HOWTO: Scalix Active Directory integration w. kerberos auth

Best practice information from Scalix users relating to integration of Scalix with other products.


per.johansson


Postby per.johansson » Wed Nov 19, 2008 10:26 am

Hi. I followed the Scalix docs on how to set up Kerberos auth against AD, but I never got it to work.

Thanks to this great forum I managed to get it working nice and pretty.

What this guide will do is:
Manage users through MS AD, sync all AD users in an OU to your Scalix machine, and authenticate these users using
Kerberos (the user's AD password).

AD: 2003 R2 English 32-bit (64-bit won't work if you want the scalix-ad-gui-extensions)
Scalix: 11.4.2.GA.Community RHEL5 on CentOS 5.2 (final) 64-bit

Naming: AD     = ad06.test.local
        Scalix = ms01.test.local



1.
Add ms01 in your DNS forward and reverse zone.

2.
Follow this excellent guide (Skip Step 6)
http://www.scalix.com/wiki/index.php?title=HowTos/Active_Directory/Kerberos

3.
Create/Modify the following files
----------------------------------------------------------------
/var/opt/scalix/NN/s/sys/pam.d/pamcheck (only for debugging)

Put these values in it:

auth required om_debug file=stderr verbosity=3
auth sufficient om_krb5 user_unknown=ignore
auth required pam_deny
account required om_auth
----------------------------------------------------------------
/var/opt/scalix/NN/s/sys/pam.d/ual.remote

Put these values in it (all other values must be commented out):

auth sufficient om_krb5 user_unknown=ignore
auth required pam_deny
account required om_auth
----------------------------------------------------------------
/var/opt/scalix/NN/s/sys/pam.d/smtpd.auth

Put these values in it (all other values must be commented out):

auth sufficient om_krb5 user_unknown=ignore
auth required pam_deny
account required om_auth


4. Install the Scalix AD Schema Extensions.msi:
Double click on the msi
Open a command prompt
cd c:\program files\scalix\administration
scalixforestprep.exe --install
verify the install with:
scalixforestprep.exe

5. Install the Scalix AD GUI Extensions.msi (won't work on 64-bit):
Double click on the msi
Open a command prompt
cd c:\program files\scalix\administration
regsvr32 AdminMMC.dll
regsvr32 ScalixADPages.dll (ignore the error msg)
reboot your AD server.

6. Create a new OU in your domain root, e.g. mailusers

7. Create a user in that OU:
Uncheck User must change password at next logon
Check Create a Scalix Mailbox
Home Mailnode: ms01

8. Setup the LDAP Sync agreement on Scalix.
/opt/scalix/bin/omldapsync -i ad06
1. Configure the LDAP dir sync setting
Select sync agreement type to create (21): 11
Don't edit it now and don't test it.
Quit the guide.
Edit the file with your preferred editor, e.g. nano /var/opt/scalix/m1/s/ldapsync/ad06/sync.cfg
Variables I had to modify:
JAVA_HOME=/usr/java/jre1.5.0_13
EX_HOST=172.16.0.16
EX_LOGON=cn=Administrator,cn=users,dc=test,dc=local
IM_HOST=ms01.test.local
IM_CAA_URL=http://ms01.test.local:8080/caa/
IM_CAA_NAME=sxadmin
EX_BASE1=ou=mailusers,dc=test,dc=local

9. Run the sync
/opt/scalix/bin/omldapsync -i ad06
2. Force a complete (re)load of the directory
Quit the guide.

10. Verify the sync using the admin tool
http://ms01/sac

11. Log in to the webmail
http://ms01/webmail
test.user@TEST.LOCAL
your test.user's AD password.


Now auth works. If you add more users to your OU you must run the omldapsync again.

ToDo:
Verify Kerberos auth using 2008 Server 32-bit.
Setup automatic sync between AD and Scalix.
Figure out how to log in to the webmail using only firstname.lastname
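The post edits two things by hand, the PAM stacks under /var/opt/scalix/NN/s/sys/pam.d/ and the omldapsync sync.cfg, and a mistake in either fails silently until a login misbehaves. The script below is an added example, not code from the post or from Scalix: it checks that a PAM file's active lines are exactly the three-line stack prescribed for ual.remote and smtpd.auth (so a leftover om_debug line from pamcheck, or a missing pam_deny, is caught), and it flags sync.cfg values worth a second look: an EX_LOGON that binds as Administrator when a read of one OU needs no such rights, an EX_BASE1 that is not an OU DN, and an IM_HOST that is not fully qualified (step 1 puts ms01 in forward and reverse DNS for exactly that reason). The sample files it writes are constructed from the values in the post; the function names and the check thresholds are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from Scalix): audit the PAM
# stack files and the omldapsync sync.cfg that the post has you edit.
# The sample files below are constructed so the script runs stand-alone;
# point the functions at the real paths to audit a server.

# pam_stack_ok FILE
# Succeeds only when the active (uncommented, non-blank) lines of FILE,
# with whitespace normalised, are exactly the stack the post prescribes:
#   auth sufficient om_krb5 user_unknown=ignore
#   auth required pam_deny
#   account required om_auth
# Any other active line fails the check, including the om_debug line that
# belongs in the pamcheck debugging file only.
pam_stack_ok() {
    active=$(grep -v '^[[:space:]]*#' "$1" 2>/dev/null \
        | grep -v '^[[:space:]]*$' \
        | sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//')
    expected='auth sufficient om_krb5 user_unknown=ignore
auth required pam_deny
account required om_auth'
    [ "$active" = "$expected" ]
}

# sync_cfg_issues FILE
# Prints one line per finding in a sync.cfg (variable names as in the post)
# and returns non-zero when there is at least one finding.
sync_cfg_issues() {
    rc=0
    logon=$(sed -n 's/^EX_LOGON=//p' "$1")
    base=$(sed -n 's/^EX_BASE1=//p' "$1")
    imhost=$(sed -n 's/^IM_HOST=//p' "$1")
    # Reading one OU needs no domain-admin rights; a dedicated read-only
    # bind account is the least-privilege choice.
    case "$logon" in
        "")                           echo "EX_LOGON is not set"; rc=1 ;;
        [Cc][Nn]=[Aa]dministrator,*)  echo "EX_LOGON binds as Administrator: $logon"; rc=1 ;;
    esac
    # The post scopes the sync to one OU; anything else pulls more than
    # the mail users.
    case "$base" in
        [Oo][Uu]=*,[Dd][Cc]=*) ;;
        *) echo "EX_BASE1 is not an OU DN: '$base'"; rc=1 ;;
    esac
    # Kerberos service tickets are tied to the FQDN, so IM_HOST must be one.
    case "$imhost" in
        *.*) ;;
        *) echo "IM_HOST is not a fully qualified name: '$imhost'"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample files standing in for the real paths named in the post.
SAMPLE_DIR=$(mktemp -d)
GOOD_PAM="$SAMPLE_DIR/ual.remote"
BAD_PAM="$SAMPLE_DIR/ual.remote.debug-left-in"
SYNC_CFG="$SAMPLE_DIR/sync.cfg"

# ual.remote as the post prescribes: the file's other lines commented out.
cat > "$GOOD_PAM" <<'EOF'
# (the file's original lines, commented out, sit here)
auth       sufficient om_krb5 user_unknown=ignore
auth       required   pam_deny
account    required   om_auth
EOF

# Same stack, but the pamcheck debugging line was copied in by mistake.
cat > "$BAD_PAM" <<'EOF'
auth    required   om_debug file=stderr verbosity=3
auth    sufficient om_krb5 user_unknown=ignore
auth    required   pam_deny
account required   om_auth
EOF

# sync.cfg with the values the post shows (constructed copy).
cat > "$SYNC_CFG" <<'EOF'
JAVA_HOME=/usr/java/jre1.5.0_13
EX_HOST=172.16.0.16
EX_LOGON=cn=Administrator,cn=users,dc=test,dc=local
IM_HOST=ms01.test.local
IM_CAA_URL=http://ms01.test.local:8080/caa/
IM_CAA_NAME=sxadmin
EX_BASE1=ou=mailusers,dc=test,dc=local
EOF

for f in "$GOOD_PAM" "$BAD_PAM"; do
    if pam_stack_ok "$f"; then echo "OK    $f"; else echo "FAIL  $f"; fi
done
sync_cfg_issues "$SYNC_CFG" || echo "sync.cfg: review the findings above"
```

On a real server, run `pam_stack_ok /var/opt/scalix/NN/s/sys/pam.d/ual.remote` and the same for smtpd.auth after step 3, and `sync_cfg_issues` against the sync.cfg from step 8 before the forced reload in step 9; the only finding the post's own values produce is the Administrator bind.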

tonysu

Postby tonysu » Sat Dec 06, 2008 9:23 am

Hello,
Some questions I hope someone can answer. If I'm making any wrong interpretations skimming through these instructions and trying to discern what is happening, my apologies and pls set me straight.

It looks like unlike Exchange which only stores the mailbox locally on the mailserver, does not store any User credentials locally and makes a call to the DC for any authentication, Scalix is being configured to initially sync with a DC to store a copy of Users (and credentials) locally. If this is the case, how is it being stored (hopefully encrypted)?

Your Step1 doesn't seem to describe explicitly, but your "ms01" seems to be the configured Scalix Node, not necessarily the Hostname of the Scalix Server (although by default is the same).

Am I to assume that the regular Scalix install already installs all required krb5 modules, or do those "basic" modules need to be installed into the OS? So, for instance for the RH/CentOS/Fedora and SuSE distros, you'd need to install the appropriate RPMs. If this is the case I'd guess that a slew of RPMs related to krb5, LDAP and possibly Samba would need to be installed since they are typically the components for Windows NT/AD authentication.

TIA to anyone who answers.

mhoroschun

Postby mhoroschun » Sat Dec 06, 2008 6:47 pm

tonysu wrote:
> It looks like unlike Exchange which only stores the mailbox locally on the mailserver, does not store any User credentials locally and makes a call to the DC for any authentication, Scalix is being configured to initially sync with a DC to store a copy of Users (and credentials) locally. If this is the case, how is it being stored (hopefully encrypted)?

No. omldapsync does not sync passwords. It just synchronises the users. Passwords are always authenticated in real time against the authentication server.

If you're using Outlook with Kerberos then Scalix doesn't see the password at all. Scalix just passes on the Kerberos tickets.

But if a user logs in through a non-Kerberos capable client (e.g. SWA) Scalix accepts the password and "proxies" it to the Kerberos server on the user's behalf (man om_krb5).

tonysu wrote:
> Am I to assume that the regular Scalix install already installs all required krb5 modules, or do those "basic" modules need to be installed into the OS? So, for instance for the RH/CentOS/Fedora and SuSE distros, you'd need to install the appropriate RPMs. If this is the case I'd guess that a slew of RPMs related to krb5, LDAP and possibly Samba would need to be installed since they are typically the components for Windows NT/AD authentication.

You need system krb5 packages (which are part of the base install for SLES, and I assume RHEL). You do not need Samba.

