rspamd flushall
```

Some useful commands. Measure the time taken by clamd to scan an email:

```
clamdscan --config-file=/etc/clamd.d/rspamd.conf /tmp/mail
```

Measure the time taken by rspamd to analyze an email:

```
rspamc -t 120 </tmp/mail
```

### Collabora

Enable the repository to get updates:

```
yum install yum-utils
yum-config-manager --add-repo https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7
wget https://www.collaboraoffice.com/repos/CollaboraOnline/CODE-centos7/repodata/repomd.xml.key && rpm --import repomd.xml.key
yum update -y
```

### DOCKER

Inspect: see all settings of a container:

```
docker inspect containerName
```

See some settings of a container (e.g. the command given):

```
docker inspect -f "{{.Name}} {{.Config.Cmd}}" containerName
```

Ping the host. Testing it out: can the container reach the Docker host? We can test this without needing to run a database or any service. We'll just run an Alpine image, drop into a shell, install the ping utility and ping the Docker host.

Start the Alpine container and drop into a shell prompt:

```
docker run --rm -it alpine sh
```

Install the ping utility:

```
apk update && apk add iputils
```

Ping your local network IP address (replace my IP address with yours):

```
ping 192.168.1.3
```

Ping a host from a container:

```
$ docker run busybox ping -c 1 8.8.4.4
PING 8.8.4.4 (8.8.4.4): 56 data bytes
64 bytes from 8.8.4.4: seq=0 ttl=61 time=19.222 ms

--- 8.8.4.4 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 19.222/19.222/19.222 ms
```

Query DNS from a container:

```
$ docker run busybox nslookup google.com
Server:    127.0.0.11
Address:   127.0.0.11:53

Non-authoritative answer:
Name:      google.com
Address:   2a00:1450:4007:805::200e

*** Can't find google.com: No answer
```

Open a shell inside a running container:

```
docker exec -ti dockername /bin/sh
```

Start an nginx container for testing networking:

```
docker run -dit --name nginx-test-01 -p 9001:80 --restart=unless-stopped nginx:alpine nginx-debug -g 'daemon off;'
```

Delete all containers:

```
docker rm -f $(docker ps -aq)
```

Fix docker DNS (see https://development.robinwinslow.uk/2016/06/23/fix-docker-networking-dns/). Edit `/etc/docker/daemon.json`:

```
{
    "dns": ["10.0.0.2", "8.8.8.8"]
}
```

Then restart the docker service:

```
sudo service docker restart
```

Or discover the address of your DNS server. You can find out your network's DNS server from within Ubuntu as follows:

```
$ nmcli dev show | grep 'IP4.DNS'
IP4.DNS[1]:                             10.0.0.2
```

Run Docker with the new DNS server: to run a docker container with this DNS server, provide the `--dns` flag to the run command. For example, let's run the command we used to check if DNS is working:

```
$ docker run --dns 10.0.0.2 busybox nslookup google.com
Server:    10.0.0.2
Address 1: 10.0.0.2

Name:      google.com
Address 1: 2a00:1450:4009:811::200e lhr26s02-in-x200e.1e100.net
Address 2: 216.58.198.174 lhr25s10-in-f14.1e100.net
```

And that's what success looks like.
### DNS

#### DNSMASQ

Debug: for debugging purposes you can redirect queries to the logs. Add in `/etc/dnsmasq.conf`:

```
# redirect dns queries to /var/log/messages (test purpose)
log-queries
```

Restart dnsmasq:

```
systemctl restart dnsmasq
```

then check `/var/log/messages`.

#### Unbound

Unbound runs on port `10053`:

```
dig @127.0.0.1 -p 10053 maps.rspamd.com
```

### JQ

```
$ jq --arg value 30 -n '{"value":$value}'
{
  "value": "30"
}
$ jq --argjson value 30 -n '{"value":$value}'
{
  "value": 30
}
```

`--arg` always passes the value as a string, while `--argjson` parses it as JSON, which is why the second output is a number.

### Mysql

#### mysql users

Display all mysql users:

```
SELECT User,Host FROM mysql.user;
```

Delete a mysql user:

```
SELECT User,Host FROM mysql.user;
DROP USER 'testuser'@'localhost';
```

#### Create a database

```
mysql
create database owncloud;
grant all privileges on owncloud.* to username@localhost identified by 'password';
flush privileges;
exit
```

#### Delete a database

```
mysql
drop database owncloud;
```

#### Backup a database

```
mysqldump database > database.sql
```

When you want to diff two versions of a database, you need a specific dump:

```
mysqldump --skip-comments --skip-extended-insert database > database.sql
```

Backup a database with the idea to diff the output: you might need to dump the database and diff the output against another database.
```
mysqldump --skip-comments --skip-extended-insert database > filename
```

then

```
diff -Nur filename1 filename2 > diff_mysql.sql
```

A nice mysqldump:

```
mysqldump databaseName --default-character-set=utf8mb4 --skip-dump-date --ignore-table=mysql.event --single-transaction --quick --add-drop-table > databaseName.sql
```

A shorter one; it dumps the database roundcubemail (`-B`) to the file roundcubemail.sql:

```
mysqldump --single-transaction --quick --add-drop-table -QB "roundcubemail" -r roundcubemail.sql
```

### Networking

#### Find open ports

To find opened udp and tcp ports in the firewall:

```
netstat -tupln
```

To find TCP ports with nmap:

```
yum install nmap
nmap -p 1-65535 127.0.0.1
```

Find a specific port with netstat:

```
# netstat -anp|grep 5232
tcp        0      0 192.168.12.233:5232     0.0.0.0:*               LISTEN      2028/python
```

Find a specific port with nmap; nmap can tell whether a port is closed or not:

```
yum install nmap
nmap localhost -p 5232
```

#### Get MAC address without ifconfig

```
cat /sys/class/net/host0/address
```

#### openssl

Connect to a remote host and check what TLS protocol and cipher is used:

```
openssl s_client -connect 192.168.56.12:636 -tls1_2
```

- `-ssl3`: just use SSLv3
- `-tls1_2`: just use TLSv1.2
- `-tls1_1`: just use TLSv1.1
- `-tls1`: just use TLSv1
- `-dtls1`: just use DTLSv1
- `-cipher`: preferred cipher to use; use the `openssl ciphers` command to see what is available

Test if STARTTLS is accepted:

```
openssl s_client -starttls smtp -connect 127.0.0.1:587
openssl s_client -starttls imap -connect 127.0.0.1:143
openssl s_client -starttls sieve -connect 127.0.0.1:4190
```

### PHP

#### PHPinfo

PHPinfo will provide an overview of all PHP related settings.
A quick way to get an overview or search for a setting:

| Explanation | Command |
| --- | --- |
| get an overview | `php -r "phpinfo();" \| less` |
| save to a text file | `php -r "phpinfo();" > phpinfo.txt` |
| search for specific values and save to a text file | `php -r "phpinfo();" \| grep mysql > phpmysql.txt` |
| push it directly in the vhost data content | `echo '<?php phpinfo(); ?>' > /var/lib/nethserver/vhost/plop.com/info.php` |
| in the terminal | `php -i` |

#### List PHP modules

Drop a file:

```
<?php
echo implode("\n", get_loaded_extensions());
echo "\n";
```

then run `php file`.

### PODMAN

Remove all podman containers, if you use podman containers just for makerpms:

```
sudo rm -rf $HOME/.local/share/containers/
```

### RSPAMD

#### Uptime

```
rspamc uptime
```

#### Dump the configuration

Display all settings in rspamd, useful to understand what occurs:

```
rspamadm configdump
rspamadm configdump | grep -E '(WHITE|BLACK)LIST \{'
```

#### Test manually to check an email

```
rspamc email.eml
curl smtp://127.0.0.1:25 -v --anyauth --mail-from no-reply@neth.net --mail-rcpt filippo@neth.net --upload-file ./2019.eml
```

Test from an IP:

```
[root@ns7loc14 ~]# host $(hostname)
[root@ns7loc14 ~]# config setprop postfix AccessBypassList 192.168.56.15
((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@email.celio.com --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I
Configuration settings for bayes expiry module should be added to the corresponding classifier section (for instance in the local.d/classifier-bayes.conf). Bayes expiry module provides intelligent expiration of statistical tokens for the new schema of Redis statistics storage.
EOF
```

Test from an email/domain:

```
((++I)) ; curl smtp://$(hostname):25/$(hostname) -v --mail-from davidep2@email.celio.com --mail-rcpt postmaster@dpnet.nethesis.it <<EOF
Subject: Test ${I}
Date: $(date -R)
Message-ID: <${I}.$(date +%s)@$(hostname -d)>
From: davidep2@nethserver.org
To: postmaster@dpnet.nethesis.it
Mime-Version: 1.0

Test $I
Configuration settings for bayes expiry module should be added to the corresponding classifier section (for instance in the local.d/classifier-bayes.conf). Bayes expiry module provides intelligent expiration of statistical tokens for the new schema of Redis statistics storage.
EOF
```

Test with getmail and an EICAR test file:

```
[root@vm5 ~]# /usr/bin/rspamc-getmail "-i" "127.0.0.1" "--mime" "-t" "120" "-h" "localhost:11334" <<'EOF'
Return-Path: <root@nethservice.nethesis.it>
Delivered-To: davidep2@nethesis.it
Received: from nethservice.nethesis.it
    by nethservice.nethesis.it with LMTP id 2MyWCgn7O14ucwAAJc5BcA
    for <davidep2@nethesis.it>; Thu, 06 Feb 2020 12:39:53 +0100
Received: by nethservice.nethesis.it (Postfix, from userid 0)
    id 2A0133054108E; Thu, 6 Feb 2020 12:39:53 +0100 (CET)
From: virus-tester@nethservice.nethesis.it
To: undisclosed-recipients:;
Subject: amavisd test - simple - virus scanner test pattern
Message-Id: <20200206113953.2A0133054108E@nethservice.nethesis.it>
Date: Thu, 6 Feb 2020 12:39:53 +0100 (CET)

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
EOF
```

#### Check the content of all maps

```
grep -r -F . /etc/rspamd/{white,black}list* | grep -v -F '#' | sort
```

#### Train rspamd for bayes

Train rspamd to learn about spam and ham: https://wiki.nethserver.org/doku.php?id=userguide:manual_training_of_the_bayes_filter_rspamd

#### Statistics

Display statistics:

```
rspamc stat
```

Show scores and actions (no action, reject…) from a log file:

```
rspamd_stats </var/log/maillog
```

#### Validate the settings

When you upgrade the rspamd version, it is useful to check that the settings are not obsolete:

```
rspamadm configtest
```

#### Check clamav reloading

```
grep -E '(Cannot validate the message now|SelfCheck|Database correctly reloaded|/var/run/clamd@rspamd/clamav)' /var/log/maillog
```

#### Flush clamav cache

```
systemctl restart clamd@rspamd
systemctl restart rspamd
redis-cli -s /var/run/redis-rspamd/rspamd flushall
```

#### Some useful commands

Measure the time taken by clamd to scan an email:

```
clamdscan --config-file=/etc/clamd.d/rspamd.conf /tmp/mail
```

Measure the time taken by rspamd to analyze an email:

```
rspamc -t 120 </tmp/mail
```

#### Yomi

Yomi is a plugin for the enterprise version which sends attachments to Yoroi servers to be analysed. Authenticated users are not able to use it: only attachments of unauthenticated senders are tested by Yomi.

Make with Thunderbird an email with an attachment that Yomi will verify and scp it to the server, then issue the command:

```
curl smtp://localhost:25 -v --anyauth --mail-from no-reply@neth.net --mail-rcpt stephane@domain.fr --upload-file ./hello.eml
```

Then you can go to the maillog to see if the archive has been uploaded:

```
Jun 28 14:56:46 ns7dev13 rspamd[5057]: <7fac8e>; proxy; rspamd_add_passthrough_result: <f5b43be1-2c53-2655-e6c3-0d2cb75ceaa3@domain.fr>: set pre-result to 'soft reject' (no score): 'Yomi cannot validate the message now. Try again later' from force_actions(0)
Jun 28 14:56:46 ns7dev13 rspamd[5057]: <7fac8e>; proxy; rspamd_task_write_log: id: <f5b43be1-2c53-2655-e6c3-0d2cb75ceaa3@domain.fr>, qid: <A77ED10813B2>, ip: 127.0.0.1, from: <no-reply@neth.net>, (default: F (soft reject): [-0.90/20.00] [SIGNED_PGP(-2.00){},YOMI_WAIT(1.00){Analysis in progress for CB_P5_fournissez-un-support-aux-utilisateurs_2021-06-25T162139.zip;},FORGED_SENDER(0.30){stephane@domain.fr;no-reply@neth.net;},MIME_GOOD(-0.20){multipart/signed;multipart/mixed;multipart/alternative;text/plain;},FORCE_ACTION_YOMI_FAIL(0.00){soft reject;},FROM_HAS_DN(0.00){},FROM_NEQ_ENVFROM(0.00){stephane@domain.fr;no-reply@neth.net;},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROM(0.00){},MIME_TRACE(0.00){0:+;1:+;2:+;3:+;4:+;5:~;6:~;7:~;...;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_ZERO(0.00){0;},TO_DN_NONE(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){},YOMI_FAIL(0.00){Analysis in progress for CB_P5_fournissez-un-support-aux-utilisateurs_2021-06-25T162139.zip;},YOMI_SKIPPED(0.00){OpenPGP_signature has MIME type to skip: application/pgp-signature;}]), len: 439113, time: 3194.391ms, dns req: 4, digest: <65cc257b362cd78c777438eaab09c6e7>, rcpts: <stephane@nethserver.fr>, mime_rcpts: <stephane@nethserver.fr>, forced: soft reject "Yomi cannot validate the message now. Try again later"; score=nan (set by force_actions)
```

You have to wait for the remote provider to scan your archive, but we can also check that the archive has been submitted. Yomi is supposed to work with a list of MIME content types:

```
[root@ns7dev13 ~]# cat /usr/share/nethserver-yomi/mime_type_graylist
application/octet-stream
application/javascript
application/vnd.ms-excel
application/vnd.ms-excel.sheet.macroEnabled.12
application/vnd.ms-word.document.macroEnabled.12
application/x-7z-compressed
application/x-ms-dos-executable
application/x-dosexec
application/x-vbscript
application/x-rar
text/x-sh
text/x-python
application/zip
application/gzip
application/x-silverlight
application/x-python-code
application/x-msdos-program
application/vnd.openxmlformats-officedocument.wordprocessingml.document
application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
application/vnd.openxmlformats-officedocument.presentationml.presentation
application/vnd.oasis.opendocument.text
application/vnd.oasis.opendocument.spreadsheet
application/vnd.oasis.opendocument.presentation
application/vnd.ms-word.template.macroEnabled.12
application/vnd.ms-powerpoint
application/vnd.ms-excel.template.macroEnabled.12
application/msword
application/CDFV2-unknown
application/x-iso9660-image
application/x-tar
```

### Redis

#### Flush cache data in redis

```
redis-cli -s /var/run/redis-rspamd/rspamd FLUSHALL
```

#### Delete all the keys of the currently selected DB in redis

https://redis.io/commands/flushdb

```
redis-cli -s /var/run/redis-rspamd/rspamd FLUSHDB
```

#### Check bayes in redis

```
[root@prometheus ~]# redis-cli -s /var/run/redis-rspamd/rspamd
redis /var/run/redis-rspamd/rspamd> HGET BAYES_HAM learns
redis /var/run/redis-rspamd/rspamd> HGET BAYES_SPAM learns
```

Check keys/values in redis:

```
#!/bin/bash
# Walk every key of the rspamd redis instance and print its type and value.
for key in $(redis-cli -s /var/run/redis-rspamd/rspamd keys \*); do
    #if [[ $key =~ 'BAYES' ]]; then
    echo "Key : '$key'"
    redis-cli -s /var/run/redis-rspamd/rspamd type "$key"
    # GET only works on string keys; hash keys (e.g. BAYES_*) answer WRONGTYPE, use HGETALL for those
    redis-cli -s /var/run/redis-rspamd/rspamd GET "$key"
    #fi
done
```

#### Redis monitor

```
redis-cli -s /var/run/redis-rspamd/rspamd monitor
```

#### Test rspamd by the command line

https://github.com/NethServer/dev/issues/5755#issuecomment-492547473

#### RESET bayes data

https://mailcow.github.io/mailcow-dockerized-docs/u_e-rspamd/#reset-learned-data

You need to delete keys in Redis to reset learned mail, so create a copy of your Redis database now.

Backup the database:

```
# It is better to stop Redis before you copy the file.
cp /var/lib/redis/rspamd/dump.rdb /root/
```

Reset Bayes data:

```
redis-cli -s /var/run/redis-rspamd/rspamd --scan --pattern BAYES_* | xargs redis-cli -s /var/run/redis-rspamd/rspamd del
redis-cli -s /var/run/redis-rspamd/rspamd --scan --pattern RS* | xargs redis-cli -s /var/run/redis-rspamd/rspamd del
```

If it complains about

```
(error) ERR wrong number of arguments for 'del' command
```

the key pattern was not found and thus no data is available to delete.

#### redis & oletools

To flush the oletools verdicts cache run the following command:

```
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -- redis-cli -s /var/run/redis-rspamd/rspamd DEL
```

To check how many seconds remain before a cache entry is expunged from the cache (first match only):

```
redis-cli -s /var/run/redis-rspamd/rspamd --raw KEYS rs_oletools_* | xargs -L
```

### Send email

Curl could be a good way too, but sendmail can help:

```
echo "Subject: Test d'envoi mail" | sendmail -f stephane@domain.com -v stephane@domain.com
```

This sends an email to the recipient and shows the maillog transaction.

### Shorewall

#### Clear dynamic

```
iptables -F dynamic
shorewall save
```

#### Disable shorewall

```
shorewall clear
```

To restart:

```
shorewall start
```

### Systemd

#### RedHat documentation

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/chap-managing_services_with_systemd

#### Check customized services

```
systemd-delta
```

#### Manage a service

The following commands control the foo service:

- Activate a service immediately: `systemctl start foo`
- Deactivate a service immediately: `systemctl stop foo`
- Restart a service: `systemctl restart foo`
- Show the status of a service, including whether it is running or not: `systemctl status foo`
- Enable a service to be started on boot: `systemctl enable foo`
- Disable a service so it does not start during boot: `systemctl disable foo`
- Prevent a service from starting dynamically or even manually unless unmasked: `systemctl mask foo`
- Check if a service is enabled or not: `systemctl is-enabled foo`
- Check if the service is active (started) or inactive (stopped): `systemctl is-active foo`

Related information: run `man systemctl` for more details.

### TCPDUMP

Capture packets and check port activity:

```
tcpdump -i any port 389
```

## Specific To NethServer

### Backup

#### Rsync Backup

The official backup module is probably the better way to do it, but you can rsync the data of the NS. Only rsyncing /var/lib/nethserver might not be enough, since some additional modules put a file in /etc/backup-data.d/ to save their data with the backup module.

```
[root@NS7DEVAllModules ~]# cat /etc/backup-data.d/*
/var/lib/nethserver/backup/duplicity/
/var/lib/nethserver/db
/var/www/bandwidthd/stats.db
/var/lib/nethserver/secrets
/root
/var/lib/nethserver
/var/lib/collectd
/var/spool/hylafax/log/seqf
/var/spool/hylafax/sendq/seqf
/var/spool/hylafax/docq/seqf
/var/spool/hylafax/recvq/seqf
/var/lightsquid
/var/lib/nethserver/webtop/logs
/var/www/html/nextcloud/config/config.php
```

So if you want a full backup solution, these paths must be saved also. Therefore a solution like this should be better:

```
rsync -avzR $(cat /etc/backup-data.d/*) root@YourIP:/your/path/to/save
```

The `-R` rsync option saves the full path; it will ease your restoration.

### E-smith Database

You have a full howto page to RTFM. Like in every Linux shell you can use the TAB key on the command line to auto-complete or propose all available answers.
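The `db` commands below read and write records stored as `key=type|prop1|val1|prop2|val2|...`, one per line, in the files under /var/lib/nethserver/db (the `config show logrotate` output further down is one such record rendered by `db`). The following POSIX shell functions are an added example, not part of the wiki page or of NethServer's own `db` tool: they parse that record format directly, so a script can audit many properties from one read of the database file instead of calling `db ... getprop` for each. The records and the `httpd` service are constructed sample data.

```sh
#!/bin/sh
# Added example (not NethServer's db tool): parse e-smith database records
#   key=type|prop1|val1|prop2|val2|...
# as stored in /var/lib/nethserver/db/* and printed by `db dbfile print`.

# Constructed sample records (same layout as /var/lib/nethserver/db/configuration).
SAMPLE_DB='logrotate=configuration|Compression|disabled|Rotate|weekly|Times|52
sshd=service|PermitRootLogin|no|TCPPort|22|access|private|status|enabled
postfix=service|AccessBypassList|192.168.56.15|status|enabled
httpd=service|TCPPort|80|access|public|status|enabled'

# db_type RECORD: print the type of one record line (the part after "key=").
db_type() {
  printf '%s\n' "$1" | awk -F'|' '{ sub(/^[^=]*=/, "", $1); print $1 }'
}

# db_getprop KEY PROP: read records on stdin, print the value of PROP for KEY.
# Exit status 1 (and no output) when the key or the property is missing,
# mirroring `db dbfile getprop`.
db_getprop() {
  awk -F'|' -v key="$1" -v prop="$2" '
    index($1, key "=") == 1 {
      # properties sit in pairs: field 2n is the name, field 2n+1 the value
      for (i = 2; i < NF; i += 2) if ($i == prop) { print $(i + 1); found = 1; exit }
    }
    END { exit found ? 0 : 1 }'
}

# db_keys_of_type TYPE: list every key whose type is TYPE (e.g. all "service" records).
db_keys_of_type() {
  awk -F'|' -v type="$1" '{ split($1, kv, "="); if (kv[2] == type) print kv[1] }'
}

# public_enabled_services: exposure inventory, i.e. service records that are
# both enabled and reachable from the public zone (access=public, status=enabled).
public_enabled_services() {
  awk -F'|' '{
    split($1, kv, "="); if (kv[2] != "service") next
    access = ""; status = ""
    for (i = 2; i < NF; i += 2) {
      if ($i == "access") access = $(i + 1)
      if ($i == "status") status = $(i + 1)
    }
    if (access == "public" && status == "enabled") print kv[1]
  }'
}

# Usage on a real system: public_enabled_services < /var/lib/nethserver/db/configuration
printf '%s\n' "$SAMPLE_DB" | public_enabled_services
```

Because the parser works on the raw file, it also suits a cron job that diffs today's exposure inventory against yesterday's; on the real system keep using `db` for writes, since it is what fires the template expansion.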
- dbfile: database name; see them in /var/lib/nethserver/db, or type `db` then the TAB key
- key: unique name, not modifiable
- prop: property of a key
- val: value of a property

| Command | Explanation |
| --- | --- |
| `db dbfile keys` | List all keys |
| `db dbfile print [key]` | Print the [key] properties |
| `db dbfile printjson [key]` | Print the [key] properties in JSON format |
| `db dbfile show [key]` | Display the [key] properties |
| `db dbfile showjson [key]` | Display the [key] properties in JSON format |
| `db dbfile get [key]` | Retrieve the values of the [key] properties |
| `db dbfile getjson [key]` | Retrieve the values of the [key] properties in JSON format |
| `db dbfile set [key] [type] [prop1 val1] [prop2 val2] …` | Create the [key] and [prop* val*] with a 'type' value (adjust the 'type') |
| `db dbfile setdefault [key] [type] [prop1 val1] [prop2 val2] …` | Create the default [key] and [prop* val*] following a key 'type' (adjust the 'type') |
| `db dbfile delete [key]` | Delete the [key] |
| `db dbfile printtype [key]` | Print the type value of [key] |
| `db dbfile gettype [key]` | Retrieve the type value of [key] |
| `db dbfile settype [key] [type]` | Set a different type for [key] |
| `db dbfile printprop [key] [prop1] [prop2] [prop3] …` | Print the value of [key] for each [prop*] |
| `db dbfile getprop [key] [prop]` | Give the value of [prop] |
| `db dbfile setprop [key] [prop1] [val1] [prop2 val2] [prop3 val3] …` | Set the values of [prop*] |
| `db dbfile delprop [key] [prop1] [prop2] [prop3] …` | Delete the values of [prop*] |

### LDAP

#### Access to the LDAP server

The STARTTLS command is supported on port 389, and is the preferred method if the clients have it. Check that the libuser's password has been correctly set. The libuser's DN should be `uid=libuser,ou=People,dc=directory,dc=nh` or, if your domain part is example.com, `uid=libuser,ou=People,dc=example,dc=com`. Port 636 is disabled by default.

You have two specific users to bind to the ldap service:

- ldapservice: read-only
- libuser: full access, read-write, restricted to localhost

Anonymous bind has read-only access and does not require STARTTLS.
passwords are stored under /var/lib/nethserver/secrets/ For more documentation, please read http://docs.nethserver.org/projects/nethserver-devel/en/latest/directory.html http://docs.nethserver.org/projects/nethserver-devel/en/v7b/nethserver-directory.html List all entries with libuser bind ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` List all entries with admin user remotely over starttls ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W same over ldaps ldapsearch -b dc=directory,dc=nh -H ldaps://192.168.56.12 -D uid=admin,ou=People,dc=directory,dc=nh -W same with ldapservice ldapsearch -b dc=directory,dc=nh -ZZ -h 192.168.56.12 -D cn=ldapservice,dc=directory,dc=nh -w V_85617fr2bK3Csj LOG Log retention policy on nethserver By default set to 4 weeks, if you want to increase to one year config setprop logrotate Times 52 signal-event nethserver-base-update You have other options like compression and rotate condition # config show logrotate logrotate=configuration Compression=disabled Rotate=weekly Times=52 Force log rotation logrotate -vf /etc/logrotate.conf OTP (one time password) - generate the backup code (5 code, it is not possible to know if they have not been already used, reset the key or generate more code) oathtool -w 5 $(cat /var/lib/nethserver/home/user/.2fa.secret) - generate a time based code (valid 30 seconds) oathtool --totp $(cat /var/lib/nethserver/home/user/.2fa.secret) - reset the otp for a user rm -f /var/lib/nethserver/home/user/.2fa.secret SAMBA4 have a shell inside the nsdc container If you find something strange, you need to access the container and use the samba-tool systemd-run -M nsdc -t /bin/bash Control samba container stop, start and status of the samba DC process systemctl -M nsdc stop samba systemctl -M nsdc start samba systemctl -M nsdc status samba Search following filter in SAMBA AD search with filters net ads search -P objectClass=Computer 
net ads search -P objectClass=User net ads search -P objectClass=Group you can retrieve for a specific cn net ads search -P cn=stephane or use wildcard net ads search -P cn=*|less list all entries with the administrator bind ldapsearch -Z -x -D CN=Administrator,CN=Users,DC=neth,DC=eu -w Nethesis,1234 -b CN=Users,DC=neth,DC=eu -h 192.168.5.44 ldapsearch -Z -x -D CN=stephane,CN=Users,DC=ad,DC=nethservertest,DC=org -w 'azerty' -b CN=Users,DC=ad,DC=nethservertest,DC=org -h 192.168.56.101 ldapsearch -Z -x -D "DOMAIN\stephane' -w 'azerty' -b CN=Users,DC=ad,DC=domain,DC=com -h 192.168.56.101 ldapsearch -Z -x -D "stephane@domain.com' -w 'azerty' -b CN=Users,DC=ad,DC=domain,DC=com -h 192.168.56.101 the ip must be relevant to the one of your container. the default password (Nethesis,1234) must be changed to the right one. Browse SAMBA AD field without password systemd-run -M nsdc -q -t /usr/bin/ldbsearch -H /var/lib/samba/private/sam.ldb Retrieve the dn without password with ldapsearch systemd-run -M nsdc -q -t \ /usr/bin/ldbsearch -H /var/lib/samba/private/sam.ldb "samaccountname=${userName}" dn | \ sed -n '/^dn: / { s/\r// ; p ; q }' reset administrator's password If you're running a local Samba DC account provider, to enable and reset administrator's password: systemd-run -t -M nsdc /bin/bash samba-tool user enable administrator samba-tool user setpassword administrator --newpassword=Nethesis,1234 join the domain It supports -U flag, to specify an alternative user with domain join rights. For instance realm join -U administrator YOURDOMAIN.COM to leave it realm leave Demote a Secondary Domain Controller Please check this https://wiki.samba.org/index.php/Demoting_a_Samba_AD_DC#Demoting_an_Offline_Domain_Controller A secondary DC is down, you are sure it will never come up again (e.g. hardware failure). You may want to remove it. Make sure the “broken DC” is offline. From Nethserver root log into the NSDC chroot. 
  systemd-run -M nsdc -t /bin/bash
If you know the DC name, you can check its status in your AD; please notice the name is case-sensitive.
  ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid | grep -A1 DC-NAME
If you do not know the name, you may check all configured AD DCs:
  ldbsearch -H /var/lib/samba/private/sam.ldb '(invocationId=*)' --cross-ncs objectguid
Now the magic … are you sure of what you are doing?
  samba-tool domain demote --remove-other-dead-server=DC-NAME

Modify the SAMBA4 AD settings
You can modify the samba LDAP of the samba container with an LDIF file: put your file in /var/lib/machines/nsdc/var/lib/samba/private/file.ldif, then launch
  /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
This is an example of an LDIF file:
  dn: cn=stephane,cn=Users,dc=ad,dc=plop,dc=org
  changetype: modify
  replace: loginShell
  loginShell: /usr/libexec/openssh/sftp-server

Get MAC address of nsdc interface
  cat /var/lib/machines/nsdc/sys/class/net/host0/address

Samba Member Server Troubleshooting
Please check this page. In short:
* Do you have a keytab on the file server?
  klist -k
* check if the computer is joined to the domain.
  sudo net ads testjoin
This should print: Join is OK
* leave the domain and rejoin:
  net ads leave -U Administrator
  net ads join -U Administrator
You should now have a keytab; if it is still not there, try creating it manually:
  net ads keytab create -U Administrator

Retrieve LDAP Settings
To retrieve the LDAP settings, in a shell type the following command to get the current NethServer setup:
  [root@vm5 ~]# account-provider-test dump
  {
     "startTls" : "",
     "bindUser" : "VM5$",
     "userDN" : "dc=dpnet,dc=nethesis,dc=it",
     "port" : 636,
     "isAD" : "1",
     "host" : "dpnet.nethesis.it",
     "groupDN" : "dc=dpnet,dc=nethesis,dc=it",
     "isLdap" : "",
     "ldapURI" : "ldaps://dpnet.nethesis.it",
     "baseDN" : "dc=dpnet,dc=nethesis,dc=it",
     "bindPassword" : "secret",
     "bindDN" : "DPNET\\VM5$"
  }

Reconfigure the Server
To expand all templates and restart the relevant services (no reboot, a business server shouldn't be rebooted) you can use:
  /etc/e-smith/events/actions/system-adjust

Reinstall all required packages
  yum install @nethserver-iso

Server-manager

Allow a user to the server-manager NS7
The builtin /usr/share/nethesis/NethServer/Authorization/base.json policy grants full access to members of administrators.
  groupadd administrators
  usermod -G administrators -a davidep@adnethesis.it
Now user davidep@adnethesis.it has full privileges from server-manager.
You have two groups with delegated powers:
  administrators: Users of this group have the same permissions as the root or admin user.
  managers: Users of this group are granted access to the Management section.
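A small reader for the account-provider-test dump shown above, added here as an example and not part of this page or of NethServer: it tells whether binds go over ldaps or STARTTLS (otherwise bindPassword crosses the wire in clear text) and builds an ldapsearch command like the ones in the LDAP sections above, but reading the password from a file with -y instead of putting it on the command line with -w, where it is visible in ps and in shell history. The sample dump is constructed from the output above and the passfile path is an assumption.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample in the shape of the `account-provider-test dump` output above
# (a Samba AD provider reached over ldaps); not output captured from a live server.
SAMPLE_DUMP = r"""{
   "startTls" : "",
   "bindUser" : "VM5$",
   "userDN" : "dc=dpnet,dc=nethesis,dc=it",
   "port" : 636,
   "isAD" : "1",
   "host" : "dpnet.nethesis.it",
   "groupDN" : "dc=dpnet,dc=nethesis,dc=it",
   "isLdap" : "",
   "ldapURI" : "ldaps://dpnet.nethesis.it",
   "baseDN" : "dc=dpnet,dc=nethesis,dc=it",
   "bindPassword" : "secret",
   "bindDN" : "DPNET\\VM5$"
}"""


def parse_dump(text: str) -> dict:
    """Parse the JSON dump; e-smith style booleans arrive as "" (false) or "1" (true)."""
    return json.loads(text)


def flag(cfg: dict, key: str) -> bool:
    """Read one of those string booleans ("" or "0" is false, anything else true)."""
    return str(cfg.get(key, "")).strip() not in ("", "0")


def transport_is_encrypted(cfg: dict) -> bool:
    """True when binds use ldaps:// or ldap:// upgraded with STARTTLS; anything else
    sends bindPassword in clear text on the network."""
    scheme = urlsplit(cfg["ldapURI"]).scheme.lower()
    return scheme == "ldaps" or (scheme == "ldap" and flag(cfg, "startTls"))


def ldapsearch_argv(cfg: dict, passfile: str, ldap_filter: str = "(objectClass=*)", *attrs: str) -> list[str]:
    """Build the ldapsearch argv matching the dump. The bind password is read with -y from
    `passfile` (keep it mode 0600) rather than passed with -w on the command line."""
    argv = ["ldapsearch", "-x", "-H", cfg["ldapURI"]]
    if urlsplit(cfg["ldapURI"]).scheme.lower() == "ldap" and flag(cfg, "startTls"):
        argv.append("-ZZ")  # require STARTTLS to succeed; never fall back to clear text
    argv += ["-D", cfg["bindDN"], "-y", passfile, "-b", cfg["baseDN"], ldap_filter, *attrs]
    return argv


if __name__ == "__main__":
    cfg = parse_dump(SAMPLE_DUMP)
    print("provider:", "AD" if flag(cfg, "isAD") else "LDAP", "| encrypted:", transport_is_encrypted(cfg))
    print(shlex.join(ldapsearch_argv(cfg, "/root/.ldappass", "(sAMAccountName=VM5$)", "dn")))
```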
Use the server-manager with a SSH tunnel
A SSH local port forward of 980:
  ssh -L 9980:localhost:980 <public IP>
Then connect to https://localhost:9980

Use the Server Manager by the terminal
Of course the display is not as good as you can have in a real browser :)
  elinks -eval 'set connection.ssl.cert_verify = 0' https://localhost:980/
or
  yum install links # if not installed yet
  links2 https://localhost:980

Sudoers

Allow sudo power for a group
- create a group powerusers in the Users & Groups page
- add one or more users to the group
- create a sudo file like this:
  echo "%powerusers ALL=(ALL) ALL" > /etc/sudoers.d/90powerusers
  chmod 440 /etc/sudoers.d/90powerusers

Sudoers files validation
Validation of the sudoers.d syntax:
  visudo -c

Determine what commands a user can do
See all commands that the user may run on your system:
  sudo -ll -U userName

Edit sudoers files
Edit the sudoers file, and validate it when you exit:
  visudo -f /etc/sudoers.d/20_nethserver_sssd

userguide, ht tips

NethServer repository

Tests
- Test changes in the comps file: https://github.com/NethServer/dev/issues/6117#issuecomment-618316043

Upgrade to major version
- if you want to test the upgrade of the CentOS RPMs (only) to a major version (eg 7.8 → 7.9):
  yum --enablerepo=cr update
- if you want to upgrade your NethServer to a major version with the CLI:
  yum update
  yum --enablerepo=nethserver-testing update nethserver-subscription\*
  signal-event software-repos-upgrade
Or
  yum install -y http://mirror.nethserver.org/nethserver/nethserver-release-7.rpm
  signal-event software-repos-save
  yum update

howto/useful_commands.txt · Last modified: 2023/03/20 16:07 by Stephane de Labrusse