HowTos/Samba4
Scalix server:
IP - 192.168.0.1
Hostname - mail.scalix.test
Mail domain: scalix.test
Samba4 server:
IP - 192.168.0.100
Domain - TEST.SCALIX.LOCAL
Samba test user name: testsx
Samba test group name: scalixtestGR
Before you start: the settings described here are those of the test configuration above. For other setups, adjust them accordingly; for example, replace the DN DC=TEST,DC=SCALIX,DC=LOCAL with your own DN.
Extending the Samba schema:
Extending the Samba schema is a dangerous operation, so create a backup of the schema (sam.ldb) before you start working on it!
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Att_extensions.ldif --option="dsdb:schema update allowed"=true
file: Att_extensions.ldif
# oMSyntax must pair with attributeSyntax: 2.5.5.8 -> 1 (Boolean),
# 2.5.5.12 -> 64 (Unicode string), 2.5.5.9 -> 2 (Integer).
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=scalixAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.12
cn: scalixAdministrator
name: scalixAdministrator
lDAPDisplayName: scalixAdministrator
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixMailboxAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.13
cn: scalixMailboxAdministrator
name: scalixMailboxAdministrator
lDAPDisplayName: scalixMailboxAdministrator
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixServerLanguage,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.14
cn: scalixServerLanguage
name: scalixServerLanguage
lDAPDisplayName: scalixServerLanguage
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=scalixEmailAddress,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.15
cn: scalixEmailAddress
name: scalixEmailAddress
lDAPDisplayName: scalixEmailAddress
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE

dn: CN=scalixLimitMailboxSize,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.16
cn: scalixLimitMailboxSize
name: scalixLimitMailboxSize
lDAPDisplayName: scalixLimitMailboxSize
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: FALSE

dn: CN=scalixLimitOutboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.17
cn: scalixLimitOutboundMail
name: scalixLimitOutboundMail
lDAPDisplayName: scalixLimitOutboundMail
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixLimitInboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.18
cn: scalixLimitInboundMail
name: scalixLimitInboundMail
lDAPDisplayName: scalixLimitInboundMail
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixLimitNotifyUser,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.19
cn: scalixLimitNotifyUser
name: scalixLimitNotifyUser
lDAPDisplayName: scalixLimitNotifyUser
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixHideUserEntry,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.20
cn: scalixHideUserEntry
name: scalixHideUserEntry
lDAPDisplayName: scalixHideUserEntry
attributeSyntax: 2.5.5.8
oMSyntax: 1
# isSingleValued was not given for this attribute; FALSE follows the other Boolean attributes.
isSingleValued: FALSE

dn: CN=scalixMailboxClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.21
cn: scalixMailboxClass
name: scalixMailboxClass
lDAPDisplayName: scalixMailboxClass
attributeSyntax: 2.5.5.12
oMSyntax: 64
# isSingleValued was not given for this attribute; a mailbox class is a single value (as in Mod_user.ldif below).
isSingleValued: TRUE

dn: CN=scalixActiveSync,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.22
cn: scalixActiveSync
name: scalixActiveSync
lDAPDisplayName: scalixActiveSync
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Class_extensions.ldif --option="dsdb:schema update allowed"=true
file: Class_extensions.ldif
# Every classSchema object needs subClassOf; auxiliary classes (objectClassCategory 3) derive from top.
dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.10
cn: scalixUserClass
name: scalixUserClass
lDAPDisplayName: scalixUserClass
description: Supplemental class containing the Scalix User-related attributes
subClassOf: top
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: scalixAdministrator
mayContain: scalixMailboxAdministrator
mayContain: scalixServerLanguage
mayContain: scalixEmailAddress
mayContain: scalixLimitMailboxSize
mayContain: scalixLimitOutboundMail
mayContain: scalixLimitInboundMail
mayContain: scalixLimitNotifyUser
mayContain: scalixHideUserEntry
mayContain: scalixMailboxClass
mayContain: scalixActiveSync
defaultObjectCategory: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL

dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
description: Supplemental class containing the Scalix Group-related attributes
subClassOf: top
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
mayContain: scalixHideUserEntry
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Users_extensions.ldif --option="dsdb:schema update allowed"=true
file: Users_extensions.ldif
dn: CN=User,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixUserClass
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Groups_extensions.ldif --option="dsdb:schema update allowed"=true
file: Groups_extensions.ldif
dn: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixGroupClass
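Because the schema LDIF files above are written by hand, a pre-flight check before running ldbmodify pays off: a record whose DN points at the wrong domain, a duplicate OID, a mayContain that names an attribute the attribute file never defines, or an attributeSyntax without a matching oMSyntax all fail only at load time, after the schema partition has already been touched. The following Python script is an added example for this page, not part of the original HowTo or of Samba; it parses the two LDIF files and reports such problems. The embedded LDIF is a constructed sample that mirrors the page's layout and deliberately contains three mistakes (a DC=SAMBA,DC=LOCAL DN, a missing oMSyntax, and a mayContain of an undefined attribute). Only the syntaxes used by the Scalix schema are listed in OM_SYNTAX; BASE_ATTRIBUTES names base-schema attributes that may appear in mayContain.

```python
"""Pre-flight checks for hand-written Samba schema LDIF (added example, not from the HowTo)."""

# attributeSyntax OID -> oMSyntax values Active Directory pairs with it.
OM_SYNTAX = {
    "2.5.5.8": {1},        # Boolean
    "2.5.5.9": {2, 10},    # Integer / Enumeration
    "2.5.5.12": {64},      # Unicode string
}
# Base-schema attributes that may appear in mayContain without being defined by us.
BASE_ATTRIBUTES = {"displayName"}


def parse_ldif(text):
    """Split LDIF into records (dict attribute -> list of values).

    Handles RFC 2849 line folding and '#' comments; '::' base64 values are not
    decoded because the schema files do not use them."""
    records, current, logical = [], {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]            # continuation of the previous line
        else:
            logical.append(raw)
    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line terminates a record
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    return records


def check_schema(attr_ldif, class_ldif, schema_base):
    """Return a list of problems found; an empty list means the files look consistent."""
    problems, oids, defined = [], {}, set()
    attrs, classes = parse_ldif(attr_ldif), parse_ldif(class_ldif)

    for rec in attrs + classes:
        dn = rec.get("dn", [""])[0]
        if not dn.lower().endswith(schema_base.lower()):
            problems.append(f"{dn}: not under {schema_base}")
        for key in ("attributeID", "governsID"):
            for oid in rec.get(key, []):
                oids.setdefault(oid, []).append(dn)

    for rec in attrs:
        name = rec.get("lDAPDisplayName", ["?"])[0]
        defined.add(name)
        syntax = rec.get("attributeSyntax", [None])[0]
        om = {int(v) for v in rec.get("oMSyntax", [])}
        if syntax not in OM_SYNTAX:
            problems.append(f"{name}: unknown attributeSyntax {syntax}")
        elif not om:
            problems.append(f"{name}: oMSyntax missing (expected one of {sorted(OM_SYNTAX[syntax])})")
        elif not om <= OM_SYNTAX[syntax]:
            problems.append(f"{name}: oMSyntax {sorted(om)} does not match attributeSyntax {syntax}")
        if "isSingleValued" not in rec:
            problems.append(f"{name}: isSingleValued missing")

    for rec in classes:
        name = rec.get("lDAPDisplayName", ["?"])[0]
        if "subClassOf" not in rec:
            problems.append(f"{name}: subClassOf missing")
        for may in rec.get("mayContain", []):
            if may not in defined and may not in BASE_ATTRIBUTES:
                problems.append(f"{name}: mayContain {may} is not defined")

    for oid, dns in oids.items():
        if len(dns) > 1:
            problems.append(f"OID {oid} used {len(dns)} times")
    return problems


# Constructed sample input modelled on the page's files, with three deliberate mistakes.
SCHEMA_BASE = "CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL"
SAMPLE_ATTRS = """\
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

# Mistake 1: wrong domain in the DN.  Mistake 2: no oMSyntax.
dn: CN=scalixActiveSync,CN=Schema,CN=Configuration,DC=SAMBA,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.22
lDAPDisplayName: scalixActiveSync
attributeSyntax: 2.5.5.8
isSingleValued: FALSE
"""
SAMPLE_CLASSES = """\
dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
lDAPDisplayName: scalixGroupClass
subClassOf: top
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
"""
# Mistake 3: scalixEmailAddress is listed in mayContain but never defined above.

if __name__ == "__main__":
    for problem in check_schema(SAMPLE_ATTRS, SAMPLE_CLASSES, SCHEMA_BASE):
        print(problem)
```

Run it against the real Att_extensions.ldif and Class_extensions.ldif (read the files and pass their contents to check_schema with your own schema DN) before the first ldbmodify; it is read-only and never touches sam.ldb.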
Extending existing Samba4 users.
For every Samba user you want to add to Scalix, run:
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_user.ldif --option="dsdb:schema update allowed"=true
Replace "CN=testsx" with the CN of the user you are adding.
file: Mod_user.ldif
dn: CN=testsx,CN=Users,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
replace: scalixMailboxClass
scalixMailboxClass: FULL
-
replace: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
replace: scalixEmailAddress
scalixEmailAddress: testsx@scalix.test
-
replace: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
replace: scalixAdministrator
scalixAdministrator: FALSE
-
Extending existing Samba4 groups.
For every Samba group you want to add to Scalix, run:
[root@samba ~]#/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_groups.ldif --option="dsdb:schema update allowed"=true
file: Mod_groups.ldif
dn: CN=scalixtestGR,CN=Users,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
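Editing Mod_user.ldif and Mod_groups.ldif by hand for every account does not scale, and hand-edited LDIF tends to drop the "-" separator between changes or to put a CN containing commas or non-ASCII characters into a DN unescaped. The following Python script is an added example for this page (not part of the HowTo, Samba or Scalix) that generates the two kinds of modify records above for a list of users and groups: each record is RFC 2849 modify LDIF with the "-" separator, the CN inside the DN is escaped per RFC 4514, a value LDIF cannot carry in plain form is emitted base64-encoded, and a CN that is not usable as the mail local part (the page derives the address from the CN) is rejected instead of producing an invalid scalixEmailAddress. The base DN and mail domain come from the page's test setup; the user and group names are constructed input.

```python
"""Generate per-user / per-group Scalix modify LDIF (added example, not from the HowTo)."""
import base64
import re

BASE_DN = "DC=TEST,DC=SCALIX,DC=LOCAL"   # from the test setup above
MAIL_DOMAIN = "scalix.test"
LOCAL_PART = re.compile(r"^[A-Za-z0-9._%+-]+$")


def escape_rdn_value(value):
    """Escape an RDN attribute value so it cannot alter the DN structure (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == " " and i in (0, len(value) - 1)
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or edge_space:
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """'attr: value' when the value is LDIF-safe, otherwise 'attr:: <base64>' (RFC 2849)."""
    safe = (value.isascii() and value == value.strip()
            and not value.startswith((":", "<"))
            and "\n" not in value and "\r" not in value)
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def modify_record(dn, changes):
    """One 'changetype: modify' record; every replace is closed by the '-' separator."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in changes:
        lines += [f"replace: {attr}", ldif_line(attr, value), "-"]
    return "\n".join(lines) + "\n"


def user_modify_ldif(cn, mailnode="sxmail", base_dn=BASE_DN, mail_domain=MAIL_DOMAIN):
    """The Mod_user.ldif record for one user; the mail local part is the CN, as on the page."""
    if not LOCAL_PART.match(cn):
        raise ValueError(f"{cn!r} is not usable as a mail local part")
    dn = f"CN={escape_rdn_value(cn)},CN=Users,{base_dn}"
    return modify_record(dn, [
        ("scalixScalixObject", "TRUE"),
        ("scalixMailnode", mailnode),
        ("scalixMailboxClass", "FULL"),
        ("scalixServerLanguage", "ENGLISH"),
        ("scalixEmailAddress", f"{cn}@{mail_domain}"),
        ("scalixLimitOutboundMail", "FALSE"),
        ("scalixAdministrator", "FALSE"),
    ])


def group_modify_ldif(cn, mailnode="sxmail", base_dn=BASE_DN):
    """The Mod_groups.ldif record for one group."""
    dn = f"CN={escape_rdn_value(cn)},CN=Users,{base_dn}"
    return modify_record(dn, [("scalixScalixObject", "TRUE"), ("scalixMailnode", mailnode)])


def build_batch(users, groups):
    """All records in one file, separated by blank lines, for a single ldbmodify run."""
    return "\n".join([user_modify_ldif(u) for u in users] + [group_modify_ldif(g) for g in groups])


if __name__ == "__main__":
    # Constructed sample: the page's test user and group plus one more user.
    print(build_batch(["testsx", "alice"], ["scalixtestGR"]), end="")
```

Redirect the output to a file and feed it to the same ldbmodify command as above; one run then extends every listed user and group.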
Add new user to Samba4.
Create a new Samba user:
[root@samba ~]#/Path/to/samba/bin/samba-tool user add testsx
then extend it as described above for existing users. (There are simpler ways to create users; the most laborious variant is described here.)
Create new group on Samba4.
[root@samba ~]#/Path/to/samba/bin/samba-tool group add scalixtestGR
then extend it as described above for existing groups.
Add a service principal (keytab).
Create a user named "scalix-ual":
[root@samba ~]#/Path/to/samba/bin/samba-tool user add scalix-ual
Create the service principal:
[root@samba ~]#/Path/to/samba/bin/samba-tool spn add scalix-ual/mail.scalix.test scalix-ual
Create the keytab file:
[root@samba ~]#/Path/to/samba/bin/samba-tool domain exportkeytab ./test.keytab --principal=scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
Kerberos config on Scalix system.
Copy test.keytab to the Scalix server and run:
[root@scalix ~]#ommergekeys ./test.keytab
[root@scalix ~]#omkrbconf -r TEST.SCALIX.LOCAL -s 192.168.0.100 -d TEST.SCALIX.LOCAL
Test Kerberos.
[root@scalix ~]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
[root@scalix ~]#kinit scalix-ual@TEST.SCALIX.LOCAL
If there are no errors, everything is fine.
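A keytab that merges cleanly is not necessarily the right keytab: a typo in the hostname passed to samba-tool domain exportkeytab produces an entry for a principal that Scalix will never present, and the mistake surfaces later as an opaque GSSAPI error rather than at this step. The following Python script is an added example for this page (not part of the HowTo, Samba, Scalix or MIT Kerberos) that parses the text output of klist -k and checks every entry against the SPN registered above (service scalix-ual, host mail.scalix.test, realm TEST.SCALIX.LOCAL). The embedded klist output is a constructed sample matching what the page shows.

```python
"""Check klist -k output against the expected Scalix service principal (added example)."""
import re

# Constructed sample of `klist -k` output, laid out like the page's listing.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
   1 scalix-ual/mail.scalix.test@TEST.SCALIX.LOCAL
"""

# One keytab entry line: KVNO, then service/host@REALM.
ENTRY = re.compile(r"^\s*(\d+)\s+([^/\s]+)/([^@\s]+)@(\S+)\s*$")


def parse_klist(text):
    """Return (kvno, service, host, realm) for every entry line; headers are skipped."""
    entries = []
    for line in text.splitlines():
        match = ENTRY.match(line)
        if match:
            kvno, service, host, realm = match.groups()
            entries.append((int(kvno), service, host, realm))
    return entries


def check_keytab(text, service, host, realm):
    """Return a list of mismatches between the keytab entries and the expected SPN."""
    entries = parse_klist(text)
    if not entries:
        return ["no keytab entries found in klist output"]
    expected = f"{service}/{host}@{realm}"
    problems = []
    for kvno, svc, hst, rlm in entries:
        if svc != service:
            problems.append(f"kvno {kvno}: service {svc!r}, expected {expected}")
        if hst.lower() != host.lower():          # host names compare case-insensitively
            problems.append(f"kvno {kvno}: host {hst!r}, expected {expected}")
        if rlm != realm:                          # realm names are case-sensitive
            problems.append(f"kvno {kvno}: realm {rlm!r}, expected {expected}")
    return problems


if __name__ == "__main__":
    for problem in check_keytab(KLIST_OUTPUT, "scalix-ual", "mail.scalix.test", "TEST.SCALIX.LOCAL"):
        print(problem)
```

In practice, pipe the real output in (klist -k | python3 this_script.py, reading sys.stdin instead of KLIST_OUTPUT) right after ommergekeys; an empty result means the entries match the SPN that was registered on the Samba side.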
Scalix Samba4 sync.
Create a Samba synchronization agreement (agreement type 11) as described in the AD Integration HowTo.
Then go to /var/opt/scalix/??/s/ldapsync/[Agreement_name] and change the following lines in sync.cfg:
sn|S|*1,40|* ==> name|S|*|*
...
givenName|G|*,1,16!ISPRESENT=surname|* ==> name|G|*,1,16!ISPRESENT=surname|*
...
Then run: omldapsync -u [Agreement_name]
Tests.
In /var/opt/scalix/??/s/sys/pam.d, modify the authentication files as follows:
file: omslapdeng
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
# auth sufficient om_auth
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes
# above. See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
#account required om_auth
#password required om_auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
file: pop3
auth sufficient om_krb5 use_first_pass
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
file: smtpd.auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
file: ual.local
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth nopreauth
file: ual.remote
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
#auth sufficient om_auth
#auth sufficient om_krb5 use_first_pass
#auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes
# above. See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
#auth required om_krb5 user_unknown=ignore
#auth required om_ldap user_unknown=ignore
#auth optional om_auth use_first_pass
#account required om_auth
#password required om_auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth
Restart the Scalix services and try to log in via Outlook, SWA, or POP3/IMAP.
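The pam.d files above all settle on "Kerberos authentication 2" (om_krb5 required with user_unknown=ignore, om_auth optional), and the comments in them explain the choice in prose. The following Python script is an added example for this page, not part of the HowTo or of Linux-PAM or Scalix; it models the Linux-PAM control flags required, requisite, sufficient and optional (the om_krb5 user_unknown=ignore option is modelled as PAM_IGNORE, i.e. the line counts as absent, and pam_deny always fails), then runs the same module outcomes through scheme 1 and scheme 2. The result shows what the configured files enforce: a user the KDC knows must authenticate against the KDC and a Scalix-only password no longer works for that user, a user the KDC does not know falls through to om_auth, and the list of consulted modules shows when a failed attempt reaches the KDC. Module outcomes are constructed; nothing here calls a real KDC or PAM.

```python
"""Evaluate the Scalix pam.d auth stacks under Linux-PAM semantics (added example)."""

# (control, module, options) in the order the pam.d files list them.
KERBEROS_1 = [
    ("sufficient", "om_auth", ""),
    ("sufficient", "om_krb5", "use_first_pass"),
    ("required", "pam_deny", ""),
]
KERBEROS_2 = [                                   # the scheme the files above enable
    ("required", "om_krb5", "user_unknown=ignore"),
    ("optional", "om_auth", "use_first_pass"),
]


def evaluate_stack(stack, outcomes):
    """Return (verdict, modules_consulted) for one auth stack.

    outcomes maps module -> "success" | "fail" | "unknown_user"; pam_deny always fails.
    A module returning unknown_user with user_unknown=ignore is PAM_IGNORE."""
    consulted, required_failed, positive, optional_results = [], False, False, []
    for control, module, options in stack:
        result = "fail" if module == "pam_deny" else outcomes[module]
        consulted.append(module)                   # the module ran, whatever it returned
        if result == "unknown_user":
            if "user_unknown=ignore" in options:
                continue                           # PAM_IGNORE: as if the line were absent
            result = "fail"
        ok = result == "success"
        if control in ("required", "requisite"):
            if ok:
                positive = True
            elif control == "requisite":
                return "fail", consulted           # requisite failure ends the stack at once
            else:
                required_failed = True             # remembered; later modules still run
        elif control == "sufficient":
            if ok and not required_failed:
                return "success", consulted        # decides immediately, rest is skipped
        elif control == "optional":
            optional_results.append(ok)
    if required_failed:
        return "fail", consulted
    if positive:
        return "success", consulted
    if optional_results:                           # only optional modules had a say
        return ("success" if optional_results[-1] else "fail"), consulted
    return "fail", consulted                       # everything was ignored: deny


def compare_schemes(krb5_result, om_auth_result):
    """Run one user's module outcomes through both Kerberos schemes."""
    outcomes = {"om_krb5": krb5_result, "om_auth": om_auth_result}
    return {
        "kerberos1": evaluate_stack(KERBEROS_1, outcomes),
        "kerberos2": evaluate_stack(KERBEROS_2, outcomes),
    }


if __name__ == "__main__":
    # Constructed scenarios: (om_krb5 outcome, om_auth outcome).
    cases = {
        "known to both, correct password": ("success", "success"),
        "known to both, wrong password": ("fail", "fail"),
        "known to KDC, presents Scalix-only password": ("fail", "success"),
        "unknown to KDC, correct Scalix password": ("unknown_user", "success"),
        "unknown to KDC, wrong Scalix password": ("unknown_user", "fail"),
    }
    for label, (krb5, om_auth) in cases.items():
        print(f"{label}: {compare_schemes(krb5, om_auth)}")
```

The third scenario is the one that separates the two schemes: scheme 1 accepts the Scalix-only password without ever consulting the KDC, while scheme 2 rejects it because om_krb5 is required for any user the KDC knows.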