Difference between revisions of "HowTos/Samba4"
Revision as of 11:54, 3 November 2014
Scalix Samba4 sync
Scalix server:
  IP - 192.168.0.1
  Hostname - mail.scalix.test
Samba4 server:
  IP - 192.168.0.100
  Hostname - DC.test.local
  Domain - TEST.SCALIX.LOCAL
Samba test user name: testsx
Samba test group name: scalixtestGR
Before you start: this page describes the test configuration above. For any other setup you need to change some settings, for example replace the DN DC=TEST,DC=SCALIX,DC=LOCAL with your own DN.
1. Extend the Samba schema.
Extending the Samba schema is a dangerous process, so it is strongly recommended to back up the schema before you start working on it!
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Att_extensions.ldif --option="dsdb:schema update allowed"=true
file: Att_extensions.ldif
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.12
cn: scalixAdministrator
name: scalixAdministrator
lDAPDisplayName: scalixAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixMailboxAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.13
cn: scalixMailboxAdministrator
name: scalixMailboxAdministrator
lDAPDisplayName: scalixMailboxAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitMailboxSize,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.16
cn: scalixLimitMailboxSize
name: scalixLimitMailboxSize
lDAPDisplayName: scalixLimitMailboxSize
attributeSyntax: 2.5.5.9
isSingleValued: FALSE

dn: CN=scalixLimitOutboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.17
cn: scalixLimitOutboundMail
name: scalixLimitOutboundMail
lDAPDisplayName: scalixLimitOutboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitInboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.18
cn: scalixLimitInboundMail
name: scalixLimitInboundMail
lDAPDisplayName: scalixLimitInboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitNotifyUser,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.19
cn: scalixLimitNotifyUser
name: scalixLimitNotifyUser
lDAPDisplayName: scalixLimitNotifyUser
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixHideUserEntry,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.20
cn: scalixHideUserEntry
name: scalixHideUserEntry
lDAPDisplayName: scalixHideUserEntry
attributeSyntax: 2.5.5.8
# isSingleValued was not given for this attribute; FALSE is assumed, like the other Boolean attributes above
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixServerLanguage,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.14
cn: scalixServerLanguage
name: scalixServerLanguage
lDAPDisplayName: scalixServerLanguage
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixEmailAddress,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.15
cn: scalixEmailAddress
name: scalixEmailAddress
lDAPDisplayName: scalixEmailAddress
attributeSyntax: 2.5.5.12
isSingleValued: FALSE

dn: CN=scalixMailboxClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.21
cn: scalixMailboxClass
name: scalixMailboxClass
lDAPDisplayName: scalixMailboxClass
attributeSyntax: 2.5.5.12
# isSingleValued was not given for this attribute; FALSE is assumed, like scalixEmailAddress above
isSingleValued: FALSE
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Class_extensions.ldif --option="dsdb:schema update allowed"=true
file:Class_extensions.ldif
dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.10
cn: scalixUserClass
name: scalixUserClass
lDAPDisplayName: scalixUserClass
description: Supplemental class containing the Scalix User-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: scalixAdministrator
mayContain: scalixMailboxAdministrator
mayContain: scalixServerLanguage
mayContain: scalixEmailAddress
mayContain: scalixLimitMailboxSize
mayContain: scalixLimitOutboundMail
mayContain: scalixLimitInboundMail
mayContain: scalixLimitNotifyUser
mayContain: scalixHideUserEntry
mayContain: scalixMailboxClass
defaultObjectCategory: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL

dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
description: Supplemental class containing the Scalix Group-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
mayContain: scalixHideUserEntry
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Users_extensions.ldif --option="dsdb:schema update allowed"=true
file: Users_extensions.ldif
dn: CN=User,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixUserClass
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Groups_extensions.ldif --option="dsdb:schema update allowed"=true
file: Groups_extensions.ldif
dn: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixGroupClass
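Because the schema change above cannot be rolled back short of restoring the backup, it is worth checking the LDIF files for the mistakes that ldbmodify only reports half-way through (an attribute referenced in mayContain that was never defined, a duplicated OID, a missing mandatory field). The following pre-flight checker is an added example and not part of the original HowTo or of Samba; it embeds a constructed subset of the page's attribute and class entries with one deliberate error, and the set of built-in attributes it accepts (displayName) is an assumption.

```python
"""Pre-flight consistency check for the Scalix schema LDIF files.

Added example (not part of the original HowTo): parses the attribute LDIF and
the class LDIF and reports problems before anything is written to sam.ldb.
The embedded LDIF is a constructed subset of the page's entries; the class
deliberately references scalixEmailAddress, which the subset does not define.
"""

# Assumption: the only pre-existing AD attribute these classes reference.
BUILTIN_ATTRS = {"displayName"}

REQUIRED_ATTR_KEYS = ("attributeID", "cn", "lDAPDisplayName", "attributeSyntax", "isSingleValued")
REQUIRED_CLASS_KEYS = ("governsID", "cn", "lDAPDisplayName", "objectClassCategory", "defaultObjectCategory")

ATTR_LDIF = """\
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
"""

CLASS_LDIF = """\
dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
"""


def parse_ldif(text):
    """Split LDIF text into entries (dict attribute -> list of values).
    Comment lines are skipped and a blank line ends an entry; these files
    use neither continuation lines nor base64 values, so neither is handled."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def check_schema(attr_ldif, class_ldif):
    """Return a list of human-readable problems; an empty list means the files are consistent."""
    problems, oids, defined = [], {}, set()

    def note_oid(oid, owner):
        if oid in oids:
            problems.append(f"{owner}: OID {oid} already used by {oids[oid]}")
        oids[oid] = owner

    for e in parse_ldif(attr_ldif):
        cn = e.get("cn", ["?"])[0]
        if "attributeSchema" not in e.get("objectClass", []):
            problems.append(f"{cn}: not an attributeSchema entry")
        for key in REQUIRED_ATTR_KEYS:
            if key not in e:
                problems.append(f"{cn}: missing {key}")
        if e.get("lDAPDisplayName", [cn])[0] != cn:
            problems.append(f"{cn}: lDAPDisplayName differs from cn")
        if "attributeID" in e:
            note_oid(e["attributeID"][0], cn)
        defined.add(cn)

    for e in parse_ldif(class_ldif):
        cn = e.get("cn", ["?"])[0]
        dn = e.get("dn", [""])[0]
        if "classSchema" not in e.get("objectClass", []):
            problems.append(f"{cn}: not a classSchema entry")
        for key in REQUIRED_CLASS_KEYS:
            if key not in e:
                problems.append(f"{cn}: missing {key}")
        if e.get("objectClassCategory", ["3"])[0] != "3":
            problems.append(f"{cn}: objectClassCategory is not 3 (auxiliary)")
        if "governsID" in e:
            note_oid(e["governsID"][0], cn)
        if e.get("defaultObjectCategory", [dn])[0] != dn:
            problems.append(f"{cn}: defaultObjectCategory does not match dn")
        for may in e.get("mayContain", []):      # every mayContain must resolve
            if may not in defined and may not in BUILTIN_ATTRS:
                problems.append(f"{cn}: mayContain references undefined attribute {may}")
    return problems


if __name__ == "__main__":
    for p in check_schema(ATTR_LDIF, CLASS_LDIF):
        print("PROBLEM:", p)
```

Run it against the real Att_extensions.ldif and Class_extensions.ldif (read the two files and pass their contents to check_schema) before the first ldbmodify; only apply the schema once the list comes back empty.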
2. Extend existing Samba4 users.
For every user you want to add to Scalix, run: /Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_user.ldif --option="dsdb:schema update allowed"=true
Replace "CN=testsx" with the CN of the user you are modifying.
file: Mod_user.ldif
dn: CN=testsx,CN=Users,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
replace: scalixMailboxClass
scalixMailboxClass: FULL
-
replace: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
replace: scalixEmailAddress
scalixEmailAddress: testsx@test.scalix.local
-
replace: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
replace: scalixAdministrator
scalixAdministrator: FALSE
-
3. Extend existing Samba4 groups.
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_groups.ldif --option="dsdb:schema update allowed"=true
file: Mod_groups.ldif
dn: CN=scalixtestGR,CN=Users,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
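Chapters 2 and 3 have to be repeated for every user and group, each time editing the CN by hand. The generator below, an added example that is not part of the original HowTo, renders the same replace operations for a list of names, escapes DN-special characters in the CN, and separates the changes with the "-" lines RFC 2849 requires (ldbmodify accepts them). The base DN, mail node and mail domain default to the page's test values, and the rule that the address is cn@mail-domain is an assumption generalised from the page's single example (testsx).

```python
"""Generate the per-user and per-group modify LDIF from a list of names.

Added example, not part of the original HowTo or of Samba.  Defaults are the
page's test values; the e-mail address rule (<cn>@<mail domain>) is assumed
from the page's one example and should be adapted to the real naming scheme.
"""

BASE_DN = "DC=TEST,DC=SCALIX,DC=LOCAL"
MAIL_DOMAIN = "test.scalix.local"
MAILNODE = "sxmail"


def escape_rdn_value(value):
    """Escape characters that are special inside an RDN value (RFC 4514)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):        # leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):             # and so must a trailing space
        out = out[:-1] + "\\ "
    return out


def modify_record(dn, replacements):
    """Render one LDIF modify record; '-' separates the individual changes."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in replacements:
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def user_ldif(cn, base_dn=BASE_DN, mail_domain=MAIL_DOMAIN, mailnode=MAILNODE, admin=False):
    """Same replace set as the page's Mod_user.ldif, for one user."""
    dn = f"CN={escape_rdn_value(cn)},CN=Users,{base_dn}"
    return modify_record(dn, [
        ("scalixScalixObject", "TRUE"),
        ("scalixMailnode", mailnode),
        ("scalixMailboxClass", "FULL"),
        ("scalixServerLanguage", "ENGLISH"),
        ("scalixEmailAddress", f"{cn}@{mail_domain}"),   # assumption, see above
        ("scalixLimitOutboundMail", "FALSE"),
        ("scalixAdministrator", "TRUE" if admin else "FALSE"),
    ])


def group_ldif(cn, base_dn=BASE_DN, mailnode=MAILNODE):
    """Same replace set as the page's Mod_groups.ldif, for one group."""
    dn = f"CN={escape_rdn_value(cn)},CN=Users,{base_dn}"
    return modify_record(dn, [("scalixScalixObject", "TRUE"), ("scalixMailnode", mailnode)])


def batch_ldif(users, groups):
    """All records in one file, separated by blank lines as LDIF requires."""
    return "\n".join([user_ldif(u) for u in users] + [group_ldif(g) for g in groups])


def ldbmodify_command(samba_root, ldif_path):
    """Command line that applies the file.  The schema-update option from the
    page is not needed here: these records change user and group objects,
    not the Schema partition."""
    return [f"{samba_root}/bin/ldbmodify", f"--url={samba_root}/private/sam.ldb", ldif_path]


if __name__ == "__main__":
    import sys
    sys.stdout.write(batch_ldif(["testsx"], ["scalixtestGR"]))
    print(" ".join(ldbmodify_command("/Path/To/samba", "./Mod_batch.ldif")))
```

Write the output of batch_ldif to a file and apply it with the printed ldbmodify command; users that should be Scalix administrators get admin=True, which sets scalixAdministrator to TRUE instead of FALSE.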
4. Add a new user to Samba4.
Create the new Samba user: /Path/to/samba/bin/samba-tool user add testsx
and modify it as in chapter 2. (There are simpler ways to create users; the most laborious variant is described here.)
5. Create a new group on Samba4.
/Path/to/samba/bin/samba-tool group add scalixtestGR
and modify it as in chapter 3.
6. Add a service principal (keytab).
Create a user named "scalix-ual":
/Path/to/samba/bin/samba-tool user add scalix-ual
Create the service principal:
/Path/to/samba/bin/samba-tool spn add scalix-ual/scalix.test.local scalix-ual
Create the keytab file:
/Path/to/samba/bin/samba-tool domain exportkeytab ./test.keytab --principal=scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
7. Kerberos config on the Scalix system.
Copy test.keytab to the Scalix server.
run: ommergekeys ./test.keytab
run: omkrbconf -r TEST.SCALIX.LOCAL -s 192.168.0.100 -d TEST.SCALIX.LOCAL
8. Test Kerberos.
[root@scalix scalix-tomcat]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
kinit scalix-ual@TEST.SCALIX.LOCAL
If both commands complete without errors, Kerberos is working.
9. Scalix Samba4 sync.
Create a Samba SA (Synchronization Agreement) as in chapter 7 of Scalix AD sync.
Then go to /var/opt/scalix/??/s/ldapsync/[Agreement_name]
and in sync.cfg change these lines:
sn|S|*1,40|*  ==>  name|S|*|*
...
givenName|G|*,1,16!ISPRESENT=surname|*  ==>  name|G|*,1,16!ISPRESENT=surname|*
then run: omldapsync -u [Agreement_name]
10. Tests.
In /var/opt/scalix/??/s/sys/pam.d modify the authentication files:
file: omslapdeng
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth nullok
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
# auth sufficient om_auth nullok
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth nullok use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth nullok
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass
#account required om_auth
#password required om_auth nullok
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok
file: pop3
auth sufficient om_krb5 use_first_pass
auth required pam_deny
account required om_auth
password required om_auth
file: smtpd.auth
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
file: ual.local
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nopreauth nullok
file: ual.remote
# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth nullok
#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
#auth sufficient om_auth nullok
#auth sufficient om_krb5 use_first_pass
#auth required pam_deny
# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth nullok use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth sufficient om_auth nullok
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass
# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
#auth required om_krb5 user_unknown=ignore
#auth required om_ldap user_unknown=ignore
#auth optional om_auth nullok use_first_pass
#account required om_auth
#password required om_auth nullok
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok
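The files above are mostly commented-out alternatives, and the comments themselves explain why order matters: in scheme 1 the local om_auth check must run before om_krb5, otherwise wrong passwords reach the KDC and can lock a principal that exists in both systems. The script below is an added example, not part of the original HowTo or of Scalix; it strips the comments from a pam.d file, reports the active lines, names which of the page's schemes they implement, and flags the reversed ordering. The embedded file contents are constructed from the page's ual.local and pop3 listings plus one deliberately mis-ordered stack.

```python
"""Show the effective PAM stack of a Scalix pam.d file and check its ordering.

Added example, not part of the original HowTo.  Module names (om_krb5,
om_auth, pam_deny) and the scheme names come from the page's own comments.
"""

# Constructed: the active lines of the page's ual.local file.
UAL_LOCAL = """\
# Kerberos authentication 2 (active part only)
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nopreauth nullok
"""

# Constructed: the page's pop3 file.
POP3 = """\
auth sufficient om_krb5 use_first_pass
auth required pam_deny
account required om_auth
password required om_auth
"""

# Constructed: scheme 1 with om_krb5 first, the order the page's comments warn against.
REVERSED_SCHEME1 = """\
auth sufficient om_krb5 use_first_pass
auth sufficient om_auth nullok
auth required pam_deny
account required om_auth
"""


def effective_stack(text):
    """Return the non-comment lines as (type, control, module, args) tuples."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        stack.append((fields[0], fields[1], fields[2], fields[3:]))
    return stack


def auth_lines(stack):
    return [(ctrl, mod, args) for typ, ctrl, mod, args in stack if typ == "auth"]


def classify_auth(stack):
    """Name the auth scheme from the page's comments that the active lines implement."""
    auth = auth_lines(stack)
    mods = [mod for _, mod, _ in auth]
    if (mods[:2] == ["om_krb5", "om_auth"] and auth[0][0] == "required"
            and "user_unknown=ignore" in auth[0][2] and "use_first_pass" in auth[1][2]):
        return "kerberos-2"        # KDC users must use Kerberos, others fall back to Scalix
    if (mods[:3] == ["om_auth", "om_krb5", "pam_deny"]
            and auth[0][0] == "sufficient" and auth[1][0] == "sufficient"):
        return "kerberos-1"        # local password first, Kerberos second
    if mods[:2] == ["om_krb5", "pam_deny"] and auth[0][0] == "sufficient":
        return "kerberos-only"     # the page's pop3 file
    return "unknown"


def lockout_risk(stack):
    """Warn when om_krb5 is a 'sufficient' first try ahead of om_auth."""
    auth = auth_lines(stack)
    first = {}
    for i, (ctrl, mod, _) in enumerate(auth):
        first.setdefault(mod, (i, ctrl))       # position and control of the first use
    if ("om_krb5" in first and "om_auth" in first
            and first["om_krb5"][1] == "sufficient"
            and first["om_krb5"][0] < first["om_auth"][0]):
        return ["om_krb5 (sufficient) runs before om_auth: a wrong local password "
                "is tried against the KDC first and can lock the principal"]
    return []


def report(name, text):
    stack = effective_stack(text)
    return {"file": name, "scheme": classify_auth(stack),
            "warnings": lockout_risk(stack), "active_lines": len(stack)}


if __name__ == "__main__":
    for name, text in (("ual.local", UAL_LOCAL), ("pop3", POP3), ("reversed", REVERSED_SCHEME1)):
        print(report(name, text))
```

To check the real files, read each file in /var/opt/scalix/??/s/sys/pam.d and pass its contents to report(); a scheme of "unknown" together with a warning is the case to fix before restarting the services.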
Restart the Scalix services and try to log in via Outlook, SWA, or POP3/IMAP.