Troubles with Active Directory Authentication

Best practice information from Scalix users relating to integration of Scalix with other products.

Moderator: ScalixSupport

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Troubles with Active Directory Authentication

Post by davidedg » Wed Oct 04, 2006 5:46 am

Hi,

I also posted the same questions on
http://www.scalix.com/community/viewtopic.php?t=3154
(but here there are more details so please answer here.)

I am having troubles with AD integration and Scalix.
My setup scenario is:

1 Domain Controller Windows 2003 Std R2 English, FQDN = w2k3std01.test.int
1 SLES 9 SP3 with Scalix 10.0.1
DNS (on the DC)
zone test.int contains:
w2k3std01 A record = 10.1.2.25
sca01 A record = 10.1.2.30
scalix-default-mail CNAME record = sca01.test.int
scalixdc CNAME record = w2k3std01.test.int
zone 10.1.2.x (reverse):
10.1.2.30 PTR record = sca01.test.int

Scalix Server installation went fine, I used these parameters:
hostname --fqdn = sca01.test.int
mailnode = sca01,test
domain = test.it (not test.int)

Schema Extension went fine (I can see the correct attributes in AD Schema Management).
ADUC GUI Extension went fine

I created some Scalix Users from the SAC and tested them with SWA and with the Outlook connector... just fine.

I then created some AD users and set up Synchronization Agreement for omldapsync:
After some trial and error, omldapsync -u AD_SX1 now correctly updates the users (I can see them in the SAC, where they are greyed out, and with any LDAP browser).

The problem is with AD *AUTHENTICATION*.
As far as I understood, the synchronization agreement cannot (nor should try to) synchronize the user passwords.

1st question: is it correct that, if I don't modify the default PAM rules, AD users can log in WITHOUT a password in Outlook and in webmail?
In fact omshowu tells me that password is *unset* for the imported AD users.

Next, I tried to use Kerberos auth and single sign on, but had many troubles.
Here's what I did:

1. Created an AD user "scalix-ual" (FirstName, DisplayName and User Logon Name are "scalix-ual").

2. Tried ktpass with the syntax indicated in the Admin Guide:

C:\Program Files\Support Tools>ktpass -princ scalix-ual/sca01.test.int@TEST.INT -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3
Targeting domain controller: w2k3std01.test.int
Using legacy password setting method
Successfully mapped scalix-ual/sca01.test.int to scalix-ual.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 69 scalix-ual/sca01.test.int@TEST.INT ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x1aa2b5c696504e29baab22f3a2118473)


But... I think there are some problems: pType is not 1 and etype is RC4-HMAC instead of DES.
In fact, in the docs (Scalix Administration Guide v10.0.1) the output for the ktpass command should be (page 119):

Successfully mapped scalix-ual/scalixserver.acme.net to scalixual.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 68 scalix-ual/scalixserver.acme.net@ACME.NET ptype 1
(KRB5_NT_PRINCIPAL)
vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0xe6fb762ad01f8a9b)
Account has been set for DES-only encryption.


2.b.:
I tried to manually force the correct parameters with:


C:\Program Files\Support Tools>ktpass.exe -princ scalix-ual/sca01.test.int@TEST.INT -mapuser scalix-ual -pass password -out scalix-ual.keytab -kvno 3 -crypto DES-CBC-MD5 -desonly -ptype KRB5_NT_PRINCIPAL
Targeting domain controller: w2k3std01.test.int
Using legacy password setting method
Successfully mapped scalix-ual/sca01.test.int to scalix-ual.
Key created.
Output keytab to scalix-ual.keytab:
Keytab version: 0x502
keysize 61 scalix-ual/sca01.test.int@TEST.INT ptype 1 (KRB5_NT_PRINCIPAL) vno 3
etype 0x3 (DES-CBC-MD5) keylength 8 (0xc4eaba894fda2554)


Is it correct?
Note that this is a Windows 2003 Std R2 domain controller and that the AD domain name ("test.int") is the *same* as the domain in the Scalix server's "hostname --fqdn" (test.int)... could these be a source of problems?

---

3.
I merged the keytab files and modified krb5.conf:


# ommergekeys /var/opt/scalix/scalix-ual.keytab
# omkrbconf -r TEST.INT -s scalixdc.test.int

-- I used the CNAME scalixdc in a first test... but then I also tried with the A record (w2k3std01.test.int), by modifying /etc/krb5.conf... any issues here?

4.
Tested Authentication with SWA and outlook.... users can login WITHOUT a password.

5.
I modified the 4 files (ual.remote, pop3, omslapdeng, smtpd.auth) under /var/opt/scalix/sys/pam.d/
They contain:


auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth


as indicated in http://www.scalix.com/community/viewtopic.php?t=3154, but it does not work.
That is, users are now not allowed to log in, either with their AD password or with a blank password.
In the login name I tried user, user@test.int, user@TEST.INT, User Surname.... none worked.

EDIT: another issue: after the modification to the PAM rules (specifically, omslapdeng), the SAC refuses my Scalix administrator (it was sxadmin@sca01.test.int).
I copied back the PAM rules for omslapdeng and the SAC worked again.


What did I do wrong? :(
Should I restart Scalix services (which ones?) after every modification?
Could you elaborate on the whole setup? Is that correct?
Thank you in advance.

Davide DG.

pgsousa
Posts: 13
Joined: Tue Oct 03, 2006 7:56 am

Post by pgsousa » Wed Oct 04, 2006 7:18 am

Hi,

I was having the same problem, and figured out that it was related to DNS. My Windows domain and DNS zone is called DOMAIN_DMN.DOMAIN.NET and the Scalix server is called scalix.domain.net. I created the zone domain.net on my DNS server, followed this howto: http://lists.centos.org/pipermail/cento ... 68632.html and it's working fine now.

I only have one issue with Outlook: some users don't detect the Scalix server and I have to store their AD password in the profile. I'm trying to figure out why. I think it has something to do with network authentication; some users are using "kerberos", others "password authentication."

Hope this helps.
PGSousa

jim mullady
Scalix
Posts: 38
Joined: Mon Feb 28, 2005 5:50 pm

Post by jim mullady » Wed Oct 04, 2006 8:37 am

A couple of things to try. Did you modify the authid of the user?
ommodu -o jsmith --authid username@TEST.INT
then next you should try the kinit command.
kinit username@TEST.INT

You should modify the 4 files before trying to authenticate to SWA and Outlook

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Post by davidedg » Wed Oct 04, 2006 10:05 am

Hi,

thanks for the rapid answers!

Pgsousa,
thanks for the info, I'll go and read the article !!

Jim,
Given your answer, something is now unclear to me:

I've set up a Synchronization Agreement, following the docs (Admin Guide 10.0.1, chapter "Integrating Scalix with Microsoft Active Directory").

I create a new user "john.wayne@test.int" in ADUC and enable it for the Scalix mailnode using the ADUC GUI Extension. Default Email is: john.wayne@test.it (not .int).

Here is the configuration of the agreement:
(settings asked and my answers are in red)

sca01:~ # omldapsync -i AD_SX1
2006-10-04 15:25:36 STATUS: Interactive for AD_SX1 started ########
Common tasks menu for syncid AD_SX1
0. Display this menu
1. Configure the LDAP dir sync settings
2. Force a complete (re)load of the directory
3. Update the directory after some changes
4. Accept previous error and update directory
5. Skip previous error and update directory
6. Update the directory and prompt for error
7. Modify all sync records from the directory
8. Delete all sync records in the directory
d. Toggle debug mode from current setting <0>
n. Toggle test mode from current setting <>
q. Quit
INPUT: Please enter an option (0):1
2006-10-04 15:25:38 STATUS: Configuration of AD_SX1 started ########
INPUT: Edit config file now y/n (n):y
INPUT: Use vi to edit y/n (n):n
##################################################################
#
# Scalix LDAP Directory Synchronization configuration
# NOTE: this file must be edited with care before use
# Interactively editable fields are controlled by the following:
EDIT_PROMPT=JAVA_HOME EX_HOST EX_LOGON EX_PASS IM_HOST IM_CAA_URL IM_CAA_KEYSTORE IM_CAA_NAME IM_CAA_PASS EX_BASE1 EX_BASE2 EX_BASE3 IM_OMADDRESS
# Sync agreement type - see omldapsync man page
TYPE_ID=11
# Sync agreement id - set by argument
SYNC_ID=AD_SX1
# NEXT_SYNCID: next sync agreement id to be executed after current
# agreement has completed, e.g. user sync followed by group sync
NEXT_SYNCID=
# JAVA_HOME: home directory of java installation
# e.g. "/usr/java/j2sdk1.4.2_02"
JAVA_HOME[/usr/java/jre1.5.0_04]:
# The class path required by omldapagent java application (under
# /opt/scalix/svr/java/bin) is setup automatically by omldapsync to
# access dependent java libraries (under /opt/scalix/svr/java/lib)
##################################################################
#
# PART 1 General Configuration
##################################################################
# This section covers the settings required for tools to access
# both the remote and local systems for import or export.
# The general format is one or more line of <tag>=<value>
# Line starts with '#' is treated as comment
# When edited using omldaputil, do one of the following:
# -press <enter> to accept the default offered inside []
# -type in alternative <value> and press <enter>
# -do not quote the value with "" or ''
#
# PART 1.1 for IMPORT - remote host
##########################################
# EX_HOST: remote LDAP directory server name or IP address
# e.g. "remote_server.your_domain.com" or "192.168.1.216"
EX_HOST[scalixdc.test.int]:
# EX_PORT: LDAP server port number
# e.g. "389" is normally used
EX_PORT=389
# EX_LOGON: user that can search/delete/add/modify directory
# your administrator or migration account is often used
# e.g. "cn=Export Admin,cn=users,dc=your_org,dc=com"
EX_LOGON[cn=scalixsync,cn=Users,dc=test,dc=int]:
# EX_PASS: user password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
EX_PASS[scalixsync]:
#
# PART 1.2 for IMPORT - local host
#########################################
# IM_HOST: local Scalix directory server name
# must specify FQDN where internet and user group will be imported
# e.g. "local_server.your_domain.com"
IM_HOST[sca01.test.int]:
# IM_CAA_URL: Scalix CAA service url - must end with "/"
# e.g. "http://local_server.your_domain.com:8080/caa/"
IM_CAA_URL[http://sca01.test.int/caa/]:
# IM_CAA_KEYSTORE: Scalix CAA service keystore for HTTPS only
# e.g "/var/opt/scalix/ldapsync/keystore"
IM_CAA_KEYSTORE[]:
# IM_CAA_ID: service login session-id
# e.g. "12345"
IM_CAA_ID=12345
# IM_CAA_NAME: service login auth-id, must have Scalix admin capability
# e.g. "user_name@your_domain.com"
IM_CAA_NAME[sxadmin@sca01.test.int]:
# IM_CAA_PASS: service login password, or leave it blank so that omldapsync
# will prompt for it when executing import or export agreement
# NOTE: the prompt will prevent complete automation of sync process
IM_CAA_PASS[sxadmin]:
# IM_DELETE_MAILBOX: whether sync of mailbox delete will be applied to Scalix
# NOTE: set to "FALSE" to keep the mailbox and handle the deletion manually
IM_DELETE_MAILBOX=TRUE
# IM_FAIL2WARN_OPCODES: space separated list of opcodes that will be changed
# from failure to warning, a way to auto ignore certain type of error
# opcodes for add/modify/delete users=1/4/7 and groups=2/5/8
# opcodes for add/modify/delete members=3/3/9 and limits=12/12/-
# NOTE: should use a whole set, e.g. "3 9" to auto ignore all members error
IM_FAIL2WARN_OPCODES=
#
# PART 1.3 for IMPORT - ldap parameters
#######################################
# EX_SCALIX_ATTRS: list of reserved Scalix attributes in external directory
# to administer Scalix user/group from this remote master source
# e.g. "EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG ..."
EX_SCALIX_ATTRS=SCALIXHIDEUSERENTRY SCALIXMAILBOXCLASS SCALIXLIMITMAILBOXSIZE SCALIXLIMITOUTBOUNDMAIL SCALIXLIMITINBOUNDMAIL SCALIXLIMITNOTIFYUSER EX_SCALIX_MAILBOX EX_SCALIX_MAILNODE EX_SCALIX_MSGLANG EX_SCALIX_ADMIN EX_SCALIX_MBOXADMIN
# SCALIXHIDEUSERENTRY: name of attribute to specify whether the user entry
# should be hidden from Outlook address book
# e.g. "scalixHideUserEntry"
SCALIXHIDEUSERENTRY=scalixHideUserEntry
# SCALIXMAILBOXCLASS: name of attribute to specify whether the mailbox class
# should have full or limited features
# e.g. "scalixMailboxClass"
SCALIXMAILBOXCLASS=scalixMailboxClass
# SCALIXLIMITMAILBOXSIZE: name of attribute to specify whether Scalix limit
# on mailbox size is required, must use a numerical value >= zero
# e.g. "scalixLimitMailboxSize"
SCALIXLIMITMAILBOXSIZE=scalixLimitMailboxSize
# SCALIXLIMITOUTBOUNDMAIL: name of attribute to specify whether Scalix limit
# on outbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitOutboundMail"
SCALIXLIMITOUTBOUNDMAIL=scalixLimitOutboundMail
# SCALIXLIMITINBOUNDMAIL: name of attribute to specify whether Scalix limit
# on inbound mail is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitInboundMail"
SCALIXLIMITINBOUNDMAIL=scalixLimitInboundMail
# SCALIXLIMITNOTIFYUSER: name of attribute to specify whether Scalix limit
# on notify user is required, must use a boolean value "true" or "false"
# e.g. "scalixLimitNotifyUser"
SCALIXLIMITNOTIFYUSER=scalixLimitNotifyUser
# EX_SCALIX_MAILBOX: name of attribute to specify whether Scalix mailbox
# is required, yes if value is set to "true" or "scalix"
# e.g. "scalixScalixObject"
EX_SCALIX_MAILBOX=scalixScalixObject
# EX_SCALIX_MAILNODE: name of attribute to specify which Scalix mailnode
# to add the mailbox, must use "<ou1>,<ou2>,<ou3>,<ou4>" format
# e.g. "scalixMailnode"
EX_SCALIX_MAILNODE=scalixMailnode
# EX_SCALIX_MSGLANG: name of attribute to specify which Scalix message
# catalog language to use for client, default to "C" if not set
# e.g. "scalixServerLanguage"
EX_SCALIX_MSGLANG=scalixServerLanguage
# EX_SCALIX_ADMIN: name of attribute to specify whether to give the user
# Scalix admin capability, yes if value is set to "true"
# e.g. "scalixAdministrator"
EX_SCALIX_ADMIN=scalixAdministrator
# EX_SCALIX_MBOXADMIN: name of attribute to specify whether to give the user
# Scalix mailbox-admin capability, yes if value is set to "true"
# e.g. "scalixMailboxAdministrator"
EX_SCALIX_MBOXADMIN=scalixMailboxAdministrator
# EX_ATTR: attributes to extract from remote system for import
# e.g. "objectclass displayName sn givenname initials mail proxyAddresses mailNickname <etc>"
EX_ATTR=scalixHideUserEntry scalixMailboxClass scalixLimitMailboxSize scalixLimitOutboundMail scalixLimitInboundMail scalixLimitNotifyUser scalixScalixObject scalixMailnode scalixServerLanguage scalixAdministrator scalixMailboxAdministrator userAccountControl member distinguishedName userPrincipalName objectclass name displayName sn givenname initials mail scalixEmailAddress mailNickname objectGUID textEncodedORaddress facsimileTelephoneNumber homephone streetAddress st telephoneNumber title c company department description l mobile pager physicalDeliveryOfficeName postalCode secretary
# EX_BASEn: search base(s) to extract entries from remote system
# specify a container name and its full LDAP suffix
# e.g. "cn=users,dc=your_org,dc=com"
EX_BASE1[OU=OU_Utenti,DC=test,DC=int]:
EX_BASE2[]:
EX_BASE3[]:

EX_BASE4=
EX_BASE5=
EX_BASE6=
EX_BASE7=
EX_BASE8=
EX_BASE9=
# NOTE: extra EX_BASE10 upto EX_BASE200 can be defined here
# EX_FILTER: search filter to include/exclude entries to import
# e.g. "(&(cn=*)(mail=*))" for any cn AND mail
EX_FILTER=(&(cn=*)(mail=*))
# IM_OMADDRESS: Scalix address where entries are imported
# NOTE: this is a route which you configure for coexistence
# e.g. "/internet,tnef" or "internet,tnef"
IM_OMADDRESS[/internet,tnef]:
# EX_GUID: the remote tag name for extracting Foreign GUID
# e.g. "objectGUID"
EX_GUID=objectGUID
# LDAPCT_BIN_ATT: must set value to EX_GUID if it is a binary attribute
# e.g. "objectGUID"
LDAPCT_BIN_ATT=objectGUID
# EX_PAGESIZE: use pagesize control extension to overcome search limit
# e.g. "100"
EX_PAGESIZE=1000
#
# PART 1.4 for EXPORT - ldap parameters
#######################################
# NOTE: export is not supported for this agreement type
#
# PART 2 Mapping Configuration
#################################################################
# WARNING: refer to documentation before editing the tables.
# This section defines the mappings required in order to map data
# between the remote and local LDAP systems for import or export.
# The general format is <lines of value> enclosed by markers.
# When edited using omldaputil, do one of the following:
# -press <enter> to accept the default offered inside []
# -type in alternative value and press <enter>
# -type in '-' to remove the line offered
# -type in '+<value> to insert it before current line
# For more details on all mapping rules see omldaputil man page.
#
# PART 2.1 for IMPORT - mapping table
#####################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in IM_MV_ATTR, only keep first instances
#####################################
# primary mapping table
IM_MAPPING_TABLE=
# tag the entry using sync agreement name
|ADMINISTERED-BY|*|ldapsync-AD_SX1
# scalix reserved attributes
scalixHideUserEntry|EX-CDA-DIRECTORY|TRUE|1
scalixHideUserEntry|EX-CDA-DIRECTORY|FALSE|
scalixMailboxClass|UL-CLASS|*|*
scalixLimitMailboxSize|scalixLimitMailboxSize|*|*
scalixLimitOutboundMail|scalixLimitOutboundMail|*|*
scalixLimitInboundMail|scalixLimitInboundMail|*|*
scalixLimitNotifyUser|scalixLimitNotifyUser|*|*
scalixScalixObject|omMailbox|*|*
scalixMailnode|omMailnode|*|*
scalixServerLanguage|UL-IL|*|*
scalixAdministrator|ADMIN|*|*
scalixMailboxAdministrator|MBOXADMIN|*|*
# mailbox locking
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGUNSET=2|unlock
userAccountControl|ACCOUNT_STATUS|*,1,10!FLAGISSET=2|lock
# scalix object classes
objectClass|*|group|distributionList
objectClass|*|organizationalPerson|*
objectClass||*|#ignore others
# distinguished name
dn|*|*|*
# global unique id
objectGUID|GLOBAL-UNIQUE-ID|*|*
# common name
name|CN|*,1,64!ISMISSING=displayname|*
name||*|#suppress it otherwise
displayName|CN|*,1,64|*
# initial
initials|I|*,1,5|*
# surname
sn|S|*,1,40|*
# extract surname substitute if real is missing
textEncodedORaddress|S|*|!CUSTOM=EX_TEXT_EOA_TO_SN
# givenname if surname is present
givenName|G|*,1,16!ISPRESENT=surname|*
givenName||*|#suppress it otherwise
# primary internet address for non-scalix user
mail|INTERNET-ADDR|*,1,512!ISMISSING=scalixemailaddress|*
mail||*|#suppress it otherwise
# all internet addresses for scalix user
scalixEmailAddress|INTERNET-ADDR|*,1,512|*
# map to alias
mailNickname|ALIAS|*,1,16|*
# the DN of the entry
distinguishedName|FOREIGN-ADDR|*,1,512|*
# the DN of the group member
member|omMemberForeignAddr|*|*
# authentication id - note upshift the REALM part for SSO
userPrincipalName|UL-AUTHID|*,1,256|!TOUPPER=@|
# informational attributes
facsimileTelephoneNumber|FAX|*,1,32|!CUSTOM=TO_PS_STR
homephone|HOME-PHONE|*,1,32|!CUSTOM=TO_PS_STR
streetAddress|STREET-ADDRESS|*,1,128|!REPLACE=\015\012|\012
st|STATE-OR-PROVINCE|*,1,128|*
telephoneNumber|PHONE-1|*,1,32|!CUSTOM=TO_PS_STR
title|TITLE|*,1,128|*
c|CNTRY|*,1,2|*
company|EMPL-ORG|*,1,64|*
department|EMPL-DEPT|*,1,32|*
description|ENTRY-DESC|*,1,1024|!REPLACE=\015\012|\012
l|L|*,1,128|*
mobile|MOBILE-PHONE|*,1,32|!CUSTOM=TO_PS_STR
pager|PAGER-PHONE|*,1,32|!CUSTOM=TO_PS_STR
physicalDeliveryOfficeName|PD-OFFICE-NAME|*,1,128|*
postalCode|POSTAL-CODE|*,1,40|*
secretary|ASSISTANT-PHONE|*,1,32|!CUSTOM=TO_PS_STR
#Telephone-Office2|PHONE-2|*,1,32|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#IM_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# PART 2.2 for EXPORT - mapping tables
######################################
# Table format/content/comment:
# <table begin marker>
# <table end marker>
# except those in EX_MV_ATTR, only keep first instances
#####################################
# primary mapping table
EX_MAPPING_TABLE=
*|*|*|*
=END_MAPPING_TABLE
#####################################
# secondary mapping table
#EX_MAPPING_TABLE2=
#*|*|*|*
#=END_MAPPING_TABLE
#
# END
#################################################################
Result=0
INPUT: Compare old config to new y/n (n):n
INPUT: Replace old config with new y/n (?):y

2006-10-04 15:25:59 STATUS: renamed old sync.cfg to sync.last
2006-10-04 15:25:59 STATUS: installed updated config sync.cfg
INPUT: Attempt to test data extraction now y/n (n):y
2006-10-04 15:25:55 INFO: test searching from scalixdc.test.int ...
2006-10-04 15:25:55 INFO: search base is OU=OU_Utenti,DC=test,DC=int
2006-10-04 15:25:55 INFO: ... test searched OK.
2006-10-04 15:25:55 INFO: test listing servers from http://sca01.test.int/caa/ ...
2006-10-04 15:25:56 INFO: ... found sca01.test.int OK.
2006-10-04 15:25:56 INFO: test listing mailnodes on sca01.test.int ...
2006-10-04 15:25:57 INFO: ... found mailnode OK.
2006-10-04 15:25:57 STATUS: Configuration of AD_SX1 completed ########
Common tasks menu for syncid AD_SX1
0. Display this menu
1. Configure the LDAP dir sync settings
2. Force a complete (re)load of the directory
3. Update the directory after some changes
4. Accept previous error and update directory
5. Skip previous error and update directory
6. Update the directory and prompt for error
7. Modify all sync records from the directory
8. Delete all sync records in the directory
d. Toggle debug mode from current setting <0>
n. Toggle test mode from current setting <>
q. Quit
INPUT: Please enter an option (0):q
2006-10-04 15:26:00 STATUS: Interactive for AD_SX1 completed ########


This is the output of the synchronization after adding the user john.wayne:

sca01:~ # omldapsync -u AD_SX1
2006-10-04 15:37:05 STATUS: LDAP dir sync import AD_SX1 started ###############
2006-10-04 15:37:06 INFO: work dir is /var/opt/scalix/ldapsync/AD_SX1/import
2006-10-04 15:37:06 STATUS: search source directory on scalixdc.test.int ...
2006-10-04 15:37:06 INFO: search base is OU=OU_Utenti,DC=test,DC=int
2006-10-04 15:37:06 INFO: ... 8 entries to check
2006-10-04 15:37:06 STATUS: find delta and perform mapping ...
2006-10-04 15:37:07 INFO: ... 0 entries to delete
2006-10-04 15:37:07 INFO: ... 1 entries to add
2006-10-04 15:37:07 INFO: ... 0 entries to modify
2006-10-04 15:37:07 STATUS: apply membdelete data against Scalix ...
2006-10-04 15:37:07 INFO: ... 0 entries passed for member.curr
2006-10-04 15:37:07 INFO: ... 0 entries failed for member.curr
2006-10-04 15:37:07 INFO: ... 0 entries warned for member.curr
2006-10-04 15:37:07 STATUS: apply delete data against Scalix ...
2006-10-04 15:37:07 INFO: ... 0 entries passed for delete.curr
2006-10-04 15:37:07 INFO: ... 0 entries failed for delete.curr
2006-10-04 15:37:07 INFO: ... 0 entries warned for delete.curr
2006-10-04 15:37:07 STATUS: apply add data against Scalix ...
2006-10-04 15:37:10 INFO: ... 1 entries passed for add.curr
2006-10-04 15:37:10 INFO: ... 0 entries failed for add.curr
2006-10-04 15:37:10 INFO: ... 0 entries warned for add.curr
2006-10-04 15:37:10 STATUS: apply limit data against Scalix ...
2006-10-04 15:37:11 INFO: ... 1 entries passed for add.curr
2006-10-04 15:37:11 INFO: ... 0 entries failed for add.curr
2006-10-04 15:37:11 INFO: ... 0 entries warned for add.curr
2006-10-04 15:37:11 STATUS: apply modify data against Scalix ...
2006-10-04 15:37:11 INFO: ... 0 entries passed for modify.curr
2006-10-04 15:37:11 INFO: ... 0 entries failed for modify.curr
2006-10-04 15:37:11 INFO: ... 0 entries warned for modify.curr
2006-10-04 15:37:11 STATUS: apply limit data against Scalix ...
2006-10-04 15:37:11 INFO: ... 0 entries passed for modify.curr
2006-10-04 15:37:11 INFO: ... 0 entries failed for modify.curr
2006-10-04 15:37:11 INFO: ... 0 entries warned for modify.curr
2006-10-04 15:37:11 STATUS: apply membadd data against Scalix ...
2006-10-04 15:37:12 INFO: ... 0 entries passed for member.curr
2006-10-04 15:37:12 INFO: ... 0 entries failed for member.curr
2006-10-04 15:37:12 INFO: ... 0 entries warned for member.curr
2006-10-04 15:37:12 STATUS: apply membmodify data against Scalix ...
2006-10-04 15:37:12 INFO: ... 0 entries passed for member.curr
2006-10-04 15:37:12 INFO: ... 0 entries failed for member.curr
2006-10-04 15:37:12 INFO: ... 0 entries warned for member.curr
2006-10-04 15:37:12 STATUS: LDAP dir sync import AD_SX1 completed #############
2006-10-04 15:37:12 STATUS: LDAP dir sync export AD_SX1 started ###############
2006-10-04 15:37:12 INFO: agreement type 11 only supports import operation
2006-10-04 15:37:12 STATUS: LDAP dir sync export AD_SX1 completed #############
sca01:~ #


Now (I have not used ommodu or kinit yet), omshowu shows me this:


sca01:~ # omshowu "John Wayne"
Authentication ID: john.wayne@TEST.INT
User Name : John Wayne /CN=John Wayne
MailNode : sca01,test
Internet Address : "John Wayne" <john.wayne@test.it>
System Login : 60548
Password : unset
Admin Capabilities : NO
Mailbox Admin Capabilities : NO
Language : ENGLISH
Virtual Vault : Enabled (default)
Mail Account: Unlocked
Last Signon : Never.
Receipt of mail : ENABLED
Service level : 0
Excluded from Tidying : NO
User Class : Full


As you can see, the authentication ID for the user is john.wayne@TEST.INT
Isn't it already ready? I mean, how should I use the ommodu command you suggest?

In fact, what is unclear to me is that you suggest running the ommodu command against a user "jsmith"... but where should this user exist? On Scalix or on AD?
In my example, user "john.wayne" is created on AD and exists in Scalix only thanks to the synchronization agreement.
Moreover, I don't understand how I should use the ommodu command, since the authentication ID for the user is already set up, without doing anything other than running omldapsync.


As for the kinit command, I tried with


sca01:~ # kinit john.wayne@TEST.INT
john.wayne@TEST.INT's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week


But still no luck (no SWA and no Outlook, "Incorrect password or username").
I modified the 4 files for the pam rules, but no luck :(

Thank you for the support :)
Best Regards.
Davide DG.



jim mullady
Scalix
Posts: 38
Joined: Mon Feb 28, 2005 5:50 pm

Post by jim mullady » Wed Oct 04, 2006 11:16 am

Okay, the authid is correct then. The jsmith was just an example.

It appears that the kinit was successful: it prompted you for the AD password, you entered it correctly and it came back to a prompt.

When you log on to SWA, are you using the AD logon as the user name and the AD password?

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Post by davidedg » Wed Oct 04, 2006 11:40 am

It appears that the kinit was successful: it prompted you for the AD password, you entered it correctly and it came back to a prompt.


Yes.

When you log on to SWA, are you using the AD logon as the user name and the AD password?


Yes:
Username: john.wayne (User Logon Name under the Account tab in the account properties in ADUC).
Password: AD password.

I repost the content of the PAM rules (all 4 files are identical):


sca01:/var/opt/scalix/sys/pam.d # cat ual.remote
# Active Directory Authentication

auth required om_krb5 user_unknown=ignore
auth optional om_auth use_first_pass
account required om_auth
password required om_auth


Did I configure the DNS zones correctly?
AD Domain is test.int
Scalix Domain (set during the installer wizard) is test.it
Scalix server (linux) domain name is test.int (hostname --fqdn is "sca01.test.int").

Where should I create the DNS entries sca01 and scalix-default-mail? That is, under which zone? test.it or test.int?

This thing is driving me crazy :(
Where can I activate the logs ?

Thanks for the support.
Davide DG.

jim mullady
Scalix
Posts: 38
Joined: Mon Feb 28, 2005 5:50 pm

Post by jim mullady » Wed Oct 04, 2006 11:58 am

In /var/opt/scalix/tmp, create a file called omsckd.log

# touch omsckd.log

then try connecting via Outlook and see what we have in there.

pgsousa
Posts: 13
Joined: Tue Oct 03, 2006 7:56 am

Post by pgsousa » Wed Oct 04, 2006 1:38 pm

You should create those entries on scalix dns, and should configure ktpass.exe to use scalix domain with domain REALM. That's how I solved my problem.

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Post by davidedg » Wed Oct 04, 2006 3:27 pm

pgsousa,

I configured the Scalix server to use the Domain Controller's DNS.
Do you mean that I should configure a DNS server on the Linux server?
Or that I should create a new zone ("test.it") in Windows DNS?
and then use ktpass with REALM = TEST.IT?

Moreover... should the Linux domain name be equal to the Scalix domain name?
In my test scenario, the Scalix Domain Name is test.it, while the machine domain name is test.int

I set it up this way because I thought of the Linux server as a "member" of the Windows domain... so I gave it the same domain.
But then, in the Scalix installer wizard, I gave test.it as the domain.... maybe the error is here?

Jim,

thanks for the answer, tomorrow I'll give it a try.
Meanwhile, could you check my configuration, regarding the DNS issues that pgsousa suggests?

Thank you both for the quick answers :)

Davide DG.

pgsousa
Posts: 13
Joined: Tue Oct 03, 2006 7:56 am

Post by pgsousa » Wed Oct 04, 2006 8:09 pm

You should create a new DNS zone on your Windows AD server referring to your Linux domain. Then create scalix-default-linux in your new DNS zone. The AD server has to resolve your Linux domain.

In ktpass you should have something like this:

ktpass -princ scalix-ual/scalixserver.linuxdomain.net@WINDOWSDOMAIN.NET -mapuser scalixual -pass password -out scalix-ual.keytab -kvno 3

There's nothing wrong with having 2 different domains, I have that configuration too.

Please note that I'm not a scalix expert, but I was having the same issues as you, and that's how it worked for me.

Hope this helps,
pgsousa

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Post by davidedg » Thu Oct 05, 2006 8:35 am

When trying to connect with outlook client:

/var/opt/scalix/tmp/omsckd.log:

10750 2006-10-05 14:13:40 *** Scalix UAL Session Start
10750 2006-10-05 14:13:40 Initial PhysicalBlockSize: 32
10750 2006-10-05 14:13:40 Initial LogicalBlockSize: 32
10750 2006-10-05 14:13:40 Initial LogicalBytesLeft: 0
10750 2006-10-05 14:13:40 Requested Flags: NO_LOW_LEVEL_ACKS LOGICAL_BLK_COMPRESSION LOGICAL_BUFF_28_KB SERVER_PUSH_NOTIFS APPENDED_FT_DATA (0x2f00)
10750 2006-10-05 14:13:40 Requested Blocksize: 0
10750 2006-10-05 14:13:40 ActualFlags: NO_LOW_LEVEL_ACKS LOGICAL_BUFF_28_KB SERVER_PUSH_NOTIFS APPENDED_FT_DATA (0x2d00)
10750 2006-10-05 14:13:40 Actual Blocksize: 28672
10750 2006-10-05 14:13:40 logical block: phys=40, logical=32, left=0, flags=0 (read so far: 0)
10750 2006-10-05 14:13:40 argv[0] = "99"
10750 2006-10-05 14:13:40 argv[1] = "0"
10750 2006-10-05 14:13:40 argv[2] = "1"
10750 2006-10-05 14:13:40 argv[3] = "0"
10750 2006-10-05 14:13:40 argv[4] = "GSSAPI"
10750 2006-10-05 14:13:40 argv[5] = "scalix-ual"
10750 2006-10-05 14:13:40 argv[6] = "1"
10750 2006-10-05 14:13:40 SASL(NOTE): om_gssapi initialised
10750 2006-10-05 14:13:40 SASL challenge (708): (nil)
10750 2006-10-05 14:13:40 logical block: phys=1616, logical=1608, left=0, flags=0 (read so far: 0)
10750 2006-10-05 14:13:40 argv[0] = "99"
10750 2006-10-05 14:13:40 argv[1] = "0"
10750 2006-10-05 14:13:40 argv[2] = "2"
10750 2006-10-05 14:13:40 argv[3] = ""
10750 2006-10-05 14:13:40 argv[4] = ""
10750 2006-10-05 14:13:40 argv[5] = ""
10750 2006-10-05 14:13:40 argv[6] = "1"
10750 2006-10-05 14:13:40 argv[7] = "YIIEiAYJKoZIhvcSAQICAQBuggR3MIIEc6ADAgEFoQMCAQ6iBwMFAAAAAACjggOfYYIDmzCCA5eg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"
10750 2006-10-05 14:13:40 SASL(TRACE): om_gssapi accept security context
10750 2006-10-05 14:13:40 SASL(TRACE): GSSAPI: actual server name: "scalix-ual/sca01.test.int@TEST.INT"
10750 2006-10-05 14:13:40 SASL(TRACE): GSSAPI error while accepting security context: Miscellaneous failure (see text)
10750 2006-10-05 14:13:40 SASL(TRACE): GSSAPI error while accepting security context: failed to find scalix-ual/sca01.test.int@TEST.INT(kvno 3) in keytab FILE:/etc/krb5.keytab
10750 2006-10-05 14:13:40 SASL authentication result: SASL(-13): authentication failure: GSSAPI error while accepting security context: failed to find scalix-ual/sca01.test.int@TEST.INT(kvno 3) in keytab FILE:/etc/krb5.keytab

10750 2006-10-05 14:13:40 SASL challenge (655): (nil)
10750 2006-10-05 14:13:40 logical block: phys=43, logical=35, left=0, flags=0 (read so far: 0)
10750 2006-10-05 14:13:40 argv[0] = "100"
10750 2006-10-05 14:13:40 argv[1] = "0"
10750 2006-10-05 14:13:40 argv[2] = "3"
10750 2006-10-05 14:13:40 argv[3] = "8388608"
10750 2006-10-05 14:13:40 argv[4] = ""
10750 2006-10-05 14:13:40 argv[5] = ""
10750 2006-10-05 14:13:40 argv[6] = ""
10750 2006-10-05 14:13:40 argv[7] = "ISO8859_1"
10750 2006-10-05 14:13:40 argv[8] = ""
10750 2006-10-05 14:13:40 argv[9] = ""
10750 2006-10-05 14:13:40 argv[10] = ""


File /etc/krb5.keytab contains this (copied from vi):

^E^B^@^@^@A^@^B^@^HTEST.INT^@
scalix-ual^@^Nsca01.test.int^@^@^@^AE#fs^C^@^C^@^HÃ
                                                   ÃƒÂªÃ‚º<89>OÃ%T^@^@^@^C



Is it a DNS issue? Or did I fail to use ktpass?
I'm going to create a new zone on the Windows DNS, named test.it, and try again to export the keytab with a fresh new account "scalix-ual" and post the results.
Should I also change the domain name of the Linux machine?! (I think this could be a problem.... I see "test.int" appears in many places in /etc ... sendmail.cf for example).

Anyway... I don't like the idea of creating a new zone for a public domain ("test.it")... I am used to the Exchange-style approach: the domain in DNS is internal (.int, .local and so on) and then I can choose to create a default policy for the addresses specifying the "real" domain. What is the best approach to this with scalix?
Reinstalling the software is not a problem, because I am working with vmware server and I have backups.

Any other hints?
Thank you so much for the help so far :)

Davide DG.
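As an added example (not code from the thread or from Scalix), here is a small Python check that reads the failure line from an omsckd.log excerpt like the one above and then parses a version 2 keytab to list which principal, kvno and enctype each entry holds, so the file can be inspected without opening it in vi. The sample log lines and the keytab bytes are constructed: the keytab is laid out like the dump in the post (realm TEST.INT, principal scalix-ual/sca01.test.int, kvno 3, enctype 3, 8-byte key), but the key bytes and the extra kvno 2 entry are placeholders.

```python
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: two lines modelled on the omsckd.log excerpt in the post above.
SAMPLE_LOG = (
    '10750 2006-10-05 14:13:40 SASL(TRACE): GSSAPI: actual server name: '
    '"scalix-ual/sca01.test.int@TEST.INT"\n'
    '10750 2006-10-05 14:13:40 SASL(TRACE): GSSAPI error while accepting security '
    'context: failed to find scalix-ual/sca01.test.int@TEST.INT(kvno 3) in keytab '
    'FILE:/etc/krb5.keytab\n'
)
# Lookup failure as logged: "failed to find <principal>(kvno N) in keytab FILE:<path>"
KEYTAB_FAIL_RE = re.compile(
    r"failed to find (?P<princ>[^\s(]+)\(kvno (?P<kvno>\d+)\) in keytab FILE:(?P<path>\S+)")
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def expected_from_log(log_text: str) -> Optional[Tuple[str, int, str]]:
    """(principal, kvno, keytab path) from the first lookup failure in the log, or None."""
    for line in log_text.splitlines():
        m = KEYTAB_FAIL_RE.search(line)
        if m:
            return m.group("princ"), int(m.group("kvno")), m.group("path")
    return None

@dataclass
class KeytabEntry:
    principal: str      # service/host@REALM
    kvno: int
    enctype: int
    timestamp: int

def _counted(buf: bytes, off: int) -> Tuple[str, int]:
    """Read a 16-bit length-prefixed string at off; return (string, next offset)."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2:off + 2 + n].decode("ascii"), off + 2 + n

def _parse_entry(body: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack(">H", body[:2])
    realm, off = _counted(body, 2)
    comps = []
    for _ in range(ncomp):
        comp, off = _counted(body, off)
        comps.append(comp)
    _name_type, timestamp, vno8 = struct.unpack(">IIB", body[off:off + 9])
    enctype, klen = struct.unpack(">HH", body[off + 9:off + 13])
    off += 13 + klen                 # skip the key material itself
    kvno = vno8
    if off + 4 <= len(body):         # optional 32-bit vno stored after the key
        (vno32,) = struct.unpack(">I", body[off:off + 4])
        kvno = vno32 or vno8
    return KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, timestamp)

def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Parse a version 2 (0x0502) keytab, the on-disk format of MIT krb5 and Heimdal."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        if size == 0:
            break
        entries.append(_parse_entry(data[pos:pos + size]))
        pos += size
    return entries

def find_matching(entries, principal, kvno, enctype=None):
    """A keytab lookup must match principal, kvno and the ticket's enctype."""
    return [e for e in entries if e.principal == principal and e.kvno == kvno
            and (enctype is None or e.enctype == enctype)]

def diagnose(log_text: str, keytab: bytes) -> dict:
    """Compare what the log says the server looked for with what the keytab holds."""
    expected = expected_from_log(log_text)
    if expected is None:
        return {"found_failure": False}
    princ, kvno, path = expected
    entries = parse_keytab(keytab)
    hits = find_matching(entries, princ, kvno)
    return {"found_failure": True, "principal": princ, "kvno": kvno, "path": path,
            "principal_kvno_matches": len(hits),
            "enctypes_for_match": [ENCTYPE_NAMES.get(e.enctype, str(e.enctype)) for e in hits],
            "all_kvnos_for_principal": sorted({e.kvno for e in entries if e.principal == princ})}

def _build_entry(principal: str, kvno: int, enctype: int, key: bytes, ts: int) -> bytes:
    """Serialise one entry; used only to construct the sample keytab below."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode("ascii")
    body += struct.pack(">IIB", 1, ts, kvno & 0xFF) + struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed keytab laid out like the vi dump in the post (realm TEST.INT, principal
# scalix-ual/sca01.test.int, kvno 3, enctype 3 = des-cbc-md5, 8-byte key); the key
# bytes and the older kvno 2 entry are placeholders, not the poster's data.
CONSTRUCTED_KEYTAB = (b"\x05\x02"
    + _build_entry("scalix-ual/sca01.test.int@TEST.INT", 3, 3, b"\x11" * 8, 0x45236673)
    + _build_entry("scalix-ual/sca01.test.int@TEST.INT", 2, 23, b"\x22" * 16, 0x45236000))

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, CONSTRUCTED_KEYTAB))
```

To use it on a real file, pass open("/etc/krb5.keytab", "rb").read() and the log text to diagnose(). The output shows whether the principal and kvno the server asked for exist at all, and with which enctypes; a keytab lookup has to match all three, so an entry with the right name and kvno but an enctype the ticket was not encrypted with still fails.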

jim mullady
Scalix
Scalix
Posts: 38
Joined: Mon Feb 28, 2005 5:50 pm

Postby jim mullady » Thu Oct 05, 2006 9:35 am

Still looks like some issue in the keytab file. Try recreating it again. Actually, why don't you delete the existing user and just follow the steps in the admin guide chapter 18 to set up the SSO again.

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Postby davidedg » Thu Oct 05, 2006 10:21 am

Jim,

I am more inclined to just restore from backup and reinstall Scalix from scratch.
This will be useful as an exercise, too.

I just ask you to answer the DNS question:

I have an AD domain "test.local", which is a private (not public) domain.
My Internet (public) Domain will be "test.it"
I want to create and handle my Scalix mailboxes in AD.

--->>> What is the *best* approach in configuring :
1) the linux domain name (the "hostname --fqdn" stuff)
2) the Scalix domain name (set up during the installer wizard)


Please, be as detailed as you can: think that I've always used Exchange, so I may be missing some obvious concept in this field.

Meanwhile, thank you for your help.

Davide DG.

jim mullady
Scalix
Scalix
Posts: 38
Joined: Mon Feb 28, 2005 5:50 pm

Postby jim mullady » Thu Oct 05, 2006 12:18 pm

For the Linux server name, make an entry in DNS for it; as for the mail domain (test.it), that would be covered by the MX record that points it back to the Scalix server. No problem with the Scalix mail domain. Chapter 18 in the admin guide has a well documented way to set up the scalix-default-mail in Windows DNS with forward and reverse lookup zones.

I still think that something was entered wrong when we created the keytab. Follow the steps in Chapter 18, then use kinit to test it, and then create the 4 files.

davidedg
Posts: 27
Joined: Mon Oct 02, 2006 1:08 pm

Postby davidedg » Thu Oct 05, 2006 1:20 pm

Sorry... I still don't understand how the hostname and the Scalix domain are related.

Please just read the following and answer with a yes or no :)


Based on my last post (AD domain = test.local) will it work if I do the following:

1) during linux sles setup, assign hostname = scalix.test.local
2) during scalix setup, assign domain = test.it
3) in windows dns, under forward zone "test.local", create these:
- A-record "scalix.test.local" with IP of the scalix server
- CNAME record "scalix-default-mail" which points to "scalix.test.local"
in the reverse lookup zone, create this:
- PTR record with IP of the scalix server, which points to "scalix.test.local"

Will it work with these settings??? Yes or no??

(This would be very similar to how I configure an Exchange server: the mail server is a "member" of the AD domain, just for the dns settings of course).

If yes... then my errors are related to the ktpass syntax.
If no... well... we'll see... :(


Thank you for your patience :roll:
Davide DG.
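As an added example (not from the thread or from Scalix), the records proposed above can be checked for the property that matters to Kerberos: the host part of the service principal the server looks up is the canonical name of the Linux box, and the -princ given to ktpass has to be exactly service/that-name@REALM. The zone data below is constructed from the post (test.local, scalix.test.local at 10.1.2.30); reverse-lookup canonicalisation is modelled as an option (rdns) because whether the Kerberos library applies it depends on the implementation and its configuration, and the AD realm name TEST.LOCAL is an assumption.

```python
from typing import Dict, List, Tuple

# Constructed zone data mirroring the records proposed in the post above; it stands in
# for live DNS so the check runs offline.
ZONE = {
    "A":     {"scalix.test.local": "10.1.2.30"},
    "CNAME": {"scalix-default-mail.test.local": "scalix.test.local"},
    "PTR":   {"10.1.2.30": "scalix.test.local"},
}

def resolve_forward(zone: Dict, name: str) -> Tuple[str, str]:
    """Follow the CNAME chain, then return (target name, its A record)."""
    seen: List[str] = []
    while name in zone["CNAME"]:
        if name in seen or len(seen) > 8:
            raise ValueError(f"CNAME loop at {name}")
        seen.append(name)
        name = zone["CNAME"][name]
    if name not in zone["A"]:
        raise LookupError(f"no A record for {name}")
    return name, zone["A"][name]

def canonical_host(zone: Dict, name: str, rdns: bool = True) -> str:
    """Host part a host-based GSSAPI name canonicalises to: forward lookup, then
    (when rdns is enabled) the PTR of the resulting address."""
    target, ip = resolve_forward(zone, name)
    if rdns and ip in zone["PTR"]:
        return zone["PTR"][ip]
    return target

def expected_spn(zone: Dict, hostname: str, realm: str,
                 service: str = "scalix-ual", rdns: bool = True) -> str:
    """The principal the Scalix server will search its keytab for."""
    return f"{service}/{canonical_host(zone, hostname, rdns)}@{realm}"

def check_ktpass_principal(princ: str, zone: Dict, hostname: str, realm: str) -> Dict:
    """Compare the -princ value given to ktpass with the name the server will look up."""
    expected = expected_spn(zone, hostname, realm)
    issues: List[str] = []
    try:
        name, got_realm = princ.rsplit("@", 1)
        got_service, got_host = name.split("/", 1)
    except ValueError:
        return {"expected": expected, "match": False,
                "issues": ["principal is not of the form service/host@REALM"]}
    exp_service, exp_host = expected.split("@")[0].split("/", 1)
    if got_service != exp_service:
        issues.append(f"service part {got_service!r} != {exp_service!r}")
    if got_host != exp_host:
        issues.append(f"host part {got_host!r} != canonical name {exp_host!r}")
    if got_realm != realm:
        hint = " (realm names are case-sensitive)" if got_realm.upper() == realm else ""
        issues.append(f"realm {got_realm!r} != {realm!r}{hint}")
    return {"expected": expected, "match": not issues, "issues": issues}

if __name__ == "__main__":
    print(check_ktpass_principal("scalix-ual/scalix.test.local@TEST.LOCAL",
                                 ZONE, "scalix.test.local", "TEST.LOCAL"))
```

The Scalix mail domain (test.it) does not appear anywhere in this computation: only the Linux host's canonical DNS name and the Kerberos realm do. The swapped-PTR case in the test shows why the reverse zone is part of the setup: a PTR that names a different host changes the principal the server searches for, while the ktpass output stays the same.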

