Configuration Files
From Zentyal Linux Small Business Server
Zentyal allows you to configure most common aspects on GUI but there is the possibility to configure specific aspects for some services on files under /etc/zentyal.
The basic instructions for the formatting of these .conf files are contained at the beginning of each file:
# Everything after a '#' character is ignored # # All whitespace is ignored # # Config keys are set this way: # # key = value # # They may contain comments at the end: # # key = value # this is ignored
This is the list of the different per module settings that you could find here:
ASTERISK
/etc/zentyal/asterisk.conf
# additional codecs included for SIP phones. ej: g723,g729, asterisk_additional_codecs = # # DTMF mode asterisk_dtmfmode = auto # # extensions range available for phones, if you edit this you # might have to update extensions.conf stub asterisk_phone_min_extn = 4000 asterisk_phone_max_extn = 7999
CAPTIVEPORTAL
/etc/zentyal/captiveportal.conf
# Uncomment the following line to enable # secondary LDAP configuration: #captive_secondary_ldap = yes
COMMON
/etc/zentyal/zentyal.conf
# user [required]. The user under which Zentyal will run. # It should have enough sudo privileges to perform all needed tasks. user = ebox # # egroup [required]. The group under which Zentyal will run. egroup = ebox # # debug mode [required]. yes|no # Note: In order to take effect, after changing this you need to execute: # /etc/init.d/zentyal apache restart debug = yes # # Dump exceptions on interface # This is useful for developers and is only enabled during beta period #dump_exceptions = yes
CORE
/etc/zentyal/core.conf
# Redis server port # If you change this value, you must manually restart the redis server # in two steps: # $ /etc/init.d/zentyal webadmin restart # write down the new configuration # $ restart ebox.redis # restart the daemon redis_port = 6380 # # Ignore system updates in Dashboard widget #widget_ignore_updates = yes # #Custom prefix for rebranding #custom_prefix = zentyal # # Zentyal desktop services # For changes in this configuration to take effect you must run: # $ /etc/init.d/zentyal webadmin restart # write down the new configuration desktop_services_enabled = yes desktop_services_port = 6895
DNS
/etc/zentyal/dns.conf
# Internal networks allowed to do recursive queries # to eBox DNS caching server. Localnetworks are already # allowed and this settings is intended to allow networks # reachable through static routes. # Example: intnets = 192.168.99.0/24,192.168.98.0/24 intnets = # # This key control the automatic reverse zone generation # Set to 'no' to disable it generate_reverse_zones = yes # # This key defines whether you want to sort the results based on the querying IP # Uncomment it to enable it # sortlist = yes
BACKUP
/etc/zentyal/backup.conf
# Enable ebackup menu (yes or no) ebackup_menu_enabled = yes # # Volume size in Mb (default: 25) # If you are backing up to the local file system: choose 600 or # greater in order to have less files volume_size = 25 # # temporal directory (default: /tmp) temp_dir = /tmp # # archive directory (default: /var/cache/zentyal/duplicity) # if you change this after the first run duplicity will have to recreate # it again from the repository. The old one will not be automatically deleted. archive_dir = /var/cache/zentyal/duplicity # # Retrying configuration # This set of values are set when the uploading is done and some # retries are required to complete the backup # It follows a geometric progression: # timeout_n = initial_value * scale_factor ^ (n-1) # For instance, initial_value = 60s, scale_factor = 2, n_tries = 4 # The backup will be tried 4 times after 60s, 120s, 240s before giving up # This value is set in seconds initial_value=60 scale_factor=2 n_tries=4 # # duplicity timeout # default is 5 minutes, but you can uncomment this and set a different value in seconds #duplicity_timeout = 300 # # scheduled backup priority # it should be a positive integer, range 0-19 # 0 is normal priority, a higher number is _less_ priority ebackup_scheduled_priority=10
FIREWALL
/etc/zentyal/firewall.conf
# Limit of logged packets per minute. iptables_log_limit = 50 # # Burst iptables_log_burst = 10 # # Logs all the drops iptables_log_drops = yes # # Extra iptables modules to load # Each module should be sperated by a comma, you can include module parameters iptables_modules = nf_conntrack_ftp, nf_nat_ftp, nf_conntrack_h323, nf_nat_h323, nf_conntrack_pptp, nf_nat_pptp, nf_conntrack_sip, nf_nat_sip # # Enable source NAT, if your router does NAT you can disable it nat_enabled = yes # # Uncomment the following to show the Rules added by Zentyal services #show_service_rules = yes
IPS
/etc/zentyal/ips.conf
# Set the IPS inline firewall rules position # It is set 'behind' (default), then only accepted input or forwarded traffic # will be analysed. # It is set 'front', all input and forwarded traffic will be analysed. Although, # this second option is more secure, it is high CPU consuming in those # networks with high network traffic. # If you modify this setting, then you must run the following commands # to take effect (Order is important). # $ sudo service zentyal ips restart # $ sudo service zentyal firewall restart # (Disable and enable IPS module is safer to avoid be locked out) # ips_fw_position = front|behind
NETWORK
/etc/zentyal/network.conf
# interfaces to ignore in the interface # (default: sit,tun,tap,lo,irda,ppp,virbr,vboxnet, vnet) ifaces_to_ignore = sit,tun,tap,lo,irda,ppp,virbr,vboxnet,vnet # # If you want to define a custom mtu for any interface # you can use mtu_<interface> = <MTU>. Example: #mtu_eth0 = 1400
OPENVPN
/etc/zentyal/openvpn.conf
# insecure_rip_conf [required]. If set to yes it will enable backwards # compatibility with eBox openVPN which used an insecure ripd configuration. # Do not enable it unless you are sure of what you are doing insecure_rip_conf = no # # Use mssfix to fix MTU discovery problems in some networks with UDP connections # It applies to all VPN clients # Enable it only if you are sure what you're doing # mss_fix = 1300
REMOTESERVICES
/etc/zentyal/remoteservices.conf
# Public DNS server ebox_services_nameserver = ns.cloud.zentyal.com # # Public API rs_api = api.cloud.zentyal.com # # Verify Cloud servers # Values: yes | no rs_verify_servers = yes # # If set to a 'yes' value, the Zentyal QA updates have priority and # other packages sources have the lowest priority and they will not # be used. # If you change this value, you must run the following command: # sudo /usr/share/zentyal-software/rewrite-conf # (Default: yes) qa_updates_exclusive_source = yes # # If set to a 'yes' value if the Zentyal QA updates are used, they will # be automatic to ensure you have always a system updated from a # trusted source. # (Default: yes) qa_updates_always_automatic = yes # # If set to a 'yes' value, the monitoring stats will be sent using the VPN # This method is more secure, but tends to have service interruptions # If you change this value, run /etc/init.d/zentyal monitor restart to get # these changes taken # (Default: no) monitoring_inside_vpn = no
SAMBA
/etc/zentyal/samba.conf
# -- s4sync settings -- s4sync_debug = yes # # -- File server -- # Choose the file server to use. The new 'ntvfs' included # in samba4 or the old 's3fs' from samba3. Printers and # vfs plugins such recycle bin, audit or antivirus will not # work if you choose 'ntvfs'. # values: ntvfs | s3fs samba_fs = s3fs # # -- Recycle Bin settings -- # Name of the recycle bin directory # If a full path like /tmp/foo is entered, # the same Recycle Bin will be used for all the shares repository = RecycleBin # # Permissions of the recycle bin directory directory_mode = 0700 # # Keep directory structure keeptree = Yes # # Keep copies if a file is deleted more than once versions = Yes # Specifies whether a file's access date should be updated # when the file is moved to the repository. #touch = Yes # # Files that are smaller than the number of bytes # specified by this parameter will not be put into # the repository. #minsize = 0 # # Files that are larger than the number of bytes # specified by this parameter will not be put into # the Recycle Bin. (0 = disabled) maxsize = 0 # # List of files that should not be stored when deleted, # but deleted in the regular way. #exclude = *.tmp|*.temp # # When files from these directories are deleted, # they are not put into the recycle bin but are deleted # in the regular way. excludedir = /tmp|/var/tmp # # Specifies a list of paths # (wildcards such as * and ? are supported) # for which no versioning should be used. # Only useful when versions is enabled. #noversions = *.foo|*.bar # # -- End of Recycle Bin settings -- # # -- antivirus settings -- # # Whether sockets, devices and fifo's (all not scanned for viruses) should be visible to the user show_special_files = True # # Whether files that are not visible (.scanned: files, .failed: files and .virus: files) # should be deleted if the user tries to remove the directory. If false, the user will # get the "directory is not empty" error. rm_hidden_files_on_rmdir = True # # If false, all non-scanned files are visible in directory listings. If such files are found in a # directory listing the scanning daemon is notified that scanning is required. Access to non-scanned # files is still denied (see allow_nonscanned_files). hide_nonscanned_files = False # # If non-scanned files are hidden (if scannedonly:hide_nonscanned_files = True), a fake 0 byte file # is shown. The filename is the original filename with the message as suffix. scanning_message = is being scanned for viruses # # If a non-scanned file is opened, the vfs module will wait recheck_tries_open times for # recheck_time_open milliseconds for the scanning daemon to create a .scanned: file. For # small files that are scanned by the daemon within the time (tries * time) the behavior # will be just like on-access scanning. recheck_time_open = 50 # # See recheck_time_open. recheck_tries_open = 100 # # If a non-scanned file is in a directory listing the vfs module notifies the daemon (once # for all files that need scanning in that directory), and waits recheck_tries_readdir times # for recheck_time_readdir milliseconds. Only used when hide_nonscanned_files is false. recheck_time_readdir = 50 # # See recheck_time_readdir. recheck_tries_readdir = 20 # # Allow access to non-scanned files. The daemon is notified, however, and special files such # as .scanned: files. .virus: files and .failed: files are not listed. allow_nonscanned_files = False # # Number of threads used to scan files scanning_threads = 4 # # -- End of antivirus settings -- # # Listen on external interfaces listen_external = no # # Show in the UI the textbox to choose the site where # the server should be added when joining a domain show_site_box = no # # Uncomment this if you want to set ACLs manually and avoid # Zentyal to overwrite them #unmanaged_acls = yes # # Uncomment this if you want to sync also users with a disabled account #sync_disabled_users = yes # # Disable full audit logging # Allowed values = [yes|no] # Default value = no # If you want to disable full audit, then uncomment next option #disable_fullaudit = yes # # This is a temporary workaround for these Samba 4 bugs: # https://bugzilla.samba.org/show_bug.cgi?id=9866 # https://bugzilla.samba.org/show_bug.cgi?id=9867 # Uncomment this if you have guest shares enabled and want to join # Windows Vista computers to the domain. Please note that completely # anonymous share access will not work if you don't provide any valid # domain credentials, but at least you will be able to join. #join_vista_with_guest_shares = yes # # Uncomment this if you want to skip setting the home directory of the # users while saving changes #unmanaged_home_directory = yes
/etc/zentyal/s4sync-groups.ignore List of Samba Groups that won't be imported into LDAP
/etc/zentyal/sids-to-hide.regex List of SID's (in regular expressions) that will be hidden
SQUID
/etc/zentyal/squid.conf
# cache_mem [required]. Amount of memory to be used by squid (in MB) cache_mem = 128 # # maximum_object_size [required]. Maximum object size to be cached (in MB) maximum_object_size = 300 # # max_fd if this value set the maximum number of file descriptors wil be # increased if needed at squid's start. If not set it will not be changed. #max_fd= 167140 # group = proxy # ## Performance tuning ## # do not change if you really know what are you doing # DansGuardian parameters maxchildren = 120 minchildren = 8 minsparechildren = 4 preforkchildren = 6 maxsparechildren = 32 maxagechildren = 500 # # load url lists from categorized lists, since they use a url_regex ACL type # you can disable them in low-memory systems load_url_lists = yes # # TAG: Authentication mode # key: auth_mode # This key controls the authentication mode for squid. When set to internal, # squid autheticate against the Zentyal internal LDAP, when set to external_ad, # squid authenticate users against an external Active Directory. # values: # - internal # - external_ad (only for enterprise edition) auth_mode = internal # # key: auth_ad_skip_system_groups # When using external active directory auth dont allow ACLs # with groups that has the attribute 'isSystemCriticalObject' set (almost all built-in) auth_ad_skip_system_groups = no # # key: auth_ad_acl_ttl # TTL in seconds for ACL cached results. auth_ad_acl_ttl = 3600
TRAFFICSHAPING
/etc/zentyal/trafficshaping.conf - configuration file for zentyal-trafficshaping
# R2Q value for guaranteed valid values range. The values are # calculated as follows: # # Maximum: 60000 * r2q * 8 / 1000 # Minimum: MTU * r2q * 8 / 1000 # # More info at: http://www.docum.org/docum.org/faq/cache/31.html r2q = 5
USERCORNER
/etc/zentyal/usercorner.conf - configuration file for zentyal-usercorner
# user corner redis server port redis_port_usercorner = 6381
USERS
/etc/zentyal/users.conf
# supported paswords formats: sha1, md5, lm, nt, digest (base64) and realm (hex) # whether to create user homes or not mk_home = yes # # default mode for home directory (umask mode) dir_umask = 0077 # # enable quota support enable_quota = yes # # synchronization frequency with LDAP slaves slave_time = 5
VIRT
/etc/zentyal/virt.conf
# VNC keymap: uncomment this to force a keymap for VNC sessions # otherwise it will be autodetected using the $LANG variable # Valid keymap names can be found under /usr/share/qemu/keymaps/* #vnc_keymap = en-us # # Uncomment this to use always IDE disks instead of SCSI ones # this key only applies to virtual machine with system operative set to 'Other' #use_ide_disks = yes # # View Console size # You can customize the width and height of the built-in VNC console # that appears on the Zentyal interface # Default size: 800x600 view_console_width = 800 view_console_height = 600 # # System user who will run the virtualbox machines vm_user = ebox # # Starting VNC port (they will be assigned sequentially) first_vnc_port = 5900 # # Maximum number of virtual machines, this also affect the number of ports # reserved for VNC connection vm_max = 32 # # If you want to customize the VNC passwords instead of having # the default autogenerated ones you just need to edit the # /var/lib/zentyal/conf/vnc-passwd file, which has the following # syntax: # # <machine1>:<pass1> # <machine2>:<pass2> # ... # # Example: # # winxp:3uDwdDPzY # ubuntu-desktop:VKtKzejl7 # # After editing it, make sure you set the proper permissions: # # chown ebox:ebox /var/lib/zentyal/conf/vnc-passwd # chmod 600 /var/lib/zentyal/conf/vnc-passwd
ZARAFA
/etc/zentyal/zarafa.conf
# where to store mail attachments: database | files zarafa_attachment_storage = files # # path where to store attachments if set to files zarafa_attachment_path = /var/lib/zarafa # # allow users send mail from other address different than their: no | yes zarafa_always_send_delegates = no # # use zarafa-indexer zarafa_indexer = no # # manage zarafa-licensed (needs zarafa-licensed package installed) zarafa_licensed = no # # enable hosted zarafa # note: this is not compatible with sso zarafa_enable_hosted_zarafa = no
